Apfelstrudel Posted January 24, 2017

Hello, now we have to think about enabling SSL because Google Chrome starts to show warning messages beginning in Jan 17 for all pages which have a login (PW form). This is the case for almost all forum pages.

https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Here in the forum I read a lot of topics about SSL and that it will cause many mixed-content warnings. Normally it should be no problem running the standard pages in http because our forum (and I think most of the forums out there) have nothing special which needs encryption.

Is it possible to use SSL for standard logins only? I don't mean the acp login. I'm talking about the member login. I know that there is a "SSL for login only" setting in acp but this doesn't affect the member logins. There must be a feature to replace the login pulldown in the forum header with a link to the SSL login page. Is there any built-in feature to do this?

Thanks in advance for any help.

opentype Posted January 24, 2017

52 minutes ago, Apfelstrudel said:
Is there any built-in feature to do this?

No. You need to move over everything because the login form is available on every page.

Apfelstrudel Posted January 24, 2017

Unfortunately that's what I assumed. Thanks, opentype. So I have to run some replace queries in mysql to get rid of these mixed content warnings. But what about the external pics?

opentype Posted January 24, 2017

There is this 3rd party option, but I would much rather see a native IPS function for this.

Rhett Posted January 24, 2017

36 minutes ago, opentype said:
No. You need to move over everything because the login form is available on every page.

That's not really true, we have the option to use SSL for logins and acp only, which then makes those links/urls use https/ssl. Google is only concerned with login info, checkout etc.

opentype Posted January 24, 2017

10 minutes ago, Rhett said:
That's not really true, we have the option to use SSL for logins and acp only, which then makes those links/urls use https/ssl.

What is not true? If that option is turned on, can I not pull down the login form as guest from an http page?

Rhett Posted January 24, 2017

1 minute ago, opentype said:
What is not true? If that option is turned on, can I not pull down the login form as guest from an http page?

If you set the site to use SSL for logins, all login pages use https/ssl. If you are having any trouble with this, please submit a ticket if needed.

Nathan Explosion Posted January 24, 2017

Rhett - the login process will use https, that is correct. But the username/password field is still on an http only page, and the drop down of it doesn't change that. That is what the issue is with what people are getting from Google.

Colonel_mortis Posted January 24, 2017

4 minutes ago, Rhett said:
If you set the site to use SSL for logins, all login pages use https/ssl. If you are having any trouble with this, please submit a ticket if needed.

Every page is a login page, since every page has a login dropdown. That means that it is not secure (even if you submit to HTTPS, because an attacker can modify the page), and Chrome and Firefox both flag it as such.

Rhett Posted January 24, 2017

9 minutes ago, Nathan Explosion said:
Rhett - the login process will use https, that is correct. But the username/password field is still on an http only page, and the drop down of it doesn't change that. That is what the issue is with what people are getting from Google.

7 minutes ago, Colonel_mortis said:
Every page is a login page, since every page has a login dropdown. That means that it is not secure (even if you submit to HTTPS, because an attacker can modify the page), and Chrome and Firefox both flag it as such.

That sounds more like a false positive in this case on Google's end if so, if the form is loaded and submitted over https, it's not insecure.

Colonel_mortis Posted January 24, 2017

4 minutes ago, Rhett said:
The login form on all pages should be using https if you have it set to, even the drop down, if it's not please submit a ticket.

No, the dropdown login box, #elUserSignIn_menu, is embedded into every page, including the ones loaded over HTTP. The form submits to an HTTPS origin (probably, I've not actually checked since I don't have a site with that configuration to hand), but, as I explained in my previous post, that is not sufficient.

My site uses HTTPS for everything, so I can't submit a ticket (which would result in me being told to submit a feature request anyway), but this is an issue. Admins should have the option to remove the dropdown login box.

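Added example (not part of the thread and not IPS code): a small Python audit of the point made in the post above, that a password field on an HTTP page is flagged even when its form submits to HTTPS. The `forum.example` URLs, the field names and the sample markup are constructed; only the `#elUserSignIn_menu` id comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Records every password field with the page and form-target schemes."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None  # resolved action of the form currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action or self.page_url
            self.findings.append({
                "field": a.get("name"),
                "page_secure": urlsplit(self.page_url).scheme == "https",
                "submit_secure": urlsplit(target).scheme == "https",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def is_flagged(finding):
    # An HTTPS form target is not enough: the HTTP page that carries the
    # form can be altered in transit, so the page must be HTTPS as well.
    return not (finding["page_secure"] and finding["submit_secure"])


# Constructed sample: a dropdown login form embedded in a forum page.
SAMPLE = """<div id="elUserSignIn_menu">
<form action="https://forum.example/login/" method="post">
<input type="text" name="auth"><input type="password" name="password">
</form></div>"""
```

Running `audit` on the same markup with an `http://` and an `https://` page URL shows that only the page scheme changes the verdict.
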
Rhett Posted January 24, 2017

Just now, Colonel_mortis said:
No, the dropdown login box, #elUserSignIn_menu, is embedded into every page, including the ones loaded over HTTP. The form submits to an HTTPS origin (probably, I've not actually checked since I don't have a site with that configuration to hand), but, as I explained in my previous post, that is not sufficient. My site uses HTTPS for everything, so I can't submit a ticket (which would result in me being told to submit a feature request anyway), but this is an issue. Admins should have the option to remove the dropdown login box.

I'll do some testing, the sole purpose for ssl for logins is to do just that, if it's not working in this manner, we can get it fixed. Thanks for the info.

bradl Posted January 24, 2017

Quote:
But what about the external pics?

IPS now has natively an option to copy-and-cache remote images so that 'remote' images are served from the local (SSL) source, avoiding mixed-content. In the ACP you can also specify an expiry time for the cache after which the image will be re-fetched and re-cached if called for.

EricT Posted January 24, 2017

1 hour ago, bradl said:
IPS now has natively an option to copy-and-cache remote images so that 'remote' images are served from the local (SSL) source, avoiding mixed-content. In the ACP you can also specify an expiry time for the cache after which the image will be re-fetched and re-cached if called for.

I can't find the settings on ACP. Could you help me? Thank you

bradl Posted January 24, 2017

Systems → Settings → Posting, although I usually get to it by typing SSL in the ACP search pane and it pops up automatically.

Apfelstrudel Posted January 25, 2017

That was my point. At the moment all pages are login pages and from Google's point of view they need to be within an SSL page. So we need a feature to replace the pulldown with a link to the ssl login page. Then there is no need to have the complete forum ssl-ed.

11 hours ago, bradl said:
Systems → Settings → Posting, although I usually get to it by typing SSL in the ACP search pane and it pops up automatically.

12 hours ago, bradl said:
IPS now has natively an option to copy-and-cache remote images

Thanks. I already found this setting but I'm a little bit concerned about the copyright issue. If I cache those remote images then they are on my server (from technical point of view) and this could cause troubles.

Andy Millne Posted January 25, 2017

1 hour ago, Apfelstrudel said:
Thanks. I already found this setting but I'm a little bit concerned about the copyright issue. If I cache those remote images then they are on my server (from technical point of view) and this could cause troubles.

This is not legal advice but it is no different to users copying an image from another site and uploading to yours. You can still remove the images after a report of any infringement.

Apfelstrudel Posted January 25, 2017

Sorry Andy, but here in Europe it might be different. Some courts said that having an image on my server (even as cache) is "some sort of" owning it. Unfortunately. But it could be different depending on the location and country.

Andy Millne Posted January 25, 2017

Just now, Apfelstrudel said:
Sorry Andy, I have to correct you. Here in Europe it might be different. Some courts said that having an image on my server (even as cache) is "some sort of" owning it. Unfortunately. But it could be different depending on the location and country.

Yes I realise what you are saying and I'm not getting into the law but like I say if you have attachment uploads enabled you are already allowing this. I am also in Europe btw.

Apfelstrudel Posted January 25, 2017

6 minutes ago, Andy Millne said:
if you have attachment uploads enabled you are already allowing this

On the other side that's true. But in this case I, as the owner, can say it was the decision of the user and the admin was not aware of it but caching all images by script, it was definitely my intention to do so. In the meantime here in our country admins are only responsible for problems if they are aware of issues. So here it might be a difference. Anyway I understand you and I'm just asking how I could eliminate this issue. But I think I can't.

Andy Millne Posted January 25, 2017

Yes it's one of the many vagaries in Internet law unfortunately and I'm not aware of it ever being tested in court. If you're concerned, in practice I would expect so long as you stated in your terms that links should not be added to copyrighted material, you only cached on a temporary basis and were proactive about removal after reports of infringement then I would be extremely surprised if anything more came of it.

opentype Posted January 25, 2017

12 minutes ago, Andy Millne said:
… it is no different to users copying an image from another site and uploading to yours.

Correct, but uploading/local caching is very different in a legal sense than just embedding from a different server. So a forum site in Europe can have thousands of images like that, which are no problem, but become one after the switch to SSL.

Andy Millne Posted January 25, 2017

1 minute ago, opentype said:
So a forum site in Europe can have thousands of images like that, which are no problem, but become one after the switch to SSL.

You should probably just Brexit

opentype Posted January 25, 2017

I am not opposed to these copyright laws. I am a creator myself and don’t want my content to be uploaded to another server without my permission and out of my control.

Apfelstrudel Posted January 25, 2017

16 hours ago, Rhett said:
I'll do some testing, the sole purpose for ssl for logins is to do just that, if it's not working in this manner, we can get it fixed. Thanks for the info.

Could you please keep us posted on this testing? We would need this solution asap.

Archived
This topic is now archived and is closed to further replies.