SSL Required by Facebook

[JohnCourt]

Dear folks, our Facebook login no longer functions, I have created a new login app at Facebook Dev panel, and upon logging into our community via Facebook, we are confronted with an error message:

Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://

I have never had an SSL cert for our community, do I really need one to use the Facebook login? And if I do need one, are there any unintended behaviors I may experience in our community with a new SSL?

Thanks!

[RevengeFNF]

You can use SSL without any issue. In fact you can check that this community is under SSL.

You can get free certificates with Let's Encrypt. 

[opentype]

The whole web is moving to SSL. You will have to switch eventually. The sooner the better. IPS 4.2 makes the transition as easy as possible, e.g. by rewriting existing images and delivering them locally over SSL. 

[JohnCourt]

Thanks to both for your feedback, greatly appreciate it!

With the SSL my domain will change from http to https correct? If so, all my links I have spread throughout the www will be broken?

[Aiwa]

10 minutes ago, JohnCourt said:

If so, all my links I have spread throughout the www will be broken?

Not if your virtual host is set up to redirect http requests to https. ?

[JohnCourt]

14 minutes ago, Aiwa said:

Not if your virtual host is set up to redirect http requests to https. ?

Thanks!

[RevengeFNF]

5 hours ago, Aiwa said:

Not if your virtual host is set up to redirect http requests to https. ?

Or he can enable HSTS to tell the client browser to always use https.

The best solution is to use both, the redirect and hsts.

[The Old Man]

If it helps, from my .htacess file:

#Force HSTS:
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

 Good advice:

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Force https version of site with a 301 Permanent Redirection advisory to search engines, just rename the 2 lines to your own:

#Force https:
RewriteEngine On 
RewriteCond %{HTTP_HOST} ^millennium-thisiswhoweare\.net [NC]
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(.*)$ https://millennium-thisiswhoweare.net/$1 [R=301,L]

Optional - enforce non-www version of the site again with a 301 Permanent Redirect:

#Force non-www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.millennium-thisiswhoweare\.net [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(.*)$ https://millennium-thisiswhoweare.net/$1 [L,R=301]

 

[JohnCourt]

Thank you for all the great direction here. From reading I also understand we can either make our entire community SSL or just the login and commerce pages. I do not have any commerce in our community, no credit cards exchange through our community.

With that being said should I only enable SSL for logging in to the community? We want to protect personal information such as emails and login information.

From what I have read, to enable SSL site wide also uses valuable resources?

[opentype]

3 minutes ago, JohnCourt said:

With that being said should I only enable SSL for logging in to the community?

No. And that option is removed anyway with 4.3. 

 

3 minutes ago, JohnCourt said:

We want to protect personal information such as emails and login information.

Exactly. That’s why everything needs to be SSL. If you don’t have it, recent browsers will actively warn your users and tell them you site is insecure.

 

3 minutes ago, JohnCourt said:

From what I have read, to enable SSL site wide also uses valuable resources?

That’s mostly a myth. 

[O9C4]

Is the Error because no SSL on my plan?

[Meddysong]

No, I don't think so. I've been getting that one a lot over the past week or so and I'm on SSL.

[O9C4]

Updated the Valid OAuth Redirect URIs (Facebook Login\Settings) to:

as in Guides

4. Go to the Products > Facebook Login > Settings tab from the left sidebar. In the Valid OAuth redirect URIs field enter the value shown in your AdminCP, which will be your community's URL ending with "/oauth/callback/" on the end. You must click Save Changes at the bottom to save this.

Then appeared the first Error again:

Still nothing changed and the Error.

It looks like all about the SSL.

Use HTTPS

Use HTTPS, instead of HTTP, as an internet protocol, because it uses encryption. HTTPS keeps transmitted data private and guards against eavesdropping attacks. It also prevents data from being tampered with during transmission by, for example, introducing advertisements or malicious code.

https://developers.facebook.com/docs/facebook-login/security/#https

and

• Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.

Does anyone tryed to obtain a free certificate for your domain(s) from Let's Encrypt?

[Meddysong]

4 minutes ago, O9C4 said:

Does anyone tryed to obtain a free certificate for your domain(s) from Let's Encrypt?

I didn't use Let's Encrypt but I watched a YouTube video yesterday on uploading a free certificate from sslforfree.com to cPanel and then uploaded several certificates without a problem: