Forum SSL

Mark · Thu, 14 Jul 2016 08:44

Hi Hardy,

I find myself staying at hotels with open unencrypted wifi (even shared encrypted wifi wouldn't be much better) and are a little concerned about logging into this forum via HTTP. Similar concerns are valid on airport/aircraft wifi networks.

Is it easy to enable HTTPS in the forum software?
Free SSL certificates are available here: https://letsencrypt.org/

Thanks,
Mark

Hardy Heinlin · Thu, 14 Jul 2016 08:56

Hi Mark,

I don't know. This forum software is from http://www.simplemachines.org/ -- maybe there's a hint on their website ...

Are you concerned about your forum password?

Cheers,

|-|ardy

Gary Oliver · Thu, 14 Jul 2016 09:07

Don't worry mark we will install a faraday cage around the sim for you

Hardy Heinlin · Thu, 14 Jul 2016 09:12

Speaking of Faraday ...

QuoteI find myself staying at hotels [...] and are ...

Did a lightning strike cut the single Mark into plural while typing this sentence? :-)

Mark · Thu, 14 Jul 2016 09:17

Quote from: Gary Oliver on Thu, 14 Jul 2016 09:07
Don't worry mark we will install a faraday cage around the sim for you

The Marks would like to inform you that we are pleased with this proposal...

Britjet · Thu, 14 Jul 2016 15:22

No pets in the sim please. It's bad enough with Gary's cat without having faradays as well..

evaamo · Thu, 14 Jul 2016 19:01

Quote from: Hardy Heinlin on Thu, 14 Jul 2016 08:56
Are you concerned about your forum password?

I knew it was a bad idea setting my Aerowinx forum password to be the same as my Gmail and online banking one!

What has the world come to!?

Send one of those Faraday cages my way too, please, Gary!

On a serious note now: there's also https://www.startcom.org. I've been using their certs on my servers for a few years now.

If you need any help with this Hardy, let me know.

cheers,
-E

Jeroen Hoppenbrouwers · Thu, 14 Jul 2016 21:45

Hardy: at least in theory, the Forum software should not need to know anything about HTTPS. It's purely a web server (Apache?) thing. Possibly you need to reset the base URL, if the Forum has one, so all explicit links to itself would be HTTPS instead of HTTP, but that's it.

Enabling HTTPS on the web server is not difficult but likely much more complex than you may expect. Security is hard, and not forgiving. You need to have everything lined up before it works at all.

Hoppie

Mark · Fri, 15 Jul 2016 09:18

Hoppie, you're right - the majority of the configuration is on the web server.

See:
http://wiki.simplemachines.org/smf/SMF2.0:Server_settings
'Force cookies to be secure'
This option isn't mandatory if HTTPS is enabled on the webserver, it's another layer of security that stops session hijacking via non-HTTPS access.

I find setting up HTTPS on all my sites (in my day job) to be easy but that's the benefit of experience. That's possibly why it might not be appropriate here - it'll take Hardy's time away from the next PSX beta.

Edit: Also looks like a version update would be sensible, see change log:
http://wiki.simplemachines.org/smf/SMF2.1:Features
'Full SSL Support'
but this latest version does say:
'Note: As this is in development, we do not recommend running SMF 2.1 on a production site.'
so maybe I started this thread too early...

744 Forum

News:

Forum SSL

Mark

Hardy Heinlin

Gary Oliver

Hardy Heinlin

Mark

Britjet

evaamo

Jeroen Hoppenbrouwers

Mark