SWBFgamers.com and SSL

Started by Led, July 08, 2018, 09:03:16 AM

Our forum web host has converted us to SSL, meaning you can update your bookmarks to

https://www.swbfgamers.com

(note the https)

:cheers:
Quote from: Abraham Lincoln. on November 04, 1971, 12:34:40 PM
Don't believe everything you read on the internet

Huzzah for no more browser 'this site is not secure' and moar encryption!


Inb4 Regent makes the British comment

(Love you bro, no h8 m8 i r8 8/8)

Quote from: RepComm on July 08, 2018, 12:39:39 PM
Huzzah for no more browser 'this site is not secure' and moar encryption!


Inb4 Regent makes the British comment

(Love you bro, no h8 m8 i r8 8/8)
Er...

All that time I spent worrying about SSL may now be spent drinking tea?

Gah, you have a way with words. I consider myself the bitter end of an excellent joust. Well played, sir.

July 12, 2018, 07:08:45 PM #4 Last Edit: July 12, 2018, 07:31:22 PM by RepComm
Heya, I'm here with thangs and stuph.

Attached are reference images from Firefox 61.0.4 (64-bit) on Windows 10.
One that is functional is HTTP unsecured, the other is secured.

There are several bugs mostly related to the PHP not spitting out HTTPs at the beginning of its references.

For example, my avatar image url is http://www.swbfgamers.com/user_avs/avatar_1946_1512895951.png
This works great, but using https://swbfgamers.com the PHP still outputs that link, which is sent to the client as unencrypted data. This is nearly harmless, since I do not care if someone sniffs that through my network, but it is a bug nonetheless, and it has implications that the PHP code needs a working on.

If you are comfortable, I am capable with these things and can probably fix the problem the correct way by testing a copy of the site as-is with my machine locally, probably with a dummy/empty (besides a test account I'd create to test streaming of the images as HTTP/s) database. I wouldn't really even need FTP access.

[spoiler=A list of unsecured resources I used my browser console to debug are listed]
[/spoiler]

I was going to be all fancy and use the DOM debug tool thing to check every href/src, but I guess the Firefox guys decided they were cooler than me.

If you inject the https manually through browser console, the bugs go away.

edit- Just found that relative links such as the banner for the site:
Code (css):

#header {
    ...
    #333333 url(../images/custom/header-bg-2.jpg) no-repeat
}

Are resolved to HTTPs automatically (or whatever you're currently connected via, so http would be resolved if you type in http://swbfgamers.com). So a lot of things like avatars and such that are uploaded could use relative paths instead of hard code references. This would make a much easier job of updating the PHP.

As far as imgur and pile.randimg.net go, they support HTTPs if you jack the s in there manually, but you would need to write some kind of code to automatically do this. You could additionally figure out where the source of those images are being input and demand the HTTPs from the user setting the value, and last ditch effort test an HTTPs version with a fetch request, and if it errors out deny the operation and spit a "url doesn't support SSL/HTTPS" to the user.

edit- pile.randimg.net doesn't do HTTPs if you just jack it in there.. Time for code!

edit- added Android 6.0.1 Firefox 59.0.2 https:// screen shot
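
Added example, not part of the post above or of the SMF code base: a JavaScript sketch of the cleanup being discussed. It makes same-site http:// subresources root-relative so they inherit the page scheme, and upgrades third-party ones only for hosts already confirmed to serve HTTPS. The sample markup, the i.imgur.com host, example.png and all function names are assumptions constructed for illustration.

```javascript
// Added example. Sample markup is constructed; only the avatar URL, the
// header image path and the two image-host names come from the thread.
const SITE_HOSTS = new Set(["swbfgamers.com", "www.swbfgamers.com"]);

// Tags whose src/href load subresources (plain <a href> links are not mixed content).
const SUBRESOURCE =
  /<(img|script|iframe|link|audio|video|source)\b[^>]*?\b(src|href)\s*=\s*["']([^"']+)["']/gi;

// httpsVerifiedHosts: third-party hosts already confirmed to answer over HTTPS.
function rewriteMixedContent(html, httpsVerifiedHosts) {
  const findings = [];
  const out = html.replace(SUBRESOURCE, (match, tag, attr, raw) => {
    let url;
    try {
      url = new URL(raw); // throws on relative URLs, which inherit the page scheme
    } catch {
      return match;
    }
    if (url.protocol !== "http:") return match;
    const rest = url.pathname + url.search + url.hash;
    let fix = null; // null = leave alone and report; host has no verified HTTPS
    if (SITE_HOSTS.has(url.hostname)) fix = rest; // same site: root-relative
    else if (httpsVerifiedHosts.has(url.hostname)) fix = "https://" + url.host + rest;
    findings.push({ tag: tag.toLowerCase(), url: raw, fix });
    if (fix === null) return match;
    // The match ends with the raw URL plus its closing quote; swap only that part.
    return match.slice(0, match.length - raw.length - 1) + fix + match.slice(-1);
  });
  return { html: out, findings };
}

const SAMPLE_HTML = [
  '<img src="http://www.swbfgamers.com/user_avs/avatar_1946_1512895951.png">',
  '<img src="http://i.imgur.com/example.png">',
  '<img src="http://pile.randimg.net/example.png">',
  '<img src="../images/custom/header-bg-2.jpg">',
  '<a href="http://example.com/">plain link</a>',
].join("\n");

const result = rewriteMixedContent(SAMPLE_HTML, new Set(["i.imgur.com"]));
for (const f of result.findings) {
  console.log(f.fix === null ? "BLOCK/REPORT" : "REWRITE", f.url, "->", f.fix);
}
```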

I suspect this kind of thing may be partially cleaned up in the next SMF release, but I can't say for sure.  You might want to visit the SMF release forum and see what's up with it.

I could install a test forum for you to work with if you want. I'm not sure I want to go through the process of duplicating this database though.
