Using HTTPS instead of HTTP for forums


Moderator: Tim Green

Simon Dismore
Posts: 454
Joined: Thu Nov 16, 2006 1:29 pm
Location: London, UK

Using HTTPS instead of HTTP for forums

Unread post by Simon Dismore »

I get these warnings from http://helpman.it-authoring.com/ucp.php?mode=login:
Console-warning-in-Nightly-45.png
Rapport-warning-in-Chrome-46.png
Might be an idea to move the phpBB forums over to https for the reasons explained in Mozilla's [Learn More].
Tim Green
Site Admin
Posts: 23153
Joined: Mon Jun 24, 2002 9:11 am
Location: Bruehl, Germany

Re: Using HTTPS instead of HTTP for forums

Unread post by Tim Green »

Hi Simon,

We do plan to switch the forum to https in the relatively near future. We are already aware of the reasons why this might be a good idea. 8)
Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
Simon Dismore
Posts: 454
Joined: Thu Nov 16, 2006 1:29 pm
Location: London, UK

Re: Using HTTPS instead of HTTP for forums

Unread post by Simon Dismore »

Tim Green wrote: We are already aware of the reasons why this might be a good idea. 8)
Ah, you read this xkcd comic too?
Tim Green
Site Admin
Posts: 23153
Joined: Mon Jun 24, 2002 9:11 am
Location: Bruehl, Germany

Re: Using HTTPS instead of HTTP for forums

Unread post by Tim Green »

Hi Simon,

I hadn't read that one but unusually, it's a little misleading. To get users' passwords as a site operator you have to design your own completely insecure system. With a more secure system like phpBB or pretty much any standard online system nowadays, the operator doesn't have access to the passwords. At most they could access the encrypted hashes, which can't be used as passwords. You would have to rewrite the forum software to actually monitor your users entering the passwords to get them, and we really have better things to do with our time. ;-)

That being said, phpBB definitely isn't perfect. As far as I can see the password hashing is performed on the server side with a PHP function, when it should ideally be hashed at the user end with a JS function instead, so that only the hash is ever sent across the net. That would be the main reason for activating https -- I'm currently waiting for a Let's Encrypt certificate for just that purpose. In the long term, I'm hoping that phpBB gets a SQRL interface, although I'm not holding my breath.

There's not a lot you can do about users using bad passwords and the same bad password for every site, apart from encouraging them to get LastPass or something like it. :roll:
Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
Tim Green
Site Admin
Posts: 23153
Joined: Mon Jun 24, 2002 9:11 am
Location: Bruehl, Germany

Re: Using HTTPS instead of HTTP for forums

Unread post by Tim Green »

The forum now supports https. Enjoy. :mrgreen:
Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
Simon Dismore
Posts: 454
Joined: Thu Nov 16, 2006 1:29 pm
Location: London, UK

Re: Using HTTPS instead of HTTP for forums

Unread post by Simon Dismore »

Nice work! It's a very minor point, but I think you need to serve 'http://www.it-authoring.com/bb/helpauth/favicon.ico' over https too. :-)
Tim Green
Site Admin
Posts: 23153
Joined: Mon Jun 24, 2002 9:11 am
Location: Bruehl, Germany

Re: Using HTTPS instead of HTTP for forums

Unread post by Tim Green »

Simon Dismore wrote: Nice work! It's a very minor point, but I think you need to serve 'http://www.it-authoring.com/bb/helpauth/favicon.ico' over https too. :-)
Thanks, fixed. I was meaning to look for the cause of the insecure content reference over the weekend.
Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
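
Added example (not part of the thread and not the forum's own code): a small Python checker for the kind of insecure content reference discussed in the last two posts, where a page served over https still pulls a subresource such as favicon.ico over http. The example.org host names and the sample page are constructed, and the tag table is a simplified assumption rather than a full list of what browsers treat as mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). Browsers block "active" mixed content outright;
# "passive" content (images, media, icons) usually only costs the padlock.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "img": ("src", "passive"), "audio": ("src", "passive"),
                "video": ("src", "passive"), "source": ("src", "passive")}
LINK_RELS = {"stylesheet": "active", "icon": "passive"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # changes if the page carries a <base href>
        self.findings = []        # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        if tag == "base" and "href" in a:
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link":
            rels = a.get("rel", "").lower().split()
            kind = next((LINK_RELS[r] for r in rels if r in LINK_RELS), None)
            attr = "href"
        else:
            attr, kind = SUBRESOURCES.get(tag, (None, None))
        if kind and attr in a:
            url = urljoin(self.base, a[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over https."""
    if urlsplit(page_url).scheme != "https":
        return []                 # mixed content only exists on https pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (example.org hosts are placeholders).
SAMPLE = """<html><head>
<link rel="shortcut icon" href="http://www.example.org/bb/favicon.ico">
<link rel="stylesheet" href="/styles/main.css">
<script src="//cdn.example.org/forum.js"></script>
</head><body><img src="http://img.example.org/logo.png">
<a href="http://www.example.org/old">link, not a subresource</a></body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://forum.example.org/index.php", SAMPLE), sep="\n")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two absolute http:// references are reported; a `<base href="http://...">` would turn every relative reference into a finding.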