I get these warnings from http://helpman.it-authoring.com/ucp.php?mode=login:
Might be an idea to move the phpBB forums over to https for the reasons explained in Mozilla's [Learn More].
Using HTTPS instead of HTTP for forums
Moderator: Tim Green
- Posts: 454
- Joined: Thu Nov 16, 2006 1:29 pm
- Location: London, UK
Using HTTPS instead of HTTP for forums
You do not have the required permissions to view the files attached to this post.
- Tim Green
- Site Admin
- Posts: 23189
- Joined: Mon Jun 24, 2002 9:11 am
- Location: Bruehl, Germany
- Contact:
Re: Using HTTPS instead of HTTP for forums
Hi Simon,
We do plan to switch the forum to https in the relatively near future. We are already aware of the reasons why this might be a good idea.
Regards,
Tim (EC Software Documentation & User Support)
Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
- Posts: 454
- Joined: Thu Nov 16, 2006 1:29 pm
- Location: London, UK
Re: Using HTTPS instead of HTTP for forums
Tim Green wrote: We are already aware of the reasons why this might be a good idea.
Ah, you read this xkcd comic too?
- Tim Green
- Site Admin
- Posts: 23189
- Joined: Mon Jun 24, 2002 9:11 am
- Location: Bruehl, Germany
- Contact:
Re: Using HTTPS instead of HTTP for forums
Hi Simon,
I hadn't read that one but unusually, it's a little misleading. To get users' passwords as a site operator you have to design your own completely insecure system. With a more secure system like phpBB or pretty much any standard online system nowadays, the operator doesn't have access to the passwords. At most they could access the encrypted hashes, which can't be used as passwords. You would have to rewrite the forum software to actually monitor your users entering the passwords to get them, and we really have better things to do with our time.
That being said, phpBB definitely isn't perfect. As far as I can see the password hashing is performed on the server side with a PHP function, when it should ideally be hashed at the user end with a JS function instead, so that only the hash is ever sent across the net. That would be the main reason for activating https -- I'm currently waiting for a Let's Encrypt certificate for just that purpose. In the long term, I'm hoping that phpBB gets a SQRL interface, although I'm not holding my breath.
There's not a lot you can do about users using bad passwords and the same bad password for every site, apart from encouraging them to get LastPass or something like it.
Regards,
Tim (EC Software Documentation & User Support)
Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
- Tim Green
- Site Admin
- Posts: 23189
- Joined: Mon Jun 24, 2002 9:11 am
- Location: Bruehl, Germany
- Contact:
Re: Using HTTPS instead of HTTP for forums
The forum now supports https. Enjoy.
Regards,
Tim (EC Software Documentation & User Support)
Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
- Posts: 454
- Joined: Thu Nov 16, 2006 1:29 pm
- Location: London, UK
Re: Using HTTPS instead of HTTP for forums
Nice work! It's a very minor point, but I think you need to serve 'http://www.it-authoring.com/bb/helpauth/favicon.ico' over https too.
- Tim Green
- Site Admin
- Posts: 23189
- Joined: Mon Jun 24, 2002 9:11 am
- Location: Bruehl, Germany
- Contact:
Re: Using HTTPS instead of HTTP for forums
Simon Dismore wrote: Nice work! It's a very minor point, but I think you need to serve 'http://www.it-authoring.com/bb/helpauth/favicon.ico' over https too.
Thanks, fixed. I was meaning to look for the cause of the insecure content reference over the weekend.
Regards,
Tim (EC Software Documentation & User Support)
Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
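As an added example (not code from this thread or from phpBB), here is a small Python check for the kind of insecure sub-resource reference Simon reported: it parses the HTML of an https page and lists every resource that would still be fetched over plain http. The sample HTML, and the cdn.example.invalid host in it, are constructed; the favicon URL and page URL are the ones quoted in the thread.

```python
"""Flag sub-resources that an https page loads over plain http (mixed content)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that cause the browser to fetch a sub-resource.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "audio": ("src",), "video": ("src",), "source": ("src",),
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) for each http:// resource

    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if not value:
                continue
            # Resolve relative paths and protocol-relative (//host/...) URLs
            # against the page URL, so only explicit http:// references remain.
            absolute = urljoin(self.page_url, value)
            if urlparse(absolute).scheme == "http":
                self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return the http:// sub-resources of an https page; [] for an http page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content is only a concern once the page itself is https
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure


# Constructed sample page, modelled on the favicon reference from the thread.
SAMPLE_URL = "https://helpman.it-authoring.com/ucp.php?mode=login"
SAMPLE_HTML = """
<html><head>
<link rel="shortcut icon" href="http://www.it-authoring.com/bb/helpauth/favicon.ico">
<link rel="stylesheet" href="./styles/prosilver/theme/stylesheet.css">
<script src="//cdn.example.invalid/jquery.js"></script>
</head><body><img src="https://helpman.it-authoring.com/images/logo.png"></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"insecure {tag}: {url}")
```

Only the favicon is reported: the relative stylesheet and the protocol-relative script inherit the page's https scheme. Fixing the flagged reference to https (or sending a Content-Security-Policy with upgrade-insecure-requests) clears the browser warning.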