Secure Login

[digitaltoast]

An old topic, but yes.
As mobstergeek and I both stated, SSL is the way to go. Feel free to let us know if you have any questions about setting it up.

True, it HAS been a while since 2008, but I was wondering what changed your mind between then ("pointless waste of time and resources") to now ("the way to go")?

Anyway, great that it's being embraced, but as far as I can tell from copious reading, with 3.0.12 it's still the case that it's either "all or nothing", rather than secure login page, but non-SSL board. There's nothing being discussed that's private, per-se, but a fair few members log in from an open public wifi point and we've been asked about it, that's all.

Am I also understanding right that 3.1 might do the latter? I'm not expecting it before 2015 though, so I'm just wondering what the best option is for now

Thanks again.

[Techie-Micheal]

An old topic, but yes.
As mobstergeek and I both stated, SSL is the way to go. Feel free to let us know if you have any questions about setting it up.

True, it HAS been a while since 2008, but I was wondering what changed your mind between then ("pointless waste of time and resources") to now ("the way to go")?

Anyway, great that it's being embraced, but as far as I can tell from copious reading, with 3.0.12 it's still the case that it's either "all or nothing", rather than secure login page, but non-SSL board. There's nothing being discussed that's private, per-se, but a fair few members log in from an open public wifi point and we've been asked about it, that's all.

Am I also understanding right that 3.1 might do the latter? I'm not expecting it before 2015 though, so I'm just wondering what the best option is for now

Thanks again.

Changed my mind? I stated:

Which is what I've been trying to explain ... Hopefully when it comes from someone else, people will start to believe me. There is absolutely no reason to try and talk someone out of using SSL. That's absolutely ridiculous. Encrypting logins using a tried and true method such as SSL is a very good thing, if that's what people want to do.

At any rate, I think it should be all or nothing. While you log in using SSL, if your session cookies are sent over HTTP instead of HTTPS, they can be stolen and the account impersonated. It's your choice, I just want to let you know the reasons for all or nothing.

[digitaltoast]

While you log in using SSL, if your session cookies are sent over HTTP instead of HTTPS, they can be stolen and the account impersonated. It's your choice, I just want to let you know the reasons for all or nothing.

Ah, OK! Excellent reasons! Fair enough. And it wasn't until after I'd posted that I noticed QUITE how old this thread was, so thanks for not only answering persuasively, but not shouting at me either!

[Techie-Micheal]

You're welcome.

[Pony99CA]

While I realize that the responses saying that HTTPS is worthless for boards are old, you will notice that phpbb.com now uses HTTPS.

Steve

[Seibertron]

FYI ... Google is going to start giving warnings for pages with secure logins. Time for me to figure out how to do this. Anyone have any instructions?

Nonsecure Collection of Passwords will trigger warnings in Chrome 56 for http://www.**************.tld/

To: owner of http://www.**************.tld/

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.

http://www.**************.tld/phpbb/ucp.php?mode=login

The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure”.

Here’s how to fix this problem:

Use HTTPS pages to collect sensitive information
To prevent the “Not Secure” notification from appearing when Chrome users visit your site, move collection of password and credit card input fields to pages served using the HTTPS protocol.
Read the WebFundamentals article

Need more help?

• Learn more about this change in the blog post “Moving Towards a More Secure Web.”
• Learn how to Secure your site with HTTPS.
• Ask questions in our forum for more help - mention message type [WNC-10026400].

[Lumpy Burgertushie]

first, this is just a part of google trying to take over the whole internet and decide how everything should be done. personally I would ignore it.

technically, this has always been the way the browsers work, they just didn't give you a warning. remember the little "lock" icon in the taskbar or in the address bar? that has always let you know if a page was being run through SSL or not. not difference, just a new warning.

now, the way to solve this if you are worried about it is to get a SSL certificate, have it installed by your host and then switch your protocol over to https instead of http

a lot of work for very little benefit but I guess that is the way google wants it.


robert

[digitaltoast]

Or just ignore the post above because it's bad advice and utterly wrong on almost every level.

Just use Cloudflare - free certificate, secure, nothing to install, configure or pay for Job done.

http://stackoverflow.com/questions/3045 ... dflare-ssl
https://support.cloudflare.com/hc/en-us ... ions-mean-

Basically, just choose "flexible ssl"

YOu might need to read this if you get any problems
https://support.cloudflare.com/hc/en-us ... 276247-SSL
https://support.cloudflare.com/hc/en-us ... HTTPS-SSL-

[Lumpy Burgertushie]

sorry, but the advice is fine, you gave the same advice: get a SSL. that is what I said and what you said.

now, the rest of what I posted was obviously my opinion and it is just as valid as yours is about the need for SSL and the reason that all of a sudden google is going crazy trying to force everyone to switch to https.

the facts are that the only time SSL has any effect on anything is when you click the submit button on a form.

it has no affect on protecting your information once it is on the server, only during the transfer from yoru computer to the server.

running normal html/css under SSL has absolutely no benefit to anyone.

if you have a form that you are transmitting information running under SSL that is what it protects and that is where you benefit from it. you know, a form, like logging in or submitting a post or an order form etc.


robert

[digitaltoast]

running normal html/css under SSL has absolutely no benefit to anyone.

Sorry, but that is simply incorrect. It gives a BIG speed boost as the requests can be served over http2, which is not possible with non-ssl sites.

Here is a real-world test done over a 48h period:

Code: Select all

HTTP Protocol Version	Average Page Load time
HTTP 1.x		9.07 sec.
HTTP/2			4.27 sec.

Given that a forum like phpbb serves so many assets, and given that so many can be bundled into a single request over ssl, it made an instant and noticeable difference to my forum. And I don't mean numbers only measurable by a computer, I mean a switch from "page loading..almost there, loaded" to "bang, loaded".

SSL is about so much more than just security.

[sakm]

It not just google!

Apple are making it so all apps have to connect to https https://techcrunch.com/2016/06/14/apple ... d-of-2016/

so if anyone has things like tapatalk on their forum they will need https too

I am sure I have read somewhere that firefox is going to be giving similar warnings on non https too

[digitaltoast]

Indeed - it is of course nothing to do with "google trying to take over the whole internet and decide how everything should be done", it's a policy decided by many browsers.

https://blog.mozilla.org/security/

Changes to Firefox security user experience
Up until now, Firefox has used a green lock icon in the address bar to indicate when a website is using HTTPS and a neutral indicator (no lock icon) when a website is not using HTTPS. The green lock icon indicates that the site is using a secure connection.

In order to clearly highlight risk to the user, starting this month in Firefox 51 web pages which collect passwords but don’t use HTTPS will display a grey lock icon with a red strike-through in the address bar.

Clicking on the “i” icon, will show the text, “Connection is Not Secure” and “Logins entered on this page could be compromised”.

[Techie-Micheal]

It not just google!

Apple are making it so all apps have to connect to https https://techcrunch.com/2016/06/14/apple ... d-of-2016/

so if anyone has things like tapatalk on their forum they will need https too

I am sure I have read somewhere that firefox is going to be giving similar warnings on non https too

Firefox does as well.

- Chrome warns about insecure connections with login pages
- Firefox warns about insecure connections with login pages

This is not, was not, and will not be about "taking over the Internet," Lumpy. This is about safety.

the facts are that the only time SSL has any effect on anything is when you click the submit button on a form.

No. Just ... no. Please stop spreading false information.

[Lumpy Burgertushie]

Ok, I will bow out of the conversatioin because I don't wish to really argue with anyone about this subject. I just hate to see anyone spreading fear around when it is not based on truth. I have been studying and doing web stuff since the beginning. that does not make me an expert on security or anything else, but I have seen a lot of changes in the technology over the years. I have seen a lot of misinformation spread around the net over the years ( and the real world outside the net for that matter ).
Using SSL is mainly about securing the data during the transfer from the sending computer to the receiving computer. once that data is on the server, SSL can not possibly be doing any good for its security. that is just the way it works. I guess there may be other benefits to using SSL via something like cloudfare but that still doesn't change what SSL is and what it does.
ok,
I'm out of this one. sorry for taking the discussion off topic.


robert

[Techie-Micheal]

Ok, I will bow out of the conversatioin because I don't wish to really argue with anyone about this subject. I just hate to see anyone spreading fear around when it is not based on truth. I have been studying and doing web stuff since the beginning. that does not make me an expert on security or anything else, but I have seen a lot of changes in the technology over the years.

I, however, am an expert. I have a Bachelor of Science degree with a concentration in Information Security, and I have two certifications in Information Security, along with over a decade of real-world Information Security experience, including defending, architecting, and breaching computer networks. Credentials now out of the way, let's correct the wrong information so that users are not discouraged from making decisions based on accurate information.

Using SSL is mainly about securing the data during the transfer from the sending computer to the receiving computer.

It also encrypts the communication when the client (web browser) receives the HTML back. It is not one-way communication, but bi-directional. Man-in-the-Middle, which is what TLS protects against, can manipulate that communication in both directions.

once that data is on the server, SSL can not possibly be doing any good for its security.

Nobody is claiming that data at rest can be protected with TLS. This is about communication between the client and the server.