[Discuss] phpBB goes green

Noxwizard
Support Team Leader
Posts: 10416
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

[Discuss] phpBB goes green

Post by Noxwizard »

Discuss the announcement here.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: [Discuss] phpBB goes green

Post by updown »

Nice work! Congratulations!
Offsite content on our discussion boards is being redirected to a Camo server through a template hook, so you should never see mixed content warnings while browsing any part of our sites.
A complete 'howto' including template-hook would be nice - perhaps as a blog-post? Or are there already detailed instructions how to implement such a camo server with phpBB?
Ephemeraboy
Registered User
Posts: 331
Joined: Tue Dec 29, 2009 4:25 pm
Location: Bandung Kota Hujan
Name: Bernando Bona Tius Sianipar

Re: [Discuss] phpBB goes green

Post by Ephemeraboy »

awesome
:D
My diary, my notepad, and my life on
http://www.bonatius.com
My online shop at
http://www.nefara.com
ViolaF
Registered User
Posts: 1543
Joined: Tue Aug 14, 2012 11:52 pm

Re: [Discuss] phpBB goes green

Post by ViolaF »

viewtopic.php?f=46&t=2160815#p13173706
Lumpy Burgertushie - Wed Aug 15, 2012 6:13 pm wrote: the simple fact is that unless you are taking people's credit cards on your board, there is very little else that would be a good reason to need to use ssl.
Sorry for laughing, but that was just in time :lol: :D
naderman
Consultant
Posts: 3736
Joined: Fri Aug 01, 2003 10:06 pm
Location: Berlin, Germany
Name: Nils Adermann

Re: [Discuss] phpBB goes green

Post by naderman »

That's simply not true. For example cookies can be intercepted without SSL, meaning someone on a public wifi/company/university/whatever wifi might have their session or cookies stolen. Which then means another person can view and send private messages, post as if they were them, potentially even commit crimes like fraud while pretending to be another person whose cookies they intercepted.
I appreciate gifts from my Amazon wishlist.
naderman.de twitter: @naderman
MichaelC
Consultant
Posts: 3642
Joined: Mon Dec 21, 2009 3:36 pm
Location: Surrey, UK
Name: Michael Cullum

Re: [Discuss] phpBB goes green

Post by MichaelC »

As Nils said, you can have your session hijacked. But you can also have the content that is sent to your browser manipulated as well as viewed, which in my opinion is a lot more dangerous.
:)
Formerly known as Unknown Bliss.
Formerly Website Team Lead/Manager & Development Team.
Please don't PM me for support (or stuff that belongs in the forums or tracker) but otherwise feel free
Elias
Registered User
Posts: 5136
Joined: Sat Feb 25, 2006 4:31 pm
Location: In the Water!
Name: Elias

Re: [Discuss] phpBB goes green

Post by Elias »

Great move!

Good job to all!
"Mystery creates wonder, and wonder is the basis of man's desire to understand." - Neil Armstrong
|Installing Extensions|Writing Extensions|Extension Validation Policy|
Offering private web hosting. Contact me for details.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: [Discuss] phpBB goes green

Post by Techie-Micheal »

Name     phpbb_fe355_k
Value    [redacted]
Host     .phpbb.com
Path     /
Secure   No
Expires  Tue, 30 Jul 2013 03:42:09 GMT
I don't remember phpBB having so many cookies, but why are some not marked as secure while others are?
Proven Offensive Security Expertise. OSCP - GXPN
Noxwizard
Support Team Leader
Posts: 10416
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: [Discuss] phpBB goes green

Post by Noxwizard »

phpbb_fe355 is the Area51 cookie. Since we're not forcing that board to always run over HTTPS, the cookies aren't set with the secure flag. phpbb_1fh61 is the cookie for this board and it is set as secure.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
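The effect of the missing Secure flag described in the two posts above, as an added example that is not phpBB's code: it models which cookies a browser would attach to a plain-HTTP request, using simplified domain and path matching. The cookie values, the `_sid` suffix, the second cookie's attributes, and the hostnames and paths are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers modelled on the cookies discussed above;
# values, the _sid suffix and the second cookie's attributes are assumptions.
AREA51 = "phpbb_fe355_k=CONSTRUCTED; Domain=.phpbb.com; Path=/"
MAIN = "phpbb_1fh61_sid=CONSTRUCTED; Domain=.phpbb.com; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Return (name, attrs) with lower-cased attribute names; flags map to ''."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def sent_with(header, set_by_host, url):
    """Would a browser attach this cookie to a request for url?"""
    _, attrs = parse_set_cookie(header)
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if "secure" in attrs and target.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:  # Domain attribute: the named host and all of its subdomains
        host_ok = host == domain or host.endswith("." + domain)
    else:  # no Domain attribute: only the host that set the cookie
        host_ok = host == set_by_host.lower()
    path = attrs.get("path", "/")
    return host_ok and (target.path or "/").startswith(path)


def cleartext_exposure(headers, set_by_host, urls):
    """Map each plain-HTTP URL to the cookie names that would be sent to it."""
    report = {}
    for url in urls:
        if urlsplit(url).scheme == "http":
            report[url] = [parse_set_cookie(h)[0] for h in headers
                           if sent_with(h, set_by_host, url)]
    return report
```

Because the non-Secure cookie is scoped to `.phpbb.com`, the model reports it on a plain-HTTP request to any host under that domain, not only the board that set it.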
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: [Discuss] phpBB goes RED

Post by Pony99CA »

Whatever you did, I hate it. I previously opened Website bug #63154 about mixed content errors in IE 8 (which I'm forced to use here). Now, every new tab that I open here, I get IE's "There is a problem with this website's security certificate" error and I have to click "Continue to this website (not recommended)". When I click that link, I get a big RED address bar.

My own avatar isn't even showing now. :evil:

I wonder how many other users might be seeing this. If it's a new user, they might think that the site has been hacked and go away.

I know that you're trying to do the right thing, but I hope that there's at least some workaround (like a special URL we can use to avoid this stuff).

UPDATE: Even Area 51 is behaving oddly now. Here's a screen capture.
[Attachment: Area51.png - Area 51 Navigation Formatting]
Notice the navigation bar (outlined in red) isn't formatted properly. (The images did show the first time, but not again unless I allow showing the blocked content.)

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Noxwizard
Support Team Leader
Posts: 10416
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: [Discuss] phpBB goes green

Post by Noxwizard »

Your browser appears to have issues with SSL in general. Your ticket was before we were using it anywhere, so that means you were getting the error from the Google +1 button. The Area51 picture shows that you're not viewing Area51 over SSL and since the images all use relative paths, nothing at all is served over HTTPS. As I mentioned in the ticket, you're probably missing Windows updates to the root certificate store. Go here: http://windowsupdate.microsoft.com/ Tell it to install critical updates and check the Optional Updates section and look for a Root Certificates update and install it. You should also check to make sure that your clock is set correctly and not to some time in the distant future.

As per the announcement, this should continue in the bug tracker. You should use your old ticket as this seems to be on your side. I've tested IE8 from one of my active systems and one on BrowserShots. Neither have any problems.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
Lumpy Burgertushie
Registered User
Posts: 68286
Joined: Mon May 02, 2005 3:11 am

Re: [Discuss] phpBB goes green

Post by Lumpy Burgertushie »

One thing I have noticed is that when you view a post and hit the back button, the post instantly shows as having been read. It did not do that previously. I would have to refresh the page to make the unread image change to read.
Also, everything is loading extremely slowly. I checked other sites and other image-heavy boards and they are loading just fine.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

If nobody is in the forest, does a tree really fall?
Neo
Registered User
Posts: 113
Joined: Tue Jul 07, 2009 5:02 am
Location: Holland

Re: [Discuss] phpBB goes green

Post by Neo »

Gratz :D
Kazuzeya
Registered User
Posts: 16
Joined: Sun Jun 26, 2011 11:26 pm

Re: [Discuss] phpBB goes green

Post by Kazuzeya »

updown wrote: Nice work! Congratulations!
Offsite content on our discussion boards is being redirected to a Camo server through a template hook, so you should never see mixed content warnings while browsing any part of our sites.
A complete 'howto' including template-hook would be nice - perhaps as a blog-post? Or are there already detailed instructions how to implement such a camo server with phpBB?
Agreed, a guide like this would be helpful. I have SSL enabled on my site/forum, and would like to not have mixed-content warnings.
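The kind of rewrite updown and Kazuzeya ask about, as an added example that is not phpBB.com's template hook or code from the phpBB project: it builds Camo's `<digest>/<hex-encoded-url>` URL form, where the digest is an HMAC-SHA1 of the image URL under a key shared with the proxy, and shows the proxy-side check that keeps the proxy from fetching unsigned URLs. The proxy host, the key, the sample post and the choice to rewrite only plain-HTTP images are assumptions.

```python
import hashlib
import hmac
import re

# Assumptions for this example: placeholder proxy host and shared key.
CAMO_BASE = "https://camo.example.org"
CAMO_KEY = b"constructed-shared-secret"

IMG_SRC = re.compile(r'(<img\b[^>]*?\ssrc=")(http://[^"]+)(")', re.IGNORECASE)


def camo_url(image_url, key=CAMO_KEY, base=CAMO_BASE):
    """Build <base>/<HMAC-SHA1 hex digest>/<hex-encoded image URL>."""
    raw = image_url.encode("utf-8")
    digest = hmac.new(key, raw, hashlib.sha1).hexdigest()
    return f"{base}/{digest}/{raw.hex()}"


def rewrite_images(post_html):
    """Point plain-HTTP <img> sources at the proxy; HTTPS and relative ones stay."""
    return IMG_SRC.sub(
        lambda m: m.group(1) + camo_url(m.group(2)) + m.group(3), post_html)


def verify_request(path, key=CAMO_KEY):
    """Proxy side: return the image URL if the digest is valid, else None."""
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return None
    digest, encoded = parts
    try:
        raw = bytes.fromhex(encoded)
        url = raw.decode("utf-8")
    except ValueError:  # not hex, or not valid UTF-8
        return None
    expected = hmac.new(key, raw, hashlib.sha1).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.lower().encode())
    return url if ok else None


# Constructed sample post body.
SAMPLE_POST = (
    '<p><img src="http://images.example.net/cat.png" alt="cat"> '
    '<img src="https://secure.example.net/dog.png" alt="dog"> '
    '<img src="./images/smilies/icon_biggrin.gif" alt=":D"></p>'
)
```

Only the server rendering the page and the proxy hold the key, so a visitor cannot point the proxy at a URL of their own choosing.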
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: [Discuss] phpBB goes green

Post by Pony99CA »

Noxwizard wrote: Your browser appears to have issues with SSL in general. Your ticket was before we were using it anywhere, so that means you were getting the error from the Google +1 button.
I have certainly logged into other boards and secure sites without problems. I just logged into my online banking site from another tab in this browser window and their address bar turned green, so SSL seems to be working.

I just had somebody in another office visit phpbb.com and they had the same thing happen.
Noxwizard wrote: The Area51 picture shows that you're not viewing Area51 over SSL and since the images all use relative paths, nothing at all is served over HTTPS.
As the Area51 problems seemed to start at the same time as this, I thought that you might have started serving images and such over HTTPS. Maybe the problems started earlier and I just didn't notice.
Noxwizard wrote: As I mentioned in the ticket, you're probably missing Windows updates to the root certificate store. Go here: http://windowsupdate.microsoft.com/ Tell it to install critical updates and check the Optional Updates section and look for a Root Certificates update and install it.
Windows Update says everything is up-to-date. However, this is a managed PC, so I probably couldn't update it if I wanted to.

Yes, it could be a certificate problem, but SSL is working as noted above.
Noxwizard wrote: You should also check to make sure that your clock is set correctly and not to some time in the distant future.
Nope, the clock is Friday 8/17/2012 at 1:17 PM (as I write this).
Noxwizard wrote: As per the announcement, this should continue in the bug tracker. You should use your old ticket as this seems to be on your side. I've tested IE8 from one of my active systems and one on BrowserShots. Neither have any problems.
OK, I'll go back to the ticket, but I wanted to see if other people were also having this problem. It started after upgrading to Windows 7 here, and it got much worse after you went HTTPS. I accept that part of this is environmental, but I'd like to find out why other sites don't have any problems or if there's a workaround (a URL to access a non-secure version of the site, for example).

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.