Which tree do I need to bark up?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
Post Reply
Hermskii
Registered User
Posts: 54
Joined: Thu May 13, 2004 4:45 am
Location: Houston, TX
Contact:

Which tree do I need to bark up?

Post by Hermskii » Tue Aug 20, 2019 3:39 am

I'm currently using version 3.2.3 of PHPBB.

I added that button that allows people to post YouTube videos in people's post on my forum. I have tons of these on thons of topics throughout my forum.

The other day, my hosting provider talked me into getting a SSL certificate and we installed it. Now when you go to my forum it no longer says "Not Secure" in the url bar. Now I have the little lock or it says https:// etc.

After they set this up a member of my forum who constantly post these YouTube videos saw they were all gone. I called my provider and they said the YouTube videos were unsecure because they were considered mixed content and thus they were blocked. They want about $200 to go into all of the places on my forum where there is a unsecure YouTube video and make them work. Then they want another $200 each year to continue making them work AND they want me to open a ticket to have each new YouTube video that someone post get set up to work.

I am not a web guy. I can't do this stuff usually. There is no money changing hands at my website/forum. Do I need the security? Funny how they didn't not warn me this may be an issue. Surely this has happened to somebody here before.

Any help is appreciated. Thanks!
~Peace~

Hermskii

User avatar
warmweer
Registered User
Posts: 2688
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Which tree do I need to bark up?

Post by warmweer » Tue Aug 20, 2019 7:57 am

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
The other day, my hosting provider talked me into getting a SSL certificate and we installed it. Now when you go to my forum it no longer says "Not Secure" in the url bar. Now I have the little lock or it says https:// etc.
....
Do I need the security? Funny how they didn't not warn me this may be an issue. Surely this has happened to somebody here before.
You ask whether you need the security? What arguments did your host use to convince you to get SSL certificate?
Yes, it's an extra layer of security but I fail to see the necessity (and certainly at that price), but there are always more layers which could be installed, and which can slow down your board and/or block some functionalities.
If you didn't have any problems without the SSL, I see no need for it.
Just make sure you have regular backups. AND keep your board uptodate!! (hint: 3.2.3 is not uptodate)
As for the youtube stuff, have a look at the Media embed extension. Youtube can also be added using custom BBcode and IIRC the AdvancedBBCode extension also has a youtube BB code.
My board's not broken, it just went peculiar

User avatar
AmigoJack
Registered User
Posts: 5606
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Which tree do I need to bark up?

Post by AmigoJack » Tue Aug 20, 2019 9:08 am

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
Which tree do I need to bark up?
Please choose an appropriate subject that summarizes your content - that would help more than this.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
that button that allows people to post YouTube videos in people's post on my forum
More likely to link or embed videos, not to post them. Now we have to find out which you are talking about - that's why filling out an SRT with your actual issue, a link to an example and most likely account credentials would help to be able to reproduce the issue.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
my forum it no longer says "Not Secure" in the url bar
The internet browser says so, and it's also not the website that is safe/unsafe - it's only about the transmission. Sadly people without basic knowledge about this are teached the wrong way by well-known internet browsers.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
these YouTube videos saw they were all gone. I called my provider and they said the YouTube videos were unsecure because they were considered mixed content
The videos aren't gone, they surely continue to exist - their embedding is blocked because one of the concepts of a secure transmission is to only consider the whole website safe when every of its linked resources was transferred thru HTTPS - if only one thing (picture, font, style, video...) is linked thru HTTP then we have mixed content.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
They want about $200 to go into all of the places
Believe it or not: based on how good they work this amount of money is justified.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
a unsecure YouTube video
Such a thing does not exist.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
Do I need the security?
Most likely not, but in the end only you or/and your users can answer this. Again: HTTPS is about secure transfer, not securing the website or its content in general.

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
Any help is appreciated
Most likely it's easy to directly manipulate the database to turn all YouTube links that use HTTP into HTTPS ones. But as written before: most likely the story won't end there - whoever embedded other resources (i.e. pictures) thru HTTP reintroduce the "mixed content" issue. And to add even more confusion: not every other website automatically is able to deliver content thru HTTPS just because you want it in HTTPS. If YouTube would not support HTTPS then by theory you cannot avoid mixed content at all.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
John connor
Registered User
Posts: 2208
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Which tree do I need to bark up?

Post by John connor » Tue Aug 20, 2019 3:47 pm

I'd ditch that host. Go to webhosting talk and look around for a new one. $200 to fix links which can easily be done by you is insane. You can do this in one of two ways: 1) with a database query to fix all HTTP links belonging to all links to HTTPS. Or 2) download your database file, use Notepad ++ and run a search and replace there.

I used the Notepad ++ route myself since I don't know database code and I knew it work. I've used Notepad ++ numerous times before as well when I changed domains and needed to change all links in my board to reflect the new domain.

Now whether you need a TLS Cert. or not isn't really important. But Google is wanting everyone to use TLS so it would be in your best interest to at least deploy it, especially since Lets Encrypt is free and most good hosts should offer Lets Encrypt in cPanel. I sure hope your host didn't coax you out of money for a TLS Cert. If so, GET RID OF THAT HOST!

Also, the nature of a forum makes it so that some links use HTTP instead of HTTPS, so you'll likely get a mixed content warning in your browser. You can see what links aren't using HTTPS by using the Dev Tools in your browser. And, if you use CloudFlare, it will automatically fix damn near every non-HTTPS link automatically if you turn that option on in your CloudFlare account. I use the option myself and I have yet to see insecure content.

Care to share a link to your board and who your host is?

User avatar
John connor
Registered User
Posts: 2208
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Which tree do I need to bark up?

Post by John connor » Tue Aug 20, 2019 3:55 pm

Never mind, I see your link.


Looking just at this post, you have mixed content because the user Evilgrin has a HTTP link to his emoticon in his Sig. That link can be served via HTTPS.


evilgrins.jpg

User avatar
AmigoJack
Registered User
Posts: 5606
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Which tree do I need to bark up?

Post by AmigoJack » Tue Aug 20, 2019 4:08 pm

John connor wrote:
Tue Aug 20, 2019 3:47 pm
I have yet to see insecure content
Didn't took long for an example of how HTTPS is misunderstood by people.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Hermskii
Registered User
Posts: 54
Joined: Thu May 13, 2004 4:45 am
Location: Houston, TX
Contact:

Re: Which tree do I need to bark up?

Post by Hermskii » Thu Aug 22, 2019 3:05 am

Thanks all for the detailed responses. I'm going to get with a web guy I know and show him this thread and see what he thinks and go that route. I suspect we will keep the certificate which was a SSL I think and not a TLS. I hope to use a find and replace tool and run it against the forum data swapping out the http for https and hope that gets it mostly done. I'll have to dig more to resolve the left over issues.

Thanks again.
~Peace~

Hermskii

User avatar
John connor
Registered User
Posts: 2208
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Which tree do I need to bark up?

Post by John connor » Thu Aug 22, 2019 3:15 am

If it is in fact SSL and you paid for that you got jacked. It needs to be TLS. Go here and you can test your Cert. https://www.ssllabs.com/ssltest/

Also, a simple database query would achieve what you want to accomplish to change all HTTP links to HTTPS links. However, some links may not be HTTPS enabled so they will break. But it would be better to have a few broken links then a bunch of non-secure links. Another thing is that you'll face an issue when someone shares a HTTP link or uses one in their signature.

I thought there was an extension here to help with mixed content, but I don't remember its name. Perhaps someone else will. I even asked about an extension being created that rewrites all HTTP links using the HTTPS Everywhere database, but no takers.

The other route is CloudFlare like I mentioned.

Hermskii
Registered User
Posts: 54
Joined: Thu May 13, 2004 4:45 am
Location: Houston, TX
Contact:

Re: Which tree do I need to bark up?

Post by Hermskii » Thu Aug 22, 2019 4:33 am

This is a reply to everyone just to fill in some blanks for some of you:

Here is a link to the specific thread on my forum that a user noticed and informed me all of the You Tube in bedded videos are missing from:

https://www.hermskii.com/forum/viewtopic.php?f=4&t=3019

My hosting provider if that is what you call them is GoDaddy.

What I meant by the title of this thread was that I didn't know whether the issue was within PHPBB or from the SSL or where my issue was coming from and thus didn't know where to go to get it fixed.

The SSL didn't cost too much if I recall. I hated that I had to modify my own htaaccess file for it to work. When they sold it to me, I thought they just had to throw a switch and it was done. I sure never expected it to break anything or to work properly and prevent portions of my forum to not be visible again etc.

I want the few folks who do visit my website and forum to know they should be OK visiting and clicking on stuff. I know and they know that they are responsible for their own protection why on the web but I think ity is right to make my area as safe as can be expected by someone who doesn't know squat about web-based security.

John, I really appreciate your responses. Thank you for being so willing to be so helpful.

Thank you all!
~Peace~

Hermskii

User avatar
AmigoJack
Registered User
Posts: 5606
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Which tree do I need to bark up?

Post by AmigoJack » Thu Aug 22, 2019 6:53 am

John connor wrote:
Tue Aug 20, 2019 3:47 pm
fix all HTTP links belonging to all links to HTTPS
John connor wrote:
Thu Aug 22, 2019 3:15 am
change all HTTP links to HTTPS links
Again: do this only if you're sure all the target servers indeed support HTTPS. Or if you want to break links intentionally to consider non-HTTPS servers rather dead than there. If you would link to your board in the past which didn't support HTTPS a HTTPS link would lead to nowhere.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
JoshyPHP
Code Contributor
Posts: 1012
Joined: Mon Jul 11, 2011 12:28 am

Re: Which tree do I need to bark up?

Post by JoshyPHP » Thu Aug 22, 2019 5:04 pm

Hermskii wrote:
Tue Aug 20, 2019 3:39 am
I added that button that allows people to post YouTube videos in people's post on my forum.
No idea what that is, but if that's a custom BBCode then you just edit the BBCode to replace "http:" with "https:" and you're done. Edit: apparently your YouTube thing is a Flash applet so you're going to have to replace it. You should definitely post that in the Support forum.
Hermskii wrote:
Tue Aug 20, 2019 3:39 am
They want about $200 to go into all of the places on my forum where there is a unsecure YouTube video and make them work. Then they want another $200 each year to continue making them work [...]
The first part is fine as fixing your site is usually not part of web hosting packages. On the other hand, the thing about paying yearly is sketchy as hell and could be downright dishonest.

Depending on what kind of work you need, your $200 may be better spent on creating a phpBB extension that fixes the issue permanently.
I wrote the thing that does BBCodes in 3.2.

User avatar
Tastenplayer
Registered User
Posts: 293
Joined: Thu Jul 03, 2014 9:20 pm
Location: Switzerland
Name: Jutta Koliofotis
Contact:

Re: Which tree do I need to bark up?

Post by Tastenplayer » Thu Aug 22, 2019 5:39 pm

So if the forum is hosted in an EU country, then in any case with SSL certificate.
E.g. a transmission form containing personal data has to be encrypted according to the data protection regulation. In the phpBB Forum e.g. the registration form and the Contact Admin form.
How that is if you have members from EU countries in your forum is the question.

There are more and more pages you can not visit anymore, because they are not encrypted and are considered insecure for the browser. Or the access is made more difficult by the browsers.

The Youtube videos have definitely not disappeared. Probably this is no Let`s Encrypt but another certificate that causes problems if the YT video was inserted with http address.

AmigoJack is absolutely right: First you have to check if an http link has been converted into an https link. You can't just change all links in your forum to https.

Pay $200 every year: Never in my life would I do that!
I've been browsing my forum for days to find Youtube videos that aren't displayed and links that aren't working correctly .
With the free certificate "Let`s Encrypt" all Youtube videos are displayed without any problems (With Media extension installed and also these, which are inserted with BBcode. But the BBcode has to be changed to https).
Either this is such an extreme certificate or your hoster has configured the server extremely.
https://abload.de/img/https_yt1dknb.jpg https://abload.de/img/ytbbcodhttpssxkft.jpg

There should be a command with which you can correct / adjust all Youtube links in the database at once (if they have been inserted with BBcode). But unfortunately I did not save this command on my PC (Anyway, I seem to remember that this command was for the database). Maybe someone knows it here.

Edit 23.8.19
What you can do to avoid problems with images from non https pages: install the Ext "External images as link.
Then images from non https pages are only displayed as link and there is no error (green lock in browser disappears) and your forum is described as insecure by the browser because of these images.
https://www.phpbb.com/customise/db/exte ... s_as_link/
Image
My phpBB Style Board & MoreBlackfog 3.2.8 (Version 3.2.8.1)Graphit 3.2.8Mixture 3.2.8FlowerPower 3.2.8 (an olivegreen style with flower forum & topic Icons).BROWSERLING - Test your style live in all IE Versions
Be the best version of yourself rather than a bad copy of someone else!
Excuse me for my English, but I learned the language by speaking to people and not at school. The best online Translator

User avatar
John connor
Registered User
Posts: 2208
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Which tree do I need to bark up?

Post by John connor » Fri Aug 23, 2019 7:16 pm

Looking at the page source for the link you posted, the YouTube links are NOT HTTPS, but are just HTTP. You can solve this with a database query that will rewrite all HTTP links to HTTPS links. However, I mentioned that there may be some links where this will break them since they are not HTTPS capable.

What extension are you using to parse YouTube links? I highly recommend this one, but it is retroactive. Meaning only new content will be parsed. Not the old content.

And it figures that this is GoDaddy because they do indeed suck. I wouldn't even buy a domain from them. In fact, one should ALWAYS separate their hosting account from their domain registration as a security precaution. For me I have my host, and my domain is with Namesilo. I highly recommend them.

Anyway, go to the webhosting talk website and find a new host. You should have never bought a TLS cert when you could have used a free one from LetsEncrypt which should be an option in your cPanel. If GoDaddy doesn't even have that they are truly pathetic. In fact, all hosts should offer that. It's part of cPanel and I don't think it costs that much for the host to offer it in their cPanel offerings. The host buys cPanel from the cPanel company that makes cPanel.

http://www.webhostingtalk.com/

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 3289
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Which tree do I need to bark up?

Post by thecoalman » Sat Aug 24, 2019 1:04 am

Hermskii wrote:
Thu Aug 22, 2019 4:33 am

Here is a link to the specific thread on my forum that a user noticed and informed me all of the You Tube in bedded videos are missing from:

https://www.hermskii.com/forum/viewtopic.php?f=4&t=3019
The BBcode just uses the video ID? You have been posting it like this?

Code: Select all

[youtube]jjJuv00mlk0[/youtube]
If so this is actually very simple to fix. Go to Posting tab >> BBcodes link on the left if you are not already there >> Click green gear next to youtube

Under BBcode usage it should be:

Code: Select all

[youtube]{SIMPLETEXT}[/youtube]
Replacement:

Code: Select all

<iframe width="560" height="315" src="https://www.youtube.com/embed/{SIMPLETEXT}" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Done deal as far as the youtube videos go.... Note you are still going to have mixed content on that page and others. For example the image of Clint in that one posters signature is not https. That can only be fixed with database queries, as already noted you can;t simply do a find http and replace with https.

If you want to you can uncheck "display on posting page" when editing the BBcode. Install the media embed extension. The user only need to post a link and it will automatically embed.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

Post Reply

Return to “phpBB Discussion”