Page 1 of 13 12311 ... LastLast
Results 1 to 10 of 126

Thread: Migrating to SSL (Encrypted) only access...

  1. #1
    SK Member Feb 2017 W4GPL's Avatar
    Join Date
    Jan 2008
    Location
    DM79ms
    Posts
    8,660

    Post Migrating to SSL (Encrypted) only access...

    Hello Islanders! We need to talk about changes I want to make to this forum and how they may impact you.

    In the very near future, I want to turn on SSL encryption exclusively for the entire site. Many sites have done this.. and normally it happens without most users even noticing a difference. However I have a couple of concerns, as I tried this briefly one day many months ago and I had to turn it off due to all the negative user feedback.

    First of all? "Dude, what is SSL?" Is the simplest of terms, it's a secure encrypted connect between you and a server. SSL is used on HTTP (web), e-mail, and many other services all the time. In fact, if you're not using SSL when transmitting a password or otherwise sensitive communication, you might want to ask yourself why -- and how you can change that. :)

    For those of you who are running an updated version of Firefox or Chrome, I could turn on SSL today and likely you wouldn't noticed any difference. For those of you running Internet Explorer and possibly other browsers, you might get an a scary ugly error message saying something to the effect of 'Not all content on this page is encrypted, be afraid, be very afraid.' For those of you running generally older browsers, you might get an even scarier error message saying this website's certificate isn't verifiable and you should run far far away...

    Now we can correct these errors by doing one of two things -- telling you to suck it up and deal with the errors and/or telling you get a modern browser that understands mixed content and/or we can disallow all external linking of content. E.g. no more direct URL image linking or non-SSL YouTube videos, or the like. Personally, I think the latter sucks. I like being able to take an image from arbitrary websites and using the [ img ] tag. So as a community, we have to decide what is more important.

    "Why is this important, aren't things working just fine as they are?" Well.. yes and no. Essentially if you're using an improperly secured wifi connection or cannot explicitly trust all the routers and gateways you run your connection through, it's possible for your password, content, and integrity to be hijacked. We recently had a brief scare with our administrative passwords -- and it was as a direct result of not using SSL. If we had already been using SSL, I would be able to cut back on my intake of Tums and Pepto by 10%. ;)

    At this moment, this is merely a request for comments, suggestions, and even a proper 'fsck you'. My post is a little rambling, so I'm hoping some of the other IT/security minded people on this forum will jump in and help me clarify my position.

    Thanks for your attention to this matter.

  2. #2
    Conch Master KJ3N's Avatar
    Join Date
    Jul 2009
    Location
    A secret cave in northern Delaware.
    Posts
    9,124
    How recent of a browser does one need? On the main desktop, I'm currently on FF 12. Not sure how recent Safari is on the iPad.
    "People Who Don't Want Their Beliefs Laughed at Shouldn't Have Such Funny Beliefs" -AD5MB

    "If someone tells you he believes in and talks to an invisible bunny named Harvey, you put him on medication and a regimen of therapy. If someone tells you he believes in and talks to God, well, that's perfectly acceptable. Why that's the case is impossible for me to fathom." - WP2XX



    Latest ClubLog entries.

  3. #3
    La Rata Del Desierto K7SGJ's Avatar
    Join Date
    Feb 2010
    Location
    The Desert
    Posts
    16,791
    Personally, it doesn't matter to me. If you and the rest of the technical folks feel more secure with SSL, and the site and users will be better off for it, then do it. I think most everyone here is capable of making the necessary changes on their end to adapt. If not, I'm sure there are plenty of knowledgeable people on here that can help a person out, as long as they know which way you came in.
    A clear conscience is usually a sign of a bad memory

    RIP ALBI-W3MIV RIP RUSS-W5RB RIP BOB-VK3ZL





  4. #4
    SK Member Feb 2017 W4GPL's Avatar
    Join Date
    Jan 2008
    Location
    DM79ms
    Posts
    8,660
    Quote Originally Posted by KJ3N View Post
    How recent of a browser does one need? On the main desktop, I'm currently on FF 12. Not sure how recent Safari is on the iPad.
    I can't quote specifics, but I know Firefox 3.x would support the certificate we use.. though I can speak to the warnings you might get, but they can be squelched.

    Really, I'm most concerned about our IE users, because IE is stupid. And that's not just Microsoft bias talking -- it really just handles this stuff in a dumb and non-friendly way.

  5. #5
    Pope Carlo l NQ6U's Avatar
    Join Date
    Jun 2010
    Location
    Maritime Mobile
    Posts
    30,011
    Go for it. I'm using FF 13.x, it should be able to handle whatever you want throw at it.
    All the world’s a stage, but obviously the play is unrehearsed and everybody is ad-libbing his lines. Maybe that’s why it’s hard to tell if we’re living in a tragedy or a farce.

  6. #6
    Pope Carlo l NQ6U's Avatar
    Join Date
    Jun 2010
    Location
    Maritime Mobile
    Posts
    30,011
    FWIW, Chrome and Safari (OS X and iOS version) both use the open source Webkit HTML engine. They should be able to handle it as well.
    All the world’s a stage, but obviously the play is unrehearsed and everybody is ad-libbing his lines. Maybe that’s why it’s hard to tell if we’re living in a tragedy or a farce.

  7. #7
    La Rata Del Desierto K7SGJ's Avatar
    Join Date
    Feb 2010
    Location
    The Desert
    Posts
    16,791
    Do you have a time frame in mind for the change?
    A clear conscience is usually a sign of a bad memory

    RIP ALBI-W3MIV RIP RUSS-W5RB RIP BOB-VK3ZL





  8. #8
    SK Member Feb 2017 W4GPL's Avatar
    Join Date
    Jan 2008
    Location
    DM79ms
    Posts
    8,660
    Quote Originally Posted by K7SGJ View Post
    Do you have a time frame in mind for the change?
    Soon. But I want to at least allow the majority of our members to see the notice and let them comment or at least note they may see some unexpected warning messages depending on the type of browser they use and the thread they're viewing. Most threads don't have external content so I wouldn't expect them to get any strange errors in those instances.

  9. #9
    Administrator N8YX's Avatar
    Join Date
    Feb 2007
    Location
    Out in the sticks
    Posts
    26,114
    We probably should test this with the various mobile browsers and identify any potential gotchas up front.
    "Everyone wants to be an AM Gangsta until it's time to start doing AM Gangsta shit."

  10. #10
    SK Member Feb 2017 W4GPL's Avatar
    Join Date
    Jan 2008
    Location
    DM79ms
    Posts
    8,660
    Quote Originally Posted by N8YX View Post
    We probably should test this with the various mobile browsers and identify any potential gotchas up front.
    Unfortunately, due to technical (and absolutely absurd) limitations of vBulletin, it's really an on or off proposition. vBulletin uses absolute URLs from the configuration and you can't specify it to detect whether or not the user coming to the SSL port. *sigh*

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •