Enhancing Batoto Security (Sorta)


This topic is locked
26 replies to this topic

#1
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

Well, with the recent case of a security outbreak, I thought it'd be a good time to make a small change.

 

Short version:

  • SSL logins! Hit forums page first! And then click login. This will allow your login info to be encrypted while it comes to our server.
  • Admin panel! Yeah... doesn't affect you (minus 3 people)...

 

 

Long version:

Definitions:

Core site - This includes forums, members page, mod panel, admin panel, etc. which are included by IPB's most basic forum package.

IPC - IP.Content based - This includes front page, comics, random, groups, chat, etc. This is an addon module made by IPB.

 

Batoto has a lot of non-secure content in the core site. That includes people's signatures, social media crap, etc. So, throughout the core site you'll see either a mixed content warning, broken padlock or missing padlock (depending on browser). So, it's not something that was added to make the entire site encrypted, but mainly to target safer login page and admin panel.

 

As for the IPC pages, I found out it's rather impossible (without a large amount of reprogramming IPC) to support https right now due to how IPC is made and how ads work. So, whenever you visit an IPC page, you'll be sent back to http (non-encrypted).

 

If you are one of those odd people that still use IE8 or similar ancient browsers, you're gonna start getting a lot of popups saying this page has mixed content and how it's insecure.... when it's still not any worse than a regular page. You can turn that warning off permanently. Here is some random blog I found which gives a tutorial on how to disable that. But this demographic only makes up <0.01% of my viewers (the percentage counter doesn't go any lower). Multiply that by the chance that they actually view the forums, and you get <0.001%. So, I've safely nulled them from my loss calculation.

 

 

PS. I finally used the SSL 1 year voucher I got back in 2012.



#2
RSG

    Potato Spud

  • Members
  • 19 posts
  • Location: Under Your Carpet

Just to let you know, the notifications thing does not want to load on the front page



#3
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

Just to let you know, the notifications thing does not want to load on the front page

feexed. thanks.



#4
ku4eto

    Potato Spud

  • Members
  • 32 posts
  • Location: Bulgaria, Sofia

Self-signed SSL? Since you are using cURL, I am finding it a bit hard to understand how exactly you got SSL only on some of the pages (those without ads), while on others there is SSL (exception)?


"Together we fight.... for the blood of the nations!"
"Running through life with blindfolds..."


#5
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

Self-signed SSL? Since you are using cURL, I am finding it a bit hard to understand how exactly you got SSL only on some of the pages (those without ads), while on others there is SSL (exception)?

Self-signed would get a big warning (and be worthless). It's Comodo verified.

 

I can put partial SSL because I programmed it that way. Not really much else I can say tbh. I make rules like if Xpage, enable ssl, in the server & ipb.



#6
ku4eto

    Potato Spud

  • Members
  • 32 posts
  • Location: Bulgaria, Sofia

Clicked too fast on the security exception to see if it was self-signed or verified. A question a bit outside of security: are the SQL DBs separated, like forum accounts, user accounts, content and so on? I don't have big experience with multi-DB related coding.




#7
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

Clicked too fast on the security exception to see if it was self-signed or verified. A question a bit outside of security: are the SQL DBs separated, like forum accounts, user accounts, content and so on? I don't have big experience with multi-DB related coding.

There is only one active schema for Batoto, but it is designed so that parts of it can be extracted to separate SQL servers. Don't see the need though; the DB server is more than capable of handling the current load.

 

But again, this is an announcement thread. If you want to ask me private questions, shoot me a PM. Or make general threads if you want the public to be in on it.



#8
Mousehunter

    Potato Sprout

  • Members
  • 3 posts

I had an issue the last 2-3 days that I don't get automatically logged in after closing down the browser (using firefox 29.0.1), and I need to fix the language setting on the front page again, is this connected to the current issues?

 

edit: logging in while on the forum fixed it.


Edited by Mousehunter, 10 June 2014 - 08:28 PM.


#9
PsychoMantis

    Fingerling Potato

  • Members
  • 89 posts

Grumpy,

can you somehow fix YouTube links on the forum? After you have added SSL, YouTube embed videos stopped showing in some topics

(though some topics are totally fine, 'cause they don't run under https.)

it kinda ruined the whole Your Favorite OP/ED Anime Music topic


Edited by PsychoMantis, 11 June 2014 - 09:34 PM.


Seira J. Loyard

 

"If the character changes eye colour... He or she is OP as fuck." Evilnemesis


#10
Daktyl

    Discord King

  • Contrib Mods
  • 825 posts
  • Location: MI, USA

Grumpy,

can you somehow fix YouTube links on the forum? After you have added SSL, YouTube embed videos stopped showing in some topics

(though some topics are totally fine, 'cause they don't run under https.)

it kinda ruined the whole Your Favorite OP/ED Anime Music topic

Until grumpy fixes the issue, you can always temporarily allow "unsafe content" also called "insecure content" (content loaded through http over an https connection) which should show the Youtube videos just fine.

Google/Bing how to do it with your favorite browser.

 

Obviously, this is not a recommended thing, but it works *shrug*


To Grumpy:

Oh, it just hit me (and I don't know the full issues with it), but couldn't you use the SPDY protocol instead of HTTP now?

 

It would require serving pages completely over https instead of the mixed-content we have now, and I know that wouldn't be financially beneficial right now with only the one SSL cert (as the image servers would have to have one too)...

Unless you have a wildcard cert. Then everything should be fine, no?


Edited by Daktyl198, 12 June 2014 - 01:01 AM.

My words are my own, and do not represent Batoto in any way, shape, or form unless otherwise stated in the post itself ^.^


#11
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

It would require serving pages completely over https instead of the mixed-content we have now, and I know that wouldn't be financially beneficial right now with only the one SSL cert (as the image servers would have to have one too)...

Unless you have a wildcard cert. Then everything should be fine, no?

It's not our servers that are the source of mixed content, but third parties. Like people's signatures hosted on other sites that are breaking the SSL. So, even a wildcard cert wouldn't help.



#12
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

Grumpy,

can you somehow fix YouTube links on the forum? After you have added SSL, YouTube embed videos stopped showing in some topics

(though some topics are totally fine, 'cause they don't run under https.)

it kinda ruined the whole Your Favorite OP/ED Anime Music topic

Fixed youtube urls.



#13
x5c0d3

    Potato Spud

  • Members
  • 17 posts

I don't know how the template engine of IP Board works. But "all you have to do" (uuh.. sounds so simple) is to change the http:// from active content like js links, or embeds to https. I did this some months ago for phpBB for a customer of mine who changed to https. If I can help in any way feel free to contact me. If IP Board uses Smarty you can simply set an output filter method and change the urls with a small regex.


Edited by x5c0d3, 12 June 2014 - 11:10 PM.


#14
Kannade

    Baked Potato

  • Donator
  • 1,204 posts
  • Location: konoha

Fixed youtube urls.

 

I'm still having an issue with embedded youtube vids. The only videos that show up for me are the ones that are inside quotes. For example:

 

Spoiler



#15
Daktyl

    Discord King

  • Contrib Mods
  • 825 posts
  • Location: MI, USA

I'm still having an issue with embedded youtube vids. The only videos that show up for me are the ones that are inside quotes. For example:

 

Spoiler

Works fine for me, try a cache-free reload (ctrl+shift+r on Firefox/Chrome/Opera)




#16
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

I don't know how the template engine of IP Board works. But "all you have to do" (uuh.. sounds so simple) is to change the http:// from active content like js links, or embeds to https. I did this some months ago for phpBB for a customer of mine who changed to https. If I can help in any way feel free to contact me. If IP Board uses Smarty you can simply set an output filter method and change the urls with a small regex.

For normal sites, all that requires is changing the setting from http to https. The problem is not us, but 3rd-party sources who don't necessarily have SSL options.

 

I'm still having an issue with embedded youtube vids. The only videos that show up for me are the ones that are inside quotes. For example:

 

Spoiler

That's odd. I double checked the embed codes and cleared cache again. Seems to be working this time around. Not sure why it was different in that case. Each browser handles it differently though. Opera/Chrome will display anyway and say https broke. Firefox seems to not display it at all for flash content. I suppose that makes FF a bit more secure. ^_^



#17
x5c0d3

    Potato Spud

  • Members
  • 17 posts

For normal sites, all that requires is changing the setting from http to https. The problem is not us, but 3rd-party sources who don't necessarily have SSL options.

Yes, that's what I meant. I change the posted URLs to https even if the user posted active content with an http link. For external pictures I use a small picproxy which runs on our server (on https) and uses curl to grab the external pic and provide it. That's to make sure that we can use https even for sites that don't have it. ;)
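The remediation x5c0d3 sketches in #13 and #17 (rewrite posted http:// embeds to https, proxy external pictures through the site's own https server) and the mixed-content breakage Grumpy describes in #1, worked out as an added Python example. This is not Batoto's, IP.Board's or x5c0d3's code. It assumes a constructed allow-list of third-party hosts known to serve the same content over https (the thread only names YouTube) and a hypothetical picproxy endpoint `PROXY_BASE` whose URLs carry an HMAC signature so the proxy cannot be turned into an open relay; the thread's picproxy is described only as curl-based, so the signing is an addition here.

```python
# Added example (not Batoto's or IP.Board's code): audit http:// resources in
# a post served over https and rewrite what can be fixed.  Values marked
# "constructed"/"hypothetical" are assumptions, not anything from the thread.
import hashlib
import hmac
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# Browsers block *active* mixed content outright; *passive* content usually loads with a warning.
ACTIVE_SOURCES = {("script", "src"), ("iframe", "src"), ("embed", "src"),
                  ("object", "data"), ("link", "href")}
PASSIVE_SOURCES = {("img", "src"), ("audio", "src"), ("video", "src")}

HTTPS_CAPABLE_HOSTS = {"www.youtube.com", "youtube.com"}   # constructed allow-list
PROXY_BASE = "https://www.example.net/picproxy"              # hypothetical endpoint
PROXY_KEY = b"constructed-demo-key-use-a-random-secret"      # constructed


class MixedContentScanner(HTMLParser):
    """Collects http:// resource URLs and labels each one active or passive."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE_SOURCES:
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE_SOURCES:
                self.findings.append(("passive", tag, value))


def find_mixed_content(html):
    """Audit step: what in this post would break the padlock on an https page?"""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def sign_proxy_url(url):
    """Mint a proxy URL the proxy honours only because our server signed it."""
    sig = hmac.new(PROXY_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{sig}/{quote(url, safe='')}"


def split_proxy_url(proxy_url):
    """Inverse of sign_proxy_url's path layout: returns (sig, encoded_url)."""
    sig, encoded = proxy_url[len(PROXY_BASE) + 1:].split("/", 1)
    return sig, encoded


def verify_proxy_request(sig, encoded_url):
    """Proxy side: the upstream URL to fetch, or None to refuse (bad signature or non-http scheme)."""
    url = unquote(encoded_url)
    expected = hmac.new(PROXY_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if urlsplit(url).scheme not in ("http", "https"):
        return None
    return url


# The "small regex" output filter: only src attributes of the tags we handle.
_SRC_RE = re.compile(
    r'(<(?P<tag>script|iframe|embed|img)\b[^>]*?\bsrc=")(?P<url>http://[^"]+)(")',
    re.IGNORECASE)


def upgrade_post_html(html):
    """Rewrite a post: https where the host supports it, signed proxy for other images."""
    report = []

    def repl(match):
        tag, url = match.group("tag").lower(), match.group("url")
        if urlsplit(url).hostname in HTTPS_CAPABLE_HOSTS:
            new_url = "https://" + url[len("http://"):]
            report.append(("upgraded", tag, url))
        elif tag == "img":
            new_url = sign_proxy_url(url)
            report.append(("proxied", tag, url))
        else:
            # active content on a host without https: leave it, the browser will block it
            report.append(("unresolved", tag, url))
            return match.group(0)
        return match.group(1) + new_url + match.group(4)

    return _SRC_RE.sub(repl, html), report


# Constructed sample post: a hotlinked signature image, a YouTube embed, an ad tag.
SAMPLE_POST = (
    '<img src="http://sig.example.org/banner.png" alt="sig">\n'
    '<iframe src="http://www.youtube.com/embed/VIDEOID"></iframe>\n'
    '<script src="http://ads.example.com/tag.js"></script>\n'
    '<img src="https://secure.example.org/ok.png">\n'
)
```

Running `upgrade_post_html(SAMPLE_POST)` upgrades the YouTube iframe, routes the signature image through the signed proxy, and reports the ad `<script>` as unresolved rather than touching it, which matches what Grumpy observes in #16 and #19: active content from a host with no https is simply blocked by the browser, and the only real fix is an https-capable ad network. The signature check in `verify_proxy_request` is what stops a curl-based picproxy from becoming an open fetch-anything relay for whoever can post an image URL.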



#18
x5c0d3

    Potato Spud

  • Members
  • 17 posts

It looks like this server is owned by you. So I guess you also have root access to the shell. You could add

# send only the forum path to https
Redirect permanent /forums/ https://www.batoto.net/forums/

inside the VirtualHost Configuration of Port 80 if you want IP Board to run forcibly on https. Or use mod_rewrite

RewriteEngine On

# match requests that did not arrive over https ("!=on" is one token; a space breaks the directive)
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

Edited by x5c0d3, 13 June 2014 - 04:27 PM.


#19
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!


It looks like this server is owned by you. So I guess you also have root access to the shell. You could add

# send only the forum path to https
Redirect permanent /forums/ https://www.batoto.net/forums/

inside the VirtualHost Configuration of Port 80 if you want IP Board to run forcibly on https. Or use mod_rewrite

RewriteEngine On

# match requests that did not arrive over https ("!=on" is one token; a space breaks the directive)
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

I don't use apache. And something like that is already what's being done to parts of the site.

 

Yes, that's what I meant. I change the posted URLs to https even if the user posted active content with an http link. For external pictures I use a small picproxy which runs on our server (on https) and uses curl to grab the external pic and provide it. That's to make sure that we can use https even for sites that don't have it. ;)

The primary perpetrator of the ssl breaker is ads. And I can't cache that.



#20
x5c0d3

    Potato Spud

  • Members
  • 17 posts

But the ad hosters mostly also provide an https version, like Facebook, Twitter, Google AdSense and many others.

Blame on me that I didn't take a look at the header data of your request replies. nginx is what you use. :) btw... please don't understand me wrong. All I want is to offer my help and maybe knowledge. That's my way to donate to a site I like and use a lot. :)


Edited by x5c0d3, 13 June 2014 - 07:55 PM.