Can we have SSL?

Announcements and items of immediate importance.
ian_krase
Posts: 348
Joined: Mon Nov 28, 2016 7:48 am
Real name: Ian Krase

Can we have SSL?

Post by ian_krase » Wed Aug 09, 2017 4:27 am

This forum is one of the very few sites with any kind of logon that doesn't support SSL/HTTPS security. Since the introduction of Let's Encrypt, the certificate needed for this kind of security can be provided for free.

Is there a chance we could have the forums secured with SSL? Anybody who submitted to the temptation of reusing passwords is currently at risk.

Frank Sanns
Site Admin
Posts: 1542
Joined: Fri Jun 14, 2002 6:26 pm
Real name: Frank Sanns
Location: Pittsburgh, PA USA

Re: Can we have SSL?

Post by Frank Sanns » Wed Aug 09, 2017 10:35 pm

Done.

Let me know if it is working for everybody or if there is any problem.

John Myers
Posts: 34
Joined: Wed Mar 08, 2017 12:13 am
Location: SoCal

Re: Can we have SSL?

Post by John Myers » Thu Aug 10, 2017 2:47 am

I'm forced to login with https but Firefox shows the CERT is bad, which requires you to ignore their dire warnings and add an exception for this site.

ian_krase
Posts: 348
Joined: Mon Nov 28, 2016 7:48 am
Real name: Ian Krase

Re: Can we have SSL?

Post by ian_krase » Thu Aug 10, 2017 3:28 am

Wait, you mean you need to type "https" manually to secure-login, or you can *only* login with https?


Everybody is trying to really crack down on untrusted certificates... where it sometimes seems that "trust" means "paid Verisign umpteen hundred dollars".

However, that does get you past the question of whether the exception you're adding for the first time is even valid.

Let's Encrypt is automated and it only guarantees that you do indeed own the domain name, but it's better, and makes HTTPS automagical for non-technical users which is important -- encouraging people to ignore/clickthrough security warnings is not a good habit to teach.

John Myers
Posts: 34
Joined: Wed Mar 08, 2017 12:13 am
Location: SoCal

Re: Can we have SSL?

Post by John Myers » Thu Aug 10, 2017 4:02 am

It wasn't letting me login at all with just http.
I logged in with HTTPS and temporarily allowed the exception.
The CERT was from Media Temple, which appears to be the hosting site for this forum.

I'm able to now login with http, so I'm not sure what was going on.

Jim Stead
Posts: 87
Joined: Thu Aug 20, 2015 3:44 am
Real name: Jim Stead

Re: Can we have SSL?

Post by Jim Stead » Thu Aug 10, 2017 4:36 am

I'm posting this in case it is helpful -

I was previously logged in with http, no problem with view access. I tried https with Firefox and ran into the same problem John had. But the issue is not a lack of trust. It's the domain name. The Cert appears to be a wildcard for the host company, rather than Fusor.net.
i.e.:
www.fusor.net uses an invalid security certificate.
The certificate is only valid for the following names: *.gridserver.com, gridserver.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

When going back to http, I was not able to stay logged in. I went through the login process and was told I successfully logged in. But, as soon as I went anywhere I was logged out. I did this more than once to prove it was not a fluke. Oddly enough, the "Registered Users" list at the bottom showed me as connected the whole time.

In Firefox, I cleared my cookies and tried connecting again. I was able to login this time under http, but things were really slow and I saw a memory error page from the site.
That's gone now, speed is back to normal. Perhaps it was entirely unrelated.

A re-test of https showed the same results as before, but I am able to go back to http and see that I am still logged in. Posting this under those conditions.
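
What Firefox's SSL_ERROR_BAD_CERT_DOMAIN is complaining about, as an added illustration that is not part of Jim's post: the check that fails is the hostname match, and it is independent of whether the issuer is trusted. The function below applies the RFC 6125 rules browsers use (a wildcard is honoured only as the entire leftmost label, and it stands for exactly one label) to the two names quoted in the error message. The name list is taken from that error; everything else here is constructed for the example.

```python
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, RFC 6125 style:
    case-insensitive, and a wildcard is honoured only when it is the entire
    leftmost label and stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.example.com" style is accepted: no "f*.example.com", no "*.com",
    # no wildcard anywhere except the leftmost label.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # "*.gridserver.com" covers exactly one extra label: www.gridserver.com
    # matches, gridserver.com and a.b.gridserver.com do not.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def match_hostname(hostname: str, cert_names) -> bool:
    """True if the hostname the user typed is covered by one of the names
    in the certificate (its subjectAltName dNSName entries). IP addresses
    must match literally; wildcards never apply to them."""
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        return any(_dns_name_matches(name, hostname) for name in cert_names)
    return any(name == hostname for name in cert_names)


# The names Firefox listed for the certificate served on www.fusor.net
FUSOR_CERT_NAMES = ["*.gridserver.com", "gridserver.com"]


def explain(hostname: str, cert_names=FUSOR_CERT_NAMES) -> str:
    """Produce the same verdict Firefox shows, for a given hostname."""
    if match_hostname(hostname, cert_names):
        return f"{hostname}: certificate name matches"
    return (f"{hostname}: SSL_ERROR_BAD_CERT_DOMAIN, certificate is only valid "
            f"for {', '.join(cert_names)}")


if __name__ == "__main__":
    for host in ("www.fusor.net", "www.gridserver.com", "gridserver.com",
                 "a.b.gridserver.com"):
        print(explain(host))
```

This is the same check Python's ssl module performs when check_hostname is left enabled. Chain validation (does the issuer lead to a trusted root) is a separate step, so a certificate can be perfectly trusted and still fail here, which is exactly the distinction Jim draws: adding a trust exception does not change the fact that the name on the certificate is not the name in the address bar.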

ian_krase
Posts: 348
Joined: Mon Nov 28, 2016 7:48 am
Real name: Ian Krase

Re: Can we have SSL?

Post by ian_krase » Thu Aug 10, 2017 10:53 am

I've previously suffered the logging-out problem on my smartphone. Today I had it on my desktop as well.

Jeroen Vriesman
Posts: 280
Joined: Mon Feb 07, 2011 9:08 pm
Real name: Jeroen Vriesman
Location: Netherlands

Re: Can we have SSL?

Post by Jeroen Vriesman » Thu Aug 10, 2017 2:56 pm

Not how it should be.

The http login still exists, shows "successful login" and then it logs out, and I had to manually type the https login url... And the certificate exception has to be added manually.

Let's Encrypt has an update mechanism which should be installed on the server, not ideal.

Comodo also offers free certificates, so getting one for www.fusor.net would be the first step. Then configure the webserver to always redirect any http url to https.
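
One mechanism that produces exactly the symptom Jim and Jeroen describe (the http login page reports success, the next page shows you logged out), added here as an illustration rather than anything established in the thread: a session cookie issued with the Secure attribute is never sent by the browser over plain http, so the board sees no session on the following request. phpBB's admin panel has a "Cookie secure" switch that sets that attribute; that this is the switch that was flipped is my assumption, not something the thread confirms. The cookie name, URLs and the Board class below are constructed for the simulation.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the Secure attribute from the Set-Cookie header


class CookieJar:
    """A browser cookie jar reduced to the one rule that matters here:
    a cookie marked Secure is attached only to https requests."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie: Cookie, set_over_scheme: str) -> bool:
        # Current browsers also refuse to *store* a Secure cookie that arrives
        # over plain http; older ones stored it but still never sent it over
        # http. Either way the http session is lost.
        if cookie.secure and set_over_scheme != "https":
            return False
        self._cookies[cookie.name] = cookie
        return True

    def cookies_for(self, url: str) -> dict:
        scheme = urlsplit(url).scheme
        return {c.name: c.value for c in self._cookies.values()
                if scheme == "https" or not c.secure}


class Board:
    """Stand-in for the forum software: hands out a session cookie at login
    and looks for it on every later page load."""

    SESSION_COOKIE = "board_sid"  # hypothetical cookie name

    def __init__(self, cookie_secure: bool):
        self.cookie_secure = cookie_secure  # the "Cookie secure" switch
        self.sessions = set()

    def login(self, jar: CookieJar, url: str, username: str) -> str:
        sid = f"sid-for-{username}"
        self.sessions.add(sid)
        jar.store(Cookie(self.SESSION_COOKIE, sid, self.cookie_secure),
                  urlsplit(url).scheme)
        # The "successful login" page is rendered regardless of whether the
        # browser will ever return the cookie.
        return "You have been successfully logged in."

    def is_logged_in(self, jar: CookieJar, url: str) -> bool:
        return jar.cookies_for(url).get(self.SESSION_COOKIE) in self.sessions


def session_survives(cookie_secure: bool, login_scheme: str,
                     browse_scheme: str = None) -> bool:
    """Log in over login_scheme, then load the next page over browse_scheme
    (default: the same scheme) and report whether the board still sees a
    session."""
    browse_scheme = browse_scheme or login_scheme
    board = Board(cookie_secure)
    jar = CookieJar()
    board.login(jar, f"{login_scheme}://www.fusor.net/ucp.php?mode=login", "jim")
    return board.is_logged_in(jar, f"{browse_scheme}://www.fusor.net/index.php")


if __name__ == "__main__":
    for secure in (False, True):
        for scheme in ("http", "https"):
            outcome = "stays logged in" if session_survives(secure, scheme) \
                else "logged out on next page"
            print(f"cookie_secure={secure!s:5} login over {scheme:5}: {outcome}")
```

With the switch off, both schemes keep the session; with it on, only https does, and a login over https followed by a plain http page also drops it. That is why the redirect Jeroen asks for matters beyond tidiness: as long as the board stays reachable over http, the http login form will keep reporting success and then losing the session.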

Frank Sanns
Site Admin
Posts: 1542
Joined: Fri Jun 14, 2002 6:26 pm
Real name: Frank Sanns
Location: Pittsburgh, PA USA

Re: Can we have SSL?

Post by Frank Sanns » Thu Aug 10, 2017 3:50 pm

Comodo is free only for the first 90 days. Let's Encrypt on the server is not something I am wild about.

Before paying for something, what is the cost-to-benefit ratio? I understand people can see what we are reading, but it is a public forum that everybody can read anyway. Yes, it could be intercepted en route and passwords are not secure, but is this really a risk for us on this forum? Maybe it is, maybe it is not. Throwing a switch on a setting is easy and free, as I have attempted, but alas it is not working as needed.

Any other suggestions or routes that make sense?

Jeroen Vriesman
Posts: 280
Joined: Mon Feb 07, 2011 9:08 pm
Real name: Jeroen Vriesman
Location: Netherlands

Re: Can we have SSL?

Post by Jeroen Vriesman » Fri Aug 11, 2017 8:03 am

ah, just the first 90 days...my mistake.

Indeed the letsencrypt scripts are a bit big, and following the steps manually is tedious.
I used StartSSL; they do have completely free certs.

About the benefits:
The unencrypted passwords might be sniffed, so the fusor site itself could be hacked; sometimes people use the same passwords for other services, which is also a risk.

You could use a DIY certificate-authority-signed certificate; the encryption would work completely fine, it's just that browsers don't trust the certificate authority by default, so the user has to make a security exception.
But StartSSL offers certs for free, and email notification when a renewal is needed, so there is no need to use your own cert auth. As with letsencrypt it's only domain validation, but that doesn't make any difference for the encryption itself.
