|
Converting to https
The Cellar is converting to https so that everything will be more secure.
There was a bit of oddness in the last hour or two as I set things up. Please let me know of any oddities you might still notice, things not working and whatnot... thankee! |
No smilies and can't attach a picture to a post.
|
|
On the toolbar below the tagline, clicking the Community link doesn't give a drop down menu for Social Groups and Members List. It instead refreshes the page adding those links to the toolbar which expands it out of the Cellar Index framework.
|
1 Attachment(s)
I believe smilies, the drop-down menu, and attachments are fixed.
If a picture of Eagles CB Jalen Mills is attached |
Does he have green hair?
|
Quote:
|
still not working for me ...if I click on more smilies it does nothing. Or hangs.
|
:) let's see if a regular one works :eek:
|
It may take a browser refresh (or even a close and re-open) to tell the browser the new settings are in?
|
done that a bazillion time because I use exploder and it sucks. And at least one restart. I'm sure it's just me. thanks
|
probably some pop-up blocker shite got reset or something
|
That is very possible due to the address change - you may have to create a new exception for the https version of the site, or the non-www version of the site if you're directed there.
|
Is that Baby Carrot Top up there?
|
so... it still shows http://. I closed and went through a google search to try and bypass favorites... should the address be https now?
|
No well it's not enforced yet, but will be soon cos it's not truly secure until then. Still working out the first set of issues.
|
Everything seems to be working for me, and considerably faster too. :thumb:
|
1 Attachment(s)
|
Works for me in firefox
|
1 Attachment(s)
:dunce: Works OK for me in Forefox, too ...
|
There are still a few lingering items going on... working on it.
Ugh, I did not expect this to be such a problem... |
Yeah. The actual issue is that the site was built depending on Yahoo! code, loaded from Yahoo!, that is delivered INSECURELY and so all Javascript is broken in the https version of our site.
Working on it... |
Thanks for your work!
|
My pleasure sir!
And just like that, a little research says you can obtain the same Javascirpt libraries from Google instead of Yahoo!. We are now getting those from Google over SSL, which means they are secure too. (But a little... slower? Hmmm is it just me?) This appears to have been one of the final steps in getting the "lock" symbol to show up when you browse the site with https. Which is a goal of all this. In another day or two, if everything works, I'll figure out how to redirect all http requests to https. |
The lock symbol is broken right now on any page where requests are made for attachments, or images with http instead of https. So if an https page includes a call for http... it's not secure. Makes sense.
I just add this running commentary in case this is interesting for folks |
So I posted two smilies this morning from my laptop using Firefox and they worked. But now on tapatalk, I only see one of them worked.
|
Quote:
|
Yes, it is interesting.
Thank you for the work and the commentary. ETA: I'm getting the green hair thing, too. |
It's pretty easy to see what's causing security problems on a page, using Chrome.
You hit F12 and the Developers Console comes up. If you use Chrome and accidentally have hit F12, you have seen this thing. If you've ever developed in CSS or Javascript, you already know. The Security tab tells you exactly why the page is considered non-secure. ~ Changing ALL hotlinked images is going to be a drag, or at least, a dangerous thing. I'm not sure it can even be done. There's no global search and replace in the forum software. Each one of those images is linked with an insecure permanent BBCODE bit of text. The change has to happen at database level and it has the potential to break things. |
Quote:
|
I know nothing about this stuff, so maybe this is a dumb question. But I don't think it's critical that old hotlinked images be displayed. Can you just break the image link and leave the text link there, pointing to the picture?
|
Well, that'll serve us for hotlinking.
And while "converting to https," invites the response, "Yeah, you know me." it doesn't really want it to come to the party because of the superfluous s at the end. So, no. |
Or download the image, break the link and put the image back in the post, but only UT and the mods can do that.
|
Yeah, I'm not fixing thousands of hot linked images.
|
Quote:
|
And it may not matter all that much either.
Google is downgrading pages not served up with https, and soon they will be sending warnings about any page that appears to be collecting password or credit card data over a page without https. Do they downgrade if the page is secure, but contains insecure sections? I don't know. It's an issue because, if you're not logged in, every Cellar page has a login box at the top. The register page is entirely secure... |
We are currently enforcing https, which means if people are browsing with http they will get rudely re-directed to the https version.
Let's see if any issues are reported in the next hour or so |
One probably has to look outside of database fixes as some folks did with phpBB by creating an extension that runs hyperlinked http requests through an SSL image proxy server which rewrites them to https to appear as secure for viewing. I don't know if anything like this has ever been developed for vBulletin; but, it might be worth looking around for. If you find something, it might be worth bringing back the tip mug to pay for it. I suppose you could do a poll.
Quote:
|
The long run plan is to get away from vBulletin though, cos vBulletin has lost its mojo. But it may be possible to proxy these requests anyway... looking into it...
|
Quote:
Conversely, I'm not a big fan of data rot, so there's that... |
It is interesting to notice how many sites on the net have this issue... and how many won't even serve up https versions. https://cnn.com serves up a ton of http:
This may give us some Google mojo. |
@ Flint,
Yes, unfortunately, it only preserves viewing ability. |
1 Attachment(s)
Clicking on the link in post 41.
. |
I'm getting the privacy message. I'll come back tomorrow when the people that know what they are doing get done.
|
Quote:
I ask, because I have an editor that can handle very, very large files. I've only bothered to try it on text files, not... other files. And I don't know what kind of files you're dealing with wrt the places where the offending "BBCODE bit of text" is. The editor is at work and my brain is offline. If you're interested, indicate that and I'll dig up the editor / link info for you. The tool all by itself is impressive. |
All this stuff is in a database and easily editable, the question is whether increasing the size of the text field that contains each post will break the system. The developers have, as usual, done their best to make it difficult. I'm inclined to let it go, seeing how many top sites have the issue.
|
http://www.cellar.org/showthread.php?t=32417
This is what I have as a URL, although the http part is not visible. I didn't log out when I closed my browser. |
I turned off enforcing... turning it back on now so the http will redirect automatically to https
The web spiders are a little confused right now... all still trying the old addresses, let's see how they do with this |
tapatalk is confused right now, but I can get here on my laptop.
|
That's no good, we need tapatalk... they offer a way to specify that the forum uses https, but that feature is down now! Redirection cancelled...
|
3 minutes later and not editing my post... the feature works now and Tapatalk has been updated to understand we are https. Redirection back on. It may take a cycle for Tapatalk to pick this up for everyone. It certainly hasn't figured it out yet on my device...
|
On my phone, which I can't show you because it's on my phone and this is not my phone and I tried to send a picture of it to my email to add here but I can't do that either so I'll describe it:
address box has a red triangle with an exclamation point in it, then https://cellar org only the https is in red and has cross-outs superimposed. Then in the page space the triangle, "Your connection is not private" "Attackers might be trying to steal...blah blah blah" "NET::ERR_CERT_AUTHORITY_INVALID" I don't use Tapatalk. Don't particularly want to. If this has been addressed I couldn't find it in the small amount of time I had to look for it. Thanks! |
That might have happened cos it picked up an old cert that I was using for a while to test it yesterday... but after I installed a proper cert the authority should now be valid.
In cases like these, if you know it's the Cellar, you can hit "Advanced" and the "proceed anyway". Only if you know it's the Cellar. |
I'm on my PC and not being forced anywhere https wise. It's the same, familiar, comfy pair of slippers ...
|
tapatalk is working now and my pc sees https, looks like it's all working for me now.
|
Tapatalk for me is still vexed if redirection is on.
Ugh so I've had it turned off and let's wait a day for it to pick up that change |
I have a headache in my eye.
|
I have an eye in my headache.
|
Btw, working fine now. Good work. :)
|
Well I don't care for it. I can't get one picture anywhere. They all show 0 then broke ticket. This sucks. I will come back in a few see how things are. I hate "new and improved"..
tarheel |
| All times are GMT -5. The time now is 04:24 AM. |
Powered by: vBulletin Version 3.8.1
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.