Converting to https

[Flint]

Yes, it is interesting.
Thank you for the work and the commentary.

ETA: I'm getting the green hair thing, too.

[glatt]

So I posted two smilies this morning from my laptop using Firefox and they worked. But now on tapatalk, I only see one of them worked.

[xoxoxoBruce]

Quote:

Originally Posted by glatt

So I posted two smilies this morning from my laptop using Firefox and they worked. But now on tapatalk, I only see one of them worked.

They are both there, you just can't see them on tapatalk.

[Undertoad]

It's pretty easy to see what's causing security problems on a page, using Chrome.

You hit F12 and the Developers Console comes up. If you use Chrome and accidentally have hit F12, you have seen this thing. If you've ever developed in CSS or Javascript, you already know.

The Security tab tells you exactly why the page is considered non-secure.

~

Changing ALL hotlinked images is going to be a drag, or at least, a dangerous thing. I'm not sure it can even be done. There's no global search and replace in the forum software. Each one of those images is linked with an insecure permanent BBCODE bit of text. The change has to happen at database level and it has the potential to break things.

[BigV]

Quote:

Originally Posted by Undertoad

snip--

Changing ALL hotlinked images is going to be a drag, or at least, a dangerous thing. I'm not sure it can even be done. There's no global search and replace in the forum software. Each one of those images is linked with an insecure permanent BBCODE bit of text. The change has to happen at database level and it has the potential to break things.

when you say BBCODE bit of *text*, do you really mean it's a text string that you can find and edit? Albeit, metric monkeytons of them, sure.

I ask, because I have an editor that can handle very, very large files. I've only bothered to try it on text files, not... other files. And I don't know what kind of files you're dealing with wrt the places where the offending "BBCODE bit of text" is.

The editor is at work and my brain is offline. If you're interested, indicate that and I'll dig up the editor / link info for you. The tool all by itself is impressive.

[glatt]

I know nothing about this stuff, so maybe this is a dumb question. But I don't think it's critical that old hotlinked images be displayed. Can you just break the image link and leave the text link there, pointing to the picture?

[xoxoxoBruce]

Or download the image, break the link and put the image back in the post, but only UT and the mods can do that.

[footfootfoot]

Well, that'll serve us for hotlinking.

And while "converting to https," invites the response, "Yeah, you know me." it doesn't really want it to come to the party because of the superfluous s at the end. So, no.

[glatt]

Yeah, I'm not fixing thousands of hot linked images.

[footfootfoot]

Quote:

Originally Posted by glatt

Yeah, I'm not fixing thousands of hot linked images.

Slacker

[Undertoad]

And it may not matter all that much either.

Google is downgrading pages not served up with https, and soon they will be sending warnings about any page that appears to be collecting password or credit card data over a page without https.

Do they downgrade if the page is secure, but contains insecure sections? I don't know.

It's an issue because, if you're not logged in, every Cellar page has a login box at the top.

The register page is entirely secure...

[Undertoad]

We are currently enforcing https, which means if people are browsing with http they will get rudely re-directed to the https version.

Let's see if any issues are reported in the next hour or so

[sexobon]

One probably has to look outside of database fixes as some folks did with phpBB by creating an extension that runs hyperlinked http requests through an SSL image proxy server which rewrites them to https to appear as secure for viewing. I don't know if anything like this has ever been developed for vBulletin; but, it might be worth looking around for. If you find something, it might be worth bringing back the tip mug to pay for it. I suppose you could do a poll.

Quote:

... Background Information:
If a phpBB board is served from a https:// server, it will generally behave well as a secure site, but any image links posted by users as http://... will appear to browsers to be insecure content, in some browsers promoting a security warning dialogue, and in other browsers resulting in the image becoming inaccessible.

A direct solution of converting the image links in the phpBB database is generally impractical, so an accepted solution is to use a SSL proxy to make the images appear to be secure. Camo is an example of such a proxy.

With this extension installed, when a phpBB page is being loaded by a user, links to http://... images are rewritten so that they become https:// links to the camo proxy server, with the original link address encoded into the new link. The user's browser then requests the image from the camo proxy which accesses the original location and re-serves it on-the-fly using the https:// protocol. ...

[Flint]

Quote:

Originally Posted by sexobon

One probably has to look outside of database fixes as some folks did with phpBB by creating an extension that runs hyperlinked http requests through an SSL image proxy server which rewrites them to https to appear as secure for viewing. I don't know if anything like this has ever been developed for vBulletin; but, it might be worth looking around for. If you find something, it might be worth bringing back the tip mug to pay for it. I suppose you could do a poll.

That sounds like the ungrounded electrical socket adapters, that let you plug three-pronged plugs into two-pronged outlets. You can plug the thing in, but it isn't really grounded. It just bypasses the security feature. If I understand correctly, this is what you mean by "appear as" secure.

Conversely, I'm not a big fan of data rot, so there's that...

[Undertoad]

The long run plan is to get away from vBulletin though, cos vBulletin has lost its mojo. But it may be possible to proxy these requests anyway... looking into it...