SSL is now enabled

XxAtillaxX · Before February 2015

SSL is now enabled for this site as you may or may not have noticed.
This may or may not mean a whole lot, but it is integral to preventing man-in-the-middle attacks and eavesdropping. Read more...

N1KF

Creature · Before February 2015

I still don't understand what this means.

N1KF

some woman · Before February 2015

Creature wrote:

I still don't understand what this means.

Shellshock Live of course!

N1KF

Creature · Before February 2015

some man wrote:

Creature wrote:
I still don't understand what this means.
Shellshock Live of course!

Why do we need this?

N1KF

Different55 · Before February 2015

I'm having a hard time believing anyone cares even a fraction about this site enough to launch any sort of attack that making the site's communications secure will help. What we're most vulnerable to are raids, can you do anything about those? Maybe preventing repetitive posts and disallowing image posting until you have a handful of posts made?

N1KF

XxAtillaxX · Before February 2015

Different55 wrote:

I'm having a hard time believing anyone cares even a fraction about this site enough to launch any sort of attack that making the site's communications secure will help. What we're most vulnerable to are raids, can you do anything about those? Maybe preventing repetitive posts and disallowing image posting until you have a handful of posts made?

Yes. I'm going to make it so that you need to have a certain amount of posts before you can embed images.
I'm also adding some more information about tags.

EDITS:
Added an 'About BBCode' that shows more information about BBCode.
Added a limit of minimum 25 posts before a user can use BBCode.
Added a new BBCode Tag (click here to find out!)
Updated youtube tags to load content from youtube over https.
Updated the Help page to reference youtube tags.
Working on mailservers to actually work properly.

N1KF

Dazz · Before February 2015

Geee thanks a lot... now the forum doesn't work on Chrome

Last edited by dazz (Oct 6 2014 1:01:18 pm)

N1KF

N1KF · Before February 2015

dazz wrote:

Geee thanks a lot... now the forum doesn't work on Chrome

It works fine for me.

some woman · Before February 2015

N1KF wrote:

dazz wrote:
Geee thanks a lot... now the forum doesn't work on Chrome
It works fine for me.

Same here.

N1KF

XxAtillaxX · Before February 2015

dazz wrote:

Geee thanks a lot... now the forum doesn't work on Chrome

It should work fine, in the case that it doesn't, it is only temporary.
SSL may not fully propagate entirely, however it should be fine for everyone within 24 hours.

The forum should be fully functional despite any certificate issues.

Viewing topics will not have a padlock icon, because it is loading images that people embed in their signatures without https. The type of content that can be loaded is unable to modify content on-site, with the exception of being (possibly) youtube with restrictions IF the content is loaded.

N1KF

Zumza · Before February 2015

Atilla I don't believe that someone will tray to intercept the data between any user to forum...
I hope it dosent have any heart bleed issues.

N1KF

Creature · Before February 2015

For me it's okay having that, forum isn't run by me, i don't choose if the forum will die with ee or don't.

N1KF

XxAtillaxX · Before February 2015

The Doctor wrote:

Atilla I don't believe that someone will tray to intercept the data between any user to forum...
I hope it dosent have any heart bleed issues.

There aren't any heartbleed issues, that's a good concern however. Nor do I think a user would try to intercept any data, however that doesn't mean that encryption shouldn't be everywhere. It's a technology that only helps.

Plus, man in the middle attacks don't just occur from out of nowhere. If you use any of your devices from anywhere, any connections you make on a public wifi connection without encryption can have unwanted consequences.

This is what a man in the middle attack is. It can happen outside your home, and it affects a lot of people - especially due to wifi authentication and trust issues, if you want to learn more, google pineapple wifi.

N1KF

Dazz · Before February 2015

XxAtillaxX wrote:

dazz wrote:
Geee thanks a lot... now the forum doesn't work on Chrome
It should work fine, in the case that it doesn't, it is only temporary.
SSL may not fully propagate entirely, however it should be fine for everyone within 24 hours.
The forum should be fully functional despite any certificate issues.
Viewing topics will not have a padlock icon, because it is loading images that people embed in their signatures without https. The type of content that can be loaded is unable to modify content on-site, with the exception of being (possibly) youtube with restrictions IF the content is loaded.

Ok ok my bad, this time, for the first time I actually can proceed and enter the page, usually it gives me an error, now is working, thank you! I still get the ''https red slash'' but meh it's ok.

Last edited by dazz (Oct 6 2014 1:33:11 pm)

N1KF

Different55 · Before February 2015

I can't access it from Opera anymore. It works fine on my mobile browser but on desktop it just says

Secure connection: fatal error (40) from server.
https://eeforumify.com/
Failed to connect to server. The reason may be that the encryption methods supported by the server are not enabled in the security preferences.
Please note that some encryption methods are no longer supported, and that access will not be possible until the website has been upgraded to use strong encryption.

so if you could switch to a different encryption method, I'd appreciate it.

And everyone is now getting invalid certificate errors on browsers that do work. While we might actually be more secure, it's not coming off that way to everyone who now sees security warnings on every page, whether that's a popup or just an annoyingly bright red address bar) where before there were none. We're probably going to scare a few potential new members, annoy a few more away, and scare away one or two old users who might think that the forums have been hacked.

EDIT: I've been doing some research on HTTPS, and HTTPS with a self-signed certificate can't protect us from man-in-the-middle attacks. Is ours self-signed? I thought so, because it yells at everyone about security.

Last edited by Different55 (Oct 6 2014 5:59:25 pm)

N1KF

XxAtillaxX · Before February 2015

Different55 wrote:

I can't access it from Opera anymore. It works fine on my mobile browser but on desktop it just says
Secure connection: fatal error (40) from server.
https://eeforumify.com/
Failed to connect to server. The reason may be that the encryption methods supported by the server are not enabled in the security preferences.
Please note that some encryption methods are no longer supported, and that access will not be possible until the website has been upgraded to use strong encryption.
so if you could switch to a different encryption method, I'd appreciate it.
And everyone is now getting invalid certificate errors on browsers that do work. While we might actually be more secure, it's not coming off that way to everyone who now sees security warnings on every page, whether that's a popup or just an annoyingly bright red address bar) where before there were none. We're probably going to scare a few potential new members, annoy a few more away, and scare away one or two old users who might think that the forums have been hacked.
EDIT: I've been doing some research on HTTPS, and HTTPS with a self-signed certificate can't protect us from man-in-the-middle attacks.

http://stackoverflow.com/a/11726273/4026373 wrote:

a self signed certificate is more insecure than a CA certificate only when the client does not know the certificate in advance and therefore has no way to validate that the server is who it says it is.
If you add the self signed certificate to the client and don't accept any other certificate, you're actually as secure (or, one could argue, even more so) than having a certificate authority signed certificate.
The important parts to keep SSL secure with or without a certificate authority are;
The server private key (and in the case of a CA, the private keys of all its roots) is kept secret.
The client knows the server certificate (or its CA root).

The SSL errors should disappear within a day or two. The encryption shouldn't be a problem.

N1KF

Zumza · Before February 2015

its funny that the Forum of EE have SSL but EE dosent.

N1KF

Different55 · Before February 2015

XxAtillaxX wrote:

The encryption shouldn't be a problem.

It is tho. ;_;

N1KF

AzurePudding · Before February 2015

I thought these forums were down for a few days, I was getting an error page until just now I noticed there was a "Continue anyway" button. Now the adress bar is red, huh..

N1KF

Different55 · Before February 2015

And that's going to happen to every person who comes here. I doubt we'll ever see another new user as long as they keep getting scared off by security errors designed to look intimidating. Trying to run a (small) website (Where nobody will ever launch a MITM attack) with SSL without a certificate is just shooting yourself in the foot. Having a self-signed certificate desensitizes everyone to security errors. If they somehow get caught up in a MITM attack, they'll see another error... Which they will then ignore because most people don't know better. The errors will look identical to them, so they'll continue and then fall into the MITM anyway. Some browsers display certificate errors once each session. Those people are particularly susceptible, since they won't even notice if something is out of the ordinary. This SSL isn't helping anyone.

And I'm probably going to be a lot less active since I can only get on the forums on my phone as long as we keep the current encryption method.

N1KF

N1KF · Before February 2015

Different55 wrote:

And that's going to happen to every person who comes here.

Every person but me? I am having no errors of any kind.

skullz17 · Before February 2015

I don't have any errors either.

N1KF

Different55 · Before February 2015

If you weren't warned at least the first time you came here after SSL was added, I fear for your browser.

N1KF

Cyclone or Meredith · Before February 2015

I also don't get any errors across multiple browsers, computers and networks.

N1KF

skullz17 · Before February 2015

Tried on firefox, chrome and ie. Didn't get any warnings at all.

N1KF

Official Everybody Edits Forums

#1 Before February 2015

SSL is now enabled

#2 Before February 2015

Re: SSL is now enabled

#3 Before February 2015

Re: SSL is now enabled

#4 Before February 2015

Re: SSL is now enabled

#5 Before February 2015

Re: SSL is now enabled

#6 Before February 2015

Re: SSL is now enabled

#7 Before February 2015

Re: SSL is now enabled

#8 Before February 2015

Re: SSL is now enabled

#9 Before February 2015

Re: SSL is now enabled

#10 Before February 2015

Re: SSL is now enabled

#11 Before February 2015

Re: SSL is now enabled

#12 Before February 2015

Re: SSL is now enabled

#13 Before February 2015

Re: SSL is now enabled

#14 Before February 2015

Re: SSL is now enabled

#15 Before February 2015

Re: SSL is now enabled

#16 Before February 2015

Re: SSL is now enabled

#17 Before February 2015

Re: SSL is now enabled

#18 Before February 2015

Re: SSL is now enabled

#19 Before February 2015

Re: SSL is now enabled

#20 Before February 2015

Re: SSL is now enabled

#21 Before February 2015

Re: SSL is now enabled

#22 Before February 2015

Re: SSL is now enabled

#23 Before February 2015

Re: SSL is now enabled

#24 Before February 2015

Re: SSL is now enabled

#25 Before February 2015

Re: SSL is now enabled

Board footer