• Welcome to Simple Machines Community Forum. Please login or sign up.
January 26, 2022, 06:34:09 PM

News:

SMF 2.1 RC4 has been released! Try it out and help us test! :) Read more.


Does SMF 2.0.2 support SSL/HTTPS?

Started by FreeMag, June 27, 2012, 12:31:38 PM

Previous topic - Next topic

FreeMag

Hi,

i've a short question:

Does SMF 2.0.2 support SSL/TLS, without big changes in the source code?



Arantor

It should do, there should be an option in the admin panel for this.
No good deed goes unpunished
All helpful urges should be circumvented

FreeMag

Okay,

I just found this Option (Configuration -> Server Settings... -> Cookies and Sessions )
QuoteForce cookies to be secure
(This only applies if you are using HTTPS - don't use otherwise!)

Will this encrypt all connection to/from my forum (activities in the forum -> postings, threads, ect) or only the login?

SMF 2 should encrypt all activities from the users .
No matter if they log-in, read/open a post, create a post.

Arantor

No, that's just for cookies.

I seem to recall the SSL option is somewhere else, you can use the front page of the admin panel to search for HTTPS and SSL.
No good deed goes unpunished
All helpful urges should be circumvented

ademanuele

Have you found a solution to this, I am also trying to find out how to implement SSL/https but could not find anything in the add min panel?

badon

December 10, 2012, 02:58:16 PM #5 Last Edit: December 10, 2012, 04:35:56 PM by Colin
I'm amazed that in the year 2012, there's still a bit of software out there that has a user account login while barfing all the data out into the world for everyone to see. PM's, restricted forums, etc are all viewable by everyone. The sensible thing to do is to make HTTPS the default for everything. Then, when it doesn't work for some people, they won't be merrily unaware that they're barfing in public.

I am absolutely horrified that this has happened to me. What did I say that was supposed to be private, but is now in somebody's database? This discussion needs to be resurrected until it is fixed, so people will at least know that they're "logging in" to a crowded room with microphones, cameras, glass walls, and [Snipped by Colin out of courtesy for our younger audience.]

Sticky/pin/announce/wail/etc?

vbgamer45

Couple issues with https normally requires a dedicated ip won't work with most shared hosting, plus the cost of SSL certificate, slows down the forum/performance since everything is encrypted. Probably not needed for the vast majority of forums,

But would be nice if SMF has some SSL support built in for instances when it would be required.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Kindred

oh, please...   none of the forums I have been on use SSL... not SMF, not phpBB, not VB...
nor does Wordpress or Joomla, by default...
(actually WordPress requires a very buggy add-on to do https)


So, I'd hardly say that this is a hot ticket issue.

Also, as vbgamer points out - SSL is difficult on a shared server, if not outright impossible on some... and the certs require payment (which many site owners can't or won't do)

Finally...   even if you use SSL, the data is still stored in clear-text in the database..... the only thing encrypted in the SMF database is the password.


P.S. Instead of resurrecting old threads to complain, you could try using the search to find some threads with answers... http://www.simplemachines.org/community/index.php?topic=489673.0
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

MrPhil

If a site owner should happen to have SSL available anyway (say, for a store), it would be wonderful for SMF to be able to use SSL for password entry and change, user information entry/edit/display, and anything else reasonably considered sensitive. It would be nice to be able to put the entire forum under SSL, as some sites require that when members are discussing very sensitive information (obviously, guest access needs to be shut off). SMF has lost some users because it doesn't offer SSL usage. Granted, some people think SSL gives them more security than it really does (e.g., makes it hack-proof, protects the database against snooping, etc. NOT!).

SSL is common on shared servers (including private SSL certificates). Private certs do cost some money, and usually require a dedicated IP address (additional $$). If you don't mind having a funky URL that doesn't have your domain name, many servers offer "shared" certs for free. And if you already have spent the money for SSL for other applications, why not be able to use it for SMF?

Kindred

well, there is a mod for SSL login... although it has not been updated for 2.0 final
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

ademanuele

You can have SSL set up. I have it on my server and SM is using it. I used someone to set this up for me, and can;t remember how it was done, but it is possible....

Arantor

Actually for the most part setting up SSL is actually very very easy. There's just no magic tick box for it.

Pretty much you can start by replacing all the theme URL and primary board URL settings to point to https instead of http and that will fix the bulk of it before you start. Then it's a fairly quick find/replace in the posts to replace links between posts with https instead of http - to do it entirely across the site.

Then just tick the SSL cookies box.
No good deed goes unpunished
All helpful urges should be circumvented

badon

What do you mean by "find/replace in the posts" and "links between posts"?

Arantor

Any posts that link to other posts on the same forum are going to need changing because they'll all have http not https in them. It's a quick enough SQL statement to do that find/replace.
No good deed goes unpunished
All helpful urges should be circumvented

badon

I think I could probably solve that by forcing SSL on the server, to avoid needing to alter the database. Thanks for the help!

Arantor

Except you would still need to modify the database anyway, because all you'd end up doing is forcing every single link in posts/PMs only to have to make two hits to the site - instead of just fixing them once and for all.
No good deed goes unpunished
All helpful urges should be circumvented

geokir

I am about to install an ssl to my forum.. as I read you dont think this a good idea? will it slow the forum so much?

Arantor

I didn't say it wasn't a good idea, but unless you actually need it you could consider avoiding it.

There *is* a performance hit attached, and there isn't necessarily the security benefit that you might think you're getting. If you actually have a signed certificate, that's something, but it's possible to hijack and MITM attack it anyway.
No good deed goes unpunished
All helpful urges should be circumvented

badon

Quote from: ademanuele on December 11, 2012, 03:55:19 AM
You can have SSL set up. I have it on my server and SM is using it. I used someone to set this up for me, and can;t remember how it was done, but it is possible....

Just an update, I took the same route you did, and had someone set up SSL for me. There were some quirks to get around, like configuring SMF's base URL to be https://whatever.whatever/whatever with the HTTPS part. Also, since non-https linsk are all over the internet, we forced HTTPS in Apache's configuration, so everyone will always be using SSL. Then, we disabled post text and PM text in notification emails, which is a "leak" that gets around SSL if even one person gets a notification: [TIP/TRICK] Hide PM Text in Email Notifications.

Now, our Tor, VPN, and proxy users don't have to worry as much about MITM attacks, and people can have a greater degree of privacy in their PM's and pseudonymous posts, which matches their expectations better. It's still possible for system admins on our servers and internal network to snoop, but dragnet-style snooping by uninvited parties is largely eliminated.

Did I mention how much I love SMF? We've been using it as  a blog platform, a bug tracking platform, and a bunch of other things that involve conversations that people normally don't think of a forum as the best way to do it. From my point of view, there are 3 kinds of sites of the internet:

1. Forums.
2. Wikis.
3. Everything else.

Having a major, actively developed, popular, security conscious, and BSD-licensed forum software available is a gift from heaven. Thank you SMF!

CyberianIce

My forum is SMF 2.0.7 and my server uses SSL encryption. At first look everything looks good but SMF parse some of the internal URLs without SSL (i.e in recent post section)

Does anybody tired to fix this because as I see it it's big security flaw?

Advertisement: