|Jcink.com Forums > Development News > HTTPS Encrypted Browsing|
|Posted by: John Mar 10 2017, 10:28 PM|
| HTTPS Encrypted Browsing
|Posted by: John Mar 10 2017, 10:34 PM|
| More importantly, let me know if you find any bugs browsing around on this forum under HTTPS. I only encountered 2 major bugs, the first was related to BBCode buttons. The second was quick-edit not being compatible with HTTPS. Both have been fixed.
In the coming weeks, I will be encouraging HTTPS use for all *.jcink.net users for the Admin CP. I'm working to make the Admin CP 100% https ready.
|Posted by: multiplicity! Mar 11 2017, 12:26 PM|
I use a special bit of coding that requires the url of my site, which it was before?
That code looks like this:
|Posted by: John Mar 11 2017, 12:28 PM|
| You can substitute x.b1.jcink.com with files.jcink.net, it won't make a difference. As long as /x/ is in the path, that's where your board's actual folder is on the system.
so take (if you're trying to work with https)
http://x.b1.jcink.com/uploads/x//av-<!-- |id| -->.png
and change it to
I did change a lot of our resource/media URLs to be more consistent to deal with this change which is why you're seeing the links as they are now.
|Posted by: multiplicity! Mar 11 2017, 12:48 PM|
I went ahead and made those changes like you said and you're right; there really is no difference other than it loads faster for me (not sure why, but might just be the difference in URL, IDK my computer is weird sometimes).
|Posted by: John Mar 11 2017, 01:12 PM|
| multiplicity! HTTPS is significantly faster than HTTP in some "test" cases, you are probably seeing a little speed bump with the forums.
|Posted by: GMaster479 Mar 11 2017, 02:34 PM|
|So what are your plans for making this work with custom domain names? Will it be something in the http://jcink.com/main/wiki/jfb-acp-system-settings-domain-manager for the ACP or would it be something we do through our own registrar (namecheap for example)?|
|Posted by: John Mar 11 2017, 02:57 PM|
The conundrum with domain names is that each domain needs its own SSL certificate.
We paid for all jcink domain users since it was a wildcard certificate through SSLTrust. Our *.jcink.net certificate was an "expensive" one ($400), but the cert covers everyone for 3 years.
Standard domain name certificates from namecheap for SSL are only $9.00/year per domain name. Not so bad, but a significant cost increase yearly for someone who has. And every year the certificate expires, it needs to be renewed and sent to us and I'll have to manually insert their cert.
Ideally what I would like to do for domain owners is utilize a free solution called Let's Encrypt instead ( https://letsencrypt.org/ ). A problem with those certificates however, is that they only last 90 days. So a board owner would need to generate a new certificate every 90 days, then give it to us.
Obviously this adds a LOT of labor and inconvenience, along with "complexity", and the first option is less labor for us and the board owner, but adds cost.
The ultimate solution would be a way to enter a lets encrypt account's details into the Admin CP, and have our server automatically go to their site via some API and "create" a cert then load it in. This will take some time to fully implement and I'm not even sure I'll have this implemented by the end of this year.
I will, at the very least, I think, be ready to accept yearly certificates sometime during the summer via email/support ticket, probably toward the end. Initially we were not planning on going full HTTPS for another year even for the jcink domains, but the decision was made that this would be best for everyone and will make switching to HTTPS less painful when browsers finally "drop the hammer" on HTTP years in the future.
|Posted by: GMaster479 Mar 11 2017, 03:08 PM|
That seems annoying overall, though I love the sound of the ultimate solution you have there. That would be ideal.
I'll happily purchase the SSL certificate when you're ready to handle them. I think that if you could almost find a way to add the certificate when you add the domain name in it would be great at least as a hold over. I'm not exactly sure how that would work but I think it is something that should happen once that you never have to look at again after.
|Posted by: John Mar 11 2017, 03:23 PM|
| I agree, it's just unfortunate that you can't simply buy a certificate, load it once, and be done with it as long as you keep renewing it yearly. It needs to be changed out.
The need to switch out a cert adds a whole new level. Having to do it every 90 days is even worse. "Let's Encrypt's" rationale for the whole 90 day limit is that it's "more secure" (like changing a password every 90 days). I beg to differ, but whatever.
|Posted by: John Mar 12 2017, 05:00 PM|
| Few bugs identified by a user in the support ticket system. Most of the links under "JFH Resources" don't work / blank out. Will be fixing these, it's because they keep trying to redirect to http links.
|Posted by: John Mar 17 2017, 07:47 AM|
| Firefox 52 has thrown down the hammer harder than google. This nasty message is being displayed on HTTP logins now for those who have updated to the latest firefox. I figured this out when I was visiting Fedex's website and was shocked.
It is absolutely pertinent for those even without domains to work on making their forums HTTPS friendly.
As a result of this, we may begin to force HTTPS for newly created forums soon.
|Posted by: Leif Mar 18 2017, 11:59 AM|
|Jcink contacted me about whether or not I plan on switching. Yes, I do. Like, I cannot believe how fast this had come all down. I was planning on going to a secure connection later this year. But, I'm moving up my timeline to this week. I know a handful of you all use my image host, we will support the https change|
|Posted by: John Mar 18 2017, 06:45 PM|
| I have been contacting a few image hosts that are commonly used who have not yet switched that admins and members are commonly utilizing just to see what their plans are, if any. Here is a list of https supported image hosting, not complete.
Hopefully all of them start to switch, even though you can still use non-https images and includes in posts, it would be best to not do so.
One solution would be for us to run an image proxy, but I would rather not do that as it will require excessive amounts of resources.
|Posted by: Leif Mar 18 2017, 11:27 PM|
| Hey all! As per my conversation with Jcink earlier, I pushed out the SSL ahead of schedule.
For users of NickPicHost you can now swap over to https://cdn.nickpic.host from http://cdn.nickpic.host any time you'd like. I highly recommend going schemeless and referring to them as //cdn.nickpic.host
It is essential coverage and it'd support the green browser.
Edit: I added Schemeless link support. Plus, by default NickPic.Host will now serve SSL.
|Posted by: agenth Mar 19 2017, 12:06 PM|
| Hey, just to clarify, a question:
So if DoHTML is enabled for posts, does every post containing a http-image have to be edited to https?
I'm talking about codes that use html, but whose css is externally linked, albeit the image is inserted in the post by html.
|Posted by: John Mar 19 2017, 12:46 PM|
I tried to clarify that in this section:
but it may have been confusing, sorry.
[img] bbcode tag, or <img> html tag inserted images served via http are OK.
Images inserted via css -- such as the background-image:url() property, will NOT even display over http, while on https.
This also goes for your own board's CSS.
The problem with this of course, is that as time goes, what is acceptable today may not be acceptable tomorrow. And could happen overnight. I realize it's really hard to force members to use https for all of their images as well, especially right now. I'm currently brainstorming ways to make this easier. Possibly automatically checking posted image URLs to see if https is supported on the host they're using, and then automatically replacing their link.
That's a problem though since the image hosts still have to get with the program of updating to https, too. Since we can't do this replacement if it doesn't exist.
ALSO. Externally linked CSS of any kind *must* be served over https, too.
|Posted by: agenth Mar 19 2017, 01:29 PM|
| Thanks for clarifying!
I asked, because the images on http are displayed (still), even though I'm on the https url. But I'll change them now to prevent future disaster
|Posted by: John Mar 24 2017, 01:11 PM|
| HTTPS "bugs" fixed
Let me know if while browsing the Admin CP, if you are not viewing your board index, macros, or similar page, the lock icon turns to a strike. The Admin CP, at the very least, should be 100% HTTPS at all times.
My plan is to force HTTPS on this forum sometime next month -- currently I'm forcing it on the website.
We will not be forcing HTTPS on user forums since that would be chaotic, but the default forum state for new registrations IS going to change. It's very bad that new forum users see "not secure" when they sign up.
|Posted by: Leif Mar 25 2017, 03:01 PM|
|I have gone ahead and enforced https on my image host to be ready for this change with schemeless links options. The main site, login forums, and all other parts of this image host (not just the CDN) is now secure. We're ready for this!|
|Posted by: John Mar 27 2017, 11:06 AM|
| Big update today everyone.
I configured a test domain/subdomain using the Let's Encrypt service today. And guess how much effort will be required from you guys' side to accomplish this? Zero, unless you count putting in a ticket and asking me to add your domain to our lets encrypt database and add it to our server configuration.
What about the 90 day issue? That's where the magic happens. Once I add your domain, it is set and done, and our Let's Encrypt setup is rigged to automatically renew it. No work on our part, no work on your part from there forward.
I still would love for this to be a fully automated process, through and through -- and we'll get there eventually, but today is a huge step. Since a large burden for domain owners will be effectively removed, both cost and maintenance wise, from our end as well as yours.
Note: I'm still not adding any domains yet but watch this thread. Have to figure out certain things like cleanup for old dead domains and other things related to keeping the system tidy.
|Posted by: CamilleNicole Mar 28 2017, 01:59 AM|
I'll most likely be moving all my images to your image host, then. Too lazy to constantly re-upload to imgbox/imgsafe just to upload theme images.
|Posted by: John Mar 28 2017, 02:13 AM|
|Skin/Theme images should really be uploaded to the JFH File Manager and not image hosts though. Our file manager can serve the content over https, so it is a great option.|
|Posted by: CamilleNicole Mar 28 2017, 04:03 AM|
It's mostly for the ones that aren't on my hard drive anymore. New skins will have everything on the file manager.
|Posted by: Leif Apr 7 2017, 12:47 AM|
| I've added a new feature to my host as well to help support this transition.
Schemeless links are now a programmed option!
|Posted by: John Apr 10 2017, 04:58 PM|
| Bug fixed:
Corrected an issue where the shoutbox was redirecting to http, breaking https.
|Posted by: CamilleNicole Apr 18 2017, 10:13 AM|
|I don't know why but mobile seems to have issues with HTTPS browsing on Jcink forums for me (using Chrome on Android; already using auto date & time so I know it's not that).|
|Posted by: John Apr 18 2017, 10:24 AM|
|I have not had any issues with mobile at all. Please describe what is happening.|
|Posted by: CamilleNicole Apr 18 2017, 10:37 AM|
This is the error code that's blacked out - "net::err_cert_authority_invalid"
This is what it looks like when I choose to proceed:
It might just be my phone being weird. I have no issues on my laptop just my phone.
|Posted by: John Apr 18 2017, 10:41 AM|
| The error you are getting is that it's saying our certificate authority is invalid. Which means that your phone is not willing to accept the place we purchased our certificate from. I have no idea why this would be, as ours was issued by Comodo Group.
I tested Google Chrome on my iOS and it's working.
What version of Android are you using?
|Posted by: multiplicity! Apr 18 2017, 10:52 AM|
|Posted by: John Apr 18 2017, 10:54 AM|
| That is so annoying and disappointing. I don't know what to do about this either, because if it hates the certificate because it was issued for being a wildcard there won't be much that I can do. I suspect that this will change in the future, but it looks like some android users may be out of luck for now. Thank you for letting me know about it, I'll talk to my certificate authority. For what we paid for, we were promised 99.9% browser support, though, so I'm legitimately pissed off now if this is an issue for ALL android devices on 6.x or lower.
I wonder if it is accepted by Android 7.x branch.
|Posted by: CamilleNicole Apr 18 2017, 02:53 PM|
| It probably will be.
I do find it weird that a freely-provided SSL certificate is supported, though. (On a privately-hosted site) Although the fact that I do it for each of my individual sites might be related...
|Posted by: John Apr 18 2017, 02:59 PM|
|I've got a trouble ticket in with my certificate authority now about the issue to see what they say. I'm hoping that there is a misconfiguration issue on my end somewhere and that it has nothing to do with the cert itself and/or the cert type of multi-domain wildcard.|
|Posted by: CamilleNicole Apr 18 2017, 03:09 PM|
|Apparently, it's based on carrier...the main domain is fine.|
|Posted by: John Apr 18 2017, 04:17 PM|
|Well, they are saying the installation needs additional files and then it should be fine. So I am hopeful that I am just missing this and we'll be 100%. Fingers crossed, confirming exactly which of their certificates I need to install.|
|Posted by: CamilleNicole Apr 18 2017, 04:26 PM|
|Seems to be working fine now for me. Did you already add the additional files?|
|Posted by: John Apr 18 2017, 04:31 PM|
|No, I didn't. I will be able to rebuild the certificate bundle in a couple hours. I'm confident that this will work fully after doing this.|
|Posted by: CamilleNicole Apr 18 2017, 04:39 PM|
I guess my phone is just weird then since it seems to randomly choose when it wants to trust the certificate at the moment.
|Posted by: John Apr 18 2017, 07:28 PM|
|I have rebuilt the certificate. After rebuilding the certificate I can see now in this ssl success test, that android devices are working. Please let me know what your real world results are.|
|Posted by: CamilleNicole Apr 18 2017, 09:03 PM|
|It's working now.|
|Posted by: multiplicity! Apr 19 2017, 06:04 AM|
|Posted by: John Apr 19 2017, 07:40 PM|
| Very happy to hear that.
I will continue to do more testing; I would like to start making ssl the default for new forums sometime in late May is the goal.
|Posted by: John Apr 30 2017, 07:30 PM|
|Live Chat/IRC was reported as not working with SSL via the web client. This issue has been fixed.|
|Posted by: John May 7 2017, 01:22 AM|
|I fixed the "share this topic" feature to link to files.jcink.net via https relatively. It was causing every topic to show "insecure" regardless of member's hosted content status. Also removed some dead elements of said feature as well while I was at it.|
|Posted by: Tyrailius May 7 2017, 03:18 PM|
| I have a few questions about this:
1. Do I need to sign up somewhere to make my forum part of the HTTPS package, or do I simply just need to add the https part to my link?
2. For my custom skins, will simply adding s at the http make the skin work with https, or will I need to completely rehost the images somewhere with https enabled?
3. Are TinyPic and PhotoBucket https compatible?
|Posted by: John May 7 2017, 03:46 PM|
1. Simply add https to any existing .net link. https://generationz.jcink.net would be yours. It's free. And anyone can do it.
2. Images in CSS will need to be rehosted somewhere with HTTPS enabled if they don't have it. For most photobucket servers, you can simply change http:// to https:// and it will work, for example. TinyPic however does not support HTTPS.
3. #2 answers #3 as well.
|Posted by: Rosalieart May 10 2017, 01:49 AM|
| Is there a way to mass convert emoticons or a way to mass upload emoticons that are currently linked as urls to the board to preserve them? Photobucket doesn't appear to be https yet, and we have probably over a thousand 'emoticons' because they're sprites. XD;
edit: i'm blind! ignore me. just saw your latest post re:photobucket above.
|Posted by: Leif May 14 2017, 07:58 PM|
If you'd like I can mass convert them to another image host for you.
|Posted by: John May 14 2017, 08:22 PM|
Yes - PB supports https. Very good thing since a lot use their service. Wish TinyPic would get on board...
|Posted by: RR of DD May 16 2017, 08:17 AM|
| cbox.ws aren't compatible with https on jcink?
https://dcreborn.jcink.net or is there some tweaking required on the cbox.ws code?
|Posted by: John May 16 2017, 08:21 AM|
|You need to edit the cbox code to use the HTTPS version of cBox. It should be as simple as changing http:// to https:// in the code. Web browsers do not allow non-https external chat apps to be embedded in https sites.|
|Posted by: RR of DD May 16 2017, 08:40 AM|
|ok thanks I'll give this a go later.|
|Posted by: John May 16 2017, 11:53 AM|
|No problem, let me know if you run into any trouble. It should be a very quick replacement. Cbox supports HTTPS.|
|Posted by: CamilleNicole May 16 2017, 01:18 PM|
| I'm just also gonna chime in to say that if you utilize multiple cboxes - one paid & others which aren't paid, you don't have to pay for all of them in order to use HTTPS despite what it says on the main site.
The general chatbox (left) is paid & the tagbox (right) is free.
You should only pay for cboxes if you need the features of paid for your site. I pay for the chatbox because I need to use the profile system so people can differentiate between staff, members, and guests. (Even if the site has yet to open at this time.)
|Posted by: John May 16 2017, 01:28 PM|
| Wow, I hadn't noticed that they say cbox free is "---" with respect to https enabled. That is very annoying, even if it works anyway. I can't understand why they are charging for that. They don't even (technically) have to pay for the "very expensive" wildcard certificate that we do.
Probably just trying to make extra sales from the SSL aspect. Thanks for the info CamilleNicole that should save some people money from upgrading if they don't need it.
|Posted by: klin May 16 2017, 01:33 PM|
Weird, I hadn't noticed this. I just switched our free cbox to use HTTPS, with no trouble.
What a scummy move, though. Too bad there aren't any truly awesome cbox.ws competitors. (Though the real cbox killer is gonna be embeddable Discord channels, let's be real. Wish I knew more about websockets to try a hand at it myself.)
|Posted by: John May 16 2017, 01:38 PM|
|In the end it's not going to work for them anyway long term. Charging for SSL-enabled access as a business model of any kind is a dead-end road...|
|Posted by: CamilleNicole May 16 2017, 01:54 PM|
|Yup. For the free cbox, you just have to change http to https within the code itself and it'll work with no problem.|
|Posted by: Heir of the world May 18 2017, 09:02 PM|
| I've noticed that emails that I get alerting me that there's been a post in a subscribed topic/forum or that I've been tagged in have the http link. Can/will this be changed to link to https instead?
(Unrelated to https, but I've also noticed I will sometimes and inconsistently get emails for topics I'm tagged in that link me to the .b1 site instead of .net. Any idea why?)
|Posted by: John May 18 2017, 09:18 PM|
| That's coming from the fact that some of your members are still utilizing the b1 url. To stop this, you might want to use a script that forces people to use not only https, but your jcink.net url as well. I'll try to dig up the script for that.
There is no way to set a "primary" url within JFH, there has never been a need, though with the https migration this is something we may need to address.
|Posted by: Heir of the world May 19 2017, 01:29 AM|
|Thanks John! This would be hugely useful so we have everything working consistently, especially in prep for https migration.|
|Posted by: Chlocelot Jun 28 2017, 05:04 PM|
| I have a new site opening so I have been going through and trying to make sure that everything is secure and using the https:// before launch and I noticed something while testing pages. I don't know if this is a glitch, or a known thing, or if my forum is just a snowflake because it was registered before March of this year, but I just wanted to make sure you know that many of the little pip images are not secure. I think this might be the b1.jcink problem mentioned somewhere though.
EG: In the mod CP, all the little images in the menu are unsecured:
In the default avatar:
I don't know if I can edit them but if you can I haven't found where.
For the ones I can edit, all the macros for the skin are not secure and when I try to change it, the image breaks.
results in a broken image for me.
Once again, I haven't read through all the pages here. I just wanted to make sure you were aware.
|Posted by: John Jun 28 2017, 05:14 PM|
| b1.jcink.com is a legacy url so it is not equipped with https.
Anywhere you see files.b1.jcink.com substitute it directly for files.jcink.net and https will work.
Since you registered your board before March of this year, it doesn't have some of the new default https based URLs that I set up with the default skin.
The Mod CP images have now been fixed though, thanks for pointing that out Chlocelot, I wasn't aware of that.
|Posted by: Chlocelot Jun 28 2017, 05:21 PM|
| Oh okay, that's what I was missing. I also wanted to know one thing while I caught up through this conversation; this is all new to me and I know someone is going to ask.
I have a custom domain for my site. I know as of this moment they are not https supported because the logistics are still being worked through (I'm catching up). If I finish rigging the site to be https ready, so every page has a little green lock, and someone accesses it through the custom domain, are they still secure?
Or can I use mysite.com and if someone is worried about it just tell them to bookmark and use https://mysite.jcink.net?
|Posted by: John Jun 28 2017, 05:24 PM|
No. If they access https://yourdomain.ext/ they will receive a certificate error.
If they access http://yourdomain.ext the domain name will work normally, but the connection will (obviously) not be secure.
A temporary solution would be to use a URL redirect from your domain name to the jcink.net https version until we have domains figured out.
|Posted by: Chlocelot Jun 28 2017, 05:31 PM|
Okay, I'll redirect through the https URL for my forum and make sure everything is ready to go for when custom domains can be supported. Thank you so much!
|Posted by: John Jun 28 2017, 05:32 PM|
| Yep. That is the best course of action.
Remember that using https content on http can't and won't hurt at all, it's only a good thing.
|Posted by: John Jan 23 2018, 02:54 PM|
| It has been a while since there was an update but it is 2018 and starting sometime in February we will be making the default URL that is given to newly registered boards the HTTPS one. There has been a lot of time in the past year and we've seen dramatically increased HTTPS usage and support from image hosts, script hosts, etc.
Starting today if you feel you are HTTPS-ready and are using the *.jcink.net subdomain, you can enable a new setting in Admin CP > System Settings > Security and Privacy > Force HTTPS (HTTP Secure). This will seamlessly redirect everyone on your board to the https mode; including old posted links.
Example here, all of these http links will take you to https since we have turned the setting on here.
http://support.jcink.net/ - main link
http://support.jcink.net/index.php?showforum=78 - forum link
http://support.jcink.net/index.php?showtopic=27295 - topic link
This update should make switching to https a more comfortable experience as well for everyone.
|Posted by: John Feb 11 2018, 02:25 PM|
| We have fixed a small bug:
The "website" field in the profiles was not accepting https. It will accept the links now and insert them correctly.
|Posted by: John Feb 18 2018, 01:41 PM|
|Posted by: owl Feb 18 2018, 03:27 PM|
|The actual BBcode for adding a link to a post above where I'm typing now is called http:// - I don't know if that affects something, other than being confusing - maybe it could be changed to the word 'link' or something instead.|
|Posted by: John Feb 18 2018, 04:10 PM|
|It doesn't affect anything with respect to the browser signifying that the site is secure BUT it's confusing and I will change it to just say LINK. And remove the default prefix of http:// as well in the input box.|
|Posted by: owl Feb 18 2018, 04:21 PM|
Thanks John, I think it looks a lot cleaner too!
|Posted by: GMaster479 Mar 2 2018, 08:18 PM|
|Any idea when we will be able to make domains used in the http://jcink.com/main/wiki/jfb-acp-system-settings-domain-manager usable for HTTPS or is there any way to do so right now?|
|Posted by: John Mar 2 2018, 08:50 PM|
|Posted by: Tyrailius Jul 15 2018, 12:33 PM|
|With the HTTPS encryption update in the future, will the website portion of the profiles automatically change to the https link? For example, if I click the "WWW" button on your profile, JCInk, it says "john.cuppi.net", will that automatically update to the https link? I am manually going through and updating all of our members websites portion to say https instead of http, but I am not sure if I am doing unnecessary work.|
|Posted by: John Jul 15 2018, 01:03 PM|
| Links to external sites do not give you a "not secure" penalty in the browser.
In the future, when virtually everyone is on https, we may just replace all of those links for convenience, but until then that isn't really feasible.
I would say that it is not necessary to replace member website links. It's the embedded content that is important to change within things such as your css and wrappers.
For example you have a link to postimg in your navigation bar to an image that is being served over http. It's telling me your board is not "fully secure" as a result. Website links alone won't cause that.
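Added example, not part of the thread or Jcink's own code: a small audit that separates http:// embedded resources (the ones that cost a page its lock icon) from plain hyperlinks (which do not), and proposes an https:// rewrite only for hosts known to serve HTTPS, along the lines of the automatic replacement idea floated earlier in the thread. The host sets, the sample markup and every function name here are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts an admin has confirmed serve HTTPS (both named in the thread).
HTTPS_READY_HOSTS = {"cdn.nickpic.host", "files.jcink.net"}
# Legacy host and the HTTPS-capable host the thread says to substitute for it.
HOST_ALIASES = {"files.b1.jcink.com": "files.jcink.net"}

# (tag, attribute) pairs that make the browser fetch a subresource.
EMBED_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
               ("embed", "src"), ("audio", "src"), ("video", "src")}
# http:// targets inside CSS url(...), quoted or unquoted.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources separately from plain hyperlinks."""

    def __init__(self):
        super().__init__()
        self.embedded, self.links = [], []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        if tag == "style":
            self._in_style = True
        for name, value in attrs.items():
            is_http = value.lower().startswith("http://")
            if name == "style":                      # inline CSS
                self.embedded += CSS_URL.findall(value)
            elif is_http and (tag, name) in EMBED_ATTRS:
                self.embedded.append(value)
            elif (is_http and tag == "link" and name == "href"
                  and "stylesheet" in attrs.get("rel", "").lower()):
                self.embedded.append(value)          # external CSS
            elif is_http and tag == "a" and name == "href":
                self.links.append(value)             # navigation only

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                           # <style> block contents
            self.embedded += CSS_URL.findall(data)


def upgrade(url):
    """Return the https:// form if the host is known to serve HTTPS, else None."""
    parts = urlsplit(url)
    host = HOST_ALIASES.get(parts.hostname, parts.hostname)
    if host not in HTTPS_READY_HOSTS:
        return None
    return parts._replace(scheme="https", netloc=host).geturl()


def audit(html):
    """Classify every http:// reference in a post, wrapper or skin fragment."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    fixable, unresolved = {}, []
    for url in scanner.embedded:
        new = upgrade(url)
        if new:
            fixable[url] = new
        else:
            unresolved.append(url)  # rehost, or confirm the host has HTTPS
    return {"fixable": fixable, "unresolved": unresolved, "links": scanner.links}


# Constructed sample markup; paths and the .example/.invalid hosts are made up.
SAMPLE = """
<style>.logo { background-image: url("http://files.b1.jcink.com/uploads/x/logo.png"); }</style>
<img src="http://cdn.nickpic.host/a.png">
<img src="//cdn.nickpic.host/b.png">
<img src="http://img.example.invalid/c.png">
<iframe src="http://chat.example/box"></iframe>
<a href="http://news.example/">news</a>
<div style="background:url(http://cdn.nickpic.host/bg.png)"></div>
"""

if __name__ == "__main__":
    for kind, found in audit(SAMPLE).items():
        print(kind, found)
```

Schemeless references such as //cdn.nickpic.host/b.png are left alone because they inherit the page's scheme; anything reported as unresolved has to be rehosted or checked by hand before its scheme is changed.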
|Posted by: Tyrailius Jul 15 2018, 02:08 PM|
|So basically anything a user posts to an external site will not hurt us? For example if a user posts a HTTP link to ESPN, we should be fine? The main thing would be to update the signatures/avatars, user posted images, etc?|
|Posted by: John Jul 15 2018, 05:46 PM|
Yes, you aren't penalized for non-https links:
Right. But you don't really have to panic about doing this in my opinion.
Right now, all google is doing is showing "Not Secure" next to the http urls. What you're seeing now is the maximum in their current plan. You can see the full plan here:
See, what we're hoping for is that by the time the glove is really thrown down on HTTP, we'll be able to just mass-replace all http with https. They have no plans for that at all though! So I would not expect that to be an issue for years.
Last report from late 2017 indicated that "73 percent of pages loaded in the US using HTTPS in Chrome on Windows, up from 59 percent a year ago." Obviously that is just not enough for Google to decide to block all http connections or become too harsh on a page that might have a little image or something that isn't served over https. They will add a little warning as they have now, but that's it. My personal prediction is that once enough of the internet is on https (it'll have to be in the 99%), we won't even have to think about this much.
There won't, for example, be a question of "can we swap all http to https links?" when we get to that point. If a server/service doesn't have it by that time years down the road... they will be the outlier. Some hosts have yet still to get with the program. I mean, honestly, for example, TinyPic still hasn't enabled https for their image uploads. And I don't get why because they operate out of literally a single domain name with subdomains. So in some cases you would need to reup the files that aren't available in https on the server they're hosted from.