# POLL: SSL for vpsBoard. Optional or forced site-wide?



## MannDude (Dec 2, 2013)

As per this thread: http://vpsboard.com/topic/2732-ssl-for-vpsb/

I ordered one, just waiting for the validation email and time to set aside to install.


----------



## willie (Dec 2, 2013)

I voted encrypt everything.  At minimum, the login form target (that receives the user password, it may actually be an ajax target) should always be encrypted, even if encryption for the rest of the site is optional.  Sending passwords in the clear is no longer an ok practice.

Added: if encryption is optional, it should be enabled by default, and if someone disables it, that should be displayed in their user profile for others to see.  Nobody with encryption enabled should send a PM with anything private in it if the recipient is going to read it without encryption.  So if a user has encryption turned off, potential PM senders should be notified of this. 

I think it's better to just make the encryption mandatory though, unless perhaps the Comcast story is checked out and confirmed to be real.  At the moment I don't see any persuasive evidence for it.  I see some anecdotes of slow transfers that to me have likelier explanations that don't involve Comcast slowing down ssl transfers.


----------



## wlanboy (Dec 2, 2013)

Voted for optional.

Should work if IPB is only using relative paths for everything.

The full approach does not have this precariousness, but https does only secure the content, not the call (target url) itself - so it's not needed for a board.


----------



## willie (Dec 2, 2013)

wlanboy said:


> but https does only secure the content, not the call (target url) itself - so it's not needed for a board.


I don't understand what you mean by that. 

1) the path component of the url (i.e. the part after the hostname) is sent through the SSL connection, so it's encrypted, though in some cases the length in bytes might allow inferring it (turning off the SEO-ified URLs would make the lengths the same).

2) It's relatively ok if it's visible that someone has just posted to the login form (i.e. they are logging in).  But the post contents (containing the user password) should always be encrypted.  Doing anything else is just inviting trouble in this world of wifi sniffers everywhere.


----------



## kaniini (Dec 2, 2013)

My opinion is simple -- force it and use HSTS to ensure it remains sticky in browsers.


----------



## wlanboy (Dec 2, 2013)

willie said:


> ...


What I wanted to say was:


```
GET http://vpsboard.com/topic/2814-poll-ssl-for-vpsboard-optional-or-forced-site-wide/#entry41283 [HTTP/1.1 200 OK 577ms]
GET http://vpsboard.com/public/min/index.php?ipbv=a72dbde1c284a4c592d0e6223223b5d0&f=public/style_css/css_6/footer.css,public/style_css/css_6/custom.css,public/style_css/css_6/calendar_select.css,public/style_css/css_6/ipb_common.css,public/style_css/css_6/ipb_styles.css,public/style_css/css_6/ipb_ckeditor.css,public/style_css/prettify.css [HTTP/1.1 304 Not Modified 281ms]
GET http://vpsboard.com/public/min/index.php?ipbv=a72dbde1c284a4c592d0e6223223b5d0&g=js [HTTP/1.1 304 Not Modified 421ms]
GET http://vpsboard.com/public/min/index.php?ipbv=a72dbde1c284a4c592d0e6223223b5d0&charset=UTF-8&f=public/js/ipb.js,cache/lang_cache/2/ipb.lang.js,public/js/ips.hovercard.js,public/js/ips.quickpm.js,public/js/ips.board.js,public/js/ips.textEditor.bbcode.js,public/js/ips.textEditor.js,public/js/ips.topic.js,public/js/ips.like.js [HTTP/1.1 304 Not Modified 530ms]
GET http://vpsboard.com/public/style_css/css_6/ipb_print.css [HTTP/1.1 304 Not Modified 671ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/ckeditor.js?nck=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 936ms]
GET http://vpsboard.com/public/js/3rd_party/prettify/prettify.js [HTTP/1.1 304 Not Modified 1061ms]
GET http://vpsboard.com/public/js/3rd_party/prettify/lang-sql.js [HTTP/1.1 304 Not Modified 1310ms]
GET http://vpsboard.com/public/js/3rd_party/lightbox.js [HTTP/1.1 304 Not Modified 1201ms]
GET http://analytics.vpsboard.com/piwik.js [HTTP/1.1 304 Not Modified 515ms]
GET http://www.gravatar.com/avatar/c0bbe74bf5a4c938819a7bee4a7716e2?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 304 Not Modified 16ms]
GET http://vpsboard.com/public/style_images/6_logo.png [HTTP/1.1 304 Not Modified 687ms]
GET http://vpsboard.com/public/style_images/memory/useropts_arrow.png [HTTP/1.1 304 Not Modified 812ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-1.jpg?_r=1385436768 [HTTP/1.1 304 Not Modified 1061ms]
GET http://vpsboard.com/public/style_images/memory/profile/default_large.png [HTTP/1.1 304 Not Modified 1202ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-7.gif?_r=1369209518 [HTTP/1.1 304 Not Modified 1326ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-1059.jpg?_r=1383319092 [HTTP/1.1 304 Not Modified 1685ms]
GET http://vpsboard.com/uploads/profile/photo-472.png?_r=1371599877 [HTTP/1.1 304 Not Modified 1810ms]
GET http://www.gravatar.com/avatar/4d58bf5c1597ebd6beb25719b50f9d6d?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 302 Found 47ms]
GET http://www.gravatar.com/avatar/87d740fd1a8d50efefe18cae5c2143f2?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 304 Not Modified 63ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-1072.jpg?_r=1384833197 [HTTP/1.1 304 Not Modified 1950ms]
GET http://www.gravatar.com/avatar/2b1b5b56fdb3c8bfde7a08b24c0ccc31?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 304 Not Modified 63ms]
GET http://ac1.vpsboard.com/data/sides/ [HTTP/1.1 200 OK 968ms]
GET http://vpsboard.com/public/style_images/memory/icon_users.png [HTTP/1.1 304 Not Modified 2060ms]
GET http://vpsboard.com/public/style_images/memory/bullet_star_rated.png [HTTP/1.1 304 Not Modified 2200ms]
GET http://vpsboard.com/public/style_images/memory/icon_share.png [HTTP/1.1 304 Not Modified 2309ms]
GET http://vpsboard.com/public/style_extra/team_icons/admin.png [HTTP/1.1 304 Not Modified 2559ms]
GET http://www.gravatar.com/avatar/cb4d190c5756002d12484d96d81a9f29?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 302 Found 78ms]
GET http://vpsboard.com/public/style_images/memory/bullet_black.png [HTTP/1.1 304 Not Modified 2699ms]
GET http://vpsboard.com/public/style_images/memory/icon_quicknav.png [HTTP/1.1 304 Not Modified 2792ms]
GET http://vpsboard.com/public/style_images/memory/icon_inbox.png [HTTP/1.1 304 Not Modified 2917ms]
GET http://vpsboard.com/public/style_images/memory/icon_notify.png [HTTP/1.1 304 Not Modified 3042ms]
GET http://vpsboard.com/public/style_images/memory/header_dropdown.png [HTTP/1.1 304 Not Modified 3167ms]
GET http://vpsboard.com/public/style_images/memory/bg.png [HTTP/1.1 304 Not Modified 3432ms]
GET http://vpsboard.com/public/style_images/memory/advanced_search.png [HTTP/1.1 304 Not Modified 3541ms]
GET http://vpsboard.com/public/style_images/memory/search_icon.png [HTTP/1.1 304 Not Modified 3666ms]
GET http://vpsboard.com/public/style_images/memory/topic_button.png [HTTP/1.1 304 Not Modified 3791ms]
GET http://vpsboard.com/public/style_images/memory/maintitle.png [HTTP/1.1 304 Not Modified 3916ms]
GET http://vpsboard.com/public/style_images/memory/gradient_bg.png [HTTP/1.1 304 Not Modified 4181ms]
GET http://vpsboard.com/public/style_images/memory/like_button.png [HTTP/1.1 304 Not Modified 4290ms]
GET http://vpsboard.com/public/style_images/memory/icon_warning.png [HTTP/1.1 304 Not Modified 4415ms]
GET http://i2.wp.com/vpsboard.com/public/style_images/memory/profile/default_large.png [HTTP/1.1 304 Not Modified 16ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/ips_config.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 1046ms]
GET http://analytics.vpsboard.com/piwik.php?action_name=POLL...................................... [HTTP/1.1 200 OK 983ms]
GET http://vpsboard.com/public/style_images/memory/top.png [HTTP/1.1 304 Not Modified 4087ms]
GET http://vpsboard.com/public/style_images/memory/feed.png [HTTP/1.1 304 Not Modified 4196ms]
GET http://vpsboard.com/public/style_images/memory/cal_weekday.png [HTTP/1.1 304 Not Modified 4321ms]
GET http://vpsboard.com/public/style_images/memory/snapback.png [HTTP/1.1 304 Not Modified 4337ms]
GET http://vpsboard.com/public/style_images/memory/lightbox/loading.gif [HTTP/1.1 304 Not Modified 4602ms]
GET http://vpsboard.com/public/style_images/memory/lightbox/closelabel.gif [HTTP/1.1 304 Not Modified 4727ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/skins/ips/skin.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 983ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/skins/ips/editor.css?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 843ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/lang/ipb.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 1591ms]
GET http://vpsboard.com/public/style_images/memory/editor/toolbar_bg.png [HTTP/1.1 304 Not Modified 1248ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/skins/ips/images/sprites.png [HTTP/1.1 304 Not Modified 1358ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/plugins/styles/styles/default.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 749ms]
```

If someone really wants to have the "full approach" everything has to be done through SSL:

- http://i2.wp.com/vpsboard.com/public/style_images/memory/profile/default_large.png
- http://analytics.vpsboard.com/piwik.php
- http://www.gravatar.com/avatar/...............
- http://ac1.vpsboard.com/data/sides/

So that's 4 calls too.

- Switching the profile pix to another url
- Decide to turn off gravatar
- Buy a wildcard SSL cert for analytics and the ads

Right just because the piwik call does include quite a lot of information.


----------
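
The host inventory in the post above can be automated. This is an added example, not part of the original thread: it parses console lines in the format pasted there (the sample lines are constructed), groups them by host, and reports which first-party hosts a given list of certificate names covers. The function names and the certificate name lists passed in are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the console format quoted in the thread:
# METHOD URL [HTTP/1.1 <status> <reason> <time>ms]
SAMPLE_LOG = """\
GET http://vpsboard.com/public/style_images/6_logo.png [HTTP/1.1 304 Not Modified 687ms]
GET http://analytics.vpsboard.com/piwik.js [HTTP/1.1 304 Not Modified 515ms]
GET http://ac1.vpsboard.com/data/sides/ [HTTP/1.1 200 OK 968ms]
GET http://www.gravatar.com/avatar/00000000000000000000000000000000?s=100 [HTTP/1.1 302 Found 47ms]
GET http://i2.wp.com/vpsboard.com/public/style_images/memory/profile/default_large.png [HTTP/1.1 304 Not Modified 16ms]
GET https://vpsboard.com/public/js/ipb.js [HTTP/1.1 200 OK 120ms]
"""

LINE_RE = re.compile(r"^[A-Z]+\s+(?P<url>\S+)\s+\[HTTP/\d\.\d\s+\d{3}\s")


def cert_covers(cert_names, host):
    """True if any certificate name matches host (exact, or one-label wildcard)."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        # "*.example.com" stands for exactly one left-most label, so it
        # matches a.example.com but neither example.com nor a.b.example.com.
        if name.startswith("*.") and parent == name[2:]:
            return True
    return False


def https_plan(log_text, site, cert_names):
    """Group logged requests by host and say what each host needs for HTTPS."""
    hosts = defaultdict(lambda: {"requests": 0, "plaintext": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a request line
        url = urlsplit(match.group("url"))
        if not url.hostname:
            continue
        entry = hosts[url.hostname]
        entry["requests"] += 1
        if url.scheme == "http":
            entry["plaintext"] += 1

    plan = {}
    for host, entry in sorted(hosts.items()):
        # The host decides ownership, not the path: i2.wp.com/vpsboard.com/...
        # is still a third-party request.
        first_party = host == site or host.endswith("." + site)
        if not first_party:
            action = "third party: switch to its https URL or self-host the file"
        elif cert_covers(cert_names, host):
            action = "first party: covered by certificate"
        else:
            action = "first party: NOT covered, add a matching certificate name"
        plan[host] = dict(entry, first_party=first_party, action=action)
    return plan


if __name__ == "__main__":
    # Assumed certificate name lists: a single-name cert, then apex + wildcard.
    for names in (["vpsboard.com"], ["vpsboard.com", "*.vpsboard.com"]):
        print("certificate names:", names)
        for host, info in https_plan(SAMPLE_LOG, "vpsboard.com", names).items():
            print(f"  {host:24} plaintext={info['plaintext']}  {info['action']}")
```

A wildcard name such as `*.vpsboard.com` matches exactly one extra label, so it covers `analytics.vpsboard.com` but not the bare `vpsboard.com`, which has to be listed as its own name on the certificate.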



## Coastercraze (Dec 3, 2013)

Other / doesn't matter to me. If it helps people with their overzealous firewalls at work, then have at it.


----------



## Shados (Dec 3, 2013)

wlanboy said:


> What I wanted to say was:
> 
> 
> 
> ...


Or instead of turning off Gravatar, just use their HTTPS URL...?


----------



## willie (Dec 3, 2013)

Wlanboy, ok, I see what you mean about those urls now, good point.  IMHO Gravatar should be shut off altogether, since it's invasive (receives referer urls of every page you view) and slows down page loading miserably.  I adblocked it ages ago and forgot about it.  It looks like there's a static file from i2.wp.com that presumably should be served directly from vpsb.  That leaves analytics, which I'd get rid of if it were up to me, but using a wildcard cert or a second $5 cert seems like an ok alternative.  Or somehow put it on the same domain as the main site.


----------



## HalfEatenPie (Dec 3, 2013)

willie said:


> Wlanboy, ok, I see what you mean about those urls now, good point.  IMHO Gravatar should be shut off altogether, since it's invasive (receives referer urls of every page you view) and slows down page loading miserably.  I adblocked it ages ago and forgot about it.  It looks like there's a static file from i2.wp.com that presumably should be served directly from vpsb.  That leaves analytics, which I'd get rid of if it were up to me, but using a wildcard cert or a second $5 cert seems like an ok alternative.  Or somehow put it on the same domain as the main site.


If you dislike the analytics, then here you go:

http://vpsboard.com/privacypolicy/



> *Analytic Tracing* We track and collect non-identifiable data on visitors to determine browsing habits and traffic data. This information is never sold, and is only used to determine the growth of the site, peak times of traffic, areas of the world our visitors are coming from, etc. You may opt-out of tracking by following the URL here: http://analytics.vpsboard.com/index.php?module=CoreAdminHome&action=optOut&language=en


----------



## peterw (Dec 3, 2013)

Shados said:


> Or instead of turning off Gravatar, just use their HTTPS URL...?


Gravatar can be blocked on client side. He is right that ads and analytics have to switch to ssl too.



willie said:


> Wlanboy, ok, I see what you mean about those urls now, good point.  IMHO Gravatar should be shut off altogether, since it's invasive (receives referer urls of every page you view) and slows down page loading miserably.  I adblocked it ages ago and forgot about it.  It looks like there's a static file from i2.wp.com that presumably should be served directly from vpsb.  That leaves analytics, which I'd get rid of if it were up to me, but using a wildcard cert or a second $5 cert seems like an ok alternative.  Or somehow put it on the same domain as the main site.


Analytics do have an opt-out. But what about ads? Should be ssl too.


----------



## MannDude (Dec 3, 2013)

Yes, you can opt out of tracking via the privacy policy. No, I will not disable analytics, though. I removed Google analytics and moved everything in house for those worried about 3rd party tracking, but I still need to know where traffic is coming from and other website metrics. It's not 100% accurate as many have opted out, which is fine, but disabling sitewide is not an option I'm interested in. Knowing what sites are referring traffic here, knowing what pages/threads are popular a particular week, having graphs to measure growth, etc is something I don't want to live without. The only revealing information in analytics are IP addresses and geolocation, which I can see anyway from the backend for the forum.

I _may_ be open to gravatar removal... but it'll have to go to vote. The site looks awful with those default avatars when you have a bunch in a row.

Anything else? Should I use the certificate I recently purchased for something else since it's not a wildcard one?

Tell me what you want.


----------



## peterw (Dec 3, 2013)

MannDude said:


> Tell me what you want.


What about the community projects? Git, Imagehosting a.s.o.?


----------



## Asad (Dec 3, 2013)

YES


----------



## Damian (Dec 3, 2013)

I will admit that I don't really see what the big deal is that we need to have discussion, then a vote about it? We're not running websites on a Pentium III anymore (I hope...), the 'additional CPU load' is negligible.

Do it and make the clients (including me) happy.


----------



## MannDude (Dec 3, 2013)

peterw said:


> What about the community projects? Git, Imagehosting a.s.o.?


If there is a concern for those too, then sure. Novacha manages the Git server, wlanboy manages the image hosting one... not sure what ASO is but I'll supply the certificates.


----------



## GIANT_CRAB (Dec 3, 2013)

EV SSL or gtfo.


----------



## MannDude (Dec 3, 2013)

Damian said:


> I will admit that I don't really see what the big deal is that we need to have discussion, then a vote about it? We're not running websites on a Pentium III anymore (I hope...), the 'additional CPU load' is negligible.
> 
> Do it and make the clients (including me) happy.


My main concern has been performance, but I am hearing it shouldn't be an issue.

I've already got enough performance issues over the past several months and have been hesitant to add something else on top of that. Was going to move to BuyVM's east coast location as it's best, geographically, for the user base. Have been planning the SSL stuff for a while, but was going to only do it after I migrated data, swapped Lighttpd for nginx and just rebuilt the server. But my invoice was due and I went ahead and paid another 3 months in Vegas since I had nowhere else to go.

I just seriously never realized how urgent the matter was to everyone, so I had no problem delaying it until I set aside a day to do the migration. But I see now that it's been brought up, it's very important that it gets done ASAP. I'll do it tonight after work.


----------



## mikho (Dec 3, 2013)

For me it could be optional but I'll follow the flow.


----------



## InertiaNetworks-John (Dec 3, 2013)

One problem that might cause some things to break is that you allow users to embed images from external sites, that do not have to be secure.

This problem could be solved by making them upload them to vpsBoard or making it be from a https enabled server.


----------



## peterw (Dec 3, 2013)

InertiaNetworks-John said:


> One problem that might cause some things to break is that you allow users to embed images from external sites, that do not have to be secure.
> 
> This problem could be solved by making them upload them to vpsBoard or making it be from a https enabled server.


True. Want to upload my avatar on a secure page.


----------



## willie (Dec 3, 2013)

MannDude said:


> My main concern has been performance, but I am hearing it shouldn't be an issue....
> 
> I just seriously never realized how urgent the matter was to everyone, so I had no problem delaying it until I set aside a day to do the migration. But I see now that it's been brought up, it's very important that it gets done ASAP. I'll do it tonight after work.


As one of the more vocal supporters, I don't think it's terribly urgent, in the sense of "OMG drop everything and do it right now".  I think it's important as a general practice and as a statement about who we are.  But we've done without it for many months and a few more days won't make enough difference to be worth causing a lot of extra hassle for you.  Anything reasonably timely is fine.  Relax!  We all appreciate the work you are doing for this site.  There's no need to get overextended.

There shouldn't be much performance issue especially with more recent OpenSSL's that use the AESNI hardware for the bulk encryption.  Encryption is fast these days.  Gzip encoding costs much more cpu than encryption.  One request if I may: be sure to configure the SSL for forward secrecy, i.e. using one of the DHE-prefixed cipher suites.  There are still some subtler configuration issues after that, but DHE goes a long way.


----------



## eva2000 (Dec 3, 2013)

MannDude said:


> As per this thread: http://vpsboard.com/topic/2732-ssl-for-vpsb/
> 
> I ordered one, just waiting for the validation email and time to set aside to install.


Noticed forums have switched to Nginx, so Nginx + SPDY SSL or go home 

Speed difference between SPDY SSL vs non-SPDY SSL https://spdy.centminmod.com/spdytest.html and background SPDY info http://centminmod.com/nginx_configure_https_ssl_spdy.html


----------



## MannDude (Dec 3, 2013)

eva2000 said:


> Noticed forums have switched to Nginx, so Nginx + SPDY SSL or go home
> 
> Speed difference between SPDY SSL vs non-SPDY SSL https://spdy.centminmod.com/spdytest.html and background SPDY info http://centminmod.com/nginx_configure_https_ssl_spdy.html


Nginx reverse proxy, the webserver is still lighttpd though.


----------



## eva2000 (Dec 3, 2013)

MannDude said:


> Nginx reverse proxy, the webserver is still lighttpd though.


Still should work fine for Nginx + SPDY SSL

example of Nginx + SPDY SSL


https://blog.centminmod.com (forced SSL)

example of Nginx + SPDY SSL as reverse proxy to Ghost Blog express node.js backend


https://ghost.centminmod.com (optional SSL)


----------



## MartinD (Dec 3, 2013)

I just...what.


----------



## drmike (Dec 3, 2013)

> GET http://i2.wp.com/vpsboard.com/public/style_images/memory/profile/default_large.png [HTTP/1.1 304 Not Modified 16ms]


WTF is that?

It's the damn placeholder head image for those that do not have an avatar.

That needs to be removed and hosted internally --- if it is something we have control over internally and not some gravatar doing it.

Gravatar, yeah, I've started blocking them manually on my end.

The SSL stuff, definitely need a wildcard domain level SSL cert and they aren't low end money.   $50 a year minimum I'd guess.

Unsure what/how x4b handles SSL, but I'd be looking up there first before investing time/money on certs.


----------



## XFS_Duke (Dec 3, 2013)

drmike said:


> $50 a year minimum I'd guess.


I can beat that price


----------



## MannDude (Dec 3, 2013)

MartinD said:


> I just...what.


?


----------



## MannDude (Dec 3, 2013)

http://www.alphassl.com/ssl-certificates/wildcard-ssl.html I ordered that.

Thanks XFS_Duke for reselling these at a discounted rate!


----------



## MannDude (Dec 4, 2013)

Second SSL ordered. Email verification? Nope. Meta tag verification? Nope, didn't work. TXT record verification? Nope, didn't work.

Y'all gonna have to live without SSL for another day.


----------



## XFS_Duke (Dec 4, 2013)

Yea, email doesn't like you... They're working on it... I'll have it for you soon.


----------



## budi1413 (Dec 5, 2013)

I vote optional since some people have problems with it.


----------



## XFS_Duke (Dec 5, 2013)

People shouldn't have problems with it... If they do, then they need to contact their ISP... There should be no reason an ISP is slowing traffic down to SSL protected websites. Hell, anything you do financially is protected by an SSL... So, why slow you down?


----------



## MannDude (Dec 5, 2013)

I've not forgotten about this. Finally got the cert delivered today, but some kinks on x4b's end need ironed out to allow it to be used properly across the subdomains needed.

I'm hoping it'll be ready soon, however.


----------



## XFS_Duke (Dec 5, 2013)

Yea, you'll get it... Delays suck... Sorry about that...


----------



## Francisco (Dec 8, 2013)

Is that...SSL? 

Looks like a single broken link but the rest is serving up nicely.

Francisco


----------



## MannDude (Dec 8, 2013)

I'm working on it.

Is it just me or are the iframes acting wonky? In Chrome, I see the ads. In Firefox, I see a vpsBoard error page. Weird.


----------



## Francisco (Dec 8, 2013)

MannDude said:


> I'm working on it.
> 
> Is it just me or are the iframes acting wonky? In Chrome, I see the ads. In Firefox, I see a vpsBoard error page. Weird.


You go girl.

Francisco


----------



## MannDude (Dec 8, 2013)

Well it's all green and sexy in Chrome, but unsure if it's working properly in Firefox yet... it should be, but for some reason on my end this is how it appears and I've got no green https:// in the address bar:


----------



## Leyton (Dec 8, 2013)

MannDude said:


> <SNIP: Quoted wrong post /> [Regarding the ads]


Not having that issue here with Chrome vs FF.


----------



## MannDude (Dec 8, 2013)

Everything should be all good now. 

Sorry for the delay everyone. Let me know if you experience any problems.


----------



## danni (Dec 8, 2013)

MannDude said:


> Everything should be all good now.
> 
> Sorry for the delay everyone. Let me know if you experience any problems.


Not a problem/issue, but /members/ is partly https due to

<img src='http://abs.twimg.com/


----------



## MannDude (Dec 8, 2013)

danni said:


> Not a problem/issue, but /members/ is partly https due to
> 
> <img src='http://abs.twimg.com/


Oh boy. Let me dig around and find what obscure file calls that.


----------



## XFS_Duke (Dec 8, 2013)

Hey,

http://vpsboard.com/public/style_images/memory/editor/toolbar_bg.png

That needs to be fixed.

It isn't showing as fully secured on my end.


----------



## MannDude (Dec 8, 2013)

Kk.

Keep them coming. I have to find all these things in whatever files exist that call them... None of these are in any template files as those have been adjusted already.


----------



## willie (Dec 8, 2013)

Woo hoo, this seems to be working great.  Only minor snag I hit is that the Firefox password store didn't pre-fill the login form, I guess because the url changed (http to https).  I pasted it over and it should remember it now.  But we should probably all change passwords anyway, since the old one was sent without encryption.


----------



## clarity (Dec 8, 2013)

I am so happy!


----------



## MannDude (Dec 8, 2013)

willie said:


> Woo hoo, this seems to be working great.  Only minor snag I hit is that the Firefox password store didn't pre-fill the login form, I guess because the url changed (http to https).  I pasted it over and it should remember it now.  But we should probably all change passwords anyway, since the old one was sent without encryption.


Not a bad idea, good to rotate passwords frequently from time to time anyhow.



DifferentOpinionsNotWanted said:


> I am so happy!


Haha, good.


----------



## peterw (Dec 9, 2013)

Good work.


----------



## NodeBytes (Dec 9, 2013)

http://vpsboard.com/public/style_emoticons/default/smile.png

Emoticons are not https either.


----------



## hcjake (Dec 10, 2013)

Not sure if it's related to SSL, but Tapatalk can't connect to this forum anymore.


----------



## Francisco (Dec 10, 2013)

hcjake said:


> Not sure if it's related to SSL, but Tapatalk can't connect to this forum anymore.


At least on my Virgin Mobile data plan I can't connect either. I'll test in a little bit if it's all SSL or what.

Francisco


----------



## MannDude (Dec 11, 2013)

Apologies for the delay on some of the SSL stuff...

Looks like some of the URLs that are still using http:// on the site are stored in the DB. I'll adjust these when I get off work.

Tapatalk... unsure how that works exactly, is there a setting for you to specify httpS?


----------
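
Leftover `http://` references like the ones reported in this thread can be found by scanning the rendered page, which also catches URLs that come from the database rather than from template files. This is an added example, not part of the original thread: the sample page is constructed (the emoticon URL is the one quoted above, the `example.*` hosts are placeholders) and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# Active content can change the page; passive content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample of a page that is itself served over https.
SAMPLE_PAGE = """\
<html><head>
<link rel="stylesheet" href="/public/style_css/ipb_styles.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://example.org/thread">plain link, navigation only</a>
<img src="http://vpsboard.com/public/style_emoticons/default/smile.png">
<img src="//img.example.net/avatar.png">
<img src="https://secure.example.net/a.png">
<iframe src="http://ads.example.net/slot"></iframe>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    """Collects subresources that an https page would load over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched and applied; other rel values are skipped.
            rels = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rels:
                self._check("active", tag, attrs.get("href"))
            return
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for pair_tag, attr in pairs:
                if pair_tag == tag:
                    self._check(kind, tag, attrs.get(attr))

    def _check(self, kind, tag, value):
        if not value:
            return
        parts = urlsplit(value.strip())
        # Relative and protocol-relative (//host/path) URLs inherit the page's
        # scheme, so only an explicit http:// is a problem on an https page.
        if parts.scheme == "http":
            self.findings.append({
                "kind": kind,
                "tag": tag,
                "host": parts.hostname,
                "line": self.getpos()[0],
                "url": value.strip(),
            })


def find_mixed_content(html):
    """Return findings, active content first, then by line number."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return sorted(finder.findings, key=lambda f: (f["kind"], f["line"]))


if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE):
        print(f"line {f['line']:>2}  {f['kind']:7}  <{f['tag']}>  {f['url']}")
```

An HTML-only scan does not see resources referenced from stylesheets (`url(http://...)`) or added by scripts at runtime, so the browser's own console remains the final check.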



## hcjake (Dec 11, 2013)

Did you update the URL in forum owner area on tapatalk.com to be https?


----------



## MannDude (Dec 12, 2013)

SSL should work sitewide now, with no unencrypted bits... everything should be using HTTPS now.

About Tapatalk... I don't ever even remember configuring this in the past. Anyhow, I've reinstalled it and now their site is down. I'm trying to get that sorted but am getting errors on my phone as well.


----------



## MannDude (Dec 12, 2013)

Well, the Tapatalk thing may take a little while longer. I've reinstalled it, got everything configured properly on my end and on their site... though it's still not working. Because it's appearing in their search with a different description than what I've added, I believe it was installed/configured originally by the old admin (Nick) who is doing some stuff for the NZ Army now and is not around much... I'll ping him and have him shoot me over his account details for it or something... Else Tapatalk will have to remove the old one from their results so the new one I just setup is linked to it.


----------



## Francisco (Dec 12, 2013)

MannDude said:


> NZ Army


TIL


----------



## wlanboy (Dec 12, 2013)

Anyone noticed the ugly tapashit popups on mobile browsers?


----------



## MannDude (Dec 12, 2013)

wlanboy said:


> Anyone noticed the ugly tapashit popups on mobile browsers?


It's disabled. Didn't realize it was enabled, as it never appeared for me but I was using the mobile theme... only when I switched to the full site view did I see it. Thanks.


----------



## MannDude (Dec 13, 2013)

Tapatalk is fixed now, and now I own the account! Thanks to this dude: https://support.tapatalk.com/threads/how-to-remove-a-listing-from-tapatalk.22161/#post-118395


----------



## budi1413 (Dec 14, 2013)

Inspired by this, my incomplete website is also fully using SSL now.


Before, I just enabled SSL in the admin area only.


----------

