As per this thread: http://vpsboard.com/topic/2732-ssl-for-vpsb/
I ordered one, just waiting for the validation email and time to set aside to install.
I ordered one, just waiting for the validation email and time to set aside to install.
POLL: SSL for vpsBoard. Optional or forced site-wide?
- Thread starter MannDude
- Start date
I voted encrypt everything. At minimum, the login form target (that receives the user password, it may actually be an ajax target) should always be encrypted, even if encryption for the rest of the site is optional. Sending passwords in the clear is no longer an ok practice.
Added: if encryption is optional, it should be enabled by default, and if someone disables it, that should be displayed in their user profile for others to see. Nobody with encryption enabled should send a PM with anything private in it if the recipient is going to read it without encryption. So if a user has encryption turned off, potential PM senders should be notified of this.
I think it's better to just make the encryption mandatory though, unless perhaps the Comcast story is checked out and confirmed to be real. At the moment I don't see any persuasive evidence for it. I see some anecdotes of slow transfers that to me have likelier explanations that don't involve Comcast slowing down ssl transfers.
Added: if encryption is optional, it should be enabled by default, and if someone disables it, that should be displayed in their user profile for others to see. Nobody with encryption enabled should send a PM with anything private in it if the recipient is going to read it without encryption. So if a user has encryption turned off, potential PM senders should be notified of this.
I think it's better to just make the encryption mandatory though, unless perhaps the Comcast story is checked out and confirmed to be real. At the moment I don't see any persuasive evidence for it. I see some anecdotes of slow transfers that to me have likelier explanations that don't involve Comcast slowing down ssl transfers.
Last edited by a moderator:
I don't understand what you mean by that.
1) the path component of the url (i.e. the part after the hostname) is sent through the SSL connection, so it's encrypted, though in some cases the length in bytes might allow inferring it (turn off the SEO-ified url's would make the lengths the same).
2) It's relatively ok if it's visible that someone has just posted to the login form (i.e. they are logging in). But the post contents (containing the user password) should always be encrypted. Doing anything else is just inviting trouble in this world of wifi sniffers everywhere.
Last edited by a moderator:
wlanboy
Content Contributer
What I wanted to say was:
GET http://vpsboard.com/topic/2814-poll-ssl-for-vpsboard-optional-or-forced-site-wide/#entry41283 [HTTP/1.1 200 OK 577ms]
GET http://vpsboard.com/public/min/index.php?ipbv=a72dbde1c284a4c592d0e6223223b5d0&f=public/style_css/css_6/footer.css,public/style_css/css_6/custom.css,public/style_css/css_6/calendar_select.css,public/style_css/css_6/ipb_common.css,public/style_css/css_6/ipb_styles.css,public/style_css/css_6/ipb_ckeditor.css,public/style_css/prettify.css [HTTP/1.1 304 Not Modified 281ms]
GET http://vpsboard.com/public/min/index.php?ipbv=a72dbde1c284a4c592d0e6223223b5d0&g=js [HTTP/1.1 304 Not Modified 421ms]
GET http://vpsboard.com/public/min/index.php?ipbv=a72dbde1c284a4c592d0e6223223b5d0&charset=UTF-8&f=public/js/ipb.js,cache/lang_cache/2/ipb.lang.js,public/js/ips.hovercard.js,public/js/ips.quickpm.js,public/js/ips.board.js,public/js/ips.textEditor.bbcode.js,public/js/ips.textEditor.js,public/js/ips.topic.js,public/js/ips.like.js [HTTP/1.1 304 Not Modified 530ms]
GET http://vpsboard.com/public/style_css/css_6/ipb_print.css [HTTP/1.1 304 Not Modified 671ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/ckeditor.js?nck=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 936ms]
GET http://vpsboard.com/public/js/3rd_party/prettify/prettify.js [HTTP/1.1 304 Not Modified 1061ms]
GET http://vpsboard.com/public/js/3rd_party/prettify/lang-sql.js [HTTP/1.1 304 Not Modified 1310ms]
GET http://vpsboard.com/public/js/3rd_party/lightbox.js [HTTP/1.1 304 Not Modified 1201ms]
GET http://analytics.vpsboard.com/piwik.js [HTTP/1.1 304 Not Modified 515ms]
GET http://www.gravatar.com/avatar/c0bbe74bf5a4c938819a7bee4a7716e2?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 304 Not Modified 16ms]
GET http://vpsboard.com/public/style_images/6_logo.png [HTTP/1.1 304 Not Modified 687ms]
GET http://vpsboard.com/public/style_images/memory/useropts_arrow.png [HTTP/1.1 304 Not Modified 812ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-1.jpg?_r=1385436768 [HTTP/1.1 304 Not Modified 1061ms]
GET http://vpsboard.com/public/style_images/memory/profile/default_large.png [HTTP/1.1 304 Not Modified 1202ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-7.gif?_r=1369209518 [HTTP/1.1 304 Not Modified 1326ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-1059.jpg?_r=1383319092 [HTTP/1.1 304 Not Modified 1685ms]
GET http://vpsboard.com/uploads/profile/photo-472.png?_r=1371599877 [HTTP/1.1 304 Not Modified 1810ms]
GET http://www.gravatar.com/avatar/4d58bf5c1597ebd6beb25719b50f9d6d?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 302 Found 47ms]
GET http://www.gravatar.com/avatar/87d740fd1a8d50efefe18cae5c2143f2?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 304 Not Modified 63ms]
GET http://vpsboard.com/uploads/profile/photo-thumb-1072.jpg?_r=1384833197 [HTTP/1.1 304 Not Modified 1950ms]
GET http://www.gravatar.com/avatar/2b1b5b56fdb3c8bfde7a08b24c0ccc31?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 304 Not Modified 63ms]
GET http://ac1.vpsboard.com/data/sides/ [HTTP/1.1 200 OK 968ms]
GET http://vpsboard.com/public/style_images/memory/icon_users.png [HTTP/1.1 304 Not Modified 2060ms]
GET http://vpsboard.com/public/style_images/memory/bullet_star_rated.png [HTTP/1.1 304 Not Modified 2200ms]
GET http://vpsboard.com/public/style_images/memory/icon_share.png [HTTP/1.1 304 Not Modified 2309ms]
GET http://vpsboard.com/public/style_extra/team_icons/admin.png [HTTP/1.1 304 Not Modified 2559ms]
GET http://www.gravatar.com/avatar/cb4d190c5756002d12484d96d81a9f29?s=100&d=http%3A%2F%2Fvpsboard.com%2Fpublic%2Fstyle_images%2Fmemory%2Fprofile%2Fdefault_large.png [HTTP/1.1 302 Found 78ms]
GET http://vpsboard.com/public/style_images/memory/bullet_black.png [HTTP/1.1 304 Not Modified 2699ms]
GET http://vpsboard.com/public/style_images/memory/icon_quicknav.png [HTTP/1.1 304 Not Modified 2792ms]
GET http://vpsboard.com/public/style_images/memory/icon_inbox.png [HTTP/1.1 304 Not Modified 2917ms]
GET http://vpsboard.com/public/style_images/memory/icon_notify.png [HTTP/1.1 304 Not Modified 3042ms]
GET http://vpsboard.com/public/style_images/memory/header_dropdown.png [HTTP/1.1 304 Not Modified 3167ms]
GET http://vpsboard.com/public/style_images/memory/bg.png [HTTP/1.1 304 Not Modified 3432ms]
GET http://vpsboard.com/public/style_images/memory/advanced_search.png [HTTP/1.1 304 Not Modified 3541ms]
GET http://vpsboard.com/public/style_images/memory/search_icon.png [HTTP/1.1 304 Not Modified 3666ms]
GET http://vpsboard.com/public/style_images/memory/topic_button.png [HTTP/1.1 304 Not Modified 3791ms]
GET http://vpsboard.com/public/style_images/memory/maintitle.png [HTTP/1.1 304 Not Modified 3916ms]
GET http://vpsboard.com/public/style_images/memory/gradient_bg.png [HTTP/1.1 304 Not Modified 4181ms]
GET http://vpsboard.com/public/style_images/memory/like_button.png [HTTP/1.1 304 Not Modified 4290ms]
GET http://vpsboard.com/public/style_images/memory/icon_warning.png [HTTP/1.1 304 Not Modified 4415ms]
GET http://i2.wp.com/vpsboard.com/public/style_images/memory/profile/default_large.png [HTTP/1.1 304 Not Modified 16ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/ips_config.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 1046ms]
GET http://analytics.vpsboard.com/piwik.php?action_name=POLL...................................... [HTTP/1.1 200 OK 983ms]
GET http://vpsboard.com/public/style_images/memory/top.png [HTTP/1.1 304 Not Modified 4087ms]
GET http://vpsboard.com/public/style_images/memory/feed.png [HTTP/1.1 304 Not Modified 4196ms]
GET http://vpsboard.com/public/style_images/memory/cal_weekday.png [HTTP/1.1 304 Not Modified 4321ms]
GET http://vpsboard.com/public/style_images/memory/snapback.png [HTTP/1.1 304 Not Modified 4337ms]
GET http://vpsboard.com/public/style_images/memory/lightbox/loading.gif [HTTP/1.1 304 Not Modified 4602ms]
GET http://vpsboard.com/public/style_images/memory/lightbox/closelabel.gif [HTTP/1.1 304 Not Modified 4727ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/skins/ips/skin.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 983ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/skins/ips/editor.css?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 843ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/lang/ipb.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 1591ms]
GET http://vpsboard.com/public/style_images/memory/editor/toolbar_bg.png [HTTP/1.1 304 Not Modified 1248ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/skins/ips/images/sprites.png [HTTP/1.1 304 Not Modified 1358ms]
GET http://vpsboard.com/public/js/3rd_party/ckeditor/plugins/styles/styles/default.js?t=393844341de5ef1f95b315754bc263c6 [HTTP/1.1 304 Not Modified 749ms]
If someone really wants to have the "full approach" everything has to be done through SSL:
- http://i2.wp.com/vpsboard.com/public/style_images/memory/profile/default_large.png
- http://analytics.vpsboard.com/piwik.php
- http://www.gravatar.com/avatar/...............
- http://ac1.vpsboard.com/data/sides/
- Switching the profile pix to another url
- Decide to turn of gravatar
- Buy a wildcard SSL cert for analytics and the ads
Other / doesn't matter to me. If it helps people with their overzealous firewalls at work, then have at it. 
Shados
Professional Snake Miner
Or instead of turning off Gravatar, just use their HTTPS URL...?
Wlanboy, ok, I see what you mean about those urls now, good point. IMHO Gravatar should be shut off altogether, since it's invasive (receives referer urls of every page you view) and slows down page loading miserably. I adblocked it ages ago and forgot about it. It looks like there's a static file from i2.wp.com that presumably should be served directly from vpsb. That leaves analytics, which I'd get rid of if it were up to me, but using a wildcard cert or a second $5 cert seems like an ok alternative. Or somehow put it on the same domain as the main site.
peterw
New Member
Gravatar can be blocked on client side. He is right that ads and analytics have to switch to ssl too.
Analytics do have a opt-out. But what about ads? Should be ssl too.
Yes, you can opt out of tracking via the privacy policy. No, I will not disable analytics, though. I removed Google analytics and moved everything in house for those worried about 3rd party tracking, but I still need to know where traffic is coming from and other website metrics. It's not 100% accurate as many have opted out, which is fine, but disabling sitewide is not an option I'm interested in. Knowing what sites are referring traffic here, knowing what pages/threads are popular a particular week, having graphs to measure growth, etc is something I don't want to live without. The only revealing information in analytics are IP addresses and geolocation, which I can see anyway from the backend for the forum.
I maybe open to gravatar removal... but it'll have to go to vote. The site looks awful with those default avatars when you have a bunch in a row.
Anything else? Should I use the certificate I recently purchased for something else since it's not a wildcard one?
Tell me what you want.
I maybe open to gravatar removal... but it'll have to go to vote. The site looks awful with those default avatars when you have a bunch in a row.
Anything else? Should I use the certificate I recently purchased for something else since it's not a wildcard one?
Tell me what you want.
peterw
New Member
What about the comunity projects? Git, Imagehosting a.s.o.?
I will admit that I don't really see what the big deal is that we need to have discussion, then a vote about it? We're not running websites on a Pentium III anymore (I hope...), the 'additional CPU load' is negligible.
Do it and make the clients (including me) happy.
Do it and make the clients (including me) happy.
If there is a concern for those too, then sure. Novacha manages the Git server, wlanboy manages the image hosting one... not sure what ASO is but I'll supply the certificates.
GIANT_CRAB
New Member
EV SSL or gtfo.
My main concern has been performance, but I am hearing it shouldn't be an issue.
I've already got enough performance issues over the past several months and have been hesitant to add something else on top of that. Was going to move to BuyVM's east coast location as it's best, geographically, for the user base. Have been planning the SSL stuff for a while, but and was going to only do it after I migrated data, swapped Lighttpd for nginx and just rebuilt the server. But my invoice was due and I went ahead and paid another 3 months in Vegas since I had nowhere else to go.
I just seriously never realized how urgent the matter was to everyone, so I had no problem delaying it until I set aside a day to do the migration. But I see now that it's been brought up, it's very important that it gets done ASAP. I'll do it tonight after work.
One problem that might cause some things to break is that you allow users to embed images from external sites, that do not have to be secure.
This problem could be solved by making them upload them to vpsBoard or making it be from a https enabled server.
This problem could be solved by making them upload them to vpsBoard or making it be from a https enabled server.