HTTPS?

[RobParker]

We had one of our users message us with this:

Lack of HTTPS
Howdy, I was wondering why there is no HTTPS for the login page. That seems wildly insecure and a bit negligent. You can get a free SSL certificate from LetsEncrypt if price was an issue:
https://letsencrypt.org/

I'm a sys admin so I can give pointers or advice if you need assistance to install. There is a great community here but it's scary to think how many people's passwords are sent in clear text whenever they log in. Please consider adding an SSL certificate.

My understanding was that HTTPS was overkill and not really needed. Has that changed?

 

[snoopy5]

yes.

 

[RobParker]

Yes what?

 

[snoopy5]

Has that changed?

yes.

Google punishes you, if you do not use https and with the new GDPR you are not in line with law if you do not use SSL on your domainname.

 

[RobParker]

I don't particularly care about SEO in this instance. And SSL is not a requirement under GDPR (and I don't want another GDPR debate).

I'm purely asking about security. Is Xenforo's standard security "weak" and is the message above correct? I thought passwords were hashed and salted, making his comment factually incorrect.

 

[snoopy5]

And SSL is not a requirement under GDPR

It is. You need SSL for your contact form and your registration form. Since it is more work to make it only for those two things, it is easier to make the whole domain SSL.

There are free SSL services out there. It is a 30 second implementation. So not worth risking anythimg...

 

[Kirby]

I don't particularly care about SEO in this instance. And SSL is not a requirement under GDPR (and I don't want another GDPR debate).

It is whenevener PII is being transmitted, eg. at least for login and contact us, might also be the case for user profiles etc.
You really should put your whole site on HTTP/2, this also improves performance.

I'm purely asking about security. Is Xenforo's standard security "weak" and is the message above correct?

In order to support multiple authentication systems XenFor does transmit passwords in plaintext.

I thought passwords were hashed and salted, making his comment factually incorrect.

In the databae, not when the user logs in.

 

[RobParker]

GDPR discussion notwithstanding, is SSL considered a requirement to have XF secure?

 

[Brad Padgett]

I don't believe SSL is a requirement for xenforo security. The main security is going to come from LFD firewall, mod security, cloudflare, and xenforo is secure either way. But it doesn't mean a hacker could not get login details if you don't use SSL. It's definitely possible, just harder to do on a platform as well made as xenforo. It's not necessarily insecure either.

If your worried about traffic getting re-routed, I would still make the switch. With HTTPS rewrites or cloudflares https rewrite feature you should be okay. It is that time and age where everyone is starting to use SSL. Back a few years ago it was more common not to use it but in this day and age it's important to have it. I have heard things that traffic isn't as good when you first make the switch and I haven't experienced this to know if it's true but I'm sure after the first bit you should be okay. Just might take a little while.

 

[ge66]

Google likes SSL more and more, passwords get sent in plain text without it. I have waited a long time but changed to https a couple of days ago. My users either liked it or probably didn't care about the change. I partly did it to show I care about security.
I changed domain name at the same time, having to redirect anyway, most of my users did not even see the change.

 

[Kirby]

GDPR discussion notwithstanding, is SSL considered a requirement to have XF secure?

SSL? No. That is old, deprecated, unsecure technology. HTTPS eg. TLS? Yes, otherwise passwords are being transmitted in plaintext.

 

[Mr Lucky]

GDPR discussion notwithstanding, is SSL considered a requirement to have XF secure?

Notwithstanding any of the above, it seems to be a requirement of keeping your members happy and confident, as one of your members has already mentioned it with concern.

Browsers will be informing users the site is not secure, so you could lose active members and new signups.

 

[RobParker]

Notwithstanding any of the above, it seems to be a requirement of keeping your members happy and confident, as one of your members has already mentioned it with concern.

Browsers will be informing users the site is not secure, so you could lose active members and new signups.

Yeah I appreciate all of that.

I just want to be sure about the real security concerns vs all the other concerns (perception, GDPR, performance, SEO, etc).

 

[imno007]

Yeah I appreciate all of that.

I just want to be sure about the real security concerns vs all the other concerns (perception, GDPR, performance, SEO, etc).

Yeah, I ran a site for a decade without it and never had any problems, but because browsers are now by default scaring everyone into believing that they're in imminent danger.... Not saying it isn't more secure, just that probably no one is in any more danger than they were a couple years ago. But best to just get it over with and flow with the times.

 

[Evaelis]

The security issue is not for your infrastructure. HTTPS is not about adding a layer of security to your installation, it is about keeping the content secret (what the user is reading, what link he is on, the username and password he send) and ensure that your user receives what you send and not a modified version of it.

 

[motowebmaster]

Technologies like QUIC and HTTP/2 are good reasons for a site owner to implement SSL.

 

[ichpen]

Chrome is definitely now getting aggressive at scaring folks.
https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl

Though I laugh at the verbiage and implications that an https site is somehow more 'secure'. It is what it is.