HTTPS?

R

RobParker

Well-known member
We had one of our users message us with this:

Lack of HTTPS
Howdy, I was wondering why there is no HTTPS for the login page. That seems wildly insecure and a bit negligent. You can get a free SSL certificate from LetsEncrypt if price was an issue:
https://letsencrypt.org/

I'm a sys admin so I can give pointers or advice if you need assistance to install. There is a great community here but it's scary to think how many people's passwords are sent in clear text whenever they log in. Please consider adding an SSL certificate.
Click to expand...

My understanding was that HTTPS was overkill and not really needed. Has that changed?




 
I don't particularly care about SEO in this instance. And SSL is not a requirement under GDPR (and I don't want another GDPR debate).

I'm purely asking about security. Is Xenforo's standard security "weak" and is the message above correct? I thought passwords were hashed and salted, making his comment factually incorrect.
 
RobParker said:
And SSL is not a requirement under GDPR
Click to expand...

It is. You need SSL for your contact form and your registration form. Since it is more work to make it only for those two things, it is easier to make the whole domain SSL.

There are free SSL services out there. It is a 30 second implementation. So not worth risking anythimg...
 
RobParker said:
I don't particularly care about SEO in this instance. And SSL is not a requirement under GDPR (and I don't want another GDPR debate).
Click to expand...
It is whenevener PII is being transmitted, eg. at least for login and contact us, might also be the case for user profiles etc.
You really should put your whole site on HTTP/2, this also improves performance.

I'm purely asking about security. Is Xenforo's standard security "weak" and is the message above correct?
Click to expand...
In order to support multiple authentication systems XenFor does transmit passwords in plaintext.

I thought passwords were hashed and salted, making his comment factually incorrect.
Click to expand...
In the databae, not when the user logs in.
 
I don't believe SSL is a requirement for xenforo security. The main security is going to come from LFD firewall, mod security, cloudflare, and xenforo is secure either way. But it doesn't mean a hacker could not get login details if you don't use SSL. It's definitely possible, just harder to do on a platform as well made as xenforo. It's not necessarily insecure either.

If your worried about traffic getting re-routed, I would still make the switch. With HTTPS rewrites or cloudflares https rewrite feature you should be okay. It is that time and age where everyone is starting to use SSL. Back a few years ago it was more common not to use it but in this day and age it's important to have it. I have heard things that traffic isn't as good when you first make the switch and I haven't experienced this to know if it's true but I'm sure after the first bit you should be okay. Just might take a little while.
 
Google likes SSL more and more, passwords get sent in plain text without it. I have waited a long time but changed to https a couple of days ago. My users either liked it or probably didn't care about the change. I partly did it to show I care about security.
I changed domain name at the same time, having to redirect anyway, most of my users did not even see the change.
 
RobParker said:
GDPR discussion notwithstanding, is SSL considered a requirement to have XF secure?
Click to expand...
SSL? No. That is old, deprecated, unsecure technology. HTTPS eg. TLS? Yes, otherwise passwords are being transmitted in plaintext.
 
Last edited:
Mr Lucky said:
Notwithstanding any of the above, it seems to be a requirement of keeping your members happy and confident, as one of your members has already mentioned it with concern.

Browsers will be informing users the site is not secure, so you could lose active members and new signups.
Click to expand...

Yeah I appreciate all of that.

I just want to be sure about the real security concerns vs all the other concerns (perception, GDPR, performance, SEO, etc).
 
RobParker said:
Yeah I appreciate all of that.

I just want to be sure about the real security concerns vs all the other concerns (perception, GDPR, performance, SEO, etc).
Click to expand...

Yeah, I ran a site for a decade without it and never had any problems, but because browsers are now by default scaring everyone into believing that they're in imminent danger.... Not saying it isn't more secure, just that probably no one is in any more danger than they were a couple years ago. But best to just get it over with and flow with the times. ;)
 
The security issue is not for your infrastructure. HTTPS is not about adding a layer of security to your installation, it is about keeping the content secret (what the user is reading, what link he is on, the username and password he send) and ensure that your user receives what you send and not a modified version of it.
 
You must log in or register to reply here.

Similar threads

AndyB
Duplicate https://xenforo.com/community/featured/index.rss
Replies
3
Views
70
Jeremy P
Jeremy P
MapleOne
  • Question Question
XF 2.2 Auto Linkify domain names or addresses without the https present.
Replies
1
Views
30
Mr Lucky
Mr Lucky
Marcus
  • Question Question
XF 2.3 BB Code Media Site changes {$id}: https://www to https%3A%2F%2Fwww
Replies
4
Views
90
Marcus
Marcus
Krysteo
  • Question Question
XF 1.1 https and embedded videos
Replies
0
Views
338
Krysteo
Krysteo
K
  • Suggestion Suggestion
Use HTTPS instead of HTTP as fallback / default protocol
Replies
3
Views
365
Kirby
K
Back
Top Bottom