Implemented SSL / HTTPS Integration

This suggestion has been implemented. Votes are no longer accepted.
After thinking about this more, there is one major problem that we have experienced with running sites across SSL that others would experience if they ran the whole XenForo site on SSL. Any user content that's embedded in a post that's on a non-secure server will generate an alert that the user would have to confirm (or it wouldn't load at all). It's a "feature" of the browser that results in a horrible user experience. That's why tools like Google Analytics and other JavaScript tools check the URL to see if they need to deliver their content across port 80 or 443 to avoid this problem.

Code:
g.src = ('https:' == d.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';


--Ed
 

This.

SSL can only really be used in places where users can't link to external content, such as the login/registration page and perhaps when posting messages.
 
I have been using HTTPS on XenForo for a few weeks now and it works fine, with no noticeable slowdowns.
Internet Explorer grumbles the most about mixing HTTP and HTTPS content, but you can disable the warning.
Firefox isn't as fussy and is working fine on my SSL-secured site, although I am having to leave HTTP open for use with ForumRunner, as it doesn't support HTTPS.

To get Chrome to not show the crossed-out HTTPS icon, I have had to do some template edits and phrase edits to turn any embedded HTTP:// references into HTTPS:// versions, which may not work of course.
I don't use the Facebook, Twitter or Google Analytics features, so it's not a problem for me.

If you paste YouTube links (which use HTTP), it brings back the warning about mixing HTTPS and HTTP, but you get used to ignoring any warnings.

I haven't made my mind up yet about using HTTPS, but it's not looking too bad. I just hope ForumRunner works with HTTPS in future and I can then enforce SSL for everything.
 
I'm not just talking server content that can be modified. (javascript files, etc) You'll also get the warning for any external photos that are embedded on a post. (sites like Flickr, etc)

While it's not as much an issue for a savvy user, try getting a novice user to disable the warnings - it's never going to happen. Same thing with expecting them to "get used to ignoring any warnings" on a site. This might be acceptable to some sites, but for our circumstances it isn't. When we went through our audit with PWC and enabled security, we initially had mixed content. (secured and unsecured content on pages delivered via HTTPS) The amount of emails our support group got in two days was incredible. (which is why we stripped out all external branding on the login/registration pages) One would think that it isn't an issue and people would read the messages that appear but they don't.

Sadly people are not very patient with this type of stuff and will get frustrated and leave if the experience is bad. (these are general web users, not fans in a particular vertical - which are more tolerant of issues) If the core product doesn't support it at some point I'll have to look into creating a plugin that does since this functionality is a requirement for my clients.

-Ed
 

But doesn't the editor have the insert image button? If external content pops up a warning (you also get a warning popup when embedding password-protected content), I would think you would get the same warning if an image in a post submission is from a remote server.
 
Sorry to resurrect this older thread, which seems to have fallen by the wayside, but I'm planning to run XenForo on a domain for which I've purchased an SSL certificate, and am interested in the possibility of using SSL.

Has anyone tested this? I would guess that if XenForo tries to display the image being embedded in the post submission, the poster's browser would probably warn him about the insecure content. (If it only displays the URL, then the warning won't appear.) The problem here is that the poster may ignore the warning (or disable it as gib mentioned) and thereby inflict similar warnings on anyone else who views the thread in question. Those folks may not wish to disable their warnings; worse, they may not understand what the warning means, and may even be frightened by it.

Do we want people to stop visiting our forums because their browser said they're insecure? I don't think so.

One good solution to this would be to globally disallow the embedding of content from other sites. (Is there an admin setting that will do this?) I think I'd prefer to do this anyway, as it will protect my forums from accusations of bandwidth leeching. Making sure all images are hosted locally would also prevent links from breaking down the road. I tend to get really irritated when visiting forums that are riddled with broken links, and I'd like to prevent that sort of thing from happening in my own forums.

If it's possible to globally disallow embedding of external content, then I'm with Mike and Kier: I don't see why I shouldn't restrict the forum site to https only. But if there's an unavoidable possibility that my forum visitors will be showered with warnings about insecure content, I might want to lobby for something analogous to the Force SSL Admin function they've built into WordPress.
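The two approaches raised in this thread (Ed's protocol check before loading a script, and the proposal above to either upgrade embedded HTTP references or disallow external hosts entirely) can be applied to post content server-side before it is rendered. The following is an added example, not XenForo code or anything posted in the thread; the `HTTPS_CAPABLE` host list, the `forum.example.org` host and the sample post HTML are all constructed for illustration.

```javascript
// Added example (not XenForo code): classify URLs embedded in a post the way
// a browser on an https:// page would treat them, then apply one of the two
// policies discussed in the thread: upgrade to https where the host is known
// to serve it, or block every external host so that images stay locally hosted.

const SRC_ATTR = /<(img|script|iframe)\b[^>]*?\ssrc=["']([^"']+)["']/gi;

// Assumption for this example: hosts known to serve the same content over https.
const HTTPS_CAPABLE = new Set(["www.youtube.com", "cdn.example.com"]);

// Extract every src URL from img/script/iframe tags in a post body.
function extractEmbeds(postHtml) {
  const urls = [];
  for (const m of postHtml.matchAll(SRC_ATTR)) urls.push(m[2]);
  return urls;
}

// Decide what an https page does with one embed URL:
//   "secure"    - already https, relative, or protocol-relative
//   "rewritten" - http, but the host is known to serve https, so it is upgraded
//   "mixed"     - http and cannot be upgraded: the browser warns or refuses to load it
//   "blocked"   - external host rejected by the local-only policy
function classifyEmbed(url, { localHost, allowExternal }) {
  let parsed;
  try {
    parsed = new URL(url, `https://${localHost}/`); // relative URLs resolve to the forum itself
  } catch {
    return { url, status: "mixed", reason: "unparseable" };
  }
  if (!allowExternal && parsed.hostname !== localHost) {
    return { url, status: "blocked" };
  }
  if (parsed.protocol === "https:") return { url, status: "secure" };
  if (parsed.protocol !== "http:") return { url, status: "mixed" }; // e.g. ftp:
  if (HTTPS_CAPABLE.has(parsed.hostname) || parsed.hostname === localHost) {
    parsed.protocol = "https:"; // same rewrite the template edits above do by hand
    return { url: parsed.href, status: "rewritten" };
  }
  return { url, status: "mixed" };
}

// Audit a whole post body under a given policy.
function auditPost(postHtml, policy) {
  return extractEmbeds(postHtml).map((u) => classifyEmbed(u, policy));
}
```

Anything that comes back as "mixed" is exactly what would trigger the browser warning the thread describes, so it is the set a forum would want to reject or rehost at submission time rather than leave for every later reader to confirm.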
 
That's an interesting idea, compwhizii. The security implications bear looking into, but it's certainly worth considering.

Thanks for the link!
 
I ended up having the entire forum set through SSL. Soon, the entire site will be processed through SSL. There is a little bit of memory consumption to cache the SSL sessions but nothing important.
 