
Have fucking https

Binner

c00l d00d
Banned
Hi MCM,

I don't like sending non-encrypted data at all - especially when it's login stuff.

MCM is massive, so I'm wondering: Why the fuck is there not an SSL cert?

You can literally put a self-signed SSL cert on the server then enable full SSL on Cloudflare.

Please explain,

Jack
 
Type
Suggestion
Status
Denied
Banned forever. Reason: Scamming (https://builtbybit.com/threads/binner-scam-report.278886/)

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
HTTPS is not just encrypting personal info. I was planning to make a very detailed suggestion on the reasons to get HTTPS, but I lacked the time to do all the proper research.
Cut very short, a main thing is that while on a HTTP connection, your ISP can see what you're doing on a site, and thus basically spy on you no matter what you're doing or whether or not you're in incognito mode (so yes, your ISP would know your tastes if they cared to check). This is not immediately obvious as a reason for MCM to have it, but in the hobbyist research I've been doing it seems a lot of the reasons to NOT get HTTPS (which I believe I agreed with in the past) are not actually true.

This is why my post would need to be so detailed, because it includes some research as well as quotes from public infosec experts. Expect it in the next week or so.
We don't need another suggestion thread similar to the 10 other ones.

The only "con" used to be that AdSense revenue would drop; however, Mick has 0 optimizations (took him 9 months to fix this simple thing) on his AdSense and is losing hundreds of dollars each month by not optimizing his ads properly. This wasn't the case when I managed the forum. Google Ads were properly set up and fully optimized thus adding SSL won't make a noticeable difference due to how bad it is at the moment.

The only thing I'd be concerned about is d3l3t3d being capable of setting this up? It's not as straightforward and the setup can cause irreversible issues if not done properly. - No offense btw
 

andrew65952

Salesman
Premium
Letting you know that a con is that any hacker can sniff your connection to the site because it's an unencrypted port, meaning your password could be stolen, and ISPs can spy on you no matter what, as long as they have the budget... It should be a well-known fact that the NSA have cracked HTTPS and can unscramble any data passed through it and sell it to 3rd party companies like your ISP.
 

poncethecat

yeet
Premium
We don't need another suggestion thread similar to the 10 other ones.

The only "con" used to be that AdSense revenue would drop; however, Mick has 0 optimizations (took him 9 months to fix this simple thing) on his AdSense and is losing hundreds of dollars each month by not optimizing his ads properly. This wasn't the case when I managed the forum. Google Ads were properly set up and fully optimized thus adding SSL won't make a noticeable difference due to how bad it is at the moment.

The only thing I'd be concerned about is d3l3t3d being capable of setting this up? It's not as straightforward and the setup can cause irreversible issues if not done properly. - No offense btw
The issue that I have here is that McM is behind Cloudflare. Cloudflare is literally one-click SSL. You can have a self-signed certificate and use TLS Authenticated Origin Pulls (https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/), and then just set your SSL settings in Cloudflare to "Full", and you're done. It's that simple, and it doesn't affect search engine optimizations because all you need to do is set a 302, and Google will start indexing the https version.
Letting you know that a con is that any hacker can sniff your connection to the site because it's an unencrypted port, meaning your password could be stolen, and ISPs can spy on you no matter what, as long as they have the budget... It should be a well-known fact that the NSA have cracked HTTPS and can unscramble any data passed through it and sell it to 3rd party companies like your ISP.
My friend, TLS v1.2 uses SHA-256, which when you have a big cipher like an HTTP packet, is damn near impossible to crack. If the NSA decided that they wanted to try and crack it, they could only crack one packet at a time, with each one taking many years depending on the size of the packet. On top of this, even if the NSA HAD figured out how to crack SHA-256 easily, they would sure as hell not be wasting it on their own country, and they would take the knowledge and try to use it for counter-espionage. Please check your facts.
With MCM being the site it is, it is not easy to add a SSL certificate for a small MC forums like mine and Fire https://kingmc.us it is easy to add it to as it's not tricky like it is for this site.
All he needs to do is hit a few settings in Cloudflare.
 

Ivain

Master Terraformer
Supreme
We don't need another suggestion thread similar to the 10 other ones.

The only "con" used to be that AdSense revenue would drop; however, Mick has 0 optimizations (took him 9 months to fix this simple thing) on his AdSense and is losing hundreds of dollars each month by not optimizing his ads properly. This wasn't the case when I managed the forum. Google Ads were properly set up and fully optimized thus adding SSL won't make a noticeable difference due to how bad it is at the moment.

The only thing I'd be concerned about is d3l3t3d being capable of setting this up? It's not as straightforward and the setup can cause irreversible issues if not done properly. - No offense btw
The thing is that those 10 suggestion threads all contain roughly the same info as this one, instead of a detailed set of arguments as to why it should be, and debunking the previously given 'arguments' against it.
 

MarkehMe

Letting you know that a con is that any hacker can sniff your connection to the site because it's an unencrypted port, meaning your password could be stolen, and ISPs can spy on you no matter what, as long as they have the budget... It should be a well-known fact that the NSA have cracked HTTPS and can unscramble any data passed through it and sell it to 3rd party companies like your ISP.

This is extremely uneducated. Google I/O does a thing about HTTPS just about every year! This is a good one from 2014. Here are two extremely smart people who know what they are talking about:
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
The issue that I have here is that McM is behind Cloudflare. Cloudflare is literally one-click SSL. You can have a self-signed certificate and use TLS Authenticated Origin Pulls (https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/), and then just set your SSL settings in Cloudflare to "Full", and you're done. It's that simple, and it doesn't affect search engine optimizations because all you need to do is set a 302, and Google will start indexing the https version.
That's inaccurate. You need to proxy external non-HTTPS data and links through a self-hosted proxy to prevent security errors. That's a bit more complicated than just setting it to full.

Do you also realize that not installing a certificate on the server itself makes the Cloudflare SSL pointless? You're essentially giving your users a fake HTTPS because the data between the Cloudflare CDN and server isn't encrypted. Only between the client and Cloudflare is.

Also, SSL puts more load on the server and bandwidth usage will increase heavily since you're tunneling a lot of traffic that doesn't have to do with the website.


The thing is that those 10 suggestion threads all contain roughly the same info as this one, instead of a detailed set of arguments as to why it should be, and debunking the previously given 'arguments' against it.

There's only 1 argument against SSL and that's adsense revenue. As stated before, Mick has done very little optimizations so I doubt he's even going to notice this.

The other 'arguments' against HTTPS are technical complications but for a site of this size, that shouldn't be an issue as I'm sure that there's a team of skilled people who can properly do an SSL implementation.

I don't think Mick needs convincing. I think he's just too lazy/scared to get things rolling due to the past issues with the server. There's roughly 7 pages of suggestions. The last thing he needs is another double post of something he's well aware of.
 

Ivain

Master Terraformer
Supreme
That's inaccurate. You need to proxy external non-HTTPS data and links through a self-hosted proxy to prevent security errors. That's a bit more complicated than just setting it to full.

Do you also realize that not installing a certificate on the server itself makes the Cloudflare SSL pointless? You're essentially giving your users a fake HTTPS because the data between the Cloudflare CDN and server isn't encrypted. Only between the client and Cloudflare is.

Also, SSL puts more load on the server and bandwidth usage will increase heavily since you're tunneling a lot of traffic that doesn't have to do with the website.




There's only 1 argument against SSL and that's adsense revenue. As stated before, Mick has done very little optimizations so I doubt he's even going to notice this.

The other 'arguments' against HTTPS are technical complications but for a site of this size, that shouldn't be an issue as I'm sure that there's a team of skilled people who can properly do an SSL implementation.

I don't think Mick needs convincing. I think he's just too lazy/scared to get things rolling due to the past issues with the server. There's roughly 7 pages of suggestions. The last thing he needs is another double post of something he's well aware of.
Well, he's gonna have to let himself get convinced eventually, since it's about to become the standard. And then MCM will be the archaic, "behind" site.

Just heard from Mick, it's planned to be implemented, and has been for a few weeks.
 

poncethecat

yeet
Premium
That's inaccurate. You need to proxy external non-HTTPS data and links through a self-hosted proxy to prevent security errors. That's a bit more complicated than just setting it to full.

Do you also realize that not installing a certificate on the server itself makes the Cloudflare SSL pointless? You're essentially giving your users a fake HTTPS because the data between the Cloudflare CDN and server isn't encrypted. Only between the client and Cloudflare is.

Also, SSL puts more load on the server and bandwidth usage will increase heavily since you're tunneling a lot of traffic that doesn't have to do with the website.




There's only 1 argument against SSL and that's adsense revenue. As stated before, Mick has done very little optimizations so I doubt he's even going to notice this.

The other 'arguments' against HTTPS are technical complications but for a site of this size, that shouldn't be an issue as I'm sure that there's a team of skilled people who can properly do an SSL implementation.

I don't think Mick needs convincing. I think he's just too lazy/scared to get things rolling due to the past issues with the server. There's roughly 7 pages of suggestions. The last thing he needs is another double post of something he's well aware of.
I'm sure there are plugins that XenForo has to automatically proxy embedded links through itself to prevent mixed content errors. Also, I didn't say not to install a certificate on the server. I said that he should use a self-signed SSL certificate, in combination with TLS Authenticated Origin Pulls. That is 100% ample security, because nobody can access the server over the web unless it is Cloudflare giving it to them, and the connection is encrypted between McM and Cloudflare because of the self-signed certificate.
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
I'm sure there are plugins that XenForo has to automatically proxy embedded links through itself to prevent mixed content errors. Also, I didn't say not to install a certificate on the server. I said that he should use a self-signed SSL certificate, in combination with TLS Authenticated Origin Pulls. That is 100% ample security, because nobody can access the server over the web unless it is Cloudflare giving it to them, and the connection is encrypted between McM and Cloudflare because of the self-signed certificate.
I don't want to go into a lot of technical details.

First of all, XenForo has a built-in proxy which can handle this. The complication with that is that it'll leak the server IP and Cloudflare will be rendered useless as people could use image link trackers to see what IP the image is being loaded from. The solution for that is using an nginx passthrough proxy which will show a server IP which isn't the website but just the proxy. So if someone were to try something evil with the IP that he got from the proxy, it wouldn't affect the whole site but just the proxy. This is just one of the many things that have to be dealt with. You also have to be very careful with things like redirects and other mixed content which isn't handled by the proxy.
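
Added example, not part of the thread and not XenForo or Cloudflare code: the mixed-content concern raised in the posts above can be measured before the switch by listing which tags on a page would still load over plain http once the page itself is https. The page URL, hostnames and sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# How a browser treats an http:// load on an https:// page, per (tag, attribute).
# "active" loads are blocked; "passive" ones are warned on or auto-upgraded;
# "form" marks a submission that would leave the page unencrypted.
RULES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
    ("form", "action"): "form",
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        for name, value in attrs.items():
            kind = RULES.get((tag, name))
            if kind is None:
                continue  # e.g. <a href>: navigation, not a subresource
            if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
                continue  # rel=canonical and similar load nothing
            # Resolve relative and protocol-relative URLs against the page.
            target = urljoin(self.page_url, value.strip())
            if urlsplit(target).scheme == "http":
                self.findings.append((kind, tag, target))

def audit(html, page_url):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; hostnames are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="canonical" href="http://forum.example/threads/1/">
<script src="//cdn.example.net/app.js"></script>
<img src="http://img.example.org/signature.png">
<img src="/data/avatars/1.png">
<a href="http://other.example/">plain link</a>
<form action="http://forum.example/login" method="post"></form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://forum.example/threads/1/"):
        print(*finding)
```

The "passive" findings are the user-embedded images an image proxy would rewrite; "active" and "form" findings have to be fixed at the source.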
 

utaninja

( ̄^ ̄ )ゞ
Supreme
I agree, this should be added. It makes people feel safer. (Yes I'm serious, people have told me that before)
 

FourBitPixel

Former Hypixel Helper
Supreme
HTTPS is not just encrypting personal info. I was planning to make a very detailed suggestion on the reasons to get HTTPS, but I lacked the time to do all the proper research.
Cut very short, a main thing is that while on a HTTP connection, your ISP can see what you're doing on a site, and thus basically spy on you no matter what you're doing or whether or not you're in incognito mode (so yes, your ISP would know your tastes if they cared to check). This is not immediately obvious as a reason for MCM to have it, but in the hobbyist research I've been doing it seems a lot of the reasons to NOT get HTTPS (which I believe I agreed with in the past) are not actually true.

This is why my post would need to be so detailed, because it includes some research as well as quotes from public infosec experts. Expect it in the next week or so.

Shit, may wanna get off P*rn then :whistle: haha.
 

Mick

BuiltByBit Owner
Management
We implemented SSL, but not because of this suggestion which was made as a shitpost.

So uh.. Denied.
 