SSL option for Chat essential

[Ozpicious]

Am I missing a setting somewhere or something as I cannot find anywhere an option to run the chat through an ssl connection to the invision chat servers?? Can someone please point me in the right direction or if the option isn't there please explain why not, as in this day and age a chat without an SSL option is absurd especially a paid one....

[Rhett]

Hello, SSL for chat is not an option currently I'm afraid.

Thank you

[Joriz]

I also send a ticket to IPS to make clear that SSL needs to be added to IP.Chat. It is a shame that not everything of IPS works via SSL to comply with EU privacy regulation. The EU privacy regulation says that all personal details such as name and address should be send encrypted.

[bfarber]

Your name and address are not sent to the chat servers, FYI. Neither are cookies. What personal details are sent to the chat service that are covered by this regulation?

[Joriz]

Here in Europe there are more strict privacy and human rights laws which protect the privacy of the citizen. It might have something to do with world war two and the cold war where personal details were heavily misused.

The following information are personal details according to Dutch law:

• Direct personal details: name, birthday, address, sex …
• Indirect personal details: For example the profit of my business can indirectly say if I am rich.
• Special details: Race, believe, political party, health, crime records etc… (These are forbidden to be collected in most cases)

An IP address can also been seen as a personal detail, but it depends on the case and it is up to a judge to decide if you are handling personal data the right way.

Because of the Dutch privacy law in most cases a registration at the Dutch Data Protection Authority is needed if you store, transfer or make use of these data, but this is not important for this discussion.

The point is that except from most nonsense in the chat personal details are shared within the chat by users and is certainly shared if someone is in a private chat with someone else. Also the forum name of a person can be his/her own name and so be a direct personal detail.

I find it very important to try to comply with EU/Dutch law, but I find it more important that chat details can’t be intercepted by criminals, government or other third parties.

There are since a few years American/EU laws which makes it easier to comply with European laws. For more information see:

• US-EU Safe Harbor
• Data Protection Directive (Directive 95/46/EC)

[Cyrem]

It might have something to do with world war two and the cold war where personal details were heavily misused.

Thats hardly the reason.

[bfarber]

Here in Europe there are more strict privacy and human rights laws which protect the privacy of the citizen. It might have something to do with world war two and the cold war where personal details were heavily misused.

The following information are personal details according to Dutch law:

• Direct personal details: name, birthday, address, sex …
• Indirect personal details: For example the profit of my business can indirectly say if I am rich.
• Special details: Race, believe, political party, health, crime records etc… (These are forbidden to be collected in most cases)

An IP address can also been seen as a personal detail, but it depends on the case and it is up to a judge to decide if you are handling personal data the right way.

Because of the Dutch privacy law in most cases a registration at the Dutch Data Protection Authority is needed if you store, transfer or make use of these data, but this is not important for this discussion.

The point is that except from most nonsense in the chat personal details are shared within the chat by users and is certainly shared if someone is in a

private chat

with someone else. Also the forum name of a person can be his/her own name and so be a direct personal detail.

I find it very important to try to comply with EU/Dutch law, but I find it more important that chat details can’t be intercepted by criminals, government or other third parties.

There are since a few years American/EU laws which makes it easier to comply with European laws. For more information see:

• US-EU Safe Harbor
• Data Protection Directive (Directive 95/46/EC)

By your logic, ANY transmission of any data on the internet should automatically be assumed to be personal details?

The chat software does not collect name, birthday, address, age, etc. It does not collect any information from the user, nor is any profile information beyond the username sent to our servers. No indirect personal details are sent either. You can watch your browser network calls using a tool like Firebug to see exactly what is passed back and forth. No special details are sent or included either. No IP address is included in the transmission (however by the very nature of network transmissions, an IP address is known - this is simply how networking works...that said, your site is not transmitting it to our services and we do not store it).

The very basic reality is...the only that is sent to our servers is (1) the username, and (2) what the user types out. It is a chat service. By it's very nature, the message that the user is submitting HAS to be transmitted across the internet in order to reach the recipient. If they choose to include personal details in that message, that's fine, but there is literally no way to stop that. That would be akin to someone emailing personal details to someone else - there is no way for the email provider to not transmit them if that is what the user is emailing.

Nevertheless, you should comply with any local laws of course, and if you feel IP.Chat might be in violation of your laws I can only recommend you find a service that doesn't. I am unsure of any chat services that can transmit chat messages without...transmitting the chat message...however.

Do you run your entire site in SSL? What happens if someone makes a post that includes personal details in it? If all personal details must be encrypted and you are mentioning someone sending a chat message that they happened to type these details out in violating the privacy laws, surely if a user posted them to a forum it is the same scenario. Under such a situation, every EU site that accepts any textual submission must always be run under SSL in that case?

[Ryan H.]

What about sites that are full-SSL? Chat users just have to live with a 'unsecure elements' warning (if it works at all)?

I don't use chat, I could hardly care less about it, and I don't know what intricacies might be involved in implementing SSL support on the master side... but this seems a bit short-sighted.

[bfarber]

What about sites that are full-SSL? Chat users just have to live with a 'unsecure elements' warning (if it works at all)?

I don't use chat, I could hardly care less about it, and I don't know what intricacies might be involved in implementing SSL support on the master side... but this seems a bit short-sighted.

That is secondary to this issue. Supporting SSL when the site is fully SSL is one thing. I'm trying to gauge the need for an option that would force chat under SSL but no where else.

[Dmacleo]

That is secondary to this issue. Supporting SSL when the site is fully SSL is one thing. I'm trying to gauge the need for an option that would force chat under SSL but no where else.

my impression was he was ssl except for chat.

however if some run ssl and some don't wouldn't you have to account for both methods and add complexity?

basically a site on ssl on one domain would look to connect to chat server ssl on another domain (really it is) also but how would the chain work there?

and multiserver certs are expensive.

[Ozpicious]

Yes we do run ours in full SSL as do many others now days and most users seem to want it that way which is perfectly understandable imo and I'm sure plenty would agree. Whats the issue with purchasing an SSL cert for the chat server/s? I'm sure the invision budget could allow for it somewhere especially given that as previously mentioned it seems absurd the option isn't there... In fact the option to run most live chat services through ssl has been a part of them for as long I can remember, the IP.CHat would have to be one of the only chats I know that doesn't have this option but we are restricted to using any other chats as invision no longer integrates easily with them and extra coding is required for most.

Please provide the option it's a feature long long overdue for the IP.Chat and would no doubt ensure more sales of it and happy reports as currently I have to admit IP.Chat is the last chat I recommend anyone use unless they absolutely have no other choice...

[bfarber]

Ok, I misunderstood. Supporting SSL inherently when your site is already SSL is one thing - and something we can explore down the road. I thought you were asking for an option to use SSL ONLY for IP.Chat pages (i.e. and not IP.Board pages), which seemed to make little sense to me.

For the record, there are several other chat solutions available in the marketplace. We don't restrict anyone to using our solution if it's not what best suits their purposes. :) Updates to IP.Chat will be forthcoming however.

[Joriz]

SSL as optional feature in IP.Chat would be great.

Currently some of our usergroups can visit our website 100% over SSL (except the chat). We try to make our website 100% available for all user groups over SSL.

Because personal details are also sometimes discussed in (private) chats we would like to see that IP.Chat supports SSL as extra feature.

[Ozpicious]

Would be fantastic if the chat got this option made available in the coming 4.0 suite

[Jelly Belly™]

SSL as optional feature in IP.Chat would be great.

SSL as an optional feature across the whole suite would be even better

[Christian M.]

SSL as an optional feature across the whole suite would be even better

it would be a pain, because then there would be 3rd party mods that would have to convert to some extent.

[Ozpicious]

SSL as an optional feature across the whole suite would be even better

I agree and have also added to your other topic here '?do=embed' frameborder='0' data-embedContent>> regarding the suite and SSL

[bfarber]

You can already implement SSL across the full suite (except some external communications) by changing your board_url in conf_global.php. Just make it https:// instead of http://, and then update any URLs in the ACP as well (upload url, etc.).

[Joriz]

Since today Firefox 23.0 doesn't show unprotected content anymore on secured websites. This means that a part of our members who visit our website secure can't use the chat. I see this as a problem and I hope that Invision Power Baord can add SSL support to the chat service soon. My experience tells me that this can be done without much work and cost. Thanks very much for adding SSL support :smile:

The chat now only tells secure visitors to please wait while we load the chatroom ..

Only when you press the small shield icon (see image) you can unblock the unsecure content (chat service) for once. So every time a visitor has to use this function in Firefox (if they are even able to find it)

[Hyphae.Network]

It sounds like this topic has already been beat to death, so I'll toss my pennies in and HOPE it gets added ASAP.

SSL is not an option anymore, it's a requirement. I have 3 letters: NSA.

It doesn't matter what you're discussing, what information gets sent, what doesn't - when you have plain text traversing a network ANYONE can see what's being sent. With all the drag netting going on lately I feel SSL should be a required standard on ALL web traffic regardless of content.

This isn't a conspiracy theory, it's common sense, and not supporting it is just lazy imho. What do we need? Some configuration changes on the server and an SSL cert? For a product that we're all paying extra for any way I would think cost isn't a factor as we the customers are footing the bill, and clearly SSL is something people want across the board.

If this were a free value added service I could see the pushback, but it isn't. So please find the time to add support for this. Thank you.

[Dmacleo]

it is free service as long as only 5 online.

[bfarber]

1) Chat is, in fact, a free value added service for the vast majority of our clients. Every client gets a free 5 user chat room, which is of course the most popular usage of IP.Chat.

2) There isn't any push back. :) Perhaps you have misinterpreted my responses (or someone else's). An option was requested (or seemed to be) to allow *just* IP.Chat to run under SSL when the rest of the site does not. I indicated that this seemed to make little sense to me, however that allowing chat itself to run under SSL when the site is also running under SSL is something we can explore in an upcoming version. I'm not sure what else we can say about that right now.

[Hyphae.Network]

I apologize then as I was unaware of your usage statistics - my assumption was that more people pay for additional users, especially those with a very large forum base. For those of us who are paying for more, speaking for my limited IPB customers only of course, I would love to have the chat application fall in line with the rest of the applications - in that they all work under SSL except the ip.chat app. For those of us who run 100% SSL sites it would increase the trust and usability in your full product line.

[Ozpicious]

2) ... SSL is something we can explore in an upcoming version. I'm not sure what else we can say about that right now.

Excellent I and obviously plenty of others hope SSL is a part of the next chat update and look forward to it, in the meantime however I continue to look for a decent alternative that integrates with Invision and allows the chat to connect via SSL.

This issue has increased lately due to recent browser updates which now automatically block insecure page elements and as in the case of firefox don't make it obvious to the user leaving them to hunt out a shield in the address bar. >

[Ozpicious]

When is this happening??? Meanwhile any of us who care about our members privacy and use SSL continue to lose chat members... Surely you could fix this with a simple update. Its gone beyond unacceptable the time we've all had to wait for this to be rectified. :mad: