Jump to content

IPBoard 4.0 HTTPS/SSL Related Requests

MGBrose

By MGBrose
in Feedback

Recommended Posts

MGBrose Collaborator

MGBrose

Posted
Posted

I fully acknowledge that both Full site ssl via https in the config file and the current toggle for "login using https/ssl" both work for 3.4, however we are missing a number of features in regards to both using CDN's and more granular control over SSL usage in IPBoard. I suspect that a lack of support for some of these features, especially CDN's, is making it more difficult for admins to utilize https/ssl for their communities.

High Priority:

  • SSL doesnt work properly with CDN's. Many CDN's now support SSL including amazon cloudfront. We should have alternate https/ssl cdn text fields in the backend. Which means we need an alternate ssl urls fields for the following items within general configuration: Images URL, Upload URLS, CSS URL, JS URL,
  • SSL on login shouldnt force inline stylesheet if SSL CDN urls are available (see above).
  • SSL for admin should have its own toggle via acp.

Slightly Lower Priority:

  • SSL isn't optional for the user(outside of login pages if thats enabled), this is nice functionality to have for users to control individually, if they want enhanced security perhaps they could click a special icon that toggles https/ssl mode (or a user profile setting)
  • IPS should consider making all https/ssl toggles (like ssl for logins, and ssl for admin) controllable via a config file to keep admins from potentially locking themselves out with those settings.
Link to comment
Share on other sites
MGBrose Collaborator

MGBrose

Posted
  • Author
Posted

interesting I didnt think that was possible.

Originally as an example of my setup for my site: I was thinking I could do 2 sets of urls

non https --> https (2 seperate urls)

but now that you mention that, as long as it works for me I can simply use
I'll 100% have to give that a shot! The other issue I'm seeing though is that will only work for full sitewide https encryption via config file, not via "use https for logins" because use https for logins still pulls from inline stylesheets.
Link to comment
Share on other sites
GreenLinks Collaborator

GreenLinks

Posted
Posted

interesting I didnt think that was possible.

Originally as an example of my setup for my site: I was thinking I could do 2 sets of urls

non https --> https (2 seperate urls)

but now that you mention that, as long as it works for me I can simply use
I'll 100% have to give that a shot! The other issue I'm seeing though is that will only work for full sitewide https encryption via config file, not via "use https for logins" because use https for logins still pulls from inline stylesheets.

It works flawlessly when you use https for logins also.

Though i also will like to see some improvements for https improvements.

We should be able to define Nexus , Admin and Mod area under SSL for additional security.

Link to comment
Share on other sites
MGBrose Collaborator

MGBrose

Posted
  • Author
Posted

It works flawlessly when you use https for logins also.

Though i also will like to see some improvements for https improvements.

We should be able to define Nexus , Admin and Mod area under SSL for additional security.

I'll have to try it out then. It seems like Nexus is a really popular request in regards to https.

Link to comment
Share on other sites
bfarber Grand Master

bfarber

Posted
Posted

Is there anything specifically in Nexus that should be under SSL but isn't when that setting is toggled to on?

I'm not sure that MOST admins have any real need to enable fine-grained control of SSL on specific pages or applications. Most either want it completely on or off, or want it on for sensitive pages and off on regular pages (to help with efficiency). I think configuring SSL toggles in a granular fashion is overkill and confusing for most of our clients.

Link to comment
Share on other sites
GreenLinks Collaborator

GreenLinks

Posted
Posted

Is there anything specifically in Nexus that should be under SSL but isn't when that setting is toggled to on?

I'm not sure that MOST admins have any real need to enable fine-grained control of SSL on specific pages or applications. Most either want it completely on or off, or want it on for sensitive pages and off on regular pages (to help with efficiency). I think configuring SSL toggles in a granular fashion is overkill and confusing for most of our clients.

It is actually for User Experience.

Facebook also offers an option for end user to run whole site under https for additional security. Offering this can be very beneficial.

Link to comment
Share on other sites
bfarber Grand Master

bfarber

Posted
Posted

It is actually for User Experience.

Facebook also offers an option for end user to run whole site under https for additional security. Offering this can be very beneficial.

This is different from what you suggested though (which was to allow all of Nexus to run under SSL or not). Offering to an end user the option to use the entire site under SSL or not is something we can/would consider separately.

Link to comment
Share on other sites
MGBrose Collaborator

MGBrose

Posted
  • Author
Posted

This is different from what you suggested though (which was to allow all of Nexus to run under SSL or not). Offering to an end user the option to use the entire site under SSL or not is something we can/would consider separately.

bfarber is offering an end user toggle to run the site under ssl possible via ipboard 3.4+ ? If so how would you create a toggle like this?

Seeing a end user toggle would be an amazing feature/capability! Especially with all of the security/government snooping news lately.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...