http > https

[marklcfc]

What is the process for transferring from http to https? My hosts said they can set it up on their side but then said:

Quote

you will need to update your website code to use https instead of http for each and every local & remote resource which depending on how well your website is coded

Also is it necessary?

I've been thinking about it for some time and had an email this morning from google which mentioned: 

Quote

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

 

[AndyF]

 

[marklcfc]

What's the difference between https for logins only and 100% https? Which is recommended here?

[Jacques Corby-Tuech]

19 hours ago, marklcfc said:

What's the difference between https for logins only and 100% https? Which is recommended here?

 

There's really no reason NOT to be serving the entire website over https these days.

[PPlanet]

13 minutes ago, Jacques Corby-Tuech said:

 

There's really no reason NOT to be serving the entire website over https these days.

Well, I tried the other day and the site gradually turned so slow that it almost came to a halt; I reverted it back to http:// (So, I guess that's a reason, and yes I should probably get it seen as to where the problem lies, and eventually I will).

And sorry, while on this topic, is there a way (even via .htaccess) to implement https:// for logins and admin only for IPB 3.4? I would love to try that in the meantime.

[Joy Rex]

51 minutes ago, PPlanet said:

Well, I tried the other day and the site gradually turned so slow that it almost came to a halt; I reverted it back to http:// (So, I guess that's a reason, and yes I should probably get it seen as to where the problem lies, and eventually I will).

And sorry, while on this topic, is there a way (even via .htaccess) to implement https:// for logins and admin only for IPB 3.4? I would love to try that in the meantime.

https:// shouldn't be slowing down your page loading - I would turn it on again, and use Chrome's Developer Tools to determine where the bottleneck is occurring.

[opentype]

2 hours ago, Jacques Corby-Tuech said:

There's really no reason NOT to be serving the entire website over https these days.

I serve 2 IPS sites over SSL and 2 other not. What’s holding me back on these 2 sites:

• no stock option to convert the embedded non-SSL content in tens of thousands of posts to SSL
• the costs of SSL if the the provider doesn’t allow free/external certificates

[PPlanet]

9 hours ago, Joy Rex said:

https:// shouldn't be slowing down your page loading - I would turn it on again, and use Chrome's Developer Tools to determine where the bottleneck is occurring.

Yes, I'm not really sure what was it. I'm not very good at troubleshooting this sort of thing either. For a few hours it went well (even when I think each page load took a tiny bit more in loading probably while the secure connection was negotiated), then when I thought all was fine, I forced the https via .htaccess and submitted it as a new site, new sitemap to Google Webmasters Tools, so unfortunately two things may have happened at once as my site approached peak activity hour. For all I know it could have been Google bots re-indexing the pages.

I use one of those shared Cloudflare certificates, not sure if that matters. I even bought 3 certificates (1 for domain and 2 for subdomains) got my host to install them, just to realise later that Cloudflare only allows you to use your own if you upgrade to their business plan ($200 per month, so that's not an option). I could also buy a certificate from them if I knew it was any better than the shared one they let you use for free. (Does anyone know if it's worth it? It's not that expensive, it costs something like 60 bucks or so a year, and it would cover domain and subdomains)

In any case, as I asked above, does anyone know how to achieve SSL for logins and admin only using .htaccess? (As I'm still using IPB 3.4)

Also using chat for 3.4 will force me to get a way around to connect if I was to have the whole site using SSL (but sadly that problem will be over by May ;))

[sweethoney]

do you want your hole website on sll

[PPlanet]

32 minutes ago, sweethoney said:

do you want your hole website on sll

Are you asking me or the OP? If it's me, then no; at this stage I'd like to try logins and admin only (but since I'm using IPB 3.4 I can't do it so easily from the ACP). If you are asking the OP, my apologies for crashing his thread (but we both have the same needs anyway).

[Tarun]

Having your entire site using https helps to protect visitors from MITM, XSS and other issues. You can add several layers of additional protection, and also get onto the HSTS preload list as well.

https has a very minimal slowdown on page loads. It's worth it, really.

[marklcfc]

My host said

Quote

A basic (free) temporary SSL is already in place and as such, you can already manually navigate to your forum via https:// which currently gives a warning due to there being non secure (non https) resources being called - you'll need to go through these and correct before forcing https as many browsers will refuse to load non secure resources on a secure website.

Does that mean I can turn on ssl for logins only? Or is there other things I need to do?

[opentype]

22 minutes ago, marklcfc said:

Does that mean I can turn on ssl for logins only?

Yes. Not sure what they mean with “temporary” though. 

Quote

Or is there other things I need to do?

You need to check what they said: Once you turn on SSL, you need to be sure that on the affected pages no non-secure content is delivered, e.g. logos, banners and things like that. 

[marklcfc]

I've made the above changes but I'm seeing a few problems.

The board index is secure. Then I enter a forum and that is secure, but then I enter a different forum and that isn't.. also all the topics are not secure.

[Simon Woods]

2 minutes ago, marklcfc said:

I've made the above changes but I'm seeing a few problems.

The board index is secure. Then I enter a forum and that is secure, but then I enter a different forum and that isn't.. also all the topics are not secure.

Yep, sounds right, as your host said:

Quote

you can already manually navigate to your forum via https:// which currently gives a warning due to there being non secure (non https) resources being called

To fix this you need to do what they said next:

Quote

you'll need to go through these and correct before forcing https as many browsers will refuse to load non secure resources on a secure website.

I'm not sure if there is an easier way to do this or if it is only possible by going through each individual resource. This is actually the main reason why I am making this switch at a later point in this year, when I have more time on my hands.

[marklcfc]

I'm not sure what resources they are referring to? I looked at the source and all the http:// links were standard forum links, surely they should have changed to https?

[Nathan Explosion]

Clear forum cache via the support tool -  must be done after you change the URL in conf_global.php 

[marklcfc]

Yes I did that.

On board index for example there are 9 instances of http:// those are

Quote

itemscope itemtype="http://schema.org/WebSite">

itemtype="http://schema.org/SearchAction"

<a href="http://mysite.co.uk" data-navItem-id="1" data-navDefault>

<ul itemscope itemtype="http://schema.org/BreadcrumbList">

<li itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem">

<a title="Home" href='https://www.foxestalk.co.uk/forums/' itemscope itemtype="http://schema.org/Thing" itemprop="item">

<img src="http://abs.twimg.com/sticky/default_profile_images/default_profile_6_normal.png" alt="Innovindil" itemprop="image">

 

 

[ehren.]

5 minutes ago, marklcfc said:

Yes I did that.

On board index for example there are 9 instances of http:// those are

 

http in links and source code isn the issue. The issue is the http resource (the image being loaded from Twitter). That's the only thing you need to fix.

[marklcfc]

5 minutes ago, ehren. said:

http in links and source code isn the issue. The issue is the http resource (the image being loaded from Twitter). That's the only thing you need to fix.

Ok, in that case I assume this is the problem when viewing a forum

Quote

<img src="http://pbs.twimg.com/profile_images/808704406338371584/ZOLm4Azq_normal.jpg" alt="alex26kingpower" itemprop="image">

How do I prevent this being a problem? As I assume quite a few have twitter photos

[marklcfc]

Also when I log out and log back in my username and password is no longer filled out, I have to type it all out again. Is this normal? As it doesn't happen on here.

And adverts don't seem to load (more so on a mobile)

[Joy Rex]

13 hours ago, PPlanet said:

Yes, I'm not really sure what was it. I'm not very good at troubleshooting this sort of thing either. For a few hours it went well (even when I think each page load took a tiny bit more in loading probably while the secure connection was negotiated), then when I thought all was fine, I forced the https via .htaccess and submitted it as a new site, new sitemap to Google Webmasters Tools, so unfortunately two things may have happened at once as my site approached peak activity hour. For all I know it could have been Google bots re-indexing the pages.

I use one of those shared Cloudflare certificates, not sure if that matters. I even bought 3 certificates (1 for domain and 2 for subdomains) got my host to install them, just to realise later that Cloudflare only allows you to use your own if you upgrade to their business plan ($200 per month, so that's not an option). I could also buy a certificate from them if I knew it was any better than the shared one they let you use for free. (Does anyone know if it's worth it? It's not that expensive, it costs something like 60 bucks or so a year, and it would cover domain and subdomains)

In any case, as I asked above, does anyone know how to achieve SSL for logins and admin only using .htaccess? (As I'm still using IPB 3.4)

Also using chat for 3.4 will force me to get a way around to connect if I was to have the whole site using SSL (but sadly that problem will be over by May ;))

I'd advise going 100% SSL; Chrome 56 and other browsers will require it in future; otherwise users will get security warnings.

11 hours ago, Tarun said:

Having your entire site using https helps to protect visitors from MITM, XSS and other issues. You can add several layers of additional protection, and also get onto the HSTS preload list as well.

https has a very minimal slowdown on page loads. It's worth it, really.

Agreed.

2 hours ago, marklcfc said:

I've made the above changes but I'm seeing a few problems.

The board index is secure. Then I enter a forum and that is secure, but then I enter a different forum and that isn't.. also all the topics are not secure.

If you allow your users to post images that are hosted on other sites that don't use HTTPS, this is what is causing the mixed content warnings.

[marklcfc]

Ok, any idea about the log in issue where username/password isn't filled out after the change

[opentype]

16 minutes ago, marklcfc said:

Ok, any idea about the log in issue where username/password isn't filled out after the change

Because http://something.com and https://something.com are completely different addresses. Your browser isn’t supposed to share login data across different addresses. That would be a huge security risk. 

[sweethoney]

It’s the magic of risking everything for a dream that nobody sees but you.”