2017-07-09, 03:39 PM
(2017-07-08, 11:04 PM)fizz Wrote: [ -> ](2017-07-08, 10:50 PM)Lunorian Wrote: [ -> ]Ben already pointed out that many people, myself included, develop on localhost with no need for an SSL cert. Forcing SSL would make developing MyBB plugins waaaaay more difficult for me for absolutely no reason.(2017-07-08, 07:10 PM)kawaii Wrote: [ -> ](2017-07-08, 03:49 PM)Lunorian Wrote: [ -> ]if we force owners to use HTTPS then the web will be more safe.
How? All TLS does is to encrypt the connection between a client and server. Having HTTPS on your forum prevents someone sitting on the same network as your users and sniffing credentials as they are sent through the wire. Facebook only started using TLS to stop people sitting in coffee shops running Wireshark as a method to hack accounts.
It doesn't increase the actual security of your website or server. TLS does nothing to protect against SQLi, XSS or RCE. We should be pushing for software developers to be properly auditing their code rather than 'force boards to use HTTPS'.
Did I mention that OpenSSL and it's associated libraries have had 5 major vulnerabilities themselves in the last few years? Of course I'm going to continue using TLS on my own websites and would always recommend other people to do the same but that's all it would ever be, a recommendation.
Modern web browsers such as Firefox (and Chrome?) already warn users when entering credentials on a login page that the connection is not secure. That alone puts the choice solely in the users hands whether or not they wish to continue using the service/website in question.
I get that but we should be forcing people to participate in a more secure web. Also please don't say not everyone can afford certificates, there's let's encrypt, and cloudflare who will provide you with them for free.
Also how would you even implement this? In what way could you stop someone from installing this FROM SOURCE? It is 100% impossible. This isn't a compiled executable. It's literally a zip file. The source code is viewable online in its entirety for free. How exactly do you think that these files could force cancel their installation if someone just deletes the if statement from the source?
All this would do is create confusion and make tons of people just refuse to install MyBB. Why do i need SSL if I just want to install a bunch of different forum frameworks at once to test out how they all work?
I'm with you that everyone should be using HTTPS, but forcing anyone to do anything is exactly the opposite of the point of an open-source project like MyBB imo. Just not something that will or should ever happen, and even if it did it's impossible to enforce. A little textbox that pops up in the ACP if MyBB detects an insecure connection could show admins a helpful little link to Let'sEncrypt and list a few of the benefits of using SSL would be way more effective and way less invasive.
Add an exception for localhost AND use a bunch of if statements than just a single one, it'd make it a lot harder for a newbie. Invasive is the best way to force SSL though.