MyBB Community Forums

Full Version: Force boards to use HTTPS
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
(2017-07-08, 11:04 PM)fizz Wrote: [ -> ]
(2017-07-08, 10:50 PM)Lunorian Wrote: [ -> ]
(2017-07-08, 07:10 PM)kawaii Wrote: [ -> ]
(2017-07-08, 03:49 PM)Lunorian Wrote: [ -> ]if we force owners to use HTTPS then the web will be more safe.

How? All TLS does is to encrypt the connection between a client and server. Having HTTPS on your forum prevents someone sitting on the same network as your users and sniffing credentials as they are sent through the wire. Facebook only started using TLS to stop people sitting in coffee shops running Wireshark as a method to hack accounts.

It doesn't increase the actual security of your website or server. TLS does nothing to protect against SQLi, XSS or RCE. We should be pushing for software developers to be properly auditing their code rather than 'force boards to use HTTPS'.

Did I mention that OpenSSL and it's associated libraries have had 5 major vulnerabilities themselves in the last few years? Of course I'm going to continue using TLS on my own websites and would always recommend other people to do the same but that's all it would ever be, a recommendation.

Modern web browsers such as Firefox (and Chrome?) already warn users when entering credentials on a login page that the connection is not secure. That alone puts the choice solely in the users hands whether or not they wish to continue using the service/website in question.

I get that but we should be forcing people to participate in a more secure web. Also please don't say not everyone can afford certificates, there's let's encrypt, and cloudflare who will provide you with them for free.
Ben already pointed out that many people, myself included, develop on localhost with no need for an SSL cert. Forcing SSL would make developing MyBB plugins waaaaay more difficult for me for absolutely no reason.

Also how would you even implement this? In what way could you stop someone from installing this FROM SOURCE? It is 100% impossible. This isn't a compiled executable. It's literally a zip file. The source code is viewable online in its entirety for free. How exactly do you think that these files could force cancel their  installation if someone just deletes the if statement from the source?

All this would do is create confusion and make tons of  people just refuse to install MyBB. Why do i need SSL if I just want to install a bunch of different forum frameworks at once to test out how they all work?

I'm with you that everyone should be using HTTPS, but forcing anyone to do anything is exactly the opposite of the point of an open-source project like MyBB imo. Just not something that will or should ever happen, and even if it did it's impossible to enforce. A little textbox that pops up in the ACP if MyBB detects an insecure connection could show admins a helpful little link to Let'sEncrypt and list a few of the benefits of using SSL would be way more effective and way less invasive.

Add an exception for localhost AND use a bunch of if statements than just a single one, it'd make it a lot harder for a newbie. Invasive is the best way to force SSL though.
Invasive is irritating.

It's like forcing pop up ads on someone.
(2017-07-09, 09:39 PM)Ben Cousins Wrote: [ -> ]Invasive is irritating.

It's like forcing pop up ads on someone.

Get Adblock problem solved.
(2017-07-09, 11:16 PM)Lunorian Wrote: [ -> ]
(2017-07-09, 09:39 PM)Ben Cousins Wrote: [ -> ]Invasive is irritating.

It's like forcing pop up ads on someone.

Get Adblock problem solved.

You've missed my point.
It is not within MyBB's remit, or really our capabilities, to force people to use SSL/TLS encryption on their boards. We can advise that it is used, we can make it as easy to use as possible (ie: protocol agnostic resource loading in templates), but we should not, and will not, FORCE people to use it.

If people want to run test boards on random URLs on their own server (and not have them crawled or visited) then they should be able to do so without jumping through HTTPS hoops. If people want to develop locally (not everyone uses localhost, if you have a local domain setup) then they should be able to.

We could, perhaps, add a message in the ACP saying "your site is running without SSL/TLS" but that is probably as far as we would go.
We're not going to be forcing people to use SSL. What next, we force people to use Nginx rather than Apache?

Your MyBB 2.0 suggestion has unfortunately been rejected. Your suggestion does not fit with the direction that MyBB is heading in as a project at this time.
Pages: 1 2