MyBB Community Forums

Full Version: Force boards to use HTTPS
I think that MyBB 2.0 should refuse to install if the connection is not over HTTPS. It should also disallow any use of HTTP (including edits to templates trying to link to HTTP resource). For maximum enforcement the software should check that the certificate is valid and the enforced HTTPS works as expected and show a "denied - admin fix https to continue", it should check the SSL labs and deny if the score is below A+. This would result in a more secure web since every forum only is required to use HTTPS. Thoughts?
(2017-07-07, 10:46 PM)Lunorian Wrote: [ -> ]I think that MyBB 2.0 should refuse to install if the connection is not over HTTPS. It should also disallow any use of HTTP (including edits to templates trying to link to HTTP resource). For maximum enforcement the software should check that the certificate is valid and the enforced HTTPS works as expected and show a "denied - admin fix https to continue", it should check the SSL labs and deny if the score is below A+. This would result in a more secure web since every forum only is required to use HTTPS. Thoughts?

we should make using https as easy as possible within mybb, but forcing it on users is a bad idea, especially if it calls on a 3rd party service to check its configuration. what if SSL Labs goes down or changes a config or something?
MyBB usually values preserving high extensibility over enforcing anything on board administrators (recent example: https://github.com/mybb/mybb/issues/2691) and these suggestions sound extreme to say the least.
Beside making sure 2.x follows best practices out of the box we will put emphasis on security and HTTPS usage on the support side, however.
(2017-07-07, 10:46 PM)Lunorian Wrote: [ -> ]I think that MyBB 2.0 should refuse to install if the connection is not over HTTPS.

No. Simply, no.

I want to install MyBB on my localhost. How the hell do I do that? There's absolutely no reason why I should use SSL on my own computer for connections that are not over the internet.

Make it easy to switch to HTTPS, yes. But do not force it.
An https web is well on its way, thanks to Let's Encrypt. No need to enforce anything.
But some board owners are lazy and won't enable HTTPS. We could build in our own version of SSLLabs but if we force owners to use HTTPS then the web will be more safe.
(2017-07-08, 03:49 PM)Lunorian Wrote: [ -> ]But some board owners are lazy and won't enable HTTPS. We could build in our own version of SSLLabs but if we force owners to use HTTPS then the web will be more safe.

being lazy is not something the mybb staff should have to contend with. if someone wants to run a forum without https, that's on them and their visitors.

also, the mybb team is small enough. the amount of overhead that would be involved with 'forcing https' would be staggering for us. on top of that, there's no need to reinvent the SSL Labs wheel...
(2017-07-08, 03:49 PM)Lunorian Wrote: [ -> ]if we force owners to use HTTPS then the web will be more safe.

How? All TLS does is to encrypt the connection between a client and server. Having HTTPS on your forum prevents someone sitting on the same network as your users and sniffing credentials as they are sent through the wire. Facebook only started using TLS to stop people sitting in coffee shops running Wireshark as a method to hack accounts.

It doesn't increase the actual security of your website or server. TLS does nothing to protect against SQLi, XSS or RCE. We should be pushing for software developers to be properly auditing their code rather than 'force boards to use HTTPS'.

Did I mention that OpenSSL and its associated libraries have had 5 major vulnerabilities themselves in the last few years? Of course I'm going to continue using TLS on my own websites and would always recommend other people to do the same but that's all it would ever be, a recommendation.

Modern web browsers such as Firefox (and Chrome?) already warn users when entering credentials on a login page that the connection is not secure. That alone puts the choice solely in the users' hands whether or not they wish to continue using the service/website in question.
(2017-07-08, 07:10 PM)kawaii Wrote: [ -> ]
(2017-07-08, 03:49 PM)Lunorian Wrote: [ -> ]if we force owners to use HTTPS then the web will be more safe.

How? All TLS does is to encrypt the connection between a client and server. Having HTTPS on your forum prevents someone sitting on the same network as your users and sniffing credentials as they are sent through the wire. Facebook only started using TLS to stop people sitting in coffee shops running Wireshark as a method to hack accounts.

It doesn't increase the actual security of your website or server. TLS does nothing to protect against SQLi, XSS or RCE. We should be pushing for software developers to be properly auditing their code rather than 'force boards to use HTTPS'.

Did I mention that OpenSSL and its associated libraries have had 5 major vulnerabilities themselves in the last few years? Of course I'm going to continue using TLS on my own websites and would always recommend other people to do the same but that's all it would ever be, a recommendation.

Modern web browsers such as Firefox (and Chrome?) already warn users when entering credentials on a login page that the connection is not secure. That alone puts the choice solely in the users' hands whether or not they wish to continue using the service/website in question.

I get that but we should be forcing people to participate in a more secure web. Also please don't say not everyone can afford certificates, there's Let's Encrypt and Cloudflare who will provide you with them for free.
(2017-07-08, 10:50 PM)Lunorian Wrote: [ -> ]
(2017-07-08, 07:10 PM)kawaii Wrote: [ -> ]
(2017-07-08, 03:49 PM)Lunorian Wrote: [ -> ]if we force owners to use HTTPS then the web will be more safe.

How? All TLS does is to encrypt the connection between a client and server. Having HTTPS on your forum prevents someone sitting on the same network as your users and sniffing credentials as they are sent through the wire. Facebook only started using TLS to stop people sitting in coffee shops running Wireshark as a method to hack accounts.

It doesn't increase the actual security of your website or server. TLS does nothing to protect against SQLi, XSS or RCE. We should be pushing for software developers to be properly auditing their code rather than 'force boards to use HTTPS'.

Did I mention that OpenSSL and its associated libraries have had 5 major vulnerabilities themselves in the last few years? Of course I'm going to continue using TLS on my own websites and would always recommend other people to do the same but that's all it would ever be, a recommendation.

Modern web browsers such as Firefox (and Chrome?) already warn users when entering credentials on a login page that the connection is not secure. That alone puts the choice solely in the users' hands whether or not they wish to continue using the service/website in question.

I get that but we should be forcing people to participate in a more secure web. Also please don't say not everyone can afford certificates, there's Let's Encrypt and Cloudflare who will provide you with them for free.
Ben already pointed out that many people, myself included, develop on localhost with no need for an SSL cert. Forcing SSL would make developing MyBB plugins waaaaay more difficult for me for absolutely no reason.

Also how would you even implement this? In what way could you stop someone from installing this FROM SOURCE? It is 100% impossible. This isn't a compiled executable. It's literally a zip file. The source code is viewable online in its entirety for free. How exactly do you think that these files could force cancel their installation if someone just deletes the if statement from the source?

All this would do is create confusion and make tons of people just refuse to install MyBB. Why do I need SSL if I just want to install a bunch of different forum frameworks at once to test out how they all work?

I'm with you that everyone should be using HTTPS, but forcing anyone to do anything is exactly the opposite of the point of an open-source project like MyBB imo. Just not something that will or should ever happen, and even if it did it's impossible to enforce. A little textbox that pops up in the ACP if MyBB detects an insecure connection, shows admins a helpful little link to Let's Encrypt and lists a few of the benefits of using SSL, would be way more effective and way less invasive.
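As an added example (not MyBB's own code), one way to implement the non-enforcing ACP notice proposed above, in PHP since that is MyBB's language. The function name, the `$trustedProxies` list and the sample requests are assumptions; it skips the localhost development case raised earlier in the thread and covers the Cloudflare case by trusting `X-Forwarded-Proto` only when the request arrives from a listed proxy address.

```php
<?php
// Added example, not MyBB code. Hypothetical helper: returns the notice text
// to show in the ACP, or null when no notice is warranted.
// $trustedProxies: operator-supplied list of reverse-proxy addresses (e.g. the
// Cloudflare edge) whose X-Forwarded-Proto header may be believed. Requires PHP 8.

function acp_https_notice(array $server, array $trustedProxies = []): ?string
{
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);

    // Local development: no certificate expected, so no nag at all.
    if (in_array($host, ['localhost', '127.0.0.1', '::1'], true)
        || str_ends_with($host, '.localhost')) {
        return null;
    }

    // TLS terminated on this web server.
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // TLS terminated at a trusted proxy. The forwarded header is honoured only
    // when the peer really is that proxy; otherwise any client could send
    // "X-Forwarded-Proto: https" and silence the warning.
    if (!$https
        && isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        $https = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }

    if ($https) {
        return null;
    }

    return 'This board is being served over plain HTTP. Visitors\' passwords and '
         . 'session cookies can be read by anyone on the network path to the '
         . 'server. Free certificates are available from Let\'s Encrypt '
         . '(https://letsencrypt.org/).';
}

// Constructed sample requests (documentation-range addresses) for a self-check.
$direct  = ['HTTP_HOST' => 'forum.example', 'HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9'];
$spoofed = ['HTTP_HOST' => 'forum.example', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '203.0.113.9'];
$proxied = ['HTTP_HOST' => 'forum.example', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '198.51.100.1'];
$local   = ['HTTP_HOST' => 'localhost:8080'];

var_dump(acp_https_notice($direct) === null);                     // direct TLS: no notice
var_dump(acp_https_notice($spoofed) !== null);                    // header from untrusted peer: notice shown
var_dump(acp_https_notice($proxied, ['198.51.100.1']) === null);  // trusted proxy: no notice
var_dump(acp_https_notice($local) === null);                      // local dev: no notice
```

The check is advisory only, which is the point of the post above: it informs the administrator without blocking installation or use.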