Private forum with https (SSL) possible?
#1
I wasn't able to find anything on that, are there any tutorials (or problems) known when trying to set up a MyBB forum using SSL (https://) connections?

That leads me to the question, how is the login-information (user, password) currently protected on the transport layer? When I logged into here, it didn't look like it went through https?

Has anyone tried that?

I have full control over my server, so editing Apache conf files etc. wouldn't be a problem. But will MyBB "just deal" with that? Or would I need to go through all the MyBB sources (or database) and replace http:// with https:// (not sure if there are any such "absolute URLs" anyway)?

Thanks for any pointers!
#2
I just use mod rewrite.

Although https on MyBB is rather pointless.
#3
(2012-07-05, 11:25 AM)Matt Fargo Wrote: I just use mod rewrite.

Although https on MyBB is rather pointless.

Why is https pointless on MyBB?
#4
(2012-07-05, 05:26 PM)SlutaTramsa Wrote:
(2012-07-05, 11:25 AM)Matt Fargo Wrote: I just use mod rewrite.

Although https on MyBB is rather pointless.

Why is https pointless on MyBB?

A forum is not a bank. Or typically a store.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#5
(2012-07-05, 05:55 PM)Josh H. Wrote:
(2012-07-05, 05:26 PM)SlutaTramsa Wrote:
(2012-07-05, 11:25 AM)Matt Fargo Wrote: I just use mod rewrite.

Although https on MyBB is rather pointless.

Why is https pointless on MyBB?

A forum is not a bank. Or typically a store.

If you logged on to here at an internet cafe it wouldn't be too hard for me to hijack your session. I don't know about you but I don't like the idea of people accessing my accounts without my prior knowledge and consent.

Providing you have an SSL certificate installed on the server, simply force it to be used via Apache and change the board URL protocol to https instead of http. AFAIK that's all that's required.
No longer involved in the MyBB project.
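The Apache side of the procedure above, as an added example (not from the post's author or from the MyBB project): one plain-http virtual host that uses mod_rewrite to send every request to https, and one TLS virtual host that serves the forum. The hostname, document root and certificate paths are placeholders.

```apache
# Added example, not MyBB's own configuration. Requires mod_rewrite and mod_ssl.
# Plain-http host: never serves the forum, only redirects to the https host.
<VirtualHost *:80>
    ServerName forum.example.com
    RewriteEngine On
    # Redirect permanently, keeping the requested path and query string intact
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# TLS host: the only place the forum's PHP is reachable, so the login form,
# session cookie and private messages are never sent in cleartext.
<VirtualHost *:443>
    ServerName forum.example.com
    DocumentRoot /var/www/mybb              # placeholder path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/forum.example.com.crt    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/forum.example.com.key  # placeholder
</VirtualHost>
```

After reloading Apache, change the board URL in the Admin CP to https://forum.example.com so that the links MyBB generates point at the TLS host and do not bounce through the redirect.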
#6
(2012-07-05, 06:03 PM)Nathan Malcolm Wrote:
(2012-07-05, 05:55 PM)Josh H. Wrote:
(2012-07-05, 05:26 PM)SlutaTramsa Wrote:
(2012-07-05, 11:25 AM)Matt Fargo Wrote: I just use mod rewrite.

Although https on MyBB is rather pointless.

Why is https pointless on MyBB?

A forum is not a bank. Or typically a store.

If you logged on to here at an internet cafe it wouldn't be too hard for me to hijack your session. I don't know about you but I don't like the idea of people accessing my accounts without my prior knowledge and consent.

Providing you have an SSL certificate installed on the server, simply force it to be used via Apache and change the board URL protocol to https instead of http. AFAIK that's all that's required.
I know it's possible. But I just believe it's a little OTT. Sure, I want control of my accounts and who accesses them. But I just think most forum accounts are close to the lamest thing you can hack. Bank accounts, email accounts, shopping accounts, high-level website admin tools (cP/WHM, etc), are much more significant, IMO.

To each their own.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#7
Thank you very much for your inputs,

(2012-07-05, 06:03 PM)Nathan Malcolm Wrote: Providing you have an SSL certificate installed on the server, simply force it to be used via Apache and change the board URL protocol to https instead of http. AFAIK that's all that's required.

doesn't sound too hard.

(2012-07-05, 05:55 PM)Josh H. Wrote: A forum is not a bank. Or typically a store.

I do agree to some extent. But I also do know that many users are using the same username/password combination on many different sites, which is not secure but understandable from a user's perspective since it's harder to remember different logins for say 100 different sites.

And when users enter their passwords, no matter on what site, I think nowadays it is more or less expected that these passwords are handled (transmitted and stored) in a way which makes it at least very hard for someone else to get access to them. And the only way I know to do that on a website is to use https.

To be honest, I was very shocked when I registered at a mailing list and they automatically sent an email to me every month with my username and plaintext password. I think login information should really be handled more responsibly at a time where every script kid knows how to use network sniffers and packet analysers.
#8
SSL is pointless on a forum, all it does is encrypt the traffic between the client and the server; as someone else said earlier in this thread, "A forum is not a bank".

You are not secure just because SSL is enabled on your server, if someone wants to get hold of your users passwords then they would probably do some sort of brute force.

Instead of SSL, use more sophisticated passwords, and preferably not the same password for all the different services (ftp, ssh, mysql, phpmyadmin etc). Also encourage your users to use more difficult characters in their passwords, like ASCII characters mixed with capitalized letters as well as numbers. You will be more secure by doing that than by using an SSL connection on your server; it would spare you both time and money, as SSL requires its own IP address to work properly.
#9
(2012-07-09, 06:30 AM)bowkilled Wrote: all it does is encrypt the traffic between the client and the server...

That's my whole point. Of course educating people to use strong passwords is good. But even if they use strong passwords, anywhere between the client and the server, someone could easily analyse the traffic and get the (strong or not) passwords to do all sorts of evil things.

As I understand SSL (correct me if I'm wrong), that makes these sorts of attacks almost impossible.

(2012-07-09, 06:30 AM)bowkilled Wrote: You are not secure just because SSL is enabled on your server, if someone wants to get hold of your users passwords then they would probably do some sort of brute force.

I do understand that SSL does not protect against brute force, social engineering or other attacks. But at least it transmits the login info and the private (sic!) messages of my forum's users, the contents of the Admin CP, etc, etc securely across the internet.

(2012-07-09, 06:30 AM)bowkilled Wrote: Instead of SSL, use more sophisticated passwords, and preferably not the same password for all the different services (ftp, ssh, mysql, phpmyadmin etc).

I already did that. But intercepting more sophisticated passwords is as easy as intercepting dumb passwords.

(2012-07-09, 06:30 AM)bowkilled Wrote: ...it would spare you both time and money, as SSL requires its own IP address to work properly.

I'll investigate that... yesterday I switched my forum to SSL and it seemed to work fine. I haven't tried having non-HTTPS sites on the same IP address, maybe I never will.
#10
(2012-07-10, 01:27 AM)FriendFX Wrote:
(2012-07-09, 06:30 AM)bowkilled Wrote: all it does is encrypt the traffic between the client and the server...

That's my whole point. Of course educating people to use strong passwords is good. But even if they use strong passwords, anywhere between the client and the server, someone could easily analyse the traffic and get the (strong or not) passwords to do all sorts of evil things.

As I understand SSL (correct me if I'm wrong), that makes these sorts of attacks almost impossible.

(2012-07-09, 06:30 AM)bowkilled Wrote: You are not secure just because SSL is enabled on your server, if someone wants to get hold of your users passwords then they would probably do some sort of brute force.

I do understand that SSL does not protect against brute force, social engineering or other attacks. But at least it transmits the login info and the private (sic!) messages of my forum's users, the contents of the Admin CP, etc, etc securely across the internet.

(2012-07-09, 06:30 AM)bowkilled Wrote: Instead of SSL, use more sophisticated passwords, and preferably not the same password for all the different services (ftp, ssh, mysql, phpmyadmin etc).

I already did that. But intercepting more sophisticated passwords is as easy as intercepting dumb passwords.

(2012-07-09, 06:30 AM)bowkilled Wrote: ...it would spare you both time and money, as SSL requires its own IP address to work properly.

I'll investigate that... yesterday I switched my forum to SSL and it seemed to work fine. I haven't tried having non-HTTPS sites on the same IP address, maybe I never will.

SSL will ensure you and your visitors that they will remain safe from MITM attacks and phishing; however, if your site gets DNS poisoned then SSL wouldn't help against it, since a DNS hijacking tricks the domain into serving the traffic over to another IP address.

If you had a site which served ecommerce, then an SSL solution would be more appealing, since there is more sensitive data being sent to the server.

WHMCS were attacked this year, pretty early I think. WHMCS systems store their customers' bank details and credit card numbers in a DB (encrypted); I believe there were around 500.000 customer details that were stolen.

What I am saying here is that you are never safe from any attack; the only protection you have is to predict and prevent the attack from happening.
