SSL disincentive

[DennisR]

I have a forum where the only URL published is via https and I would like to insure that http does not become the norm. There is a bug which encourages users to slip back into http. IMO any thing which works in http and fails in https is a security problem.

When inserting a video, I see (video=youtube)https://www.youtube.com/watch?v=WtPtxz3ef8U(/video)

where I edit the post. I have substituted parenthesis for square brackets to show the code. So, I definitely have specified an https url.

When displayed in the post and preview, the https url above is rendered as an http url and does not display.

Users can see the video if they access my forum via http but not https. This is absolutely the wrong behavior to facilitate.

[dragonexpert]

For now a temporary fix can be to go to the inc/class_parser.php file.

About 3/4 of the way down look for

switch($video)

Change all of the http to https.

[JordanMussi]

We should probably use https by default for the video codes if the sites support it...

[DennisR]

Change all of the http to https.

Did not work. On closer inspection, all of the http stings in that section are to the right of double slash -- meaning I was changing comments, not code.

---

We should probably use https by default for the video codes if the sites support it...

What should NOT happen is that a url entered by the user as https is silently changed to http. That is what happened here. Hence, part of the security issue.

[Rymax99]

This actually isn't a security issue in the slightest, it just displays the warning. You're only encrypting the video stream, not anything important. SSL on a forum is pretty useless in general, but everyone is their one.

On topic, you can fix this rather easily.
To fix it do the following:
-Navigate to the ACP
-Switch to the themes/templates tab
-Click into the templates of your theme(s)
-Go to the very bottom of the page and click 'ungrouped templates'
-Open all of the video_ templates in a new tab (video_dailymotion_embed, video_metacafe_embed, etc.)
-Change the http:// part to https:// as shown below:
Original:

<iframe frameborder="0" width="480" height="270" src="http://www.dailymotion.com/embed/video/{$id}"></iframe>

Replacement:

<iframe frameborder="0" width="480" height="270" src="https://www.dailymotion.com/embed/video/{$id}"></iframe>

You'd simply do that to every template with the video_ prefix replacing http with https.

[DennisR]

... every template with the video_ prefix replacing http with https.

Thank you. This works for me.

[StefanT]

Please note not all video providers support SSL. Therefor be careful when changing all these templates.

[Rymax99]

Please note not all video providers support SSL. Therefor be careful when changing all these templates.

Yeah, I think there was one that I just removed because it was very unpopular and didn't support SSL. I think one was MySpace, it might have been the only one.

[DennisR]

Please note not all video providers support SSL. Therefor be careful when changing all these templates.

I don't think being careful matters. Ordinary http connection simply does not display if the forum is accessed via https. Indeed, accessing a non-SSL video provider with SSL could actually improve things if an overt error is displayed.

It would be nice to be able to delete templates through the Admin CP. I didn't see how. Do I need to hack the data base to remove a template?

[JordanMussi]

Why do you want to delete templates? You can delete templates you've created yourself but not default ones IIRC.