Welcome to the Piano World Piano Forums
#2850786 05/21/19 03:20 PM
Joined: Feb 2010
Posts: 5,870
5000 Post Club Member
OP Offline
The PW forum is after all these years still completely unsecured.
* It does not use https, meaning all your communications with pianoworld INCLUDING YOUR PASSWORDS travel around the world for everyone (who has some knowledge) in plain view.
* It refuses connection with Tor ("Your IP address is currently listed in the Stop Forum Spam database as a known spammer/spambot"). But Tor is useless anyway as long as https is disabled.
* Strange thing is that the main pianoworld site IS using https. Nice but it's the wrong way round imho.

Anyone who knows how this can be fixed and push the right buttons? I'm pretty sure this is something that needs to be fixed on the PW website, not my computer/browser...

I know it's not the right subforum. But my posts about this in the general discussion forums have been ignored so far...


wouter79 #2850801 05/21/19 03:44 PM
Joined: Dec 2007
Posts: 19,678
Yikes! 10000 Post Club Member
Offline
So that's why I get a warning every time I write a post (right now) in red ---"Not secure".

wouter79 #2850802 05/21/19 03:45 PM
Joined: May 2015
Posts: 12,370
PW Gold Subscriber
Yikes! 10000 Post Club Member
Offline
Send Frank a PM

wouter79 #2850880 05/21/19 08:32 PM
Joined: Oct 2012
Posts: 2,115
2000 Post Club Member
Online Content
Originally Posted by wouter79

Anyone who knows how this can be fixed and push the right buttons? I'm pretty sure this is something that needs to be fixed on the PW website, not my computer/browser...


I asked Frank about this quite a while back and he mentioned that it had something to do with the fact that if the server serves https: then all the images must also be served via https: and that was an issue with how the site is laid out.

But, yah, this has to be done server-side. Until then, make sure your pianoworld password is not used on any other sites.


Whizbang
amateur ragtime pianist
https://www.youtube.com/user/Aeschala
wouter79 #2850996 05/22/19 06:55 AM
Joined: Mar 2013
Posts: 306
Full Member
Offline
Hopefully the actual passwords are sent securely. I don't think there's been a developer who was that inept in a long time. But you bring up a good reason to NEVER use a password at more than one site. You just don't know who's doing what with it.

wouter79 #2850999 05/22/19 07:27 AM
Joined: Feb 2010
Posts: 5,870
5000 Post Club Member
OP Offline
>Hopefully the actual passwords are sent securely

It's extremely unlikely they are secure.

And this issue is bigger than "just" your password that can be compromised. It affects privacy, causes browser issues, etc.


wouter79 #2852012 05/25/19 07:32 AM
Joined: Mar 2013
Posts: 306
Full Member
Offline
Originally Posted by wouter79
>Hopefully the actual passwords are sent securely

It's extremely unlikely they are secure.

And this issue is bigger than "just" your password that can be compromised. It affects privacy, causes browser issues, etc.


I tried it in Firefox and you're right, the Login Name and Password fields are flagged as not secure.

I haven't noticed any browser issues but I'll defer to you on this one since I try to limit myself to only being completely wrong once per thread. smile

Chrome flags every URL I go to in the domain as insecure. Privacy here isn't that much of a concern to me but I hope it's not scaring others off. I learn a lot here. I certainly hope we're all at least using unique and secure passwords on every site.

wouter79 #2852405 05/26/19 02:13 PM
Joined: Feb 2010
Posts: 5,870
5000 Post Club Member
OP Offline
dobperson, did you get a reply?


wouter79 #2852419 05/26/19 02:46 PM
Joined: May 2015
Posts: 12,370
PW Gold Subscriber
Yikes! 10000 Post Club Member
Offline
Originally Posted by wouter79
dobperson, did you get a reply?


Sorry Wouter that I did make this clear.😢 I was recommending that if this is a concern to you, that you contact Frank by private message. This has been a long-standing issue with Pianoworld, and posting in the general feed will not get the attention nor resolution you need, there have been several similar threads.

I have taken my own security steps by choosing a password that is not used on any other site.

wouter79 #2852707 05/27/19 11:33 AM
Joined: Feb 2010
Posts: 5,870
5000 Post Club Member
OP Offline
I sent a PM to Piano World himself, pointing him to this ticket.

Using a different password is not helping in any way to use Pianoworld in a privacy-safe or secure way.


wouter79 #2852772 05/27/19 01:28 PM
Joined: Jun 2015
Posts: 1,569
1000 Post Club Member
Online Content
Quote
Using a different password is not helping in any way to use Pianoworld in a privacy-safe or secure way.


Privacy? It's a public bbs system, what privacy could there be?

Secure? If you use a unique password, what's the worst thing that could happen? Someone steals your identity on this forum and uses it to post spam is the only thing that I can think of. And if that happens I'm sure an email to Frank would straighten that out in short order.

So what am I not understanding?


If you're a zombie and you know it, bite your friend!
We got both kinds of music: Country and Western!
Casio Celviano AP-650
wouter79 #2852852 05/27/19 05:51 PM
Joined: May 2001
Posts: 6,574
Piano World Founder - Piano Tuner - Pianist
6000 Post Club Member
Offline
The forums have been like this for twenty years.

As long as the password you use here is unique to the forums, it is of no value to anyone else.

The problem is the tens of thousands of images throughout the forums, many of them hosted somewhere else.
Because we have no control over images hosted outside our servers we can't make them secure.

Browsers would get even more cranked up if they see a mixture of secure and non secure.

This is one of the reasons I've always asked members to upload copies of the pictures they want to display onto our servers
so we could host them. (the other reason is images hosted elsewhere tend to disappear over time).

With 2,800,000+ posts and thousands upon thousands of images there is no easy answer.

BTW,
The reason the Piano World site is secure is because I had to rebuild the entire content when I moved it to the WordPress platform.
I spent untold hours changing all the images to https: .

If anyone would like to go through all 2,831,975 posts to fix every image (keeping in mind you will likely not be able to do anything about any images hosted outside our environment unless you get permission to download and upload a copy), feel free to let me know.

I wish we had a better solution.


- Frank B.
Original Founder of Piano World
Owner of...
www.PianoSupplies.com
Maine Piano Man

My Keyboards:
Estonia L-190, Roland RD88, Yamaha P-80, Bilhorn Telescope Organ c 1880, Antique Pump Organ, 1850 concertina, 3 other digital pianos
-------------------------
My original piece on BandCamp: https://frankbaxtermrpianoworld.bandcamp.com/releases

Me banging out some tunes in the Estonia piano booth at the NAMM show...


It's Fun To Play the Piano ... PLEASE Pass It On!



wouter79 #2852973 05/28/19 02:20 AM
Joined: Feb 2010
Posts: 5,870
5000 Post Club Member
OP Offline
Thanks Frank for replying on this.

I'm not an expert but I assume that my browser can figure it out if some picture links are not secure, and then either ignore them or show them depending on my security settings.

But at least my password would then be safe and also my privacy depending on my browser settings.

More advanced, you could do some automatic URL rewriting for external links that converts non-secure picture links into a secure version that routes through the PW website.

Also, if you would fix the access rules plus https, that would allow me to use for instance Tor browser to work around the security issues further.

>The reason the Piano World site is secure ...

I don't quite follow, pianoworld is NOT secure??


wouter79 #2852981 05/28/19 02:42 AM
Joined: Feb 2019
Posts: 573
500 Post Club Member
Offline
Originally Posted by wouter79
Thanks Frank for replying on this.

I'm not an expert but I assume that my browser can figure it out if some picture links are not secure, and then either ignore them or show them depending on my security settings.

But at least my password would then be safe and also my privacy depending on my browser settings.

More advanced, you could do some automatic URL rewriting for external links that converts non-secure picture links into a secure version that routes through the PW website.

Also, if you would fix the access rules plus https, that would allow me to use for instance Tor browser to work around the security issues further.

>The reason the Piano World site is secure ...

I don't quite follow, pianoworld is NOT secure??



I’m pretty sure Frank knows his stuff and has investigated this thoroughly. Nothing more irritating in IT (or anywhere) than armchair experts 😉


Pianist, independent music arranger, violinist, mother
wouter79 #2852991 05/28/19 03:45 AM
Joined: Jan 2017
Posts: 1,488
Gold Subscriber
1000 Post Club Member
Offline
Actually wouter79 is correct. The standard way to fix mixed content issues like this is to make an ssl proxy for images when it’s detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure and then downloads the image itself and then serves it as https. I’m surprised that UBB.threads doesn’t support this out of the box (and I searched a little and it doesn’t appear to) but it’s literally 5 or 6 lines of php to do this. And I like to think I’m not just an “armchair expert” as I write code for a pretty big internet company and do stuff like this a lot smile Actually I’m not sure if Frank would be comfortable but I’d be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.


Now learning: Debussy Clair de Lune, Mozart Sonata in C K. 545, Joplin The Chrysanthemum
Instruments: Yamaha N1X, Roland GO:PIANO, Piano de Voyage
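
The image proxy Chrispy describes above, sketched as an added example (not code from this thread or from UBB.threads): it rewrites plain-http image URLs in post HTML to an HMAC-signed https proxy URL and shows the checks the proxy should make before fetching, so it cannot be used as an open proxy or pointed at internal addresses. The endpoint, key and sample hosts are assumptions, and Python is used here rather than PHP.

```python
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import quote, urlsplit

# Hypothetical values: the proxy endpoint and key are assumptions, not UBB.threads settings.
PROXY_BASE = "https://forum.example.org/imgproxy"
SECRET_KEY = b"constructed-demo-key-rotate-me"

# Matches only plain-http image sources; https images do not match and stay untouched.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")(http://[^"]+)(")', re.IGNORECASE)


def sign(url):
    """HMAC-SHA256 over the exact upstream URL, hex encoded."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(url):
    """Build the https proxy URL that replaces an http:// image URL."""
    return f"{PROXY_BASE}/{sign(url)}?url={quote(url, safe='')}"


def rewrite_post_html(html):
    """Route every plain-http <img src> in rendered post HTML through the proxy."""
    return IMG_SRC.sub(lambda m: m.group(1) + proxy_url(m.group(2)) + m.group(3), html)


def is_public_address(ip_text):
    """True only for globally routable addresses (rejects loopback, RFC 1918, link-local)."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def validate_proxy_request(signature, url, resolved_ips):
    """Checks the proxy runs before fetching; resolved_ips is what DNS returned for the host."""
    if not hmac.compare_digest(sign(url).encode(), signature.encode()):
        return False, "bad signature"        # URL was not issued by the forum
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False, "unsupported scheme"
    if parts.port not in (None, 80):
        return False, "unexpected port"
    if not resolved_ips or not all(is_public_address(ip) for ip in resolved_ips):
        return False, "non-public address"   # would reach internal services
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample post body, not real forum data.
    sample = '<img src="http://img.example.net/piano.jpg"><img src="https://cdn.example.net/ok.png">'
    print(rewrite_post_html(sample))
```

The fetch itself must connect to the address that was validated, and should cap response size and accept only image content types.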
Chrispy #2852993 05/28/19 03:48 AM
Joined: Feb 2019
Posts: 573
500 Post Club Member
Offline
Originally Posted by Chrispy
Actually wouter79 is correct. The standard way to fix mixed content issues like this is to make an ssl proxy for images when it’s detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure and then downloads the image itself and then serves it as https. I’m surprised that UBB.threads doesn’t support this out of the box (and I searched a little and it doesn’t appear to) but it’s literally 5 or 6 lines of php to do this. And I like to think I’m not just an “armchair expert” as I write code for a pretty big internet company and do stuff like this a lot smile Actually I’m not sure if Frank would be comfortable but I’d be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.


I know :-) I'm just figuring there must be a good reason why Frank has not done this?


Pianist, independent music arranger, violinist, mother
Chrispy #2854013 05/30/19 07:54 PM
Joined: May 2001
Posts: 6,574
Piano World Founder - Piano Tuner - Pianist
6000 Post Club Member
Offline
Originally Posted by Chrispy
However, this would increase bandwidth costs slightly so that could be a concern.


There are over 2,800,000 posts, my concern is the additional hits to the server that would slow things down, again.

I'm also not sure how the search engines would treat all these posts if they suddenly became https:// instead of http://
We took a serious hit when we moved from pianoworld.com/forum to forum.pianoworld.com, it took a while to crawl back up the rankings.

And finally, here are a few of the "simple" steps to making the conversion, not including Wouter79's suggestions...

Summary
1) Obtain a valid security certificate from your webhost or a reputable third-party seller. I've purchased many "PositiveSSL" certs from SSLs.com.
2) Install it using SHA-2 and make sure it is configured properly.
3) Update ALL your URLs in the Control Panel or manually in your config.ini file. This includes the Homepage URLs, Contact pages, Referer Check, any forum headers/footers, etc.
4) Run a SQL query on your posts, private messages, user avatars, profile comments tables to replace "http://www.YOURDOMAIN.COM" with "https://www.YOURDOMAIN.COM"
5) Set up HTTP to HTTPS 301 redirects in your .htaccess file to forward from http:// to https://
6) Update all external plugins to ensure they are HTTPS compliant (Shareaholic, twitter, facebook, youtube, ubb custom-tags, and, if your website contains non-UBB.threads content, all those internal site links - trust me you won't find them all in a single pass)
7) Test your website.
BONUS: Update your URLs in google/bing webmaster tools. Update any ads placed on your website, such as Google Adsense. Update any website analytics code.


** MAKE A BACKUP BEFORE YOU BEGIN **


The SQL
** BE VERY CAREFUL OF "POST_DEFAULT_BODY" and "POST_BODY" USAGE - DO NOT INTERCHANGE THEM
• POST_DEFAULT_BODY - [BBcode] This is the original post. CONTENT REBUILDER > REBUILD POSTS takes this and converts it to POST_BODY [HTML]
• POST_BODY - [HTML] This is shown to the user. it is generated from POST_DEFAULT_BODY

To update your POSTS:
* ubbt_POSTS - POST_DEFAULT_BODY
Code

UPDATE ubbt_POSTS
SET POST_DEFAULT_BODY = replace(POST_DEFAULT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_POSTS - POST_BODY
Code

UPDATE ubbt_POSTS
SET POST_BODY = replace(POST_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your PRIVATE MESSAGES:
* ubbt_PRIVATE_MESSAGE_POSTS - POST_DEFAULT_BODY
Code

UPDATE ubbt_PRIVATE_MESSAGE_POSTS
SET POST_DEFAULT_BODY = replace(POST_DEFAULT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_PRIVATE_MESSAGE_POSTS - POST_BODY
Code

UPDATE ubbt_PRIVATE_MESSAGE_POSTS
SET POST_BODY = replace(POST_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your USER AVATARS and PROFILE COMMENTS:
* ubbt_USER_PROFILE - USER_AVATAR
Code

UPDATE ubbt_USER_PROFILE
SET USER_AVATAR = replace(USER_AVATAR, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_PROFILE_COMMENTS - COMMENT_BODY
Code

UPDATE ubbt_PROFILE_COMMENTS
SET COMMENT_BODY = replace(COMMENT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your USER SIGNATURES:
* ubbt_USER_PROFILE - USER_DEFAULT_SIGNATURE
Code

UPDATE ubbt_USER_PROFILE
SET USER_DEFAULT_SIGNATURE = replace(USER_DEFAULT_SIGNATURE, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_USER_PROFILE - USER_SIGNATURE
Code

UPDATE ubbt_USER_PROFILE
SET USER_SIGNATURE = replace(USER_SIGNATURE, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');




HTTP to HTTPS 301 Redirects For Your .htaccess File
Code

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]





Notes and Further Reading
Full URLs (http:// and https://) vs relative URLs (//):
If you want to correctly FULLY go SSL, use the full protocol name of "http://www.YOURDOMAIN.COM" instead of just "//www.YOURDOMAIN.COM"
The reason to use just double slashes instead of the HTTPS protocol declaration, is if you intend to have your secure urls (https) distribute different content than your open urls (http), since both are seen as separate urls on search engines.

If you are switching to HTTPS, it is advised to fully replace all your http protocol references with https, and forward all calls from http to https. Do not allow the browser/end-user to choose http by leaving your protocol blank with an open "//" url.

If the asset you need is available on SSL, then always use the https:// asset:
http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just/27999789#27999789

Why omitting the protocol scheme might not be a good idea:
http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just/37654145#37654145

Sometimes IE7 and IE8 do not correctly handle "//" assets. They look at this as being a file transfer, and will attempt to download the page through a download window. Even though the "//" asset is a spec from 1996/1998
https://www.paulirish.com/2010/the-protocol-relative-url/

Google deprecates protocol relative URLs in place of full protocol URLs for the html5 spec:
https://github.com/h5bp/html5-boilerplate/pull/1694/commits/045a1676c4c8cf4bdd23374b5b049507101f5043

Additional discussions:
http://stackoverflow.com/questions/...h-in-a-script-src-http/37609402#37609402


Google SEO HTTPS Migration Checklist (for the ad and SEO focused)
Source: Search Engine Roundtable
• Update all your ad code to support HTTPS
• Ensure your analytics will work on the new HTTPS URLs
• Update your site search (if not using the inbuilt UBB.threads search methods) to support HTTPS and discover new URLs sooner
• Create and submit your new HTTPS XML sitemaps
• Review the Google site move article
• Verify the new HTTPS site with Google Webmaster Tools and track indexation, crawling, search queries, etc.


Final Steps
• Test your site using the Qualys Lab tool
• Follow up by searching for, and reading additional articles on "http to https site moves," to know what to expect


- Frank B.
Original Founder of Piano World
Owner of...
www.PianoSupplies.com
Maine Piano Man

My Keyboards:
Estonia L-190, Roland RD88, Yamaha P-80, Bilhorn Telescope Organ c 1880, Antique Pump Organ, 1850 concertina, 3 other digital pianos
-------------------------
My original piece on BandCamp: https://frankbaxtermrpianoworld.bandcamp.com/releases

Me banging out some tunes in the Estonia piano booth at the NAMM show...


It's Fun To Play the Piano ... PLEASE Pass It On!
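
An added example (not part of Frank's post or of UBB.threads) for step 4 and for the external-image problem raised earlier in the thread: it inventories the plain-http subresources left in rendered post HTML and sorts them by who can fix them. It assumes MySQL, whose REPLACE() matches case-sensitively, and uses the post's placeholder domain; the sample rows are constructed.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

SQL_PREFIX = "http://www.YOURDOMAIN.COM"   # the literal the UPDATE statements replace
OWN_DOMAIN = "yourdomain.com"              # placeholder domain, as in the post

# Tags that make the browser fetch a URL as part of the page. A plain <a href> is a
# navigation, not a subresource, so it never causes a mixed-content warning.
SUBRESOURCE = {"img": "passive", "script": "active", "iframe": "active"}


def classify(url):
    """Who can fix this http:// URL: the SQL replace, a further replace, or nobody on our side."""
    if url.startswith(SQL_PREFIX):              # REPLACE() matches this exact string
        return "fixed_by_replace"
    host = urlsplit(url).hostname or ""         # hostname is returned lowercased
    if host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN):
        return "own_but_missed"                 # other spelling, case or subdomain
    return "external"                           # needs re-upload or an https proxy


class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (kind, owner, url)

    def handle_starttag(self, tag, attrs):
        kind = SUBRESOURCE.get(tag)
        url = dict(attrs).get("src") or ""
        if kind and url[:7].lower() == "http://":
            self.findings.append((kind, classify(url), url))


def audit_posts(posts):
    """posts: iterable of (post_id, html). Returns (post_id, kind, owner, url) rows."""
    rows = []
    for post_id, html in posts:
        parser = MixedContentAudit()
        parser.feed(html)
        parser.close()
        rows.extend((post_id,) + f for f in parser.findings)
    return rows


# Constructed sample rows standing in for ubbt_POSTS.POST_BODY (not real forum data).
SAMPLE_POSTS = [
    (1, '<img src="http://www.YOURDOMAIN.COM/gallery/a.jpg"> <a href="http://www.example.net/">link</a>'),
    (2, '<img src="http://yourdomain.com/forum/b.png"><img src="https://cdn.example.net/ok.png">'),
    (3, '<img src="http://photos.example.net/c.jpg"><script src="http://widgets.example.net/share.js"></script>'),
]

if __name__ == "__main__":
    rows = audit_posts(SAMPLE_POSTS)
    for row in rows:
        print(row)
    print(Counter((kind, owner) for _, kind, owner, _ in rows))
```

Rows marked own_but_missed need an additional UPDATE with that exact spelling; rows marked external are the ones that need re-hosting or a proxy.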



wouter79 #2854082 05/31/19 01:44 AM
Joined: Mar 2019
Posts: 374
Full Member
Offline
Seems like a reasonably straightforward process.


Chris

Yamaha P-515, Yamaha Reface CP.
Cheshire Chris #2854105 05/31/19 04:46 AM
Joined: Feb 2019
Posts: 573
500 Post Club Member
Offline
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


Pianist, independent music arranger, violinist, mother
ShyPianist #2854116 05/31/19 05:50 AM
Joined: Dec 2007
Posts: 6,374
6000 Post Club Member
Offline
Originally Posted by ShyPianist
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


I pay him, monthly. I used to do IT before I retired. My take on this, is that the longer you delay taking care of it, the worse it will be. And it's not good to get security warnings whenever you visit the forums...

Sam


Back to School at 62: How I earned a BM degree in Piano Performance/Piano Pedagogy in my retirement!
ABF Online Recitals
ABF Recital Index