https
#2850786 05/21/19 03:20 PM
Joined: Feb 2010
Posts: 5,361
5000 Post Club Member
OP Offline
The PW forum is after all these years still completely unsecured.
* It does not use https, meaning all your communications with pianoworld INCLUDING YOUR PASSWORDS travel around the world for everyone (who has some knowledge) in plain view.
* It refuses connection with Tor ("Your IP address is currently listed in the Stop Forum Spam database as a known spammer/spambot"). But Tor is useless anyway as long as https is disabled.
* Strange thing is that the main pianoworld site IS using https. Nice but it's the wrong way round imho.

Anyone who knows how this can be fixed and push the right buttons? I'm pretty sure this is something that needs to be fixed on the PW website, not my computer/browser...

I know it's not the right subforum. But my posts about this in the general discussion forums have been ignored so far...


Re: https
wouter79 #2850801 05/21/19 03:44 PM
Joined: Dec 2007
Posts: 17,856
Yikes! 10000 Post Club Member
Offline
So that's why I get a warning every time I write a post (right now) in red --- "Not secure".

Re: https
wouter79 #2850802 05/21/19 03:45 PM
Joined: May 2015
Posts: 6,059
Silver Subscriber
6000 Post Club Member
Offline
Send Frank a PM


"Music, rich, full of feeling, not soulless, is like a crystal on which the sun falls and brings forth from it a whole rainbow" - F. Chopin
"I never dreamt with my own two hands I could touch the sky" - Sappho

It's ok to be a Work In Progress
Re: https
wouter79 #2850880 05/21/19 08:32 PM
Joined: Oct 2012
Posts: 2,071
2000 Post Club Member
Offline
Originally Posted by wouter79

Anyone who knows how this can be fixed and push the right buttons? I'm pretty sure this is something that needs to be fixed on the PW website, not my computer/browser...


I asked Frank about this quite a while back and he mentioned that it had something to do with the fact that if the server serves https: then all the images must also be served via https: and that was an issue with how the site is laid out.

But, yah, this has to be done server-side. Until then, make sure your pianoworld password is not used on any other sites.


Whizbang
amateur ragtime pianist
https://www.youtube.com/user/Aeschala
Re: https
wouter79 #2850996 05/22/19 06:55 AM
Joined: Mar 2013
Posts: 289
Full Member
Offline
Hopefully the actual passwords are sent securely. I don't think there's been a developer who was that inept in a long time. But you bring up a good reason to NEVER use a password at more than one site. You just don't know who's doing what with it.

Re: https
wouter79 #2850999 05/22/19 07:27 AM
Joined: Feb 2010
Posts: 5,361
5000 Post Club Member
OP Offline
>Hopefully the actual passwords are sent securely

It's extremely unlikely they are secure.

And this issue is bigger than "just" your password that can be compromised. It affects privacy, causes browser issues, etc.


Re: https
wouter79 #2852012 05/25/19 07:32 AM
Joined: Mar 2013
Posts: 289
Full Member
Offline
Originally Posted by wouter79
>Hopefully the actual passwords are sent securely

It's extremely unlikely they are secure.

And this issue is bigger than "just" your password that can be compromised. It affects privacy, causes browser issues, etc.


I tried it in Firefox and you're right, the Login Name and Password fields are flagged as not secure.

I haven't noticed any browser issues but I'll defer to you on this one since I try to limit myself to only being completely wrong once per thread. :)

Chrome flags every URL I go to in the domain as insecure. Privacy here isn't that much of a concern to me but I hope it's not scaring others off. I learn a lot here. I certainly hope we're all at least using unique and secure passwords on every site.

Re: https
wouter79 #2852405 05/26/19 02:13 PM
Joined: Feb 2010
Posts: 5,361
5000 Post Club Member
OP Offline
dobperson, did you get a reply?


Re: https
wouter79 #2852419 05/26/19 02:46 PM
Joined: May 2015
Posts: 6,059
Silver Subscriber
6000 Post Club Member
Offline
Originally Posted by wouter79
dobperson, did you get a reply?


Sorry Wouter that I did make this clear.😢 I was recommending that if this is a concern to you, that you contact Frank by private message. This has been a long-standing issue with Pianoworld, and posting in the general feed will not get the attention nor resolution you need, there have been several similar threads.

I have taken my own security steps by choosing a password that is not used on any other site.

Re: https
wouter79 #2852707 05/27/19 11:33 AM
Joined: Feb 2010
Posts: 5,361
5000 Post Club Member
OP Offline
I sent a PM to Piano World himself, pointing him to this ticket.

Using a different password is not helping in any way to use Pianoworld in a privacy-safe or secure way.


Re: https
wouter79 #2852772 05/27/19 01:28 PM
Joined: Jun 2015
Posts: 989
500 Post Club Member
Offline
Quote
Using a different password is not helping in any way to use Pianoworld in a privacy-safe or secure way.


Privacy? It's a public bbs system, what privacy could there be?

Secure? If you use a unique password, what's the worst thing that could happen? Someone steals your identity on this forum and uses it to post spam is the only thing that I can think of. And if that happens I'm sure an email to Frank would straighten that out in short order.

So what am I not understanding?


If you're a zombie and you know it, bite your friend!
We got both kinds of music: Country and Western!
Casio Celviano AP-650
Re: https
wouter79 #2852852 05/27/19 05:51 PM
Joined: May 2001
Posts: 6,400
Founder - Owner - Host
6000 Post Club Member
Offline
The forums have been like this for twenty years.

As long as the password you use here is unique to the forums, it is of no value to anyone else.

The problem is the tens of thousands of images throughout the forums, many of them hosted somewhere else.
Because we have no control over images hosted outside our servers we can't make them secure.

Browsers would get even more cranked up if they see a mixture of secure and non secure.

This is one of the reasons I've always asked members to upload copies of the pictures they want to display onto our servers
so we could host them. (the other reason is images hosted elsewhere tend to disappear over time).

With 2,800,000+ posts and thousands upon thousands of images there is no easy answer.

BTW,
The reason the Piano World site is secure is because I had to rebuild the entire content when I moved it to the WordPress platform.
I spent untold hours changing all the images to https: .

If anyone would like to go through all 2,831,975 posts to fix every image (keeping in mind you will likely not be able to do anything about any images hosted outside our environment unless you get permission to download and upload a copy), feel free to let me know.

I wish we had a better solution.


- Frank B.
Founder / Owner / Host
PianoWorld.com
www.PianoSupplies.com
Maple Street Music Shop
Find Us On:
Facebook.com/PianoWorldDotCom
ProRecord.info
www.youtube.com/PianoWorldDotCom
www.linkedin.com/in/pianoworld
Skype: PianoWorldDotCom
My Keyboards:
Estonia L-190 w/ ProRecord, Yamaha P-80, Harpsichord (kit), Clavichord (kit), Bilhorn Telescope Organ c 1880, 2 - Antique Pump Organs
-------------------------
It's Fun To Play the Piano ... PLEASE Pass It On!
Please invite every piano enthusiast you know to join our piano forums!


Re: https
wouter79 #2852973 05/28/19 02:20 AM
Joined: Feb 2010
Posts: 5,361
5000 Post Club Member
OP Offline
Thanks Frank for replying on this.

I'm not an expert but I assume that my browser can figure it out if some picture links are not secure, and then either ignore them or show them depending on my security settings.

But at least my password would then be safe and also my privacy depending on my browser settings.

More advanced, you could do some automatic URL rewriting for external links that converts non-secure picture links into a secure version that routes through the PW website.

Also, if you would fix the access rules plus https, that would allow me to use for instance Tor browser to work around the security issues further.

>The reason the Piano World site is secure ...

I don't quite follow, pianoworld is NOT secure??


Re: https
wouter79 #2852981 05/28/19 02:42 AM
Joined: Feb 2019
Posts: 573
500 Post Club Member
Offline
Originally Posted by wouter79
Thanks Frank for replying on this.

I'm not an expert but I assume that my browser can figure it out if some picture links are not secure, and then either ignore them or show them depending on my security settings.

But at least my password would then be safe and also my privacy depending on my browser settings.

More advanced, you could do some automatic URL rewriting for external links that converts non-secure picture links into a secure version that routes through the PW website.

Also, if you would fix the access rules plus https, that would allow me to use for instance Tor browser to work around the security issues further.

>The reason the Piano World site is secure ...

I don't quite follow, pianoworld is NOT secure??



I’m pretty sure Frank knows his stuff and has investigated this thoroughly. Nothing more irritating in IT (or anywhere) than armchair experts 😉


Pianist, independent music arranger, violinist, mother
Re: https
wouter79 #2852991 05/28/19 03:45 AM
Joined: Jan 2017
Posts: 1,368
Gold Subscriber
1000 Post Club Member
Offline
Actually wouter79 is correct. The standard way to fix mixed content issues like this is to make an ssl proxy for images when it’s detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure and then downloads the image itself and then serves it as https. I’m surprised that UBB.threads doesn’t support this out of the box (and I searched a little and doesn’t appear to) but it’s literally 5 or 6 lines of php to do this. And I like to think I’m not just an “armchair expert” as I write code for a pretty big internet company and do stuff like this a lot :) Actually I’m not sure if Frank would be comfortable but I’d be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.


Now learning: Chopin C# minor Nocturne (posth) and C minor Prelude (big chords), Mozart Sonata in C K. 545
Instruments: Yamaha N1X, Kawai ES110, Roland GO:PIANO
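
The image proxy that wouter79 and Chrispy describe above, as an added example (not code from the thread, from UBB.threads or from Piano World). `PROXY_KEY`, `PROXY_BASE`, the `imgproxy.php` path and all function names are assumptions; the sketch signs each rewritten URL and refuses private addresses, so the proxy fetches only images the forum itself linked and cannot be pointed at internal hosts.

```php
<?php
// Added example. PROXY_KEY, PROXY_BASE and the imgproxy.php path are assumptions,
// not UBB.threads settings. Requires the curl and fileinfo extensions.
const PROXY_KEY   = 'CHANGE-ME-long-random-secret';           // placeholder
const PROXY_BASE  = 'https://forum.example.com/imgproxy.php'; // placeholder
const MAX_BYTES   = 5 * 1024 * 1024;
const IMAGE_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

function sign(string $url): string {
    return hash_hmac('sha256', $url, PROXY_KEY);
}

// Render time: point every http:// <img src="..."> at the proxy. The HMAC means
// the proxy only fetches URLs the forum itself emitted, so it is not an open relay.
function rewrite_images(string $html): string {
    return preg_replace_callback(
        '/(<img\b[^>]*?\bsrc=")(http:\/\/[^"]+)(")/i',
        function (array $m): string {
            $url = html_entity_decode($m[2], ENT_QUOTES);
            $qs  = http_build_query(['u' => $url, 's' => sign($url)]);
            return $m[1] . htmlspecialchars(PROXY_BASE . '?' . $qs, ENT_QUOTES) . $m[3];
        },
        $html
    );
}

// Loopback, private and reserved ranges are refused so that a posted image URL
// cannot aim the server at internal services (SSRF).
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Proxy endpoint: check the signature, resolve once and pin the connection to
// that address, never follow redirects, cap the size, sniff the real type.
function serve_image(string $url, string $sig): void {
    if (!hash_equals(sign($url), $sig)) { http_response_code(403); return; }
    $p = parse_url($url);
    if (!is_array($p) || ($p['scheme'] ?? '') !== 'http' || empty($p['host'])) {
        http_response_code(400); return;
    }
    $host = $p['host'];
    $port = $p['port'] ?? 80;
    // gethostbynamel() is IPv4-only; IPv6-only hosts are rejected here.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if (!$ips || !is_public_ip($ips[0])) { http_response_code(403); return; }
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            // Returning less than the chunk length makes curl abort the transfer.
            return strlen($body) > MAX_BYTES ? 0 : strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $type   = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!$ok || $status !== 200 || !in_array($type, IMAGE_TYPES, true)) {
        http_response_code(502); return;
    }
    header("Content-Type: $type");
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample post body: one external http image, one already on https.
    echo rewrite_images('<img src="http://img.example.net/a.jpg?x=1&amp;y=2"> '
        . '<img src="https://cdn.example.org/b.png">'), "\n";
} elseif (isset($_GET['u'], $_GET['s']) && is_string($_GET['u']) && is_string($_GET['s'])) {
    serve_image($_GET['u'], $_GET['s']);
}
```

Run from the command line it prints the rewritten sample markup; served over HTTPS as `imgproxy.php` it answers the signed requests. Caching fetched images on disk would address the extra server load raised in the thread.
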
Re: https
Chrispy #2852993 05/28/19 03:48 AM
Joined: Feb 2019
Posts: 573
500 Post Club Member
Offline
Originally Posted by Chrispy
Actually wouter79 is correct. The standard way to fix mixed content issues like this is to make an ssl proxy for images when it’s detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure and then downloads the image itself and then serves it as https. I’m surprised that UBB.threads doesn’t support this out of the box (and I searched a little and doesn’t appear to) but it’s literally 5 or 6 lines of php to do this. And I like to think I’m not just an “armchair expert” as I write code for a pretty big internet company and do stuff like this a lot :) Actually I’m not sure if Frank would be comfortable but I’d be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.


I know :-) I'm just figuring there must be a good reason why Frank has not done this?


Pianist, independent music arranger, violinist, mother
Re: https
Chrispy #2854013 05/30/19 07:54 PM
Joined: May 2001
Posts: 6,400
Founder - Owner - Host
6000 Post Club Member
Offline
Originally Posted by Chrispy
However, this would increase bandwidth costs slightly so that could be a concern.


There are over 2,800,000 posts, my concern is the additional hits to the server that would slow things down, again.

I'm also not sure how the search engines would treat all these posts if they suddenly became https:// instead of http://
We took a serious hit when we moved from pianoworld.com/forum to forum.pianoworld.com, it took a while to crawl back up the rankings.

And finally, here are a few of the "simple" steps to making the conversion, not including Wouter79's suggestions...

Summary
1) Obtain a valid security certificate from your webhost or a reputable third-party seller. I've purchased many "PositiveSSL" certs from SSLs.com.
2) Install it using SHA-2 and make sure it is configured properly.
3) Update ALL your URLs in the Control Panel or manually in your config.ini file. This includes the Homepage URLs, Contact pages, Referer Check, any forum headers/footers, etc.
4) Run a SQL query on your posts, private messages, user avatars, profile comments tables to replace "http://www.YOURDOMAIN.COM" with "https://www.YOURDOMAIN.COM"
5) Set up HTTP to HTTPS 301 redirects in your .htaccess file to forward from http:// to https://
6) Update all external plugins to ensure they are HTTPS compliant (Shareaholic, twitter, facebook, youtube, ubb custom-tags, and, if your website contains non-UBB.threads content, all those internal site links - trust me you won't find them all in a single pass)
7) Test your website.
BONUS: Update your URLs in google/bing webmaster tools. Update any ads placed on your website, such as Google Adsense. Update any website analytics code.


** MAKE A BACKUP BEFORE YOU BEGIN **


The SQL
** BE VERY CAREFUL OF "POST_DEFAULT_BODY" and "POST_BODY" USAGE - DO NOT INTERCHANGE THEM
• POST_DEFAULT_BODY - [BBcode] This is the original post. CONTENT REBUILDER > REBUILD POSTS takes this and converts it to POST_BODY [HTML]
• POST_BODY - [HTML] This is shown to the user. It is generated from POST_DEFAULT_BODY

To update your POSTS:
* ubbt_POSTS - POST_DEFAULT_BODY
Code

UPDATE ubbt_POSTS
SET POST_DEFAULT_BODY = replace(POST_DEFAULT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_POSTS - POST_BODY
Code

UPDATE ubbt_POSTS
SET POST_BODY = replace(POST_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your PRIVATE MESSAGES:
* ubbt_PRIVATE_MESSAGE_POSTS - POST_DEFAULT_BODY
Code

UPDATE ubbt_PRIVATE_MESSAGE_POSTS
SET POST_DEFAULT_BODY = replace(POST_DEFAULT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_PRIVATE_MESSAGE_POSTS - POST_BODY
Code

UPDATE ubbt_PRIVATE_MESSAGE_POSTS
SET POST_BODY = replace(POST_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your USER AVATARS and PROFILE COMMENTS:
* ubbt_USER_PROFILE - USER_AVATAR
Code

UPDATE ubbt_USER_PROFILE
SET USER_AVATAR = replace(USER_AVATAR, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_PROFILE_COMMENTS - COMMENT_BODY
Code

UPDATE ubbt_PROFILE_COMMENTS
SET COMMENT_BODY = replace(COMMENT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your USER SIGNATURES:
* ubbt_USER_PROFILE - USER_DEFAULT_SIGNATURE
Code

UPDATE ubbt_USER_PROFILE
SET USER_DEFAULT_SIGNATURE = replace(USER_DEFAULT_SIGNATURE, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_USER_PROFILE - USER_SIGNATURE
Code

UPDATE ubbt_USER_PROFILE
SET USER_SIGNATURE = replace(USER_SIGNATURE, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');




HTTP to HTTPS 301 Redirects For Your .htaccess File
Code

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]





Notes and Further Reading
Full URLs (http:// and https://) vs relative URLs (//):
If you want to correctly FULLY go SSL, use the full protocol name of "http://www.YOURDOMAIN.COM" instead of just "//www.YOURDOMAIN.COM"
The reason to use just double slashes instead of the HTTPS protocol declaration, is if you intend to have your secure urls (https) distribute different content than your open urls (http), since both are seen as separate urls on search engines.

If you are switching to HTTPS, it is advised to fully replace all your http protocol references with https, and forward all calls from http to https. Do not allow the browser/end-user to choose http by leaving your protocol blank with an open "//" url.

If the asset you need is available on SSL, then always use the https:// asset:
http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just/27999789#27999789

Why omitting the protocol scheme might not be a good idea:
http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just/37654145#37654145

Sometimes IE7 and IE8 do not correctly handle "//" assets. They look at this as being a file transfer, and will attempt to download the page through a download window. Even though the "//" asset is a spec from 1996/1998
https://www.paulirish.com/2010/the-protocol-relative-url/

Google deprecates protocol relative URLs in place of full protocol URLs for the html5 spec:
https://github.com/h5bp/html5-boilerplate/pull/1694/commits/045a1676c4c8cf4bdd23374b5b049507101f5043

Additional discussions:
http://stackoverflow.com/questions/...h-in-a-script-src-http/37609402#37609402


Google SEO HTTPS Migration Checklist (for the ad and SEO focused)
Source: Search Engine Roundtable
• Update all your ad code to support HTTPS
• Ensure your analytics will work on the new HTTPS URLs
• Update your site search (if not using the inbuilt UBB.threads search methods) to support HTTPS and discover new URLs sooner
• Create and submit your new HTTPS XML sitemaps
• Review the Google site move article
• Verify the new HTTPS site with Google Webmaster Tools and track indexation, crawling, search queries, etc.


Final Steps
• Test your site using the Qualys Lab tool
• Follow up by searching for, and reading additional articles on "http to https site moves," to know what to expect


- Frank B.


Re: https
wouter79 #2854082 05/31/19 01:44 AM
Joined: Mar 2019
Posts: 374
Full Member
Offline
Seems like a reasonably straightforward process.


Chris

Yamaha P-515, Yamaha Reface CP.
Re: https
Cheshire Chris #2854105 05/31/19 04:46 AM
Joined: Feb 2019
Posts: 573
500 Post Club Member
Offline
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


Pianist, independent music arranger, violinist, mother
Re: https
ShyPianist #2854116 05/31/19 05:50 AM
Joined: Dec 2007
Posts: 3,682
3000 Post Club Member
Offline
Originally Posted by ShyPianist
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


I pay him, monthly. I used to do IT before I retired. My take on this, is that the longer you delay taking care of it, the worse it will be. And it's not good to get security warnings whenever you visit the forums...

Sam

Powered by UBB.threads™ PHP Forum Software 7.7.4