https

Posted By: wouter79

https - 05/21/19 07:20 PM

The PW forum is after all these years still completely unsecured.
* It does not use https, meaning all your communications with pianoworld INCLUDING YOUR PASSWORDS travel around the world for everyone (who has some knowledge) in plain view.
* It refuses connection with Tor ("Your IP address is currently listed in the Stop Forum Spam database as a known spammer/spambot"). But Tor is useless anyway as long as https is disabled.
* Strange thing is that the main pianoworld site IS using https. Nice, but it's the wrong way round imho.

Anyone who knows how this can be fixed and push the right buttons? I'm pretty sure this is something that needs to be fixed on the PW website, not my computer/browser...

I know it's not the right subforum. But my posts about this in the general discussion forums have been ignored so far...
Posted By: keystring

Re: https - 05/21/19 07:44 PM

So that's why I get a warning every time I write a post (right now) in red --- "Not secure".
Posted By: dogperson

Re: https - 05/21/19 07:45 PM

Send Frank a PM
Posted By: Whizbang

Re: https - 05/22/19 12:32 AM

Originally Posted by wouter79

Anyone who knows how this can be fixed and push the right buttons? I'm pretty sure this is something that needs to be fixed on the PW website, not my computer/browser...


I asked Frank about this quite a while back and he mentioned that it had something to do with the fact that if the server serves https: then all the images must also be served via https: and that was an issue with how the site is laid out.

But, yah, this has to be done server-side. Until then, make sure your pianoworld password is not used on any other sites.
Posted By: TomInCinci

Re: https - 05/22/19 10:55 AM

Hopefully the actual passwords are sent securely. I don't think there's been a developer who was that inept in a long time. But you bring up a good reason to NEVER use a password at more than one site. You just don't know who's doing what with it.
Posted By: wouter79

Re: https - 05/22/19 11:27 AM

>Hopefully the actual passwords are sent securely

It's extremely unlikely they are secure.

And this issue is bigger than "just" your password that can be compromised. It affects privacy, causes browser issues, etc.
Posted By: TomInCinci

Re: https - 05/25/19 11:32 AM

Originally Posted by wouter79
>Hopefully the actual passwords are sent securely

It's extremely unlikely they are secure.

And this issue is bigger than "just" your password that can be compromised. It affects privacy, causes browser issues, etc.


I tried it in Firefox and you're right, the Login Name and Password fields are flagged as not secure.

I haven't noticed any browser issues but I'll defer to you on this one since I try to limit myself to only being completely wrong once per thread. smile

Chrome flags every URL I go to in the domain as insecure. Privacy here isn't that much of a concern to me but I hope it's not scaring others off. I learn a lot here. I certainly hope we're all at least using unique and secure passwords on every site.
Posted By: wouter79

Re: https - 05/26/19 06:13 PM

dogperson, did you get a reply?
Posted By: dogperson

Re: https - 05/26/19 06:46 PM

Originally Posted by wouter79
dogperson, did you get a reply?


Sorry Wouter that I did not make this clear. 😢 I was recommending that if this is a concern to you, you contact Frank by private message. This has been a long-standing issue with Pianoworld, and posting in the general feed will not get the attention nor resolution you need; there have been several similar threads.

I have taken my own security steps by choosing a password that is not used on any other site.
Posted By: wouter79

Re: https - 05/27/19 03:33 PM

I sent a PM to Piano World himself, pointing him to this ticket.

Using a different password is not helping in any way to use Pianoworld in a privacy-safe or secure way.
Posted By: FrankCox

Re: https - 05/27/19 05:28 PM

Quote
Using a different password is not helping in any way to use Pianoworld in a privacy-safe or secure way.


Privacy? It's a public bbs system, what privacy could there be?

Secure? If you use a unique password, what's the worst thing that could happen? Someone steals your identity on this forum and uses it to post spam is the only thing that I can think of. And if that happens I'm sure an email to Frank would straighten that out in short order.

So what am I not understanding?
Posted By: Piano World

Re: https - 05/27/19 09:51 PM

The forums have been like this for twenty years.

As long as the password you use here is unique to the forums, it is of no value to anyone else.

The problem is the tens of thousands of images throughout the forums, many of them hosted somewhere else.
Because we have no control over images hosted outside our servers we can't make them secure.

Browsers would get even more cranked up if they see a mixture of secure and non secure.

This is one of the reasons I've always asked members to upload copies of the pictures they want to display onto our servers so we could host them. (The other reason is images hosted elsewhere tend to disappear over time.)

With 2,800,000+ posts and thousands upon thousands of images there is no easy answer.

BTW,
The reason the Piano World site is secure is because I had to rebuild the entire content when I moved it to the WordPress platform.
I spent untold hours changing all the images to https: .

If anyone would like to go through all 2,831,975 posts to fix every image (keeping in mind you will likely not be able to do anything about any images hosted outside our environment unless you get permission to download and upload a copy), feel free to let me know.

I wish we had a better solution.
Posted By: wouter79

Re: https - 05/28/19 06:20 AM

Thanks Frank for replying on this.

I'm not an expert but I assume that my browser can figure it out if some picture links are not secure, and then either ignore them or show them depending on my security settings.

But at least my password would then be safe and also my privacy depending on my browser settings.

More advanced, you could do some automatic URL rewriting for external links that converts non-secure picture links into a secure version that routes through the PW website.

Also, if you would fix the access rules plus https, that would allow me to use for instance Tor browser to work around the security issues further.

>The reason the Piano World site is secure ...

I don't quite follow, pianoworld is NOT secure??
Posted By: ShyPianist

Re: https - 05/28/19 06:42 AM

Originally Posted by wouter79
Thanks Frank for replying on this.

I'm not an expert but I assume that my browser can figure it out if some picture links are not secure, and then either ignore them or show them depending on my security settings.

But at least my password would then be safe and also my privacy depending on my browser settings.

More advanced, you could do some automatic URL rewriting for external links that converts non-secure picture links into a secure version that routes through the PW website.

Also, if you would fix the access rules plus https, that would allow me to use for instance Tor browser to work around the security issues further.

>The reason the Piano World site is secure ...

I don't quite follow, pianoworld is NOT secure??



I’m pretty sure Frank knows his stuff and has investigated this thoroughly. Nothing more irritating in IT (or anywhere) than armchair experts 😉
Posted By: Chrispy

Re: https - 05/28/19 07:45 AM

Actually wouter79 is correct. The standard way to fix mixed content issues like this is to make an SSL proxy for images when it's detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure, then downloads the image itself and serves it as https. I'm surprised that UBB.threads doesn't support this out of the box (I searched a little and it doesn't appear to), but it's literally 5 or 6 lines of PHP to do this. And I like to think I'm not just an "armchair expert" as I write code for a pretty big internet company and do stuff like this a lot smile Actually I'm not sure if Frank would be comfortable, but I'd be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.
Posted By: ShyPianist

Re: https - 05/28/19 07:48 AM

Originally Posted by Chrispy
Actually wouter79 is correct. The standard way to fix mixed content issues like this is to make an SSL proxy for images when it's detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure, then downloads the image itself and serves it as https. I'm surprised that UBB.threads doesn't support this out of the box (I searched a little and it doesn't appear to), but it's literally 5 or 6 lines of PHP to do this. And I like to think I'm not just an "armchair expert" as I write code for a pretty big internet company and do stuff like this a lot smile Actually I'm not sure if Frank would be comfortable, but I'd be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.


I know :-) I'm just figuring there must be a good reason why Frank has not done this?
Posted By: Piano World

Re: https - 05/30/19 11:54 PM

Originally Posted by Chrispy
However, this would increase bandwidth costs slightly so that could be a concern.


There are over 2,800,000 posts, my concern is the additional hits to the server that would slow things down, again.

I'm also not sure how the search engines would treat all these posts if they suddenly became https:// instead of http://
We took a serious hit when we moved from pianoworld.com/forum to forum.pianoworld.com, it took a while to crawl back up the rankings.

And finally, here are a few of the "simple" steps to making the conversion, not including Wouter79's suggestions...

Summary
1) Obtain a valid security certificate from your webhost or a reputable third-party seller. I've purchased many "PositiveSSL" certs from SSLs.com.
2) Install it using SHA-2 and make sure it is configured properly.
3) Update ALL your URLs in the Control Panel or manually in your config.ini file. This includes the Homepage URLs, Contact pages, Referer Check, any forum headers/footers, etc.
4) Run a SQL query on your posts, private messages, user avatars, profile comments tables to replace "http://www.YOURDOMAIN.COM" with "https://www.YOURDOMAIN.COM"
5) Set up HTTP to HTTPS 301 redirects in your .htaccess file to forward from http:// to https://
6) Update all external plugins to ensure they are HTTPS compliant (sharaholic, twitter, facebook, youtube, ubb custom-tags, and, if your website contains non-UBB.threads content, all those internal site links - trust me you won't find them all in a single pass)
7) Test your website.
BONUS: Update your URLs in google/bing webmaster tools. Update any ads placed on your website, such as Google Adsense. Update any website analytics code.


** MAKE A BACKUP BEFORE YOU BEGIN **


The SQL
** BE VERY CAREFUL OF "POST_DEFAULT_BODY" and "POST_BODY" USAGE - DO NOT INTERCHANGE THEM
• POST_DEFAULT_BODY - [BBcode] This is the original post. CONTENT REBUILDER > REBUILD POSTS takes this and converts it to POST_BODY [HTML]
• POST_BODY - [HTML] This is shown to the user. It is generated from POST_DEFAULT_BODY

To update your POSTS:
* ubbt_POSTS - POST_DEFAULT_BODY
Code

UPDATE ubbt_POSTS
SET POST_DEFAULT_BODY = replace(POST_DEFAULT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_POSTS - POST_BODY
Code

UPDATE ubbt_POSTS
SET POST_BODY = replace(POST_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your PRIVATE MESSAGES:
* ubbt_PRIVATE_MESSAGE_POSTS - POST_DEFAULT_BODY
Code

UPDATE ubbt_PRIVATE_MESSAGE_POSTS
SET POST_DEFAULT_BODY = replace(POST_DEFAULT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_PRIVATE_MESSAGE_POSTS - POST_BODY
Code

UPDATE ubbt_PRIVATE_MESSAGE_POSTS
SET POST_BODY = replace(POST_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your USER AVATARS and PROFILE COMMENTS:
* ubbt_USER_PROFILE - USER_AVATAR
Code

UPDATE ubbt_USER_PROFILE
SET USER_AVATAR = replace(USER_AVATAR, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_PROFILE_COMMENTS - COMMENT_BODY
Code

UPDATE ubbt_PROFILE_COMMENTS
SET COMMENT_BODY = replace(COMMENT_BODY, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');



To update your USER SIGNATURES:
* ubbt_USER_PROFILE - USER_DEFAULT_SIGNATURE
Code

UPDATE ubbt_USER_PROFILE
SET USER_DEFAULT_SIGNATURE = replace(USER_DEFAULT_SIGNATURE, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');


* ubbt_USER_PROFILE - USER_SIGNATURE
Code

UPDATE ubbt_USER_PROFILE
SET USER_SIGNATURE = replace(USER_SIGNATURE, 'http://www.YOURDOMAIN.COM', 'https://www.YOURDOMAIN.COM');




HTTP to HTTPS 301 Redirects For Your .htaccess File
Code

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]





Notes and Further Reading
Full URLs (http:// and https://) vs relative URLs (//):
If you want to correctly FULLY go SSL, use the full protocol name of "http://www.YOURDOMAIN.COM" instead of just "//www.YOURDOMAIN.COM"
The reason to use just double slashes instead of the HTTPS protocol declaration, is if you intend to have your secure urls (https) distribute different content than your open urls (http), since both are seen as separate urls on search engines.

If you are switching to HTTPS, it is advised to fully replace all your http protocol references with https, and forward all calls from http to https. Do not allow the browser/end-user to choose http by leaving your protocol blank with an open "//" url.

If the asset you need is available on SSL, then always use the https:// asset:
http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just/27999789#27999789

Why omitting the protocol scheme might not be a good idea:
http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just/37654145#37654145

Sometimes IE7 and IE8 do not correctly handle "//" assets. They look at this as being a file transfer, and will attempt to download the page through a download window. Even though the "//" asset is a spec from 1996/1998
https://www.paulirish.com/2010/the-protocol-relative-url/

Google deprecates protocol relative URLs in place of full protocol URLs for the html5 spec:
https://github.com/h5bp/html5-boilerplate/pull/1694/commits/045a1676c4c8cf4bdd23374b5b049507101f5043

Additional discussions:
http://stackoverflow.com/questions/...h-in-a-script-src-http/37609402#37609402


Google SEO HTTPS Migration Checklist (for the ad and SEO focused)
Source: Search Engine Roundtable
• Update all your ad code to support HTTPS
• Ensure your analytics will work on the new HTTPS URLs
• Update your site search (if not using the inbuilt UBB.threads search methods) to support HTTPS and discover new URLs sooner
• Create and submit your new HTTPS XML sitemaps
• Review the Google site move article
• Verify the new HTTPS site with Google Webmaster Tools and track indexation, crawling, search queries, etc.


Final Steps
• Test your site using the Qualys Lab tool
• Followup by searching for, and reading additional articles on "http to https site moves," to know what to expect
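Steps 4 and 6 of the guide are where conversions usually go wrong: the SQL replace() only touches the forum's own absolute URLs, so anything hotlinked from elsewhere survives and becomes mixed content once the page is served as https://. The following is an added example (not UBB.threads code, and not part of the original post) that applies the same substitution to a post body in Python so the effect can be inspected before the database is touched, and then lists the subresources that would still load over plain HTTP. The placeholder domain, the sample post bodies and the tag/attribute table are constructed for illustration.

```python
"""Dry run for steps 4 and 6 of the HTTPS conversion guide above.

Added example, not UBB.threads code. It applies the same substitution as
the SQL replace() to a post body in Python so the effect can be checked
before the database is touched, then lists every subresource that would
still load over plain HTTP once the page is served as https:// (the
mixed-content leftovers that step 6 has to chase down). The domain and
the sample posts are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Same placeholder hostname as the SQL in the guide.
OWN_ORIGIN_HTTP = "http://www.YOURDOMAIN.COM"
OWN_ORIGIN_HTTPS = "https://www.YOURDOMAIN.COM"

# Tag/attribute pairs that make a browser fetch something while rendering.
# Plain <a href> links are navigation, not subresources, so they are not
# mixed content even though the SQL rewrites them too.
FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "link": ("href",),
}


def rewrite_own_links(body: str) -> str:
    """Equivalent of the SQL replace(): only the forum's own absolute
    URLs change; third-party URLs are left exactly as they were."""
    return body.replace(OWN_ORIGIN_HTTP, OWN_ORIGIN_HTTPS)


class _SubresourceCollector(HTMLParser):
    """Collects the URL of every subresource in a post body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append(value.strip())


def classify_subresources(body: str) -> dict:
    """Split subresource URLs into the ones a browser will flag as mixed
    content on an https:// page (http:) and the protocol-relative ones
    (//host/...) that the notes above recommend replacing explicitly."""
    collector = _SubresourceCollector()
    collector.feed(body)
    report = {"mixed_content": [], "protocol_relative": []}
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "http":
            report["mixed_content"].append(url)
        elif parts.scheme == "" and url.startswith("//"):
            report["protocol_relative"].append(url)
    return report


def audit_post(body: str) -> dict:
    """Apply the rewrite and report what step 6 would still have to fix."""
    rewritten = rewrite_own_links(body)
    report = classify_subresources(rewritten)
    report["rewritten"] = rewritten
    report["changed"] = rewritten != body
    return report


# Constructed sample post bodies (POST_BODY style HTML), not real forum data.
SAMPLE_POSTS = [
    '<p>My piano: <img src="http://www.YOURDOMAIN.COM/ubbthreads/images/piano.jpg"></p>',
    '<p>Hotlinked: <img src="http://img.example.net/photo.jpg">'
    ' <img src="//cdn.example.net/badge.png"></p>',
    '<a href="http://www.YOURDOMAIN.COM/ubbthreads.php?ubb=showflat&Number=1">thread</a>',
]

if __name__ == "__main__":
    for body in SAMPLE_POSTS:
        result = audit_post(body)
        print("changed:", result["changed"])
        print("  mixed content:", result["mixed_content"])
        print("  protocol-relative:", result["protocol_relative"])
```

Two caveats worth carrying over to the real SQL: MySQL's REPLACE() matches case-sensitively, and it only matches the exact hostname you give it, so a forum reachable under more than one name (the thread mentions both pianoworld.com/forum and forum.pianoworld.com) needs one replace per variant. Running a SELECT COUNT(*) with a LIKE '%http://%' condition before and after the update shows how much step 6 still has to cover.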
Posted By: Cheshire Chris

Re: https - 05/31/19 05:44 AM

Seems like a reasonably straightforward process.
Posted By: ShyPianist

Re: https - 05/31/19 08:46 AM

Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?
Posted By: Sam S

Re: https - 05/31/19 09:50 AM

Originally Posted by ShyPianist
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


I pay him, monthly. I used to do IT before I retired. My take on this is that the longer you delay taking care of it, the worse it will be. And it's not good to get security warnings whenever you visit the forums...

Sam
Posted By: ShyPianist

Re: https - 05/31/19 09:56 AM

Originally Posted by Sam S
Originally Posted by ShyPianist
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


I pay him, monthly. I used to do IT before I retired. My take on this is that the longer you delay taking care of it, the worse it will be. And it's not good to get security warnings whenever you visit the forums...

Sam


I do IT as well, currently, and I know a little about all this but not enough to comment about it here and certainly not in respect of PHP, which is not my area. But at the end of the day it's a piano forum, so anyone who understands IT can also assess the risk, surely, and realise that this application is extremely low risk?
Posted By: bennevis

Re: https - 05/31/19 12:01 PM

When I first joined PW, I was a greenhorn (I'd only just bought my first computer - in 2010) and stupidly used a password that anyone could think of within a few seconds. And PW sent me back the password I'd chosen to my email address to confirm my membership. Then someone hacked into my email address to send spam from it to all my contacts......

After which, I changed all my passwords (yes, I stupidly used the same stupid password for PW as for my email address - this post is full of 'stupids'...... cry) to very long obscure ones using every symbol and letter and number and case on the keypad, which I calculated would take the most powerful current computer about one million years to hack into, and which only I can remember (which is clever wink ). They're not written down or printed or recorded anywhere, except in my grey cells.

Since then, everything has been safe, but I still periodically get sent spam from friends' email addresses, when I then smugly send them emails to tell them that they've been hacked into and need to change their passwords ASAP into something gibberish that only they can remember. Which from a computer greenhorn is clever advice, even if I, a greenhorn, say so myself...... cool

Posted By: Sam S

Re: https - 05/31/19 12:55 PM

Originally Posted by ShyPianist
Originally Posted by Sam S
Originally Posted by ShyPianist
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


I pay him, monthly. I used to do IT before I retired. My take on this is that the longer you delay taking care of it, the worse it will be. And it's not good to get security warnings whenever you visit the forums...

Sam


I do IT as well, currently, and I know a little about all this but not enough to comment about it here and certainly not in respect of PHP, which is not my area. But at the end of the day it's a piano forum, so anyone who understands IT can also assess the risk, surely, and realise that this application is extremely low risk?


I know it's low risk, and you know it's low risk. But almost every browser now warns you when you go to a site that is not secure. My browser puts a red "Not Secure" message to the left of the address bar and a big red X. How many people will be scared off by that? How many will think that PW is some kind of scam or will steal their info?

Sam
Posted By: JoBert

Re: https - 05/31/19 01:56 PM

Frank, here's a different suggestion:

Just convert the forum to HTTPS but leave all the existing image references as they are.

Yes, that will generate "mixed content" warnings, but those warnings (as long as the only mixed content is HTTP images embedded in HTTPS pages) are much less intrusive now than they used to be. Long gone are the times of Internet Explorer 8 (and older), where the mixed content warning actually popped up as a dialog that would disrupt the user.

I just tested with Chrome, FireFox, Edge and Internet Explorer on Windows. All of them show the mixed content only as a subtle difference in the icons in the address bar, as you can see here (images on the left are with normal HTTPS content, images on the right are with mixed content):
[Linked Image]

(BTW, IE shows this on the right of the address bar, the others on the left. All of them also log a warning to the development console.)

I don't have a Mac or Linux to test, but in Safari on my iPhone, the difference is only in a missing lock-icon in the address bar. (You can try this out yourself at https://www.mixedcontentexamples.com).

So there really is no need to fear mixed content warnings, like one had to in olden times.

Therefore I suggest to simply move the site over to HTTPS and leave the original HTTP image URLs as they are. Users will likely not even notice the mixed content warnings but the login will finally be encrypted (just make sure that the login page itself does not contain any mixed content, so that it is shown as fully safe).
Posted By: Chrispy

Re: https - 05/31/19 03:07 PM

Originally Posted by ShyPianist
Does anyone pay him to use this forum?


Yes, anyone who has the silver, gold, platinum, etc under their name has paid.
Posted By: akc42

Re: https - 05/31/19 03:07 PM

I used to do a small bit of hosting on the side before I decided to give my customers notice that I was going to retire and helped them move to other hosting providers. I found that switching to the NGINX web server was more efficient, but it also has what is known as the proxy_pass module.

You can set a configuration up so that it processes all incoming requests as https, but for certain urls that match you can collect the requests and convert them to http (for instance your images - provided you can tell from the url that it needs to go to the image server)

These days, you can also get FREE SSL certificates from Lets Encrypt (see https://letsencrypt.org/). I have these set up along with fully automated renewal every 90 days (or rather just under - certificates expire after 90 days) on my personal web site.
Posted By: Cheshire Chris

Re: https - 05/31/19 03:53 PM

Originally Posted by ShyPianist
Originally Posted by Cheshire Chris
Seems like a reasonably straightforward process.


I think if people aren't careful here, Frank is going to get extremely annoyed and tell you all to stuff it! Does anyone pay him to use this forum?


Why would anyone get annoyed, SP? I’ve worked in IT for close on 40 years, and I was offering my professional opinion that the procedure that Frank described seems straightforward to implement.
Posted By: Piano World

Re: https - 05/31/19 05:35 PM

It isn't a question of the costs, it's a question of the viability.

There are way too many variables here.

I checked with our IT guy from our hosting service, Ken is very knowledgeable, especially with server environments and databases.

His reply...
This ignores the fact that many, many sites fight against auto-downloading by other sites (i.e. scraping).

Try posting an image from somewhere to Facebook - quite often you don't get what you want at all, just a link to/logo from the site's main page or something else. Quite often they don't even expose the image URL; you can't right-click on the image to do "copy image location", they've hidden it in JavaScript so that it 'constructs' the image display dynamically after the page is loaded, making it very hard to figure out where the image is being loaded from (the raw URL).

Furthermore, user agents and cookies will be tested and whatnot to ensure they match, or even that your previous requests were from a page related to the image, for example. We used this principle to defeat Russian scrapers for a client once who never downloaded things in order, but from multiple different pages/sources randomly over time.

It might work for 50 or even 80% of the sites out there, but the rest will be broken images.

The best solution is what most sites do: force the user to upload the image they themselves downloaded from the website in question. If they need to be exceedingly clever to get that image they want, good for them -- that's very hard to code into automatic code.

He's right that for some subset of websites (25%? depends on which sites, large social media sites or just a random personal website?) a proxy will work, but it won't work for all sites, not even close. When it doesn't work you and I have to support it.

Posted By: Piano World

Re: https - 05/31/19 05:46 PM

And...
I approached the developers who work on the UBB about this. Here is their answer:
=====================================================
Development on UBB.threads was abandoned in 2009 when Rick sold UBBCentral and UBB.threads to UBBSystems, SD had been hired on to contribute security fixes and some feature additions, but until Isaac and I started development on 7.5.9+ in 2015 the product had seen little activity (there was a 2 year gap between 7.5.8 and 7.5.9).

Currently, a proxy to masquerade 3rd party non-HTTPS image attachments as a local HTTPS URL isn't planned at all; the time to develop, test, test security, and maintain a database would be quite cumbersome and would push the focus of what development time we have towards UBB.threads in directions that would be better focused elsewhere (such as compatibility with newer builds of PHP and MySQL, furthering web standards, UI cleanup, etc). A new tool would require parsing the database for 3rd party links, building a database of these links, writing a script to process new requests to those links, updating all previous posts for the parser, etc. Not to mention, a large (your forum is huge) forum would end up with a sizable database table to hold this additional content.

Our official stance on the matter is that the existing links in the database need to be updated, and 3rd party content reined in (such as having users upload their images directly into their posts vs using 3rd party services, and forcing them to not have images in their signatures and to upload their avatars to your site vs hosting externally). If the 3rd party resource doesn't offer an HTTPS option, it's their shortcoming.

Isaac's guide (the original post in this thread) was created to provide forum owners (who know what they're doing) with directions towards converting their forums to 100% HTTPS; anything outside of UBB.threads (such as user submitted content from 3rd party websites) falls under Step #6 of his guide:

Originally Posted by isaac
6) Update all external plugins to ensure they are HTTPS compliant (Sharaholic, Twitter, Facebook, YouTube, UBB Custom Tags, and, if your website contains non-UBB.threads content, all those internal site links - trust me you won't find them all in a single pass)
Posted By: ShyPianist

Re: https - 05/31/19 05:50 PM

I guess there’s a question of how much that matters, but it would be frustrating for users browsing old threads. As I said, I’m not an expert by any means, but this came up with a site I’m involved with and it was possible to make a change to the headers that means it can now handle images over http. CSS coming from connected services running as http is still blocked, but images are now OK. But like I said, I know very little about PHP. Ours is ASP.NET, and I don’t know if that makes a difference.
Posted By: ShyPianist

Re: https - 05/31/19 05:56 PM

Crossed posts. And I don’t think you should be having to explain your reasoning for decisions taken on your site in such depth in order for people to accept it.
Posted By: Chrispy

Re: https - 05/31/19 06:30 PM

The thing I don't get from Ken's response is that if sites block 3rd party linking, that's already "broken" on the forum. Nothing changes there. We are already in the situation where there are very few 3rd party image sites that are easy to link in to forum posts. A proxy isn't going to solve that problem, it would purely be to allow insecure links to not show up as mixed content.

As to UBB's response, I think I agree, if you go to HTTPS, just don't look back. If people have broken image links to 3rd party sites in old posts, so be it, will anyone really care? I personally think the benefits of HTTPS outweigh breaking some old image links (login security and direct message security specifically, as well as not scaring away potential new users.)

Anyway, I'm not going to rage quit the forums or anything, and I realize there is work involved in switching to HTTPS so I'll shut up after this post laugh

Posted By: Piano World

Re: https - 06/03/19 08:40 PM

And then there is this from one of the UBB developers....



The serious downside to a simple proxy approach is that you are routing all external resources through your own server/systems. Which is not only a liability, but also can get rather costly. It adds complexity to the page for no good reason. It also defeats any CDNs which are supposed to route to near servers or balance to idle ones.

With simple proxy script, anything can be included and will be delivered from your domain.

EXAMPLE:
http:// www .THEIRSITE. com/virus.jpg
WOULD BECOME:
https:// www .YOURSITE. com/?imgsrc=http:// www .THEIRSITE. com/virus.jpg

The security now becomes even worse than without the use of a pseudo-SSL proxy script. With this, your site could appear to be hosting malicious files.

Expanding on that, if a random user would copy that new SSL link with "your domain url + malicious file link" across the web, you get the "site credibility ding" for "hosting" the malicious file, even though you are only passing it through as a third party. The random user could also apply any link to the proxy tool they wanted to add.

Real-time tracking of all HTTP URLs and requesting them again if SSL connection failed is highly inefficient and overall sounds like a bad idea.

It's highly unlikely that there are going to be any core workarounds of this type written for UBB.threads, especially because the vast majority of websites today use SSL anyway, and the rest can either get on with the program or have their content treated as a second-class citizen. UBB.threads 7.7.2 provides an optional forum setting to replace hotlinked insecure embedded images with a plain URL that the end user can click through to view if they choose to.

That said, nobody is going to stop you from adding any sort of workaround with custom code or server modules. Good luck.
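The developer's objection to the `?imgsrc=` design is that anyone can hand the proxy any URL, so the forum's domain ends up relaying whatever a stranger points it at. The usual answer, for the SSL image proxy Chrispy and akc42 describe, is to sign proxy URLs server-side when the forum renders a post: the proxy only fetches URLs carrying a valid MAC, refuses non-public hosts even when the MAC checks out, and only relays raster image content types. The following is an added example (not UBB.threads code, and not something the developers or Frank proposed) that follows the pattern popularised by GitHub's camo proxy. The secret, the `/imgproxy/` path, the size cap and the sample URLs are assumptions for illustration.

```python
"""Signed proxy URLs: a hardened alternative to the open ?imgsrc= proxy
the UBB developer warns about above, for the SSL image proxy Chrispy and
akc42 describe. Added example, not UBB.threads code; it follows the
pattern popularised by GitHub's camo proxy. The secret, the /imgproxy/
path, the size cap and the sample URLs are assumptions for illustration.
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

PROXY_SECRET = b"constructed-example-secret-rotate-me"  # never leaves the server
PROXY_BASE = "https://www.YOURSITE.com/imgproxy"        # assumed endpoint
MAX_IMAGE_BYTES = 5 * 1024 * 1024                        # assumed cap
ALLOWED_SCHEMES = {"http", "https"}


class ProxyError(ValueError):
    """Raised when a proxy request must be refused."""


def _mac(upstream: str) -> str:
    return hmac.new(PROXY_SECRET, upstream.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_proxy_url(upstream: str) -> str:
    """Called by the forum when it renders an [img] tag. Only URLs the
    forum itself chose to embed ever receive a valid signature, so a
    visitor cannot point the proxy at a URL of their own choosing."""
    if urlsplit(upstream).scheme not in ALLOWED_SCHEMES:
        raise ProxyError("only http(s) images are proxied")
    return f"{PROXY_BASE}/{_mac(upstream)}/{upstream.encode('utf-8').hex()}"


def resolve_proxy_request(mac: str, hex_url: str) -> str:
    """Called by the proxy endpoint. Returns the upstream URL to fetch,
    or raises ProxyError for anything that was not issued by the forum."""
    try:
        upstream = bytes.fromhex(hex_url).decode("utf-8")
    except ValueError as exc:
        raise ProxyError("malformed proxy URL") from exc
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac(upstream)):
        raise ProxyError("bad signature: URL was not issued by the forum")
    parts = urlsplit(upstream)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ProxyError("unsupported upstream URL")
    # Even with a valid signature, never fetch from inside our own network.
    # A real deployment would also check the address DNS resolves to (assumption).
    try:
        literal = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal = None
    if parts.hostname == "localhost" or (literal is not None and not literal.is_global):
        raise ProxyError("upstream must be a public host")
    return upstream


def is_accepted(mac: str, hex_url: str) -> bool:
    """Convenience wrapper: True only if the proxy would fetch the URL."""
    try:
        resolve_proxy_request(mac, hex_url)
        return True
    except ProxyError:
        return False


def relay_headers(content_type: str, content_length: int) -> dict:
    """Headers the proxy sends with a relayed image. Anything that is not a
    raster image, or is too large, is refused, so the forum's domain never
    serves arbitrary files (the 'virus.jpg' worry in the post above).
    SVG is excluded because it can carry script."""
    base_type = content_type.split(";", 1)[0].strip().lower()
    if not base_type.startswith("image/") or base_type == "image/svg+xml":
        raise ProxyError("upstream did not return a raster image")
    if content_length > MAX_IMAGE_BYTES:
        raise ProxyError("image too large")
    return {
        "Content-Type": base_type,
        "Content-Length": str(content_length),
        "X-Content-Type-Options": "nosniff",   # browser must not re-guess the type
        "Content-Disposition": "inline",
        "Cache-Control": "public, max-age=86400",
    }


def split_proxy_url(proxy_url: str) -> tuple:
    """Split a proxy URL back into (mac, hex_url) as the endpoint would."""
    _, mac, hex_url = proxy_url.rsplit("/", 2)
    return mac, hex_url


if __name__ == "__main__":
    signed = sign_proxy_url("http://img.example.net/photo.jpg")
    print("signed URL:", signed)
    print("accepted:", is_accepted(*split_proxy_url(signed)))
    # Reusing the signature with a different path fails the MAC check.
    mac, _ = split_proxy_url(signed)
    print("tampered accepted:", is_accepted(mac, b"http://img.example.net/virus.jpg".hex()))
```

This does not remove the costs the developer lists (bandwidth, CDN bypass, support for upstreams that block scraping), but it does close the specific hole in the `?imgsrc=` sketch: a URL that the forum never rendered has no valid signature, and a relayed response that is not an image is dropped rather than served under the forum's domain.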
Posted By: Tyrone Slothrop

Re: https - 06/04/19 05:00 PM

OT here, but just wanted to mention the main PianoWorld page is giving off this error:
Code
WordPress database error: [FUNCTION pianowpdb.JSON_CONTAINS does not exist]
SELECT id FROM wp_sfsi_jobqueue WHERE jobtype = '1' AND JSON_CONTAINS(urls,'[3290,3268,3224,3194,3162,3125,2804,2798,2791,2776,2634,2622,2598,2582,2577,2564,2563,2532,2504,2440,2414,2315,2313,2285,2283,2260,2255,2227,2222,2199,2173,2166,2146,2132,2099,2080,2062,2046,1996,1970,1931,1920,1913,1901,1886,1845,1837,1732,1726,1723,1718,1715,1705,1684,1679,1649,1640,1638,1599,1592,1573,1564,1541,1535,1527,1518,1503,1495,1490,1487,1483,1479,1476,1472,1470,1468,1465,1459,1458,1454,1453,1452,1451,1450,1449,1448,1447,1446,1445,1444,1443,1442,1441,1440,1439,1438,1437,1436,1435,1434,1433,1432,1431,1430,1429,1428,1427,1426,1425,1424,1423,1422,1421,1420,1419,1418,1417,1416,1415,1414,1413,1412,1411,1410,1409,1408,1407,1406,1405,1404,1346,1328,1318,1317,1316,1315,1314,1313,1312,1311,1310,1309,1308,1307,1306,1305,1304,1303,1302,1301,1300,1299,1298,1297,1296,1295,1294,1293,1292,1291,1290,1289,1288,1287,1286,1285,1284,1283,1282,1281,1280,1279,1278,1277,1276,1275,1274,1273,1272,1271,1270,1269,1267,1124,1123,1122,1121,1120,1119,1118,1117,1116,1115,1114,1113,1112,1111,1110,1109,1108,1107,1106,1105,1104,1103,1102,1101,1100,1099,1098,1096,1095,1094,1093,1092,1091,1090,1089,1088,1087,1086,1085,1084,1083,1082,1081,1080,1079,1078,1077,1076,1075,1073,1070,1058,1020,1013,1010,1007,991,988,983,957,954,951,948,927,925,923,921,919,917,915,913,911,909,907,905,901,899,897,895,893,891,889,887,885,883,881,879,877,875,873,871,869,867,865,863,861,859,857,855,853,851,849,847,845,843,841,829,827,825,823,821,819,815,813,802,800,798,796,794,792,790,788,786,784,782,780,778,776,774,772,770,768,766,764,762,760,758,756,754,752,750,748,743,712,710,708,706,704,702,700,674,672,670,668,666,664,662,660,658,656,654,580,552,549,542,532,511,505,502,496,485,482,476,453,448,439,437,434,429,421,417,414,412,397,377,364,342,338,336,330,324,313,293,282,277,268,258,251,246,241,211,179,104,63,55,47,30,1]')
Posted By: wouter79

Re: https - 06/04/19 06:14 PM

Quote

EXAMPLE:
http:// www .THEIRSITE. com/virus.jpg
WOULD BECOME:
https:// www .YOURSITE. com/?imgsrc=http:// www .THEIRSITE. com/virus.jpg

The security now becomes even worse than without the use of a pseudo-SSL proxy script. With this, your site could appear to be hosting malicious files.


The security is not worse, it's better

* others can't see I'm downloading the virus
* Others can't see my passwords
* Others can't track me
* I may be able to use Tor browser for added security
* Both the old and new situation allow download of virus.jpg so it does not make a difference in that respect
* if the browser takes virus.jpg as an EXECUTABLE, then the browser is really rotten anyway, both in the old and new situation
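The post above argues over the "?imgsrc=" rewriting proxy quoted from the earlier reply. As an added illustration (not PianoWorld's or the forum software's code; the proxy host, size cap and helper names are assumptions), this is the shape of the server-side checks such a proxy needs so that it relays only real images, never internal hosts, and never lets the browser sniff a relayed file into something executable:

```python
"""Hardened rewrite/validation for a '?imgsrc=' image proxy (added example,
not PianoWorld's code). PROXY_BASE, MAX_BYTES and the helper names are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse, quote

PROXY_BASE = "https://www.yoursite.example/"   # assumed proxy endpoint
MAX_BYTES = 2 * 1024 * 1024                     # assumed size cap per image
ALLOWED_SCHEMES = {"http", "https"}


def rewrite_img_src(html: str) -> str:
    """Rewrite plain-http <img src> URLs to the https proxy so the page carries no mixed content."""
    def repl(m):
        return f'{m.group(1)}{PROXY_BASE}?imgsrc={quote(m.group(2), safe="")}{m.group(3)}'
    return re.sub(r'(<img\b[^>]*\bsrc=")(http://[^"]+)(")', repl, html, flags=re.I)


def target_allowed(url: str) -> bool:
    """Check before the proxy fetches anything: only http(s), no localhost or non-public literal IPs.
    This blocks the proxy being used to reach internal services (SSRF)."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES or not p.hostname:
        return False
    try:
        ip = ipaddress.ip_address(p.hostname)
    except ValueError:
        # A hostname: the resolved address must be re-checked at fetch time as well
        return p.hostname.lower() != "localhost"
    return ip.is_global


def response_allowed(content_type: str, body: bytes) -> bool:
    """Relay only genuine image responses under the size cap; anything else is refused
    rather than served from our own origin."""
    ct = content_type.split(";")[0].strip().lower()
    return ct.startswith("image/") and len(body) <= MAX_BYTES


# Headers the proxy sets on every relayed image
RESPONSE_HEADERS = {
    "X-Content-Type-Options": "nosniff",   # browser must not sniff a non-image into script/HTML
    "Content-Disposition": "inline",
    "Cache-Control": "no-store",
}
```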


Posted By: wouter79

Re: https - 06/04/19 06:19 PM

Quote

That said, nobody is going to stop you from adding any sort of workaround with custom code or server modules. Good luck.


I'm not quite following. Are you answering a specific question here? Can we add custom code to the server modules? How?
Posted By: Piano World

Re: https - 06/04/19 10:36 PM

Originally Posted by Tyrone Slothrop
OT here, but just wanted to mention the main PianoWorld page is giving off this error:
Code
WordPress database error: [FUNCTION pianowpdb.JSON_CONTAINS does not exist]
SELECT id FROM wp_sfsi_jobqueue WHERE jobtype = '1' AND JSON_CONTAINS(urls,'[3290,3268,3224,3194,3162,3125,2804,2798,2791,2776,2634,2622,2598,2582,2577,2564,2563,2532,2504,2440,2414,2315,2313,2285,2283,2260,2255,2227,2222,2199,2173,2166,2146,2132,2099,2080,2062,2046,1996,1970,1931,1920,1913,1901,1886,1845,1837,1732,1726,1723,1718,1715,1705,1684,1679,1649,1640,1638,1599,1592,1573,1564,1541,1535,1527,1518,1503,1495,1490,1487,1483,1479,1476,1472,1470,1468,1465,1459,1458,1454,1453,1452,1451,1450,1449,1448,1447,1446,1445,1444,1443,1442,1441,1440,1439,1438,1437,1436,1435,1434,1433,1432,1431,1430,1429,1428,1427,1426,1425,1424,1423,1422,1421,1420,1419,1418,1417,1416,1415,1414,1413,1412,1411,1410,1409,1408,1407,1406,1405,1404,1346,1328,1318,1317,1316,1315,1314,1313,1312,1311,1310,1309,1308,1307,1306,1305,1304,1303,1302,1301,1300,1299,1298,1297,1296,1295,1294,1293,1292,1291,1290,1289,1288,1287,1286,1285,1284,1283,1282,1281,1280,1279,1278,1277,1276,1275,1274,1273,1272,1271,1270,1269,1267,1124,1123,1122,1121,1120,1119,1118,1117,1116,1115,1114,1113,1112,1111,1110,1109,1108,1107,1106,1105,1104,1103,1102,1101,1100,1099,1098,1096,1095,1094,1093,1092,1091,1090,1089,1088,1087,1086,1085,1084,1083,1082,1081,1080,1079,1078,1077,1076,1075,1073,1070,1058,1020,1013,1010,1007,991,988,983,957,954,951,948,927,925,923,921,919,917,915,913,911,909,907,905,901,899,897,895,893,891,889,887,885,883,881,879,877,875,873,871,869,867,865,863,861,859,857,855,853,851,849,847,845,843,841,829,827,825,823,821,819,815,813,802,800,798,796,794,792,790,788,786,784,782,780,778,776,774,772,770,768,766,764,762,760,758,756,754,752,750,748,743,712,710,708,706,704,702,700,674,672,670,668,666,664,662,660,658,656,654,580,552,549,542,532,511,505,502,496,485,482,476,453,448,439,437,434,429,421,417,414,412,397,377,364,342,338,336,330,324,313,293,282,277,268,258,251,246,241,211,179,104,63,55,47,30,1]')


Thanks Tyrone, just got back into the office, working on this now.
Posted By: TomInCinci

Re: https - 06/05/19 12:26 PM

Computer security is only a hobby for me but didn't TLS replace SSL in like 1999?
Posted By: gwing

Re: https - 06/05/19 01:28 PM

Originally Posted by TomInCinci
Computer security is only a hobby for me but didn't TLS replace SSL in like 1999?


TLS first arrived in 1999 but SSL2 and SSL3 weren't deprecated until 2011 and 2015 respectively. However they are vulnerable and deprecated so you shouldn't be using them and, if you do, there will be lots of difficulties with browsers complaining.

That said, when folks just say 'SSL' without being specific they are usually referring generically to either SSL or TLS, which after all is itself based on SSL3 and therefore not so very different.

Frank does avoid some issues by staying with plain http :-)
Posted By: wouter79

Re: https - 06/06/19 07:09 PM

If non-https is the road-blocking and insurmountable issue for a secure forum then I'd rather see that insecure content blocked. Just show the insecure link and then the user can decide to follow (click on) it.
Posted By: TomInCinci

Re: https - 06/07/19 11:42 AM

Originally Posted by gwing
Originally Posted by TomInCinci
Computer security is only a hobby for me but didn't TLS replace SSL in like 1999?


TLS first arrived in 1999 but SSL2 and SSL3 weren't deprecated until 2011 and 2015 respectively. However they are vulnerable and deprecated so you shouldn't be using them and, if you do, there will be lots of difficulties with browsers complaining.

That said, when folks just say 'SSL' without being specific they are usually referring generically to either SSL or TLS, which after all is itself based on SSL3 and therefore not so very different.

Frank does avoid some issues by staying with plain http :-)


I don't doubt that 'folks say' things that way. I'm not so sure a paid professional should.

Now me, I don't have an issue with the insecure format. It means little to me. But clearly not everyone sees it that way. I guess we can all just claim 'we were hacked' if a thread gets out of control and posts we regret are made...
Posted By: Tyrone Slothrop

Re: https - 06/12/19 01:48 PM

Originally Posted by Piano World
Originally Posted by Tyrone Slothrop
OT here, but just wanted to mention the main PianoWorld page is giving off this error:
Code
WordPress database error: [FUNCTION pianowpdb.JSON_CONTAINS does not exist]
SELECT id FROM wp_sfsi_jobqueue WHERE jobtype = '1' AND JSON_CONTAINS(urls,'[3290,3268,3224,3194,3162,3125,2804,2798,2791,2776,2634,2622,2598,2582,2577,2564,2563,2532,2504,2440,2414,2315,2313,2285,2283,2260,2255,2227,2222,2199,2173,2166,2146,2132,2099,2080,2062,2046,1996,1970,1931,1920,1913,1901,1886,1845,1837,1732,1726,1723,1718,1715,1705,1684,1679,1649,1640,1638,1599,1592,1573,1564,1541,1535,1527,1518,1503,1495,1490,1487,1483,1479,1476,1472,1470,1468,1465,1459,1458,1454,1453,1452,1451,1450,1449,1448,1447,1446,1445,1444,1443,1442,1441,1440,1439,1438,1437,1436,1435,1434,1433,1432,1431,1430,1429,1428,1427,1426,1425,1424,1423,1422,1421,1420,1419,1418,1417,1416,1415,1414,1413,1412,1411,1410,1409,1408,1407,1406,1405,1404,1346,1328,1318,1317,1316,1315,1314,1313,1312,1311,1310,1309,1308,1307,1306,1305,1304,1303,1302,1301,1300,1299,1298,1297,1296,1295,1294,1293,1292,1291,1290,1289,1288,1287,1286,1285,1284,1283,1282,1281,1280,1279,1278,1277,1276,1275,1274,1273,1272,1271,1270,1269,1267,1124,1123,1122,1121,1120,1119,1118,1117,1116,1115,1114,1113,1112,1111,1110,1109,1108,1107,1106,1105,1104,1103,1102,1101,1100,1099,1098,1096,1095,1094,1093,1092,1091,1090,1089,1088,1087,1086,1085,1084,1083,1082,1081,1080,1079,1078,1077,1076,1075,1073,1070,1058,1020,1013,1010,1007,991,988,983,957,954,951,948,927,925,923,921,919,917,915,913,911,909,907,905,901,899,897,895,893,891,889,887,885,883,881,879,877,875,873,871,869,867,865,863,861,859,857,855,853,851,849,847,845,843,841,829,827,825,823,821,819,815,813,802,800,798,796,794,792,790,788,786,784,782,780,778,776,774,772,770,768,766,764,762,760,758,756,754,752,750,748,743,712,710,708,706,704,702,700,674,672,670,668,666,664,662,660,658,656,654,580,552,549,542,532,511,505,502,496,485,482,476,453,448,439,437,434,429,421,417,414,412,397,377,364,342,338,336,330,324,313,293,282,277,268,258,251,246,241,211,179,104,63,55,47,30,1]')


Thanks Tyrone, just got back into the office, working on this now.


There is a new error on the main page. It is now:
Code
WordPress database error: [1]
SELECT * FROM wp_posts WHERE ID = 1 LIMIT 1
© 2019 Piano World Piano & Digital Piano Forums