PoA is moving to SSL (feedback thread)

jason

jason

Administrator
Management Council Member
Joined
Jul 4, 2006
Messages
5,128
Location
Lincoln, Nebraska
Display Name
Display name:
Jason W (FlyNE)
FYI, I'm going to switch the site to force the use of SSL soon. If you have problems with something, please post here. If you try to access the site from one of your devices and it doesn't work...use another browser (or your phone) to log in and report the problem and I'll take a look immediately.
 
presuming this is to keep the recent spam from recurring?
 
The most impactful part of this is that we're going to have to switch Xenforo to proxy all images embedded in posts. That may break some things with how images are displayed. I'll do my best to respond to those problems quickly. This is just an FYI to look out for such problems.
 
Kewl. Some day, someone needs to explain what that means to me.
 
SCCutler said:
Kewl. Some day, someone needs to explain what that means to me.
Click to expand...
SSL enabled sites require *everything* that is displayed inside of the page to be served from SSL. If the page is SSL (see the lock at the top) but one of the images that you're viewing in the page isn't being served over SSL, then the browser warns you that the page isn't 100% secure.

Since our members embed images into their posts, we can't control whether or not those links are served from an SSL site (e.g. https :// imgur. com/image123.jpg vs http: // imgur. com/image123.jpg). In order to ensure that every link displayed is SSL our server now fetches the image from the remote server and caches it on our server...and serves it to the viewer using our SSL certificate.

You can view this post to see this in action...
http://www.pilotsofamerica.com/comm...ive-coolest-flights.42749/page-2#post-2063642

The original image embedded in this post was hosted here...
http: //i. imgur. com/sRTBcu0l.jpg (link intentionally broken so as not to embed the image)

If you view the post now you'll see that image served from a URL like this... (again, intentionally broken)
https: //www. pilotsofamerica. com/community/proxy.php?image=http%3A%2F%2Fi.imgur.com%2FsRTBcu0l.jpg&hash=bf3870e07c8ce53a1b8c620f69c5007a

So we're fetching the image and making sure that it's served from our server.
 
That sounds like a pretty good idea! Thanks for all you do.

Plus, thanks for making my nonprofit friends think I'm smart for recommending Firespring for their web stuff.
 
Do it!!! I double dog dare you. :D
 
I've made the switch. Please let me know if you notice anything out of whack...
 
Well, the visited states map in my signature no longer displays. Instead (in Firefox) all I see is a thumbnail of what looks like my avatar with a red X through it. I've seen some other posters with the same symptom. I assume this is the reason.
 
azure said:
Well, the visited states map in my signature no longer displays. Instead (in Firefox) all I see is a thumbnail of what looks like my avatar with a red X through it. I've seen some other posters with the same symptom. I assume this is the reason.
Click to expand...
Probably. But this one is working fine...

https://www.pilotsofamerica.com/com...ive-coolest-flights.42749/page-2#post-2060270

I'll need to see if I can figure out what the difference is. Looks like he's using a different site.
 
Is there a way to upload an image to the PoA server and then use that URL? From your description it sounds as if that would work. You could do that under the old software but I don't see any obvious way to do it in Xenforo.
 
azure said:
Is there a way to upload an image to the PoA server and then use that URL? From your description it sounds as if that would work. You could do that under the old software but I don't see any obvious way to do it in Xenforo.
Click to expand...
There was a previous discussion here...
https://www.pilotsofamerica.com/community/threads/upload-sig-pic-here.90819/
Some were uploading them to that thread. I asked in that thread that they just be uploaded to imgur (which is a site made specifically for hosting images). You can choose which path you'd like to take.
 
I think tapatalk was down during the cutover. working fine for me now.
 
krock918316 said:
Tapatalk seems to be broken. Getting an error message.
Click to expand...
I had an error as well. I logged out and logged back in and it worked fine. But I think it was more a problem with my two-factor auth.
 
jason said:
....we're going to have to switch Xenforo to proxy all images .....
Click to expand...

does this mean if I post a pic of me chowing down some nachos, it would be "munchin' by proxy"? hahaha, get it? WOOOOOoohhhoooooo taking nyquil during the day makes me LOOOOOOooopy! aaaand, good night.
 
eman1200 said:
does this mean if I post a pic of me chowing down some nachos, it would be "munchin' by proxy"? hahaha, get it? WOOOOOoohhhoooooo taking nyquil during the day makes me LOOOOOOooopy! aaaand, good night.
Click to expand...
Only if you guzzle epicac and puke your ssl all over your kids.
 
I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

It seems like the COMODO root cert isn't installed on Android by default?
 
Have tried imgur to no avail ,still can't get the signature picture back. Oh well.
 
deonb said:
I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

It seems like the COMODO root cert isn't installed on Android by default?
Click to expand...

I'll have to research that. I'm trying to get by without TLS 1.1. Can you give me any more info on your setup? Android version and browser version? That's probably what it is.
 
deonb said:
I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

It seems like the COMODO root cert isn't installed on Android by default?
Click to expand...
Try it now. I'd be willing to bet that it works.
 
deonb said:
Yip. Works now.

Out of curiosity - what did you change?
Click to expand...

Enabled some legacy versions of some SSL protocols. Surprisingly, Android doesn't do a good job of keeping up in that area.
 
Maybe crazy here, but I'd you are caching the content and serving locally, doesn't that open up a vulnerability on the POA server?

Seems like a great way to get content into the server that you had not intended...
 
SkyHog said:
Maybe crazy here, but I'd you are caching the content and serving locally, doesn't that open up a vulnerability on the POA server?

Seems like a great way to get content into the server that you had not intended...
Click to expand...

In theory. Jesse and I talked about it some. They work pretty hard on these things to ensure that its actually an image that they're downloading and that they isolate it from running as code.
 
jason said:
SSL enabled sites require *everything* that is displayed inside of the page to be served from SSL. If the page is SSL (see the lock at the top) but one of the images that you're viewing in the page isn't being served over SSL, then the browser warns you that the page isn't 100% secure.

Since our members embed images into their posts, we can't control whether or not those links are served from an SSL site (e.g. https :// imgur. com/image123.jpg vs http: // imgur. com/image123.jpg). In order to ensure that every link displayed is SSL our server now fetches the image from the remote server and caches it on our server...and serves it to the viewer using our SSL certificate.

You can view this post to see this in action...
http://www.pilotsofamerica.com/comm...ive-coolest-flights.42749/page-2#post-2063642

The original image embedded in this post was hosted here...
http: //i. imgur. com/sRTBcu0l.jpg (link intentionally broken so as not to embed the image)

If you view the post now you'll see that image served from a URL like this... (again, intentionally broken)
https: //www. pilotsofamerica. com/community/proxy.php?image=http%3A%2F%2Fi.imgur.com%2FsRTBcu0l.jpg&hash=bf3870e07c8ce53a1b8c620f69c5007a

So we're fetching the image and making sure that it's served from our server.
Click to expand...

Thank you for the elaborate explanation.
However, could you maybe explain to us regular web users what the end benefit is to us? Or is the benefit higher for the server?
 
BigBadLou said:
Thank you for the elaborate explanation.
However, could you maybe explain to us regular web users what the end benefit is to us? Or is the benefit higher for the server?
Click to expand...
SSL is the same technology that banks use to ensure that your communications with the server are secure and encrypted.
 
BigBadLou said:
Gotcha, right, I understand the technology in use.
But I am curious as to the actual benefit for the PoA member base.
Click to expand...
https://www.wired.com/2016/03/https-adoption-google-report/

tl;dr
Privacy (of what you're posting and reading from prying eyes) and account security (bad guys can't intercept your credentials).


For us, it results in a boost in SEO...making us more findable and growing our community. It also makes us look more competent for people that care about this stuff...
 
Don't know if it's related to the SSL or not, but I'm seeing a lot more "Bad Image" icons for folks Avatars than before. Jason, yours is one of them.

However, they're only bad when I'm looking at them on a work PC in Internet Explorer. At home, with Firefox, all is OK.

Ron Wanttaja
 
Man, it does a lot of redirecting with 301s. I would suggest that y'all send back the Strict-Transport-Security header to save future hassle.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 
wanttaja said:
Don't know if it's related to the SSL or not, but I'm seeing a lot more "Bad Image" icons for folks Avatars than before. Jason, yours is one of them.

However, they're only bad when I'm looking at them on a work PC in Internet Explorer. At home, with Firefox, all is OK.
Click to expand...
It appears to be IE-related... Firefox on the same machine looks fine, but IE doesn't display the avatar.

Ron Wanttaja
 
mkosmo said:
Man, it does a lot of redirecting with 301s. I would suggest that y'all send back the Strict-Transport-Security header to save future hassle.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Click to expand...
We will. I wanted to give it a month. If I would have turned it on out of the gate and then had to roll it back because of some image proxy problem...we would have been screwed. :D
 
jason said:
We will. I wanted to give it a month. If I would have turned it on out of the gate and then had to roll it back because of some image proxy problem...we would have been screwed. :D
Click to expand...
max-age= uhhh.... 2.

There we go :D
 
You must log in or register to reply here.
Back
Top