How would I convert my forum to run on HTTPS instead of HTTP?

Does vBulletin support this mainly out of the box? I can't find anything on this besides a "hacky" vbulletin.com forum post.

It supports it. I would personally wait until the release of 4.1.10 as it fixes a inline-moderation bug relating to HTTPS. The only really vB-specific thing to change is the relevant values in the Site Name / URL / Contact Details section of the ACP to use "https://" instead of "http://".

Since you've omitted a good chunk of information (webserver configuration & control panel, if any) no one is going to be a able to help much.. So you'll have to contact your host about that. You will need a private IP address and a valid certificate, though.

It's not difficult.

This is a great question.

I've changed the Site links to https.

However the login box does not pop up in Firefox, Chrome, and IE as they all believe it's a security concern of http mixing with https.

In my .htaccess file I've forced all to https but no luck. I have PHP 5.4 running with Vbulltein 4.2.1 on a Linux setup.

Any ideas? (Clean browsers were used on various machines.)

You likely have either a self-signed SSL certificate or a certificate that is not issued by a signing authority that is recognized by those web browsers, which means that every user will at least once be forced to see the message and click to continue on anyways.

@squidsk

Wanted to update. The HTTPS site was pulling an HTTP located ajax script.

Thus the browsers went crazy as HTTP and HTTPS were mixed for the users.

Thanks for the help!

I have PHP 5.4 running with Vbulltein 4.2.1 on a Linux setup.

Just a reminder:

vb4.2.1 <--> php 5.3
vb4.2.2 <--> php 5.3, php 5.4

Unless you have personally modified your vb4.2.1 code you will run into some problems. :)

You also have to keep in mind that if any of your users include any images or external resources in their post, it will "break" the HTTPS since most of the time those external resources are being loaded over HTTP instead of HTTPS.

You also have to keep in mind that if any of your users include any images or external resources in their post, it will "break" the HTTPS since most of the time those external resources are being loaded over HTTP instead of HTTPS.

That is not true with images, with scripts it is, but images will still load fine if they are served from http instead of https ...

That is not true with images, with scripts it is, but images will still load fine if they are served from http instead of https ...

Of course it will load fine, but that doesn't mean your HTTPS connection is secure if you load HTTP images of an external server.

From what I understand, only those elements which are not on https are not encrypted, everything else that is behind https is .. unless you have actual documentation that what you are saying is true the purpose of having "your" content or elements behind https is for just that, to encrypt that which is behind https...

From what I understand, only those elements which are not on https are not encrypted, everything else that is behind https is .. unless you have actual documentation that what you are saying is true the purpose of having "your" content or elements behind https is for just that, to encrypt that which is behind https...

It's highly unlikely that someone will perform a MITM attack with mixed content, but it is possible. I'm talking about external resources though. (resources which are not hosted on the current domain)

http://www.troyhunt.com/2013/06/understanding-risk-of-mixed-content.html
https://support.google.com/chrome/answer/1342714?hl=en
https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl
http://webmasters.stackexchange.com/questions/25051/how-can-mixed-content-compromise-an-entire-https-session
http://www.securitee.org/files/mixedinc_isc2013.pdf

Correct, but even images hosted on external domains behind only http dont do any harm, they are categorized as passive and all browsers do that, correct?

Browsers warn you that there is mixed content when you have content coming from outside non https hosted domains, that is just warning the users that downloading certain content may be dangerous but it's not necessarily dangerous which is the case with images.

So only those elements which are not behind http can pose a threat or be unencrypted ... that is how I understand it works.

Today, almost all major browsers tend to break mixed content into two categories: passive for images, videos, and sound; and activefor more dangerous resources, such as scripts. They tend to allow passive mixed content by default, but reject active content. This is clearly a compromise between breaking the Web and reasonable security.

Correct, but even images hosted on external domains behind only http dont do any harm, they are categorized as passive and all browsers do that, correct?

Browsers warn you that there is mixed content when you have content coming from outside non https hosted domains, that is just warning the users that downloading certain content may be dangerous but it's not necessarily dangerous which is the case with images.

So only those elements which are not behind http can pose a threat or be unencrypted ... that is how I understand it works.
Browsers with good security will block it from being loaded, until you give it the okay to be. That would be Firefox/IE. Not sure if chrome does that yet.

On my site no browser blocks images behind just http, any scripts yes especially iframes , but images always load up without having to give the ok ... that's on all the browsers ...

My entire Vbulletin 4 forum is running though SSL/HTTPS, and it runs perfectly fine. I even installed some Optimized Addons to make the pages load faster.

I havent had any problems at all with running my forum on HTTPS.

Yeah, if someone posts an image from a site using HTTP with the Image BBCode, there will be a tiny little Yellow sign (Chrome) in your browser on top of the Padlock. But no one sees a Security Warning or anything like that. Honestly, you wouldn't even know about the Tiny Yellow Sign if you weren't looking for it, because it really isnt a big deal. If it was a big deal, the user will see a Big Security Warning before he or she enters the page.

But like I said, running SSL with vBulletin is fine. It runs really, really well. I have even setup my web.config (Windows Server 2008R2) to redirect users to HTTPS. So if they type in "mysite.com" in their address bar, it would redirect them to https://mysite.com.

I setup a Test Thread on my site, and I posted an image from tinypic.com that uses HTTP and not HTTPS.

Check it out for yourself:
https://thetechgenius.net/threads/4-Test-Thread

How would I convert my forum to run on HTTPS instead of HTTP?

Does vBulletin support this mainly out of the box? I can't find anything on this besides a "hacky" vbulletin.com forum post.
Using htaccess will be good way for this, do some researches for information. :)