vb.org Archive
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   Forcing vBulletin to use HTTPS (https://vborg.vbsupport.ru/showthread.php?t=274711)

Dave 06-09-2014 06:57 PM
Quote:
Originally Posted by CAG CheechDogg (Post 2501301)
From what I understand, only those elements which are not on https are not encrypted, everything else that is behind https is .. unless you have actual documentation that what you are saying is true the purpose of having "your" content or elements behind https is for just that, to encrypt that which is behind https...
It's highly unlikely that someone will perform a MITM attack with mixed content, but it is possible. I'm talking about external resources though. (resources which are not hosted on the current domain)

http://www.troyhunt.com/2013/06/unde...d-content.html
https://support.google.com/chrome/answer/1342714?hl=en
https://community.qualys.com/blogs/s...y-to-break-ssl
http://webmasters.stackexchange.com/...-https-session
http://www.securitee.org/files/mixedinc_isc2013.pdf

CAG CheechDogg 06-09-2014 08:05 PM
Correct, but even images hosted on external domains behind only http dont do any harm, they are categorized as passive and all browsers do that, correct?

Browsers warn you that there is mixed content when you have content coming from outside non https hosted domains, that is just warning the users that downloading certain content may be dangerous but it's not necessarily dangerous which is the case with images.

So only those elements which are not behind http can pose a threat or be unencrypted ... that is how I understand it works.

Quote:
Today, almost all major browsers tend to break mixed content into two categories: passive for images, videos, and sound; and activefor more dangerous resources, such as scripts. They tend to allow passive mixed content by default, but reject active content. This is clearly a compromise between breaking the Web and reasonable security.

Zachery 06-10-2014 06:31 AM
Quote:
Originally Posted by CAG CheechDogg (Post 2501316)
Correct, but even images hosted on external domains behind only http dont do any harm, they are categorized as passive and all browsers do that, correct?

Browsers warn you that there is mixed content when you have content coming from outside non https hosted domains, that is just warning the users that downloading certain content may be dangerous but it's not necessarily dangerous which is the case with images.

So only those elements which are not behind http can pose a threat or be unencrypted ... that is how I understand it works.
Browsers with good security will block it from being loaded, until you give it the okay to be. That would be Firefox/IE. Not sure if chrome does that yet.

CAG CheechDogg 06-10-2014 07:04 AM
On my site no browser blocks images behind just http, any scripts yes especially iframes , but images always load up without having to give the ok ... that's on all the browsers ...

thetechgenius 06-22-2014 12:15 AM
My entire Vbulletin 4 forum is running though SSL/HTTPS, and it runs perfectly fine. I even installed some Optimized Addons to make the pages load faster.

I havent had any problems at all with running my forum on HTTPS.

Yeah, if someone posts an image from a site using HTTP with the Image BBCode, there will be a tiny little Yellow sign (Chrome) in your browser on top of the Padlock. But no one sees a Security Warning or anything like that. Honestly, you wouldn't even know about the Tiny Yellow Sign if you weren't looking for it, because it really isnt a big deal. If it was a big deal, the user will see a Big Security Warning before he or she enters the page.

But like I said, running SSL with vBulletin is fine. It runs really, really well. I have even setup my web.config (Windows Server 2008R2) to redirect users to HTTPS. So if they type in "mysite.com" in their address bar, it would redirect them to https://mysite.com.

I setup a Test Thread on my site, and I posted an image from tinypic.com that uses HTTP and not HTTPS.

Check it out for yourself:
https://thetechgenius.net/threads/4-Test-Thread

webmastersun 06-23-2014 02:15 AM
Quote:
Originally Posted by IndigoSociety (Post 2272338)
How would I convert my forum to run on HTTPS instead of HTTP?

Does vBulletin support this mainly out of the box? I can't find anything on this besides a "hacky" vbulletin.com forum post.
Using htaccess will be good way for this, do some researches for information. :)


All times are GMT. The time now is 04:34 PM.
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.00982 seconds
  • Memory Usage 1,738KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (6)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete