Does SSL work with vb4
 

I am looking for feedback from people who have used SSL with vb4 and want to know if they recommend it.

Of course it works with vB4 .... I have it on my site now ..

I use it and it works just fine. It is needed to use SPDY but if I wasn't using that then I probably wouldn't use it.

Why are you considering it?

Sorry instead of work I really meant does vb4 need any mods to get it working without a hitch.

My reason for considering it was because google plans to make https the industry standard, and thought perhaps I should just get one now while my forum is small instead of waiting until later if it is larger.

Should work fine after you change the base URL of your vBulletin forum to use HTTPS instead of HTTP.
At the vBulletin settings > Server Settings and Optimization options you should also configure a custom Remote YUI Path such as https://ajax.googleapis.com/ajax/libs/yui/ which uses HTTPS.

Also you may be receiving mixed content errors when there's embedded media such as images/videos on a post which loads stuff through HTTP.

Thanks for the advice Dave. Yeah I have been on other forums with SSL and constantly got errors coming up saying the content was unsafe, which is annoying, and makes you wonder about your security, which is not something I want people to experience on my forum.

My host is advising me against getting SSL. I am told that it will make the site slow and that it is overkill. But I notice all the big sites use SSL such as Twitter and they don't seem to be slow. If google is going to go SSL in future I don't see the harm of getting it now. And judging from opinions on here it seems people generally think they are unnecessary. I am just thinking not having a SSL might make people hesitate before joining as everything they input into my forum will be accessible for anyone on the net to see. I don't want my members thinking that what they say or do my forum is not important enough to be encrypted, as it implies I don't care about their security or don't see them as important enough to warrant encryption.

Any pro/cons for why I should not get it? I can't think of any. I am thinking I may just get SSL on the log in and registration pages.

--------------- Added [DATE]1421918450[/DATE] at [TIME]1421918450[/TIME] ---------------

Does it make a difference who you use when getting SSL for vBulletin?

It will not make the site go slow nor is an overkill. It only requires a bit more processing power of the web-server because of the encryption and that's about it.

It doesn't matter where you buy the SSL, just get the cheapest one available.

Thanks for the reply Dave. Maybe my host is concerned about that. I may just leave it as is for now but see most websites according to the stats use one with only 44% not using one.

You cannot gauge your traffic or SSL server usage by Twitter as Twitter is a much larger site and they probably have several servers that are super fast. So if SSL made a server run slow comparing to Twitter is not really realistic.

As for slow, I've had SSL on a site before and never really noticed any difference at all. It sounds like the host has no idea to me what they are doing.

HTTPS requires an initial “handshake” to create a connection between the browser and the server, and this handshake can be be very slow.

The problem

It takes at least four TCP roundtrips just to open a single SSL connection between the client and the server — and this doesn’t happen until after the initial TCP connection has been set up. The amount of data transferred as part of the handshake isn’t huge (under 5 kB typically), but for very small requests this can be quite a bit of overhead.
Important to know: The SSL handshake is actually even more process intensive than the actual data encryption that happens over the connection after the handshake is successfully complete.
How to know if this problem affects you

No one can give you a meaningful answer to this question without some information about the nature of your web site, hardware, software, and network configuration.
There are a couple of ways to look into this problem for your own site:
1. Profile the performance of your web server. There are several tools out there (such as JMeter and Visual Studio) to compare the performance of an HTTP vs HTTPS server.
2. Run WebPagetests of key secure pages on your site. Look at the purple bars on the waterfall chart that indicate SSL negotiation. You don’t want to see:

• too many purple bars
• long purple bars
• purple bars associated with non-essential page resources

Thankyou for the information. I will keep it in mind, but have decided for now not to go with SSL and keep my site as simple as possible until I get more confident with it.

Yeah you can always switch to it easily if need be. :)

I have been running SSL on my entire forum since I first setup my forum. I have it enabled throughout the entire forum, not just on the Login Page. I haven't had any problems at all, and my forum still loads very very fast. Actually, I tested my site on a few speed test sites, and it says my site is about faster then 75%+ of all sites tested. And my site is heavily customized with a bunch of custom addons made by me, and a lot of custom CSS/HTML.

HTTPS doesn't really make your site slower, as long as your server network has a decent speed, you should be fine. My server runs on a Fiber Network with its own dedicated IP, 90Mbps Upload and 90Mbps Download.

If you can afford it, SSL/HTTPS is the way to go. It tells your users that you care about their security and privacy, and it also makes your forum look more legit and professional. (Even though you really don't need SSL on a forum. But its never a bad idea to run SSL)

On a side thought anyone find a work around for rss feed coming in to a https site? I get the icon showing dual security on content. Thanks.

I'm not exactly sure what you mean, but when your site is running SSL/HTTPS, you should be using HTTPS URL's. If content is being served over HTTP on a HTTPS site, you and your users will get a Mixed Content Warning. That is why I always change urls to javascript library's to https, and if the url to the javascript library does not have HTTPS enabled, I download the JS File and store it locally on my server so I can serve it over HTTPS. If I cannot actually download it, I view the JS Code in my browser, copy and paste the code in Notepad++ and then store it locally on my server.

I'm not sure if URLs posted by members affect the Mixed Content Warning or not, but I have a custom Anonym URL Redirect Addon that I created. My addon redirects all URL's that is not on the Whitelist, and redirects the user to the URL anonymously. I have it setup on one of my other Top Level Domains, I made the domain just for my addon. The URL shows up like this in posts - https://ttechg.link/?http://example.com

You can see the URL is not HTTP, but it redirects to the HTTP url, that way users will not get the Mixed Content Warning.

If you want to use my custom addon on your forum, let me know. I did release it on vB.org, but I haven't released the updated version yet. Its because from developing the addon, I have the files scattered around my server. I have to get all of the files together, and clean it up a bit before I release it. But if you need it now, I can get the files together and send you a copy. And I can walk you through the setup process. You can either install it on your forum domain and have it in its own directory, or you can install it on its own domain like how I have it.

My Forum - https://thetechgenius.net
My URL Anonym Redirect Addon - https://ttechg.link

Why would posting a link cause mixed content warnings? If it isn't producing an image or script then it should be fine.

Also look into SPDY if your running SSL as it makes your site faster and that is what sizes such as google use.

The only thing I had to do was create a small image proxy to keep images from producing mixed content messages.

https://www.canesinsight.com

I'm pulling RSS feed in from feedburner which apparently is not capable of https....

--------------- Added [DATE]1422936046[/DATE] at [TIME]1422936046[/TIME] ---------------

Here is all the http links in the page source that I would like to move to https:

http://data-vocabulary.org/Breadcrumb
http://www.w3.org/1999/xhtml
http://www.facebook.com/2008/fbml
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
http://feeds.feedburner.com/reuters/ytaq?format=sigpro

Plus a few links at the bottom for the mods that are regular http...

Any advice? Thanks.

--------------- Added [DATE]1422936219[/DATE] at [TIME]1422936219[/TIME] ---------------

Is SPDY something your host offers or something else? Thanks.

Are you sure feedburner is capable of https? The below link comes up fine. Your server would need to be configured to run SPDY for it to work.

https://feeds.feedburner.com/reuters/ytaq?format=sigpro

Thanks! I know it did not, maybe they changed something. Will check it out...


It worked thanks!