Author Topic: HTTPS for the site?  (Read 11856 times)

Offline groomer

  • DansDeals Copper Elite
  • *
  • Join Date: May 2018
  • Posts: 4
  • Total likes: 1
  • DansDeals.com Hat Tips 0
    • View Profile
  • Location: USA
HTTPS for the site?
« on: May 29, 2018, 06:47:16 AM »
Hi

Just joined, but I noticed that the forums registering and login pages don't huge HTTPS. It's quite basic today and important (before today).
Wouldn't it better to have?

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #1 on: May 29, 2018, 09:50:55 AM »
Hi

Just joined, but I noticed that the forums registering and login pages don't huge HTTPS. It's quite basic today and important (before today).
Wouldn't it better to have?
Yes it would, in any event you shouldn't use the same password for 2 sites not a big issue here unless you're afraid someone might hijack your HT or likes.

if Dan is interested to implement HTTPS you can do it free with https://letsencrypt.org/  which is supported, sponsored and developed by major Tech companies.

if you'r using AWS maybe look into https://community.letsencrypt.org/t/aws-announces-certificate-manager-similar-to-le/9289
« Last Edit: May 29, 2018, 09:56:10 AM by yesitsme »
["-"]

Offline stooges44

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Jan 2017
  • Posts: 6454
  • Total likes: 2751
  • DansDeals.com Hat Tips 269
    • View Profile
Re: HTTPS for the site?
« Reply #2 on: May 29, 2018, 11:49:48 AM »
Paging @Suave
If it's not free shipping it's not worth it.

Offline groomer

  • DansDeals Copper Elite
  • *
  • Join Date: May 2018
  • Posts: 4
  • Total likes: 1
  • DansDeals.com Hat Tips 0
    • View Profile
  • Location: USA
Re: HTTPS for the site?
« Reply #3 on: May 29, 2018, 12:07:19 PM »
Yes it would, in any event you shouldn't use the same password for 2 sites not a big issue here unless you're afraid someone might hijack your HT or likes.

if Dan is interested to implement HTTPS you can do it free with https://letsencrypt.org/  which is supported, sponsored and developed by major Tech companies.

if you'r using AWS maybe look into https://community.letsencrypt.org/t/aws-announces-certificate-manager-similar-to-le/9289

Thanks, I know. Still have some old passwords from 20 years ago running around the web, from the days the internet different, maybe

Offline ben89

  • Dansdeals Presidential Platinum Elite
  • ********
  • Join Date: Jul 2015
  • Posts: 2855
  • Total likes: 198
  • DansDeals.com Hat Tips 142
    • View Profile
Re: HTTPS for the site?
« Reply #4 on: May 29, 2018, 01:32:39 PM »
Hi

Just joined, but I noticed that the forums registering and login pages don't huge HTTPS. It's quite basic today and important (before today).
Wouldn't it better to have?
are you sure that your location is USA??

Offline Aerial Dag

  • Dansdeals Lifetime Platinum Elite
  • *******
  • Join Date: Jun 2013
  • Posts: 1046
  • Total likes: 78
  • DansDeals.com Hat Tips 7
    • View Profile
  • Location: MS Desert
Re: HTTPS for the site?
« Reply #5 on: May 30, 2018, 08:50:14 PM »
Yes it would, in any event you shouldn't use the same password for 2 sites not a big issue here unless you're afraid someone might hijack your HT or likes.
I hope you’re being sarcastic. This site should definitely have SSL. I’m sure people have given personal information to others over PM.
But also imagine a scenario where someone hijacks a trusted user’s account and then proceeds to trick users on the buy/sell board to pay them for nonexistent merchandise. Easy to rack up thousands of dollars from unsuspecting users.
It’s so easy to have SSL seems silly not to have it. Besides, Chrome will soon start warning users that the site is insecure. That’s just bad for Dan.

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #6 on: May 30, 2018, 09:50:07 PM »
I hope you’re being sarcastic. This site should definitely have SSL. I’m sure people have given personal information to others over PM.
But also imagine a scenario where someone hijacks a trusted user’s account and then proceeds to trick users on the buy/sell board to pay them for nonexistent merchandise. Easy to rack up thousands of dollars from unsuspecting users.
It’s so easy to have SSL seems silly not to have it. Besides, Chrome will soon start warning users that the site is insecure. That’s just bad for Dan.

You're right, I added the sites I maintain to hsts preload, https://hstspreload.org/ it's like saying bye to non secure http.
« Last Edit: May 30, 2018, 11:52:24 PM by yesitsme »
["-"]

Offline myi

  • Dansdeals Lifetime 20K Presidential Platinum Elite
  • ********
  • Join Date: Feb 2015
  • Posts: 23544
  • Total likes: 2427
  • DansDeals.com Hat Tips 356
  • Gender: Male
    • View Profile
  • Location: InMyPants! 🙈
  • Programs: 2Many2List!
Re: HTTPS for the site?
« Reply #7 on: June 01, 2018, 01:33:03 AM »
You're right, I added the sites I maintain to hsts preload, https://hstspreload.org/ it's like saying bye to non secure http.
They don't like the fact that the forum is a subdomain.

Quote
Need your LG Exalt fixed? Cracked in half? Water damage? Or parts to repair yourself. 347.201.2501

Offline myi

  • Dansdeals Lifetime 20K Presidential Platinum Elite
  • ********
  • Join Date: Feb 2015
  • Posts: 23544
  • Total likes: 2427
  • DansDeals.com Hat Tips 356
  • Gender: Male
    • View Profile
  • Location: InMyPants! 🙈
  • Programs: 2Many2List!
Re: HTTPS for the site?
« Reply #8 on: June 01, 2018, 01:36:29 AM »
I hope you’re being sarcastic. This site should definitely have SSL. I’m sure people have given personal information to others over PM.
But also imagine a scenario where someone hijacks a trusted user’s account and then proceeds to trick users on the buy/sell board to pay them for nonexistent merchandise. Easy to rack up thousands of dollars from unsuspecting users.
It’s so easy to have SSL seems silly not to have it. Besides, Chrome will soon start warning users that the site is insecure. That’s just bad for Dan.
Quote @Dan or @Suave to get something maybe to be done about it,as well lekoved the 10th anniversary some improvements.
Quote
Need your LG Exalt fixed? Cracked in half? Water damage? Or parts to repair yourself. 347.201.2501

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #9 on: June 01, 2018, 07:11:06 AM »
They don't like the fact that the forum is a subdomain.

They like subdomains, however to preload yor domain it needs to be secure (served over tls), include all subdomains in your hsts header, and all subdomains also need to be servered over tls, then you can submit your domain in this case https:// dansdeals.com to the hsts preload list.

The point of hsts header is to prevent cookie hijacking and only takes effect after the first visit, if it's added to the preload list it doesn't ever allow the user to load http://dansdeals.com even the first time.

You can read more here https://https.cio.gov/hsts/
["-"]

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #10 on: June 06, 2018, 08:01:05 PM »
You're right, I added the sites I maintain to hsts preload, https://hstspreload.org/ it's like saying bye to non secure http.
Hsts came back to bite me, I sent out a mass email using a third party email relay service and click tracking was set up through a sub domain with a came record pointing to the third party provider and bingo all links in the email I sent out didn't work, there are work arounds by proxying instead of pointing with came but it gets more complicated.
« Last Edit: June 06, 2018, 08:08:19 PM by yesitsme »
["-"]

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #11 on: June 18, 2018, 04:32:55 PM »
Thank You @Dan  !

Offline Dan

  • Administrator
  • Dansdeals Lifetime 50K Diamond Elite
  • **********
  • Join Date: May 2008
  • Posts: 67601
  • Total likes: 16913
  • DansDeals.com Hat Tips 16442
  • Gender: Male
    • View Profile
  • Location: CLE
  • Programs: UA GS, AA EXP, DL Dirt, Hyatt Glob, Fairmont Lifetime Plat, DD Diamond, Blocked By @NeriaKraus
Re: HTTPS for the site?
« Reply #12 on: June 18, 2018, 04:34:56 PM »
Save your time, I don't answer PM. Post it in the forum and a dedicated DDF'er will get back to you as soon as possible.

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #13 on: June 18, 2018, 08:50:28 PM »
@BAHayman I hope that you ran repair.php to overwrite all urls, I believe that you did just double checking.
["-"]

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: HTTPS for the site?
« Reply #14 on: June 19, 2018, 06:40:20 PM »
@BAHayman I hope that you ran repair.php to overwrite all urls, I believe that you did just double checking.
Nope I haven't run repair_settings.php yet. Which urls need to be overwritten?

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #15 on: June 19, 2018, 08:09:28 PM »
Nope I haven't run repair_settings.php yet. Which urls need to be overwritten?
Not sure but I believe that there's a caching issue.
["-"]

Offline srap

  • Dansdeals Presidential Platinum Elite
  • ********
  • Join Date: Dec 2013
  • Posts: 2819
  • Total likes: 202
  • DansDeals.com Hat Tips 4
    • View Profile
Re: HTTPS for the site?
« Reply #16 on: June 20, 2018, 07:17:59 AM »
Thank you BAHayman and Dan!! I've been waiting for this.

Offline ushdadude

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Apr 2013
  • Posts: 6305
  • Total likes: 934
  • DansDeals.com Hat Tips 5
    • View Profile
  • Location: NY
Re: HTTPS for the site?
« Reply #17 on: June 20, 2018, 02:03:27 PM »
is it hard to setup https for a site? i tried reading up on it but the words might as well be in a foreign language

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: HTTPS for the site?
« Reply #18 on: June 20, 2018, 02:11:23 PM »
is it hard to setup https for a site? i tried reading up on it but the words might as well be in a foreign language
If you know what you're doing not at all, if you don't know for sure.

Offline ushdadude

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Apr 2013
  • Posts: 6305
  • Total likes: 934
  • DansDeals.com Hat Tips 5
    • View Profile
  • Location: NY
Re: HTTPS for the site?
« Reply #19 on: June 20, 2018, 02:13:06 PM »