[2020-10-30] [IMPLEMENTED] SSL / HTTPS for BudgetLightForum.com (Request)

@aeroden - The thing is, the login block appears on all pages. So that would require removing the login block and only having a single dedicated page for logging in.

Just a public service announcement: You should always use a unique password for each site that is sensitive or important to you, whether it uses SSL or not. HTTPS is not a magic bullet to protect your online security, and there are many more documented cases of identity theft from weak or reused passwords (typed into “secure” sites with a big green padlock in the URL bar) than there are from connection hijacking and wiretapping. Another massive attack vector is malware that logs and phones home passwords that are typed into the browser before they ever hit the wire, be it an encrypted connection or not. Then there’s the question of how the “secure” site actually stores the password on their servers after the HTTPS connection is finished, which on the server side is often far from being truly secure against people hacking directly into the server. Cases in point are the sites that have massive lists of compromised passwords, which were stolen directly from the databases of compromised servers. I should also mention that I take the security of the BLF server very seriously and am extremely proactive at applying security patches, and I use accepted best practice techniques to maintain the integrity of the server.

@sb56637 - not necessarily. Changing the form POST action to the HTTPS version will do the trick. Again, only the form POST action; then it will redirect back to plain HTTP.

In the highlighted above it can be http*s*://budgetlightforum.com/frontpage?destination=frontpage

How does it sound to you?

Regarding your last paragraph - I fully agree with your points and thank you again for keeping this treasure online. I think adding SSL for logins will really close the gap so to speak since this is the only private piece of information on this public forum probably with the exception of private messages. IMHO every service should do its best to protect private data and leave it to users to decide how conscious they want to be about their privacy.

@aeroden: Thanks, but wouldn’t that make most browsers throw warnings about mixed HTTP and HTTPS content on the same page?

@sb56637 It works the other way around - when you have a page loaded over HTTP*S* and some content on that page is loaded through HTTP, then you get a warning. In our case we do the opposite and there is no problem with that. For example in my above post the image was loaded from Imgur through HTTPS. Actually we don’t even load any content through HTTPS - we only POST login form data through HTTPS and then it would need to redirect us back to HTTP.

In hindsight, I think this whole idea is a bit pointless, since after login I get a session cookie to authorize future requests, and if someone can get that cookie through eavesdropping he can actually access the site in full as if it was me (my IP is not part of the session cookie hash, and that’s not really secure anyway).

But… Instead I think I have a much better idea. I see you host this site on lunanode.com and they provide a Load Balancer service that will do the SSL termination for you, and for your usage it will even be free of charge. So the server will still serve plain HTTP traffic while the Load Balancer will do the certificate provisioning (for free through LetsEncrypt) and SSL termination, forwarding the plain HTTP traffic back to the server. Here are the docs: Load Balancers

Sounds compelling?
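The session-cookie problem raised above, illustrated with an added example that is not part of the thread. It simulates what a browser's cookie jar does with a login cookie: once the site falls back to plain HTTP after an HTTPS-only login, a cookie without the Secure flag is sent in the clear on the very next page load, while a cookie with the Secure flag is withheld from http:// requests (which would log the user out on an HTTP-only site). The cookie name and value are constructed for the demonstration; the paths are made up and are not BLF's actual URLs.

```python
import http.cookiejar
import urllib.request

# Constructed session cookie, standing in for whatever the forum login sets.
# Name and value are made up for this demonstration.
COOKIE_NAME = "SESSexample"
COOKIE_VALUE = "c0ffee"
SITE = "budgetlightforum.com"


def session_cookie(secure: bool) -> http.cookiejar.Cookie:
    """Build a host-scoped session cookie, with or without the Secure flag."""
    return http.cookiejar.Cookie(
        version=0, name=COOKIE_NAME, value=COOKIE_VALUE,
        port=None, port_specified=False,
        domain=SITE, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_header_for(url: str, secure: bool):
    """Simulate the browser: store the login cookie, then build the request
    for `url` and return the Cookie header it would send (None if none)."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(session_cookie(secure))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the Secure/domain/path rules
    return request.get_header("Cookie")


def leaks_over_http(secure: bool) -> bool:
    """True if an eavesdropper on a plain-HTTP page load would see the session."""
    return cookie_header_for(f"http://{SITE}/frontpage", secure) is not None


if __name__ == "__main__":
    for secure in (False, True):
        print(f"Secure flag {'set' if secure else 'absent'}:")
        for url in (f"https://{SITE}/user/login", f"http://{SITE}/frontpage"):
            print(f"  {url:45} Cookie: {cookie_header_for(url, secure)}")
```

Either way the HTTPS-only-login scheme loses: without Secure the session rides over HTTP for every later request, and with Secure the user is simply not logged in on the HTTP pages. The only fix is serving the whole site over HTTPS.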

Aeroden seems to be onto something there.

I personally would always appreciate better security, though the content of this site is generally impersonal. Perhaps if people are sending shipping addresses etc via private message, that would be a risk.

@sb56637 so what do you think about the load balancer approach?

Fuzun, would a groupbuy for a VPN be a simple solution?

How does VPN help here?

@aeroden Thanks for the interesting idea, I’ll definitely look into it.

Have you looked at things like Cloudflare that provide SSL by proxying your HTTP site? Cloudflare’s pricing starts at free. There’s a few similar providers around too.

@dave1010 True, but traffic between CloudFlare and the backend still goes over the Internet in plain text. BLF’s hosting provider has an SSL termination feature for no charge, so imho it’s a no-brainer and secure too.
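When a load balancer terminates TLS and forwards plain HTTP, as proposed above, the backend sees every request as http:// and has to learn the real scheme from the X-Forwarded-Proto header. The added example below (not code from the thread, BLF, or its hosting provider) is a small WSGI middleware that trusts that header only when the TCP peer is the load balancer, redirects anything that was plain HTTP on the client side to https://, adds an HSTS header, and makes sure every cookie the application sets carries Secure and HttpOnly. The load balancer address range, the application, the cookie and the request environments are all constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import quote

# Assumption: the address range the TLS-terminating load balancer connects
# from. In a real deployment take this from the provider's documentation.
LB_NETWORKS = (ip_network("10.0.0.0/8"),)
HSTS_VALUE = "max-age=31536000"


def client_scheme(environ: dict) -> str:
    """Scheme the end user actually used.

    The backend only ever sees plain HTTP from the load balancer, so the real
    scheme has to be read from X-Forwarded-Proto. Trust that header only when
    the TCP peer is the load balancer; anyone else could simply set it.
    """
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return environ.get("wsgi.url_scheme", "http")
    if any(peer in net for net in LB_NETWORKS):
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        proto = forwarded.split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return environ.get("wsgi.url_scheme", "http")


def force_https(app):
    """WSGI middleware: redirect plain-HTTP clients to HTTPS, add HSTS, and
    make sure every cookie the app sets carries Secure and HttpOnly."""
    def wrapped(environ, start_response):
        if client_scheme(environ) != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        environ["wsgi.url_scheme"] = "https"  # so the app builds https:// links

        def hardened_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    attrs = [a.strip().lower() for a in value.split(";")[1:]]
                    if "secure" not in attrs:
                        value += "; Secure"
                    if "httponly" not in attrs:
                        value += "; HttpOnly"
                fixed.append((name, value))
            fixed.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, fixed, exc_info)

        return app(environ, hardened_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the forum application: a login that issues a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "SESSexample=c0ffee; Path=/")])
    return [b"logged in\n"]


def call(app, remote_addr, forwarded_proto=None, path="/user/login", query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
        "SERVER_NAME": "budgetlightforum.com", "HTTP_HOST": "budgetlightforum.com",
        "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http",  # what the backend sees
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = force_https(demo_app)
    print(call(app, "10.1.2.3", "https"))     # real HTTPS via the LB: 200, Secure cookie, HSTS
    print(call(app, "10.1.2.3", "http"))      # plain HTTP via the LB: 301 to https://
    print(call(app, "203.0.113.5", "https"))  # spoofed header from elsewhere: 301
```

The third case is the one that is easy to get wrong: if the backend believed X-Forwarded-Proto from any peer, a client that reached the server directly over port 80 could claim to be on HTTPS and keep the session in the clear. Restricting direct access to the backend to the load balancer's addresses at the firewall closes the same hole one layer down.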

OK, SSL (https://budgetlightforum.com) is now implemented as @aeroden suggested. Thanks a lot for the tip!

This was the reason for the instability of the site during the past ~12 hours, but I think I managed to work out most of the kinks. Please let me know if you run into anything odd relating to this change.

Great teamwork guys!

Hurrah! Hurrah! Hurrah! Many thanks for making this effort!

Holy SSL! Thank you SB! It’s so awesome to not have to worry about my PMs being intercepted in every hotel and foreign country the receiver opens/accesses them from. SWEET.

Hooray! This will help your search rank too :slight_smile:

that was definitely worth the down time

We did it reddit BLF!

Thank you for making the site more secure.