Site Suggestion

[TheTechGenius]

I think SSL/HTTPS should be enabled on the store pages, to ensure the customers their information being sent and received is safe.

I see SSL is already enabled on the Login/Logout pages, so I know the site already has an authorized SSL Certificate installed.

You can do this with an .htaccess file or a web.config file on a iis server.

Or you could enable SSL throughout the entire site. You can do this in the config.php file with in the ip.board files. Change [board_url] from http:// to https:// .

I did this myself on my board, when I bought my SSL Certificate.

[Ssoele]

All pages that have delicate information already use SSL, enabling SSL on the whole site causes more problems then it solves (eg. all external images also need to be on SSL, otherwise users get a warning message).

[TheTechGenius]

Your right, but it's not a major warning though, it's just a little warning in the address bar. The site will still be secure. And most major image hosts have SSL Certificates, so the image would need to be posted with https. But I understand that most users won't worry about using https to post an image. Unless everyone uses this site to upload and share their images they want to post. Then the images would use HTTPS as default.

[colonel_mortis]

They tried it on the whole site, but stuff broke, notably the YouTube embed code (which they can't change (easily?)). When I force https, I get a mixed content warning in the address bar, so it is blocking stuff (I think it is a stylesheet, but I can't remember or be bothered to find out). If you really want https, get an addon like httpseverywhere, and force it to encrypt your traffic.

[TheTechGenius]

Actually, the Login/Logout pages are already broke (Probably from using non HTTPS image Ads on the page).

 

 

Look at the address bar at the top. I took a screenshot to show you. From a technical view, this isn't really a problem, it doesn't make the page any less secure. The only thing an attacker would be able to hijack, is the Ad Image (or anything that is not connected via HTTPS). But for people or customers that don't know much about SSL/HTTPS, that could be a problem. A lot of people don't like inputting personal information on a non secure connection. And that RED HTTPS with a red X will push most people away. But I am just speaking in general. Its not like users are inputting credit card numbers or anything, its just a forum. I guess its up to Linus Media Group.

 

[colonel_mortis]

Actually the only mixed content that it loads is the font (roboto), not the ads, so that is within their power to change (the google fonts thing allows https:// requests, so all they have to do is replace the

<link type="text/css" rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">

in the html file (2nd to bottom line in head) with

<link type="text/css" rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">

and everything is fixed (no warnings). @Slick @MrWizard (I'm sure this isn't a priority, but it's a really easy fix that would make the site better for everyone because they know it's secure)

[Guest]

We tried for a while but there were too many issues.

[TheTechGenius]

Actually the only mixed content that it loads is the font (roboto), not the ads, so that is within their power to change (the google fonts thing allows https:// requests, so all they have to do is replace the

<link type="text/css" rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">

in the html file (2nd to bottom line in head) with

<link type="text/css" rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">

and everything is fixed (no warnings). @Slick @MrWizard (I'm sure this isn't a priority, but it's a really easy fix that would make the site better for everyone because they know it's secure)

 

You are 100% correct, I just went through the entire login page, and i see the ads are connected via HTTPS.

 

 

EDIT:  I see exactly what you are saying now.

[colonel_mortis]

You are 100% correct, I just went through the entire login page, and i see the ads are connected via HTTPS.

It should log it to the console... No need to inspect every element. (Or is that just firebug on firefox that does that)

[TheTechGenius]

It should log it to the console... No need to inspect every element. (Or is that just firebug on firefox that does that)

 

 

Well its not that, I was just checking through the page to see if there was any other non HTTPS connections.

[linusforsell]

That's a bad idea for a forum where there are tons of content loaded from non-encrypted URLs. If the forum were to retrieve and store local copies of all things posted then it' could be a good move, but as things are right now, and as they previously noticed when they tried it out, it's a no-go.

 

 

Or you could enable SSL throughout the entire site. You can do this in the config.php file with in the ip.board files. Change [board_url] from http:// to https:// .

 

Never hard-code the transfer protocol, simply use // to make the browser handle it. That'll probably save you tons of work if you have to change things up in the future.