PKP Community Forum is Insecure (HTTP)

security

#1

Unsure if you’ve noticed, but the URL for this forum is insecure: http://forum.pkp.sfu.ca/ – it is HTTP only, and HTTPS isn’t available. This means that any and all login credentials entered are transmitted in the clear and can be read and obtained by anyone on the network, and requests/responses can be tampered with.

Browsers like Firefox are already highlighting this problem like so:

and the severity of the errors will escalate with later browser versions.

If getting an SSL/TLS certificate is a problem, then may I suggest Certbot/Let’s Encrypt (http://certbot.eff.org/), the free certificate authority supported by all major web entities (https://letsencrypt.org/). It allows free certificates to be automatically issued and renewed, the certs are supported in all major browsers, and plugins are available for all major web server software.

As a final point, I’d suggest that you email all users on the forum to let them know that they should change their passwords. Given how simple it is to intercept HTTP-only traffic, this will help users stay safe (especially if they’re reusing passwords).


#2

Hi again,

Thanks for adding the Let’s Encrypt certificate to the forum – I presume that’s what’s happened as HTTPS has been enabled in the last few hours following my post above. That said, the pages aren’t fully secure because of the remaining http:// resources on the page. A quick look shows that it’s just the logo (http://stranack.ca/public-images/forum-logo-black-L-transparent-932x145.png) that’s still insecure. The URL https://stranack.ca doesn’t have HTTPS correctly configured so either that needs adjustment or the image would need to be placed somewhere else.

Also, a comment here to let me and everyone know about the changes would be awesome, just so we know what’s happening.

Cheers & thanks for acting so quickly.
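
The kind of check described in the post above, as an added example that is not part of the original thread or of Discourse: given the HTML of a page served over https, it lists every subresource a browser would fetch over plain http (the site logo case), resolving relative and protocol-relative URLs against the page URL so only real http:// loads are reported. The sample page is constructed; the logo URL is the one quoted in the thread, and the `example.invalid` hosts are placeholders.

```python
# Added example (not code from this thread or from Discourse): a mixed-content
# check. Given the HTML of a page served over https, it lists every
# subresource the browser would fetch over plain http. The sample page below
# is constructed; the logo URL is the one from the thread.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch a subresource. <a href> is a
# navigation, not a subresource, so ordinary links are not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "embed": ("src",),
    "object": ("data",),
}


class _SubresourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every subresource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how later relative URLs resolve
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for candidate in candidates:
                self.found.append((tag, urljoin(self.base_url, candidate)))


def find_mixed_content(html, page_url):
    """Return (tag, url) pairs for subresources an https page loads over http.

    Relative and protocol-relative URLs resolve against page_url, so only
    references that are explicitly http:// after resolution are reported.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.found
            if urlsplit(url).scheme == "http"]


# Constructed sample page: an https forum page whose site logo is still
# loaded from an http-only host (the situation described in the thread).
SAMPLE_PAGE_URL = "https://forum.pkp.sfu.ca/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/stylesheets/forum.css">
<script src="//cdn.example.invalid/app.js"></script>
</head><body>
<img src="http://stranack.ca/public-images/forum-logo-black-L-transparent-932x145.png" alt="logo">
<img src="/uploads/avatar.png"
     srcset="/uploads/avatar.png 1x, http://images.example.invalid/avatar@2x.png 2x">
<a href="http://example.invalid/">a plain link, which is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"insecure <{tag}>: {url}")
```

Run against a saved copy of the page (`curl -s https://forum.pkp.sfu.ca/ > page.html`) the same function reports what the browser's mixed-content warning refers to, including the http candidate hidden inside a `srcset`; fixing the logo URL removes the first hit but not the second.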


#3

Hi David,

Thanks for giving us the push to add Let’s Encrypt – we use it in other parts of our ecosystem and simply hadn’t gotten around to using it here.

However, we probably won’t be making an exhaustive effort to eliminate all mixed content from this site, as not everyone who does moderation work is precisely attuned to https stuff, and it’s entirely likely you might see a logo or an image loaded from an http-only domain moving forward. Hopefully that shouldn’t cause undue stress.

best,
Alex


#4

Thanks for the quick reply!

In this case, I was talking about the main “PKP Community Forum” logo at the top of every page. You’ve got control over the logo in the Discourse settings, so it’s just a case of uploading it to an HTTPS-based server (e.g. into Discourse and grabbing its URL, or to another service like https://imgur.com/) and using that URL.

Individual posts are going to be hard/impossible to manage which is why I only mentioned the site-wide logo. Besides, the general push towards HTTPS will get us all there eventually!

Cheers


#5

done :slight_smile:

thanks @stranack


#6

Thanks again.

Also, I’ve just noticed that, as I was going to change my password, the URLs being generated by Discourse are http:// (e.g. http://forum.pkp.sfu.ca/u/password-reset/… and http://forum.pkp.sfu.ca/u/authorize-email/…).

Could you check if the Use HTTPS setting is enabled in the Security site settings? From my understanding, that affects the base_url used within those email templates (and in various other places in Discourse too).

Cheers.
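
A way to verify the problem described in the post above (and that a fix took effect), as an added example that is not part of the original thread or of Discourse: send yourself a password reset, save the raw email, and run it through a check that reports every link to the forum host that still uses http://. A reset token sent in an http:// link is exposed to the same on-path observer as the HTTP-only login was. The message below is constructed to resemble such an email; the token in it is made up.

```python
# Added example (not code from this thread or from Discourse): find http://
# links to the forum host in a transactional email. The sample message below
# is constructed; the reset token in it is made up.
import re
from email import message_from_string
from urllib.parse import urlsplit

FORUM_HOST = "forum.pkp.sfu.ca"

# Good enough for links in transactional mail; trailing punctuation is trimmed.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def extract_urls(raw_message):
    """Return all URLs found in the text/* parts of an RFC 5322 message."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(u.rstrip(".,;:!?") for u in URL_RE.findall(body))
    return urls


def find_insecure_links(raw_message, host=FORUM_HOST):
    """Links to `host` that use http:// and so would expose a reset token."""
    return [u for u in extract_urls(raw_message)
            if urlsplit(u).scheme == "http" and urlsplit(u).hostname == host]


# Constructed sample: a plain-text password-reset mail with an http:// link.
SAMPLE_EMAIL = """\
From: noreply@forum.pkp.sfu.ca
To: someone@example.invalid
Subject: [PKP Community Forum] Password reset
Content-Type: text/plain; charset="utf-8"

Somebody asked to reset your password. Click the link below:

http://forum.pkp.sfu.ca/u/password-reset/0123456789abcdef.

If you did not request this, ignore this email. Help: https://forum.pkp.sfu.ca/faq
"""

if __name__ == "__main__":
    for url in find_insecure_links(SAMPLE_EMAIL):
        print("insecure link:", url)
```

Once the base_url is https, the same check on a fresh reset mail should return an empty list; the https FAQ link in the sample is there to show that only http:// links to the forum host are reported.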


#7

Hmmm – How about now?


#8

Yep, that’s got it. Given what I saw in the Discourse codebase, that should change the base_url everywhere.

Thanks again for the quick action!