01-29-2017, 02:25 PM   #16
Veteran Member
narual's Avatar

Join Date: Jun 2013
Location: South Bend (Notre Dame), Indiana
Photos: Gallery | Albums
Posts: 1,988
This is silly. Put the ssl on the login form, password reset, etc. Done. No need or reason to encrypt an entire website.

01-29-2017, 02:29 PM - 1 Like   #17
Loyal Site Supporter
UncleVanya's Avatar

Join Date: Jul 2014
Photos: Gallery | Albums
Posts: 28,398
Originally posted by narual:
This is silly. Put the ssl on the login form, password reset, etc. Done. No need or reason to encrypt an entire website.
Not true. That is an old way of managing security that has worked but is showing cracks. The phishing and merged attacks out there today make all ssl a best practice. Many sites already headed this way last year or even earlier.
01-29-2017, 02:29 PM   #18
Marketplace Reseller




Join Date: Nov 2008
Location: Canada
Posts: 9,320
Originally posted by UncleVanya:
Steve the global redirect will handle it over and over. The inline viewing may be broken but clicking the link will resolve to the corrected link.
So this means if I want inline viewing to be maintained I'd have to alter every post made over a 10+ year period (not so hard on this website but on DPR where I'm more active photo-wise as I'm sure it will likely eventually go that way). The majority of photos I post on Pentaxforums are product shots for my ads and I'm sure it won't be too hard to start uploading them to the provided gallery space on this website. It's just legacy posts will eventually be a series of links and not inline images anymore. It seems my web space does come with the ability to set up 1 SSL certificate for the website but I'll have to learn what that might entitle and how to do it correctly. Of course once done I'll have to figure out how to set up that 301 redirect thing and what's involved in that or all legacy image links won't link anymore.

Do I understand this correctly now?
01-29-2017, 04:37 PM - 1 Like   #19
Administrator
Site Webmaster
Adam's Avatar

Join Date: Sep 2006
Location: Arizona
Photos: Gallery | Albums
Posts: 51,594
Original Poster
Originally posted by narual:
This is silly. Put the ssl on the login form, password reset, etc. Done. No need or reason to encrypt an entire website.
The problem with this is that your session cookies will still be sent to you over HTTP, so an attacker would be able to get access to your username and a hash of your password, OR the session ID if you're not using "remember me". Remember that security is only as strong as the weakest link in the chain.

By the end of this month, Chrome will start labeling any HTTP site as "insecure" if it contains password fields anywhere on the page, and this would have applied to PF.

Originally posted by MightyMike:
So this means if I want inline viewing to be maintained I'd have to alter every post made over a 10+ year period (not so hard on this website but on DPR where I'm more active photo-wise as I'm sure it will likely eventually go that way). The majority of photos I post on Pentaxforums are product shots for my ads and I'm sure it won't be too hard to start uploading them to the provided gallery space on this website. It's just legacy posts will eventually be a series of links and not inline images anymore. It seems my web space does come with the ability to set up 1 SSL certificate for the website but I'll have to learn what that might entitle and how to do it correctly. Of course once done I'll have to figure out how to set up that 301 redirect thing and what's involved in that or all legacy image links won't link anymore. Do I understand this correctly now?
You're correct in assuming that most major HTTP websites will probably be making the move to SSL in the near future, so it's a good idea to start looking at options.

There are many shared web hosts that provide you with free SSL via their subdomain if you do not want to purchase or set up your own certificate (i.e. Netfirms). But I think it would be easiest for you to just use a free photo hosting service such as Google Drive, Flickr, etc. for your files. You can also use our attachment and album systems, since your quotas are pretty high as a reseller.

Any old embedded http images will automatically be converted to https on our forum. If they cannot be retrieved securely, then they will be replaced by a link. However, if you later end up implementing SSL on the site hosting those images, you will not need to update your old posts on PF and the photos will start loading again.


Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)



PentaxForums.com server and development costs are user-supported. You can help cover these costs by donating or purchasing one of our Pentax eBooks. Or, buy your photo gear from our affiliates, Adorama, B&H Photo, KEH, or Topaz Labs, and get FREE Marketplace access - click here to see how! Trusted Pentax retailers:
01-29-2017, 04:40 PM   #20
Pentaxian
reeftool's Avatar

Join Date: Dec 2007
Location: Upstate New York
Photos: Gallery | Albums
Posts: 9,553
Originally posted by UncleVanya:
He runs his own site for hosting as far as I could understand from his post. That means the onus is on him to convert his site.
I didn't catch that at first but as I mentioned later in my comment, this is something our web browsers are forcing. If Adam didn't do this, Pentax Forum will get flagged as insecure by all users of Firefox and Chrome as of this week. I think you will see MS Edge and Safari right behind them.

To the OP: Your site will generate a security warning to any Firefox or Chrome user if you don't do the necessary fix. I don't know what that involves but I'm sure a quick search should turn up results. You aren't the only one dealing with this.
01-29-2017, 04:44 PM   #21
Administrator
Site Webmaster
Adam's Avatar

Join Date: Sep 2006
Location: Arizona
Photos: Gallery | Albums
Posts: 51,594
Original Poster
Originally posted by MightyMike:
EDIT ADD: Follow-up question, let's say I figure out how to convert my own personal web space to https, does that mean all previous links over the past decade won't connect if not updated?
As long as your server redirects http to https, all old links will continue working.

Furthermore, we will automatically and globally convert http to https in embedded images on the forum, so you won't have to go back and change those links.

Originally posted by UncleVanya:
If I read Adam correctly the inline display will be turned off but the links will still be inserted and clickable. Even in the future. Unless I'm parsing Adam wrong.
Correct. You can already test this behavior by changing the HTTP image preference in your options.

Essentially, any insecure images will be replaced by a link that reads "click here to view photo".

Originally posted by goatsNdonkey:
I myself have had to search, and search, and search to find free image hosting that seemed to work reasonably consistently. If the hosting service I now use turns out to not meet security standards, it will greatly hamper my participation here.
Odds are that the hosting service will also make the move over to HTTPS sooner rather than later if it doesn't do so already. Who do you use?

In case they do not, then your inline images will turn into clickable links starting next year. The actual timing of this change will depend in part on how quickly the photo hosting industry transitions to SSL.

Note that hosts such as Google, Flickr, Facebook, SmugMug, and others already serve secure images.

Originally posted by goatsNdonkey:
As a reader of many an archived forum discussion, this sounds like many of those old threads--full of encyclopedic photography information-- will soon lose their illustrative photos. Already enough of them lose pictures because the poster moved his or her picture hosting account to somewhere else forgetting it would turn links in their old discussions dead for the rest of us.
To be clear, any insecure photos would still be accessible via a link, and that link will automatically be displayed.

In case those photos start being hosted securely later on, they will magically reappear.

This is also why I'd like to encourage everyone to use our attachment system and albums. Photos hosted on the forum are guaranteed to stick around, even in really old threads.

Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)
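
The behaviour described in this post (upgrade embedded http images to https, fall back to a "click here to view photo" link, and have the image return once its host supports https), as an added example that is not the forum's own code. It assumes posts are stored as BBCode with `[img]` tags and that the rewrite happens at render time; the domains, function names and the injected probe are constructed for illustration.

```python
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# [img]...[/img] is the BBCode image tag; only http(s) URLs are matched.
IMG_TAG = re.compile(r"\[img\](https?://[^\s\[\]]+)\[/img\]", re.IGNORECASE)
LINK_TEXT = "click here to view photo"  # wording quoted in the thread


def upgrade_url(url):
    """Return the https:// form of an http:// or https:// URL."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.scheme == "http" and netloc.endswith(":80"):
        netloc = netloc[:-3]  # an explicit :80 would break the https request
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def probe_https(url, timeout=5):
    """Network probe (not called in the offline demo): True if the https URL
    serves an image. URLs are user-supplied, so run it with restricted egress."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get_content_type()
            return resp.status == 200 and ctype.startswith("image/")
    except (OSError, ValueError):
        return False


def render_post(bbcode, https_ok=probe_https):
    """Rewrite at render time, leaving the stored post unchanged, so an image
    comes back on its own once its host starts answering over https."""
    def repl(match):
        original = match.group(1)
        secure = upgrade_url(original)
        if https_ok(secure):
            return f"[img]{secure}[/img]"
        return f"[url={original}]{LINK_TEXT}[/url]"
    return IMG_TAG.sub(repl, bbcode)


# Constructed sample post and host state (example domains, not from the thread).
SAMPLE_POST = ("K-1 [img]http://photos.example/k1.jpg[/img] "
               "lens [IMG]http://oldhost.example:80/lens.jpg[/IMG]")
HTTPS_HOSTS = {"photos.example"}


def fake_probe(url):
    return urlsplit(url).hostname in HTTPS_HOSTS


if __name__ == "__main__":
    print(render_post(SAMPLE_POST, fake_probe))
```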



01-29-2017, 04:58 PM   #22
New Member




Join Date: Sep 2011
Location: Porto Seguro
Posts: 16
Originally posted by mee:
Now those eavesdropping hackers cannot so easily discover our fondness for the K mount system and bacon.
What a world. What a species we are. First we invent the marvel of interconnecting people to share information and then, little by little, we are pushed into a climate of mistrust, in which the terms protection and security seem to be necessary even in a simple photography forum.

01-29-2017, 05:26 PM - 1 Like   #23
Otis Memorial Pentaxian
Loyal Site Supporter
clackers's Avatar

Join Date: Jul 2013
Location: Melbourne
Photos: Albums
Posts: 16,397
Originally posted by Compaan:
What a world. What a species we are. First we invent the marvel of interconnecting people to share information and then, little by little, we are pushed into a climate of mistrust, in which the terms protection and security seem to be necessary even in a simple photography forum.
A hacker hopes that a photography or car forum username and login is also being used for their PayPal or iTunes or eBay account or whatever.

Dispiriting I know, but theft goes back to the dawn of time too, right?
01-29-2017, 05:50 PM   #24
Veteran Member
narual's Avatar

Join Date: Jun 2013
Location: South Bend (Notre Dame), Indiana
Photos: Gallery | Albums
Posts: 1,988
Originally posted by Adam:
The problem with this is that your session cookies will still be sent to you over HTTP, so an attacker would be able to get access to your username and a hash of your password, OR the session ID if you're not using "remember me". Remember that security is only as strong as the weakest link in the chain.
Why on earth is that stuff in the cookie? Cookie should only have a session guid, session data should be stored in a db, and your password should be (and I believe already is) required to change email or password.

It's been a few years since I took the ethical hacking course, but this kinda thing smacks more of security theater than actual security.

I hope you'll at least run a script to rewrite all the http:// Flickr et al links through the many years of history so they don't throw errors left and right. And that you don't end up needing more expensive server gear to handle all the extra encryption load - I know that was an issue at the bank I used to work at when we encrypted an entire high traffic site.
01-29-2017, 06:18 PM   #25
Marketplace Reseller




Join Date: Nov 2008
Location: Canada
Posts: 9,320
I think I have a handle on this now, contact my host, have them talk me through the creation/activation of my SSL Certificate and make sure the website will accept both http and https requests for any of the content. This was suggested to me over a redirect option as it may actually be more friendly to multiple websites that may have my content embedded or inline.
01-29-2017, 06:51 PM   #26
Administrator
Site Webmaster
Adam's Avatar

Join Date: Sep 2006
Location: Arizona
Photos: Gallery | Albums
Posts: 51,594
Original Poster
Originally posted by narual:
Why on earth is that stuff in the cookie? Cookie should only have a session guid, session data should be stored in a db, and your password should be (and I believe already is) required to change email or password.
You're right, but that's how vBulletin implements it. Convenient I guess, but kind of scary.

Originally posted by narual:
I hope you'll at least run a script to rewrite all the http:// Flickr et al links through the many years of history so they don't throw errors left and right. And that you don't end up needing more expensive server gear to handle all the extra encryption load - I know that was an issue at the bank I used to work at when we encrypted an entire high traffic site.
Yes, they are all being rewritten.

Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)



01-29-2017, 06:54 PM   #27
Administrator
Site Webmaster
Adam's Avatar

Join Date: Sep 2006
Location: Arizona
Photos: Gallery | Albums
Posts: 51,594
Original Poster
If you redirect http to https via 301, embedded files will still be shown.

Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)



01-30-2017, 02:36 AM - 1 Like   #28
Administrator
Site Webmaster
Adam's Avatar

Join Date: Sep 2006
Location: Arizona
Photos: Gallery | Albums
Posts: 51,594
Original Poster
Originally posted by narual:
Why on earth is that stuff in the cookie? Cookie should only have a session guid, session data should be stored in a db, and your password should be (and I believe already is) required to change email or password.
So I decided to stay up late to address this atrociousness. I can't believe nobody else has released a modification to stop vBulletin from putting passwords in cookies after all these years, because it really is fairly trivial.

A side-effect of this redesign is that all existing persistent cookies will no longer work, so everyone will have to log in again.

Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)
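
The design narual describes and this post moves to, as an added example that is not vBulletin's or the forum's code: the cookie carries only a random token, the session row lives server-side, and the `Secure` attribute keeps the browser from sending the cookie over plain HTTP, the exposure raised in post #19. The cookie name `sid`, the in-memory store, the lifetime and the legacy cookie names in the comments are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

TTL = 30 * 24 * 3600   # "remember me" lifetime in seconds (assumed value)
SESSIONS = {}          # stand-in for a DB table: sha256(token) -> row


def _key(token):
    # Store only a hash, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user_id, now=None):
    """Create a server-side session; return the Set-Cookie header value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random, carries no user data
    SESSIONS[_key(token)] = {"user_id": user_id, "expires": now + TTL}
    cookie = SimpleCookie()
    cookie["sid"] = token
    for attr, value in (("path", "/"), ("max-age", TTL), ("secure", True),
                        ("httponly", True), ("samesite", "Lax")):
        cookie["sid"][attr] = value
    return cookie["sid"].OutputString()


def current_user(cookie_header, now=None):
    """Map a request's Cookie header to a user id, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" not in jar:
        # Old credential-bearing cookies (hypothetical names legacy_userid /
        # legacy_pwhash) are ignored, so those users must log in again.
        return None
    row = SESSIONS.get(_key(jar["sid"].value))
    if row is None or row["expires"] <= now:
        return None
    return row["user_id"]


def revoke_all(user_id):
    """Drop every session of a user, e.g. after a password change."""
    for key in [k for k, r in SESSIONS.items() if r["user_id"] == user_id]:
        del SESSIONS[key]


if __name__ == "__main__":
    header = login(42)
    print(header)
    print(current_user(header.split(";")[0]))
```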



01-30-2017, 07:38 AM   #29
Otis Memorial Pentaxian
photolady95's Avatar

Join Date: May 2009
Location: Cruising the forum watching his back
Photos: Gallery | Albums
Posts: 12,712
Originally posted by Adam:
A side-effect of this redesign is that all existing persistent cookies will no longer work, so everyone will have to log in again.
I found that to be true this morning. Had to log in again.

As for Flickr, it's already using https:// so no problem with my many photos showing up in here since the change over.
01-30-2017, 08:04 AM   #30
Pentaxian
normhead's Avatar

Join Date: Jun 2007
Location: Near Algonquin Park
Photos: Gallery | Albums
Posts: 40,451
You have changed the way the search engine works.

For some reason, no matter what you put, the forum search returns garbage, always has. You can type in "Got Squirrels images." copied from the thread title, check titles only, and it will not find the "Got Squirrel Shots" thread. In the past I'd scroll down to the general Google search at the bottom of the page, and it would find the thread, even though the forum search wouldn't. Now the bottom of the page doesn't return any results making the forum search function pretty much useless for locating threads you haven't bookmarked.

Someone needs to figure out how to make the search results more reliable.
All times are GMT -7.