Welcome to Fractal Forums

Community => Discuss Fractal Forums => Topic started by: claude on January 12, 2015, 06:26:30 PM




Title: https / SSL for fractalforums.com
Post by: claude on January 12, 2015, 06:26:30 PM
Would be nice to be able to use https://www.fractalforums.com/ as well as http://www.fractalforums.com

I tried but Iceweasel (Firefox in disguise) freaked out, so I investigated with wget:

Code:
$ wget https://www.fractalforums.com/
--2015-01-12 17:15:53--  https://www.fractalforums.com/
Resolving www.fractalforums.com (www.fractalforums.com)... 82.165.59.163
Connecting to www.fractalforums.com (www.fractalforums.com)|82.165.59.163|:443..
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

Turns out port 443 (usually https, with SSL) is serving regular http instead of https, which is quite unusual...

Code:
$ wget http://www.fractalforums.com:443/
--2015-01-12 17:19:32--  http://www.fractalforums.com:443/
Resolving www.fractalforums.com (www.fractalforums.com)... 82.165.59.163
Connecting to www.fractalforums.com (www.fractalforums.com)|82.165.59.163|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'

    [ <=> ] 108,040      565K/s   in 0.2s   

2015-01-12 17:19:33 (565 KB/s) - `index.html' saved [108040]

Is this intentional?

I know that getting an SSL certificate that browsers won't scream about can be a pain, though - some DNS registrars offer a certificate as part of the bundle, possibly hosting companies too - a self-signed certificate would be better than nothing though, even though you have to click about 6 buttons in scary-looking dialogs to accept them these days.
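
Added example, not part of the original post: the two wget runs above come down to looking at the first bytes the server sends back on port 443. This Python sketch sends a real ClientHello over a connected socket and classifies the raw reply as a TLS record or plaintext HTTP; the function names and the `example.org` placeholder host are assumptions made for illustration.

```python
import socket
import ssl
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_RECORD_TYPES = {20, 21, 22, 23}

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back on a port."""
    if data.lstrip().startswith((b"HTTP/", b"<")):
        return "plaintext-http"  # status line or bare HTML error page
    if len(data) >= 5:
        ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
        # TLS record header: content type, version 3.x, length <= 2^14 + 2048
        if ctype in TLS_RECORD_TYPES and major == 3 and length <= 2**14 + 2048:
            return "tls"
    return "unknown" if data else "no-reply"

def client_hello(server_name: str) -> bytes:
    """Let the ssl module build a real ClientHello without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's answer
    return outgoing.read()

def probe(sock: socket.socket, server_name: str) -> str:
    """Send a ClientHello over a connected socket and classify the raw reply."""
    sock.sendall(client_hello(server_name))
    try:
        return classify_reply(sock.recv(64))
    except (socket.timeout, ConnectionResetError):
        return "no-reply"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"  # placeholder host
    with socket.create_connection((host, 443), timeout=5) as s:
        print(host, probe(s, host))
```

A result of `plaintext-http` on port 443 matches the situation in the post: the TLS client receives bytes that do not parse as a TLS record, which GnuTLS reports as an unexpected packet.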


Title: Re: https / SSL for fractalforums.com
Post by: cKleinhuis on January 12, 2015, 07:57:02 PM
the thing is that my provider just does it with a special sub domain or something, not just replacing the http with https, i try to make some time to look into it and configure it
there is just only security breach that might occur, that is, when logging in the password can be grabbed by man in the middle attacks or just plain sniffing


Title: Re: https / SSL for fractalforums.com
Post by: 3dickulus on January 13, 2015, 03:27:24 AM
if the login page is served via https it should be relatively impervious to sniffing and such as the connection is SSL before a password is sent ? (cmiiw)

I have nothing against self signed certs as long as the information about the owner is correct and verifiable ;) and what's a few clicks between friends? once it's accepted users won't have to keep clickety clicking

regular http can serve the masses (bots) while https can serve members


Title: Re: https / SSL for fractalforums.com
Post by: cKleinhuis on January 13, 2015, 07:39:15 AM
yay, i will look into it, throughout the week!


Title: Re: https / SSL for fractalforums.com
Post by: claude on January 16, 2015, 11:33:16 PM
actually, it might be worth waiting a few months for this to be live: https://letsencrypt.org/


Title: Re: https / SSL for fractalforums.com
Post by: 3dickulus on January 16, 2015, 11:51:46 PM
 :thumbsup1:


Title: Re: https / SSL for fractalforums.com
Post by: cKleinhuis on January 17, 2015, 01:00:46 AM
i checked, an ssl certificate has to be ordered by my provider, i ordered one, it is going to cost 5€ bucks a year, so it is bearable
as soon as i got the certificate i will instruct the webserver to use it, it is going to be available via a subdomain, i will see what we can do about it just mirroring the content to there in the most easy to use way