SSL: yes or not
-
Google gives sites with SSL higher priority over those without.
It's free. Just because you don't take payment doesn't mean you shouldn't use SSL. What about the login pages? I wouldn't be a fan of broadcasting passwords over an insecure connection.
In fact, @julian, what about incorporating letsencrypt into the setup? Setup is relatively simple and only needs a few commands, a domain name and an email address for recovery. The only manual part would be nginx or Apache.
-
@a_5mith said:
Google gives sites with SSL higher priority over those without.
It's free. Just because you don't take payment doesn't mean you shouldn't use SSL. What about the login pages? I wouldn't be a fan of broadcasting passwords over an insecure connection.
In fact, @julian, what about incorporating letsencrypt into the setup? Setup is relatively simple and only needs a few commands, a domain name and an email address for recovery. The only manual part would be nginx or Apache.
There have been a couple of threads where this was discussed. In my case NodeBB does not need SSL because I have a proxy in front of it that has the SSL. But I think this would be a really good thing for anyone that does it direct.
-
@djcyry there is never a reason not to use SSL anymore. The benefit is that the data flowing between my device and your server is encrypted and no one can just slurp up all the data at a random router along the way and see my stuff.
Yeah most forums are public and such, but not all.
-
I do agree that SSL is a great idea and a security best practice. However, unless the information on the forum is sensitive (personally identifying info, PANs, or anything you don't want getting out in the public) using SSL might be overkill. Enabling SSL is free, this is correct. But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires. The odds of a MiTM (man in the middle) capturing your traffic in transit off any of the routers at the ISP level is extremely low. Usually a MiTM is on one end or the other of the connection (on the server's network or the user's). So again this lowers the risk of not using SSL. So basically unless the user is on a public WiFi or someone has hacked their network, the chances of the traffic being recorded are very low. And again, unless there is sensitive information, if someone were to get it they'd likely delete it. Plus, unless you're going to disable SSLv2, SSLv3 and TLSv1.0 as well, there is no reason to use SSL.
I hope this info was helpful.
Cheers,
M@V
-
I'm firmly on the 'not' side.
Most forums I visit don't have it, and I see no reason for them to have it.
I'm highly skeptical of any security benefit it provides. And it introduces a third-party to your security strategy, guaranteeing additional security risks.
-
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.).
Strongly disagree, Cloudflare and Let's Encrypt both offer valid SSL certificates that will not trigger a warning since these are trusted certificates, and both of those options are free. The field of HTTPS and SSL got so much better over the past that there are good alternatives that are trusted.
-
At present, Let's Encrypt requires that the Python dependency be installed, which is a blocker to integration into NodeBB.
If there were a way to do so via node then we'd adopt it immediately. The only one I did find was a debug version that hadn't been updated in quite some time.
Theoretically, we could run code to execute the Python lib. I will look into it.
Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx... so I'd be bundling it with NodeBB and then if they wanted to use it with nginx, they'd need to disable the SSL termination via NodeBB and then set it up with nginx anyway, since that's not handled automatically even by the Python lib yet.
Either way, really looking forward to it, but not quite there for us yet.
-
@julian said:
Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx...
This is how I see it. Most people should be running it behind a proxy of some kind.
-
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires.
Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.
-
@a_5mith said:
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires.
Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.
Can you help me to install it? Or explain it to me, thanks.
I have read this: https://letsencrypt.org/howitworks/ but I'm using nginx and Ubuntu 14.04.
-
More or less this guide: http://huytd.github.io/2015/12/16/setup-free-ssl-with-lets-encrypt/index.html
A few notes:
I had to stop nginx or it errors out with "already in use" and won't create the live folder.
You might get permission denied errors when trying to navigate to the live folder. Just run as root.
Then search this forum for the SSL code and replace as needed. Can send mine if needed. Then just make sure everything you link to uses https://
-
@a_5mith said:
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires.
Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.
Is it free for life or for 90 days? Thanks
-
@a_5mith said:
@djcyry Life
Can you please show me your code?
I have installed it but: http://www.hercio.net/ - works ok.
https://www.hercio.net/ - default nginx page.
-
Just replace all references of that URL and IP with yours.
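Putting a_5mith's notes (stop nginx for the standalone client, then wire the cert into the SSL config) together with the symptom above (http works, https shows the default nginx page), here is an added example of the nginx configuration that terminates TLS with a Let's Encrypt certificate and proxies to NodeBB. It is not code from this thread or from NodeBB; it assumes NodeBB listens on 127.0.0.1:4567 (its default port), that example.com stands in for your own domain, and that the certificate lives under /etc/letsencrypt/live/example.com/.

```nginx
# Added example: nginx as the TLS terminator in front of NodeBB.
# Placeholders: example.com (your domain), /var/www/letsencrypt (a webroot
# you pass to the Let's Encrypt client so renewals work without stopping nginx).

# Plain HTTP: answer the ACME challenge, send everything else to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: without a server block on 443 that proxies to NodeBB, nginx serves
# its default page on https://, which is the symptom described above.
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem (cert + intermediate) so browsers can build the chain.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Never offer SSLv2/SSLv3/TLS 1.0; prefer AEAD ciphers with forward secrecy.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_session_cache shared:SSL:10m;

    # Keep browsers on HTTPS once every link and asset is served over https://.
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket upgrade so NodeBB's socket.io traffic survives the proxy.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }
}
```

After `nginx -t` and a reload, also set `url` in NodeBB's config.json to the https:// address so the links it generates match the note above about linking only to https://.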