Solutions and ideas for insecure images
-
@qgp9 Thanks for offering to host a CDN!
As mentioned in the other topic, a lingering concern is the fact that rehosting images may be against the Terms of Service for some websites, and as we can't manually qualify all pictures (at least, not expediently), it is a blocker that is significant enough that another alternative should be considered.
I believe there is already a plugin that will convert images to https, although it is a blind process and some sites don't have https.
A plugin could be created (either by myself or via the community) that can maintain a cache of links that have been verified as HTTPS'able (by retrieving the HTTP and HTTPS versions and comparing their hash sums), and then transparently "upgrade" HTTP links to their SSL equivalent.
Such a plugin would be a candidate to be bundled with NodeBB, as I feel it is a nice feature to support.
-
Why not look at implementing camo to proxy your images? If you use the iframely plugin you can also route any images retrieved through the embed through camo. No more insecure images. It works fine for GitHub, so why not NodeBB?
At the very least, I'd recommend the use of @psychobunny's secure images plugin though it seems to be hit or miss lately, depending on how my users add images to their post.
-
@qgp9, yes but what I'm getting at is that it wouldn't be difficult for each admin to set up their own camo instance. This way there's no concern for resource usage by others. Plus, it's a good exercise for those who haven't done this yet.
-
I got your points. Actually that can be a general issue for the universe of camo or imageproxy. This is quite an interesting issue which should be checked before whoever decides to take camo's advantage. Do you have any information or ideas from a camo community? In case of Discourse, they really save an image and serve it with upload/somewhat_hashed_string.jpg. This is really a matter. Thank you for comments.
-
@ThingBreaker said:
This way there's no concern for resource usage by others. Plus, its a good exercise for those who haven't done this yet.
This, I agree.
yes but what I'm getting at is that it wouldn't be difficult for each admin to set up their own camo instance.
But, this I don't. It's not so clear to me, and I know a lot of forum/website owners who don't. Of course, NodeBB can be different because it's not PHP and is at a more technical edge. But still I don't believe that most NodeBB owners or candidates are so used to being, or would like to be, trained in practice.
But, yes, I agree that it's better to have one's own, definitely!!
-
hmm. didn't notice this topic had split.
copying this here with context so it doesn't get lost.
@accalia said in Connection Not Secure:
i think ultimately the best solution for most forums is to have a whitelist of image hosts to use that support https, inline images via //domain.example.com/path and just leave all other images as links. it's not the prettiest nor the best user experience, but i think it strikes a nice balance between ease of implementation, ease of use, and ease of understanding for non technical people.
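The whitelist approach quoted above, as an added example that is not part of the original post or of NodeBB: an image is rendered inline with a protocol-relative //host/path source only when its host is on a list of hosts known to serve over HTTPS; everything else becomes a plain link. The whitelist entries are constructed for this example. The host check deliberately matches the exact host or a subdomain of it, because a bare suffix test would let a host such as notcdn.example.com pass as cdn.example.com.

```javascript
// Added example (not from the post or NodeBB): inline an image only when its
// host is on a whitelist of HTTPS-capable hosts, otherwise emit a link.
const HTTPS_IMAGE_HOSTS = ["i.imgur.example", "cdn.example.com"]; // constructed

// Exact host or a subdomain of a whitelisted host. Do not use endsWith(w)
// alone: "notcdn.example.com" would then masquerade as "cdn.example.com".
function hostAllowed(hostname, whitelist) {
  const h = hostname.toLowerCase();
  return whitelist.some((w) => h === w || h.endsWith("." + w));
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Decide what the post should render for one image URL.
function classifyImage(url, whitelist = HTTPS_IMAGE_HOSTS) {
  let parsed;
  // Relative or malformed: shown as text here (same-origin uploads would be
  // handled by the forum's own upload path, not by this whitelist).
  try { parsed = new URL(url); } catch (err) { return { kind: "text", text: url }; }
  // Never turn javascript:, data: or other schemes into a clickable link.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { kind: "text", text: url };
  }
  if (!hostAllowed(parsed.hostname, whitelist)) return { kind: "link", href: url };
  // Drop the scheme: the browser uses the page's own scheme (https on a secure
  // forum), which the whitelist promises this host can serve.
  return { kind: "image", src: "//" + parsed.host + parsed.pathname + parsed.search };
}

function renderImage(url, whitelist = HTTPS_IMAGE_HOSTS) {
  const r = classifyImage(url, whitelist);
  if (r.kind === "image") return `<img src="${escapeHtml(r.src)}">`;
  if (r.kind === "link") return `<a href="${escapeHtml(r.href)}" rel="noopener">${escapeHtml(r.href)}</a>`;
  return escapeHtml(r.text);
}
```

The whitelist is the security assertion here: the protocol-relative src only avoids mixed content because someone has confirmed each listed host answers over HTTPS. The same hostAllowed check works unchanged if you prefer to write an explicit https:// src instead of the scheme-relative form.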
-
nodebb-plugin-camo was made by me and @lenovouser. I asked him to make a guide, but it's not that complicated. I set it up in just a few minutes following the instructions on the camo github page (docker or heroku are there). Also, I updated it to v1.0.0 just now.
-
I found an interesting site which already serves an image proxy and more.
Their service seems to be public and free even though they have no clear writings on it. Actually nothing for policies, rules, goals, but just how to use is there. But anyway, one can ask them to use.
If they are just free and public then it will be really useful.
-
If NodeBB would finally support uploads to 3rd party machines, people could set up their own CDNs as well.
Best would be if the uploader would feature FTP support, as most CDN services are featuring it and it is fairly easy to configure an FTP service on your own servers as well.
-
@lenovouser and I have released nodebb-plugin-camo with an internal Camo server, which should make setup much easier, and solves many of the issues here. (Although not all)