Solutions and ideas for insecure images

  • Related with a post "connection-not-secure", http images in https contents is problematic in many cases.

    Of course, as I mentioned there, there are many solutions like just block it, image proxy, filter/convert with white list.

    But also I guess and understand that many of users who want to serve an own NodeBB forum in secure may not be familiar enough with technical things and feel difficulty for those solutions.

    So I think,, If I provide a plugin for those solutions and an image proxy server by myself, is it helpful or useful for a community and members?

    If I use CDNs and a small cheap VPS, I think it can cover some of registered NodeBB forums. We will see how much resource is needed.
    ( Many of image providers like Imgur may provide https, and own images are also same. I guess that it needs to manage just some exceptional cases )

    Of course, my image proxy server will not give any SLA or guarantee but it's not so harmful and we can try to keep it by community effort ( I do not mean a donation 🙂 )

    This is just flashed idea in coffee break, so if there are plenty demands, I would try it ( without any promise 🙂 ). At least I need one for my forum.

    Now, here is an idea of options and procedure of a plugin ( which isn't exists yet )

    1. Own images of a forum, just convert http to https
    2. With white list, just convert http to https of images
    3. If an image url is not in white list
      1. just leave as it is even though a browser will complain
      2. convert image to link ( with or without messages )
      3. If an image proxy is set, use it.

    Tell me.

  • GNU/Linux Admin

    @qgp9 Thanks for offering to host a CDN! 😄

    As mentioned in the other topic, a lingering concern is the fact that rehosting images may be against the Terms of Services for some websites, and as we can't manually qualify all pictures (at least, not expediently 😄 ), it is a blocker that is significant enough that another alternative should be considered.

    I believe there is already a plugin that will convert images to https, although it is a blind process and some sites don't have https.

    A plugin could be created (either by myself or via the community) that can maintain a cache of links that have been verified as HTTPS'able (by retrieving the HTTP and HTTPS versions and comparing their hash sums), and then transparently "upgrade" HTTP links to their SSL equivalent.

    Such a plugin would be a candidate to be bundled with NodeBB, as I feel it is a nice feature to support

  • Why not look at implementing camo to proxy your images? If you use the iframely plugin you can also route any images retrieved through the embed through camo. No more insecure images. It works fine for GitHub, so why not NodeBB?

    At the very least, I'd recommend the use of @psychobunny's secure images plugin though it seems to be hit or miss lately, depending on how my users add images to their post.

  • @ThingBreaker said:

    Why not look at implementing camo to proxy your images?

    Hi, If I wrote correctly, that Is what I meant. 🙂

  • @qgp9, yes but what I'm getting at is that it wouldn't be difficult for each admin to set up their own camo instance. This way there's no concern for resource usage by others. Plus, its a good exercise for those who haven't done this yet.

  • @julian

    I got your points. Actually that can be general issue for universe of camo or imageproxy. This is quite interesting issue which should be checked before whoever decides to take camo's advatage. Do you have any information or ideas from a camo community?

    In case of Discourse, they really save an image and serve with upload/somewhat_hashed_string.jpg. This is really a matter.

    Thank you for comments. 🙂

  • @ThingBreaker said:

    This way there's no concern for resource usage by others. Plus, its a good exercise for those who haven't done this yet.

    This, I agree.

    yes but what I'm getting at is that it wouldn't be difficult for each admin to set up their own camo instance.

    But, this I don't. It's not so clear to me, and I know a lot of forum/website owners who doesn't. Of course, NodeBB can be different because it's not a php 🙂 and is being at more technical edge. But still I don't believe that most of NodeBB owners or candidates are so used to be or like to be trained in practice.

    But, yes, I agree that it's better to have one's own, definitely!!

  • @ThingBreaker Also we have to think carefully @julian 's point about copy right and rehosting before use camo or other image proxy.

  • GNU/Linux Admin

    camo as opt-in would be fine (as it shifts responsibility away from NodeBB and onto the forum administrator themselves)... never tried it out though, 😄

  • hmm. didn't notice this topic had split.

    copying this here with context so it doesn't get lost.

    @accalia said in Connection Not Secure:

    i think ultimately the best solution for most forums is to have a whitelist of image hosts to use that support https, inline images via // and just leave all other images as links.

    it's not the prettiest nor the best user experience, but i think it strikes a nice balance between ease of implementation, ease of use, and ease of understanding for non technical people.

  • Community Rep

    nodebb-plugin-camo was made by me and @lenovouser. I asked him to make a guide, but it's not that complicated. I set it up in just a few minutes following the instructions on the camo github page (docker or heroku are there). Also, I updated it to v1.0.0 just now.

  • I found a interesting site which already serve image proxy and more.
    Their service seems to be public and free even though they have no clear writings on it. Actually noting for policies, rules, goals but just how to use is there.

    But anyway, one can ask them to use.
    If they are just free and public then it will be really useful.

  • If NodeBB would finally support uploads to 3rd party machines people could setup their own CDN's as well.

    Best would be if the uploader would feature FTP support as most CDN services are featuring it and it is fairly easy to configure a FTP service on your own servers as well.

  • Already I mostly accepted @julian 's points but also after 123 views of this topic,
    It simply seems that no demands of the half public server. ( Good to me 🙂 )

    And I acknowledge that @ThingBreaker may be right, I underestimated NodeBB users 👍


  • Community Rep

    @lenovouser and I have released nodebb-plugin-camo with an internal Camo server, which should make setup much easier, and solves many of the issues here. (Although not all)

Suggested Topics

| | | |