thank you! - All forums now HTTPS

**tsu2** · 11-Dec-2012, 20:26

With the increasing hacking and loss of anonyminity across the Internet, I applaud the move to secure all web access to the openSUSE forums with SSL.

Was a suggestion I made long ago in this forum, is a welcome development to ensuring the integrity and privacy accessing Forums.

A suggestion to further prevent information leakage is to ennumerate post IDs instead of using subject lines. This is what Google is now doing "sometimes" instead of inserting query keywords into the URL(well, sometimes it's still done the old way. Don't know why).

TSU

**hendersj** · 11-Dec-2012, 22:32

On Wed, 12 Dec 2012 03:36:01 +0000, tsu2 wrote:

> With the increasing hacking and loss of anonyminity across the Internet,
> I applaud the move to secure all web access to the openSUSE forums with
> SSL.
>
> Was a suggestion I made long ago in this forum, is a welcome development
> to ensuring the integrity and privacy accessing Forums.

It also simplifies a lot of stuff on the backend, I understand.

> A suggestion to further prevent information leakage is to ennumerate
> post IDs instead of using subject lines. This is what Google is now
> doing "sometimes" instead of inserting query keywords into the URL(well,
> sometimes it's still done the old way. Don't know why).

I'm not sure I follow, but I also don't know that vBulletin can do this.

Jim

--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

**hcvv** · 12-Dec-2012, 02:53

I may be a daft end-user, but I am reading this very page, being loged in in the forums, and I do not see any sign of it being HTTPS.

**keellambert** · 12-Dec-2012, 03:48

here the address line reads

"https://forums.opensuse.org/english/other-forums/forums-feedback/forums-comments-suggestions/481364-thank-you-all-forums-now-https.html"

**hcvv** · 12-Dec-2012, 04:10

I have:
http://forums.opensuse.org/english/other-forums/forums-feedback/forums-comments-suggestions/481364-thank-you-all-forums-now-https.html#post2510398

**consused** · 12-Dec-2012, 06:49

Originally Posted by hcvv

I have:
thank you! - All forums now HTTPS

I have same as @keellambert. If that's more secure, then add my thank you for the implementation.

**hcvv** · 12-Dec-2012, 07:18

When I use @keellambert's, I land on the same page (using HTTPS of course).

But when I use the link from the mail send to me because I am subscibed to this thread, it is HTTP. And the other links there (for stopping the subscription, etc.) are also all HTTP.

Thus it seem that there are two parallel worlds now ???????????

**hcvv** · 12-Dec-2012, 07:21

I can add that using the link from my RSS feeds (where I normaly pry for interesting new threads) do give me HTTPS.

Seems to be a sort of mixture. In any case, @tsu2's remark:

... to secure all web access to the openSUSE forums with SSL.

is only partly true.

**hendersj** · 12-Dec-2012, 10:10

On Wed, 12 Dec 2012 14:26:01 +0000, hcvv wrote:

> I can add that using the link from my RSS feeds (where I normaly pry for
> interesting new threads) do give me HTTPS.
>
> Seems to be a sort of mixture. In any case, @tsu2's remark:
>> ... to secure all web access to the openSUSE forums with SSL.
> is only partly true.

Interesting, I'll check with Matt and see why the http stuff isn't
redirecting - it was my understanding that it should be.

Jim

--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

**MatthewEhle** · 12-Dec-2012, 11:47

Originally Posted by hendersj

On Wed, 12 Dec 2012 14:26:01 +0000, hcvv wrote:

Interesting, I'll check with Matt and see why the http stuff isn't
redirecting - it was my understanding that it should be.

We don't enforce HTTPS for anonymous users, but they should be able to just put the "s" in there and start using it that way if they choose. HSTS is enabled as well, so if you start using HTTPS, it should be enforced by Firefox and Chrom(e|ium).

For authenticated users, this should be a different story. You ought to have a cookie set that is named "authenticated" if you are logged in. Our ADC looks for that cookie and redirects you to HTTPS if you aren't already using it. Furthermore, the session cookie has the secure flag set, so you really shouldn't be authenticated over a non-secure connection. It seems to have worked very consistently, so I would be interested if you have found a way to "break" it!