Results 1 to 12 of 12

Thread: HTTPS on AO

  1. #1
    Join Date
    Apr 2003
    Posts
    1,161

    Exclamation HTTPS on AO

    @admins

    Any option of securing AO with https? As it stands, it's dangerously vulnerable to man in the middle attacks. There's enough security (email verification for any changes) that I'm not worried about my account being taken over, but I have had to make a habit of only using temporary passwords and avoiding PMing any personal details.

    I'm sure if there's a paid/supporter option, the community would offset the cost. I'd certainly donate to help.

  2. #2
    Quote Originally Posted by Xyxyll View Post
    I'm sure if there's a paid/supporter option, the community would offset the cost. I'd certainly donate to help.
    Ditto
    >>WTB<< Sydarm w/ constant air__WarpedMephisto half-c/f body__Ac!d c/f trigger__TASO humpback frame__an Oh-Mag

  3. #3
    Quote Originally Posted by Xyxyll View Post
    I'm sure if there's a paid/supporter option, the community would offset the cost. I'd certainly donate to help.
    Agreed that AO contains some personal details which should benefit from encryption, but Let’s Encrypt is free. I’m happy to help getting https configured here if help is needed.

  4. #4
    Join Date
    May 2001
    Location
    IN -- USA
    Posts
    9,647
    I believe we have the SSL certificate installed. Will look into the settings this weekend.

  5. #5
    Join Date
    May 2001
    Location
    IN -- USA
    Posts
    9,647
    The certificate is out of date, so even if I told the forum to run secure, it would throw an error.

    I have an email out to the hosting company, so hopefully this week it'll be resolved. I'll also set a calendar reminder for the certificate expiration date to make sure it's taken care of in a more timely fashion in the future.

  6. #6
    Join Date
    Apr 2003
    Posts
    1,161
    Great news. Thank you!

  7. #7
    This is interesting reading. I'm an Android developer and learning about webpages.

  8. #8
    Join Date
    May 2001
    Location
    IN -- USA
    Posts
    9,647
    So the certificate is now on auto-update. There are some hard coded items in the templates (so far as we can tell) that are not using HTTPS. Requires some template editing.

    Once we tackle that, we'll see what else is showing as not secure. It's going to be a bit of a process - one thing at a time.

    So right now, LOTS of the site is secured via HTTPS, but it's not showing due to the template issues.

  9. #9
    Join Date
    Apr 2003
    Posts
    1,161
    Quote Originally Posted by Dayspring View Post
    So the certificate is now on auto-update. There are some hard coded items in the templates (so far as we can tell) that are not using HTTPS. Requires some template editing.

    Once we tackle that, we'll see what else is showing as not secure. It's going to be a bit of a process - one thing at a time.

    So right now, LOTS of the site is secured via HTTPS, but it's not showing due to the template issues.
    Thank you for reacting so quickly and taking this so seriously! It's a much appreciated effort that I think will help keep AO relevant for years to come.

  10. #10
    Join Date
    May 2001
    Location
    IN -- USA
    Posts
    9,647
    Had some free time this evening. Went through and found the non-secure coded items in the template. As of 10:38pm on 10/15, AO is showing as 100% secure in Google Chrome. Feel free to let me know if you have any issues or find places where it doesn't come across as secure.

  11. #11
    Join Date
    Oct 2003
    Location
    Don't know, I am lost.
    Posts
    3,163
    Outstanding. Well done.

  12. #12
    Join Date
    May 2001
    Location
    IN -- USA
    Posts
    9,647
    One thing to keep in mind - any images that are hosted elsewhere and linked in a post will cause that page to show as not fully secure only because of those images - all of the data (passwords, etc.) is secured. Just the way the internet works (unless those hosts use SSL, I think - this is a hobby, not a full time thing) I think.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •