PoA is moving to SSL (feedback thread)

jason (Administrator, Management Council Member; joined Jul 4, 2006; 5,128 messages; Lincoln, Nebraska; display name: Jason W (FlyNE))
FYI, I'm going to switch the site to force the use of SSL soon. If you have problems with something, please post here. If you try to access the site from one of your devices and it doesn't work...use another browser (or your phone) to log in and report the problem and I'll take a look immediately.
 
The most impactful part of this is that we're going to have to switch Xenforo to proxy all images embedded in posts. That may break some things with how images are displayed. I'll do my best to respond to those problems quickly. This is just an FYI to look out for such problems.
 
Kewl. Some day, someone needs to explain what that means to me.
 
Kewl. Some day, someone needs to explain what that means to me.
SSL enabled sites require *everything* that is displayed inside of the page to be served from SSL. If the page is SSL (see the lock at the top) but one of the images that you're viewing in the page isn't being served over SSL, then the browser warns you that the page isn't 100% secure.

Since our members embed images into their posts, we can't control whether or not those links are served from an SSL site (e.g. https :// imgur. com/image123.jpg vs http: // imgur. com/image123.jpg). In order to ensure that every link displayed is SSL our server now fetches the image from the remote server and caches it on our server...and serves it to the viewer using our SSL certificate.

You can view this post to see this in action...
http://www.pilotsofamerica.com/comm...ive-coolest-flights.42749/page-2#post-2063642

The original image embedded in this post was hosted here...
http: //i. imgur. com/sRTBcu0l.jpg (link intentionally broken so as not to embed the image)

If you view the post now you'll see that image served from a URL like this... (again, intentionally broken)
https: //www. pilotsofamerica. com/community/proxy.php?image=http%3A%2F%2Fi.imgur.com%2FsRTBcu0l.jpg&hash=bf3870e07c8ce53a1b8c620f69c5007a

So we're fetching the image and making sure that it's served from our server.
 
That sounds like a pretty good idea! Thanks for all you do.

Plus, thanks for making my nonprofit friends think I'm smart for recommending Firespring for their web stuff.
 
Do it!!! I double dog dare you. :D
 
I've made the switch. Please let me know if you notice anything out of whack...
 
Well, the visited states map in my signature no longer displays. Instead (in Firefox) all I see is a thumbnail of what looks like my avatar with a red X through it. I've seen some other posters with the same symptom. I assume this is the reason.
 
Well, the visited states map in my signature no longer displays. Instead (in Firefox) all I see is a thumbnail of what looks like my avatar with a red X through it. I've seen some other posters with the same symptom. I assume this is the reason.
Probably. But this one is working fine...

https://www.pilotsofamerica.com/com...ive-coolest-flights.42749/page-2#post-2060270

I'll need to see if I can figure out what the difference is. Looks like he's using a different site.
 
Is there a way to upload an image to the PoA server and then use that URL? From your description it sounds as if that would work. You could do that under the old software but I don't see any obvious way to do it in Xenforo.
 
Is there a way to upload an image to the PoA server and then use that URL? From your description it sounds as if that would work. You could do that under the old software but I don't see any obvious way to do it in Xenforo.
There was a previous discussion here...
https://www.pilotsofamerica.com/community/threads/upload-sig-pic-here.90819/
Some were uploading them to that thread. I asked in that thread that they just be uploaded to imgur (which is a site made specifically for hosting images). You can choose which path you'd like to take.
 
I think tapatalk was down during the cutover. working fine for me now.
 
Tapatalk seems to be broken. Getting an error message.
I had an error as well. I logged out and logged back in and it worked fine. But I think it was more a problem with my two-factor auth.
 
....we're going to have to switch Xenforo to proxy all images .....

does this mean if I post a pic of me chowing down some nachos, it would be "munchin' by proxy"? hahaha, get it? WOOOOOoohhhoooooo taking nyquil during the day makes me LOOOOOOooopy! aaaand, good night.
 
does this mean if I post a pic of me chowing down some nachos, it would be "munchin' by proxy"? hahaha, get it? WOOOOOoohhhoooooo taking nyquil during the day makes me LOOOOOOooopy! aaaand, good night.
Only if you guzzle ipecac and puke your SSL all over your kids.
 
I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

It seems like the COMODO root cert isn't installed on Android by default?
 
Have tried imgur to no avail, still can't get the signature picture back. Oh well.
 
I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

It seems like the COMODO root cert isn't installed on Android by default?

I'll have to research that. I'm trying to get by without TLS 1.1. Can you give me any more info on your setup? Android version and browser version? That's probably what it is.
 
I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

It seems like the COMODO root cert isn't installed on Android by default?
Try it now. I'd be willing to bet that it works.
 
Yip. Works now.

Out of curiosity - what did you change?

Enabled some legacy versions of some SSL protocols. Surprisingly, Android doesn't do a good job of keeping up in that area.
 
Maybe crazy here, but if you are caching the content and serving locally, doesn't that open up a vulnerability on the POA server?

Seems like a great way to get content into the server that you had not intended...
 
Maybe crazy here, but if you are caching the content and serving locally, doesn't that open up a vulnerability on the POA server?

Seems like a great way to get content into the server that you had not intended...

In theory. Jesse and I talked about it some. They work pretty hard on these things to ensure that it's actually an image that they're downloading and that they isolate it from running as code.
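As an added example (not XenForo's code and not what the PoA server runs), here is the shape of an image proxy that covers both Jason's description of proxy.php?image=...&hash=... above and the concern just raised. The hash is an HMAC over the embedded URL with a server-side secret, so the endpoint only proxies URLs the forum itself signed when rendering a post rather than acting as an open proxy; before fetching, the destination is checked so the server cannot be pointed at its own network; and the cached bytes are typed by their magic numbers rather than by the remote Content-Type header. The secret, the HMAC-SHA256 construction (the hash in the thread's URL is 32 hex characters, but its algorithm is not stated on this page), the size cap, the magic-number allow-list and the address policy are all assumptions of this example.

```python
# Added example, not XenForo's or the PoA server's code: the pieces an image
# proxy like proxy.php?image=<url>&hash=<hash> needs before it caches and
# re-serves a member-supplied URL.  Secret, HMAC construction, size cap,
# magic-number list and address policy are assumptions for illustration.
import hashlib
import hmac
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

PROXY_SECRET = b"assumed-server-side-secret"  # assumption: a per-install random secret
MAX_IMAGE_BYTES = 5 * 1024 * 1024             # assumption: refuse anything larger


def sign_image_url(image_url: str) -> str:
    """HMAC over the exact URL string the post embeds (assumed construction)."""
    return hmac.new(PROXY_SECRET, image_url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_query(image_url: str) -> str:
    """Query string the forum would put after proxy.php? when rendering a post."""
    return urlencode({"image": image_url, "hash": sign_image_url(image_url)})


def verify_proxy_request(query_string: str) -> Optional[str]:
    """Return the image URL only if the hash matches; anything else is refused,
    so the endpoint cannot be used as an open proxy for arbitrary URLs."""
    params = parse_qs(query_string, keep_blank_values=True)
    image_url = params.get("image", [""])[0]
    given_hash = params.get("hash", [""])[0]
    if not image_url or not given_hash:
        return None
    if not hmac.compare_digest(given_hash, sign_image_url(image_url)):
        return None
    return image_url


def destination_allowed(image_url: str, resolved_ip: str) -> bool:
    """Fetch only plain http/https on default ports, and never from the server's
    own network.  resolved_ip is the address the fetch will actually connect to."""
    parts = urlsplit(image_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.port not in (None, 80, 443):
        return False
    ip = ipaddress.ip_address(resolved_ip)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


# Leading bytes of the formats the proxy is willing to cache (assumed allow-list).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Type the fetched bytes by their magic number, ignoring the remote
    Content-Type header; None means do not cache or serve the file."""
    if len(data) > MAX_IMAGE_BYTES:
        return None
    for magic, content_type in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return content_type
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


if __name__ == "__main__":
    url = "http://i.imgur.com/photo.jpg"          # constructed sample URL
    query = proxy_query(url)
    print(verify_proxy_request(query))             # the URL
    print(verify_proxy_request(query.replace("photo", "other")))  # None: hash no longer matches
    print(destination_allowed(url, "8.8.8.8"))     # True (constructed resolved address)
    print(destination_allowed("http://169.254.169.254/latest/meta-data", "169.254.169.254"))  # False
    print(sniff_image_type(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))   # image/png
    print(sniff_image_type(b"<?php echo 'not an image'; ?>"))      # None
```

Two practical points the functions above do not cover: the DNS lookup and the connection must use the same resolved address (resolve once, connect to that IP, set the Host header yourself), otherwise a name that changes its answer between the check and the fetch passes destination_allowed and then connects somewhere else; and the cached file should be served with the sniffed Content-Type and X-Content-Type-Options: nosniff so the browser never interprets it as a script or page.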
 
jason said: [the image-proxy explanation quoted above]

Thank you for the elaborate explanation.
However, could you maybe explain to us regular web users what the end benefit is to us? Or is the benefit higher for the server?
 
Thank you for the elaborate explanation.
However, could you maybe explain to us regular web users what the end benefit is to us? Or is the benefit higher for the server?
SSL is the same technology that banks use to ensure that your communications with the server are secure and encrypted.
 
Gotcha, right, I understand the technology in use.
But I am curious as to the actual benefit for the PoA member base.
https://www.wired.com/2016/03/https-adoption-google-report/

tl;dr
Privacy (of what you're posting and reading from prying eyes) and account security (bad guys can't intercept your credentials).


For us, it results in a boost in SEO...making us more findable and growing our community. It also makes us look more competent for people that care about this stuff...
 
Don't know if it's related to the SSL or not, but I'm seeing a lot more "Bad Image" icons for folks Avatars than before. Jason, yours is one of them.

However, they're only bad when I'm looking at them on a work PC in Internet Explorer. At home, with Firefox, all is OK.

Ron Wanttaja
 
Man, it does a lot of redirecting with 301s. I would suggest that y'all send back the Strict-Transport-Security header to save future hassle.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 
Don't know if it's related to the SSL or not, but I'm seeing a lot more "Bad Image" icons for folks Avatars than before. Jason, yours is one of them.

However, they're only bad when I'm looking at them on a work PC in Internet Explorer. At home, with Firefox, all is OK.
It appears to be IE-related... Firefox on the same machine looks fine, but IE doesn't display the avatar.

Ron Wanttaja
 
Man, it does a lot of redirecting with 301s. I would suggest that y'all send back the Strict-Transport-Security header to save future hassle.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
We will. I wanted to give it a month. If I had turned it on out of the gate and then had to roll it back because of some image proxy problem...we would have been screwed. :D
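Added example (not the forum's server configuration): a small Python parser for the Strict-Transport-Security header suggested above, a check against the preload-list requirements, and a simulation of the browser-side HSTS cache that explains why a month of testing first is the cautious choice. Once a browser has seen the header over HTTPS it rewrites http:// URLs for that host to https:// locally, so a rollback to plain HTTP leaves returning visitors unable to reach the site until max-age expires. The one-year minimum used for the preload check, the host name and the cache class are assumptions for illustration; the header string itself is the one from the thread.

```python
# Added example, not the forum's server configuration: parse the header
# suggested above, check it against the preload-list requirements, and show
# what a browser does with it.  The one-year minimum, the host name and the
# cache class are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; assumed preload-list minimum for max-age


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """RFC 6797 directive list: ';'-separated, names case-insensitive,
    max-age required.  Returns None for a header a browser would ignore."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> List[str]:
    """Why the preload list would reject this policy (empty list means submittable)."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload missing")
    return problems


class BrowserHstsCache:
    """The client side of HSTS.  After one HTTPS response carrying the header,
    the browser rewrites http:// URLs for that host to https:// locally, before
    any request leaves the machine, until max-age elapses.  That is why a site
    that sends a long max-age and then has to fall back to plain HTTP is
    unreachable for returning visitors, and why a tiny max-age is the safe way
    to trial the header.  (Subdomain matching is omitted to keep this short.)"""

    def __init__(self) -> None:
        self._expires_at: Dict[str, int] = {}

    def observe(self, host: str, policy: HstsPolicy, now: int) -> None:
        if policy.max_age == 0:          # max-age=0 tells the browser to forget the host
            self._expires_at.pop(host, None)
        else:
            self._expires_at[host] = now + policy.max_age

    def rewrite(self, url: str, now: int) -> str:
        parts = urlsplit(url)
        expires_at = self._expires_at.get(parts.hostname)
        if parts.scheme == "http" and expires_at is not None and now < expires_at:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    policy = parse_hsts("max-age=31536000; includeSubDomains; preload")  # header from the thread
    print(preload_problems(policy))                     # []
    trial = parse_hsts("max-age=2")                     # the max-age=2 trial from the thread
    print(preload_problems(trial))
    cache = BrowserHstsCache()
    cache.observe("www.example.org", trial, now=1000)   # assumed host
    print(cache.rewrite("http://www.example.org/", now=1001))  # https://www.example.org/
    print(cache.rewrite("http://www.example.org/", now=1003))  # http://www.example.org/ (expired)
```

The preload directive is stronger than the header alone: once a domain is in the list compiled into browsers, removal takes a browser release cycle, so it belongs at the end of the trial described here, not at the start.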
 
We will. I wanted to give it a month. If I had turned it on out of the gate and then had to roll it back because of some image proxy problem...we would have been screwed. :D
max-age= uhhh.... 2.

There we go :D
 