PoA is moving to SSL (feedback thread)

Discussion in 'Site Feedback and Support' started by jason, Jun 3, 2016.

  1. jason

    jason Administrator Management Council Member PoA Supporter

    Joined:
    Jul 4, 2006
    Messages:
    4,814
    Location:
    Lincoln, Nebraska
    Display name:
    Jason W (FlyNE)
    FYI, I'm going to switch the site to force the use of SSL soon. If you have problems with something, please post here. If you try to access the site from one of your devices and it doesn't work...use another browser (or your phone) to log in and report the problem and I'll take a look immediately.
     
  2. rk911

    rk911 Pre-takeoff checklist

    Joined:
    Apr 26, 2015
    Messages:
    354
    Location:
    Wheaton IL
    Display name:
    rk911
    presuming this is to keep the recent spam from recurring?
     
  3. jason

    jason Administrator Management Council Member PoA Supporter

    Nope. It's just because it's the right thing to do. :D
     
  4. Caramon13

    Caramon13 Pattern Altitude

    Joined:
    May 18, 2015
    Messages:
    1,758
    Location:
    Sarasota, FL
    Display name:
    Caramon13
    Sounds good, go for it.
     
  5. jason

    jason Administrator Management Council Member PoA Supporter

    The most impactful part of this is that we're going to have to switch Xenforo to proxy all images embedded in posts. That may break some things with how images are displayed. I'll do my best to respond to those problems quickly. This is just an FYI to look out for such problems.
     
  6. SCCutler

    SCCutler Administrator Management Council Member PoA Supporter

    Joined:
    Feb 27, 2005
    Messages:
    15,922
    Location:
    Dallas
    Display name:
    Spike Cutler
    Kewl. Some day, someone needs to explain what that means to me.
     
  7. jason

    jason Administrator Management Council Member PoA Supporter

    SSL enabled sites require *everything* that is displayed inside of the page to be served from SSL. If the page is SSL (see the lock at the top) but one of the images that you're viewing in the page isn't being served over SSL, then the browser warns you that the page isn't 100% secure.

    Since our members embed images into their posts, we can't control whether or not those links are served from an SSL site (e.g. https :// imgur. com/image123.jpg vs http: // imgur. com/image123.jpg). In order to ensure that every link displayed is SSL our server now fetches the image from the remote server and caches it on our server...and serves it to the viewer using our SSL certificate.

    You can view this post to see this in action...
    http://www.pilotsofamerica.com/comm...ive-coolest-flights.42749/page-2#post-2063642

    The original image embedded in this post was hosted here...
    http: //i. imgur. com/sRTBcu0l.jpg (link intentionally broken so as not to embed the image)

    If you view the post now you'll see that image served from a URL like this... (again, intentionally broken)
    https: //www. pilotsofamerica. com/community/proxy.php?image=http%3A%2F%2Fi.imgur.com%2FsRTBcu0l.jpg&hash=bf3870e07c8ce53a1b8c620f69c5007a

    So we're fetching the image and making sure that it's served from our server.
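The rewrite described in this post, sketched as an added example (not XenForo's code and not part of the original post): every absolute image URL in a post is pointed at a same-origin proxy, and a keyed hash ties each proxied URL to the site so the endpoint only fetches addresses the site itself issued. The endpoint name, the key and the HMAC-SHA256 construction are assumptions; the thread does not say how the `hash` parameter is computed.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

SECRET = b"constructed-demo-key"            # assumption: server-side secret
PROXY = "https://forum.example/proxy.php"   # hypothetical proxy endpoint

def scheme_of(url):
    try:
        return urlsplit(url).scheme.lower()
    except ValueError:                      # malformed URL
        return ""

def sign(url):
    """Keyed hash of the target URL; only the server can mint a valid one."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def proxy_url(url):
    return f"{PROXY}?image={quote(url, safe='')}&hash={sign(url)}"

IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")([^"]*)(")', re.IGNORECASE)

def rewrite_embeds(post_html):
    """Point every absolute <img src> at the proxy so no http:// subresource remains."""
    def repl(m):
        src = html.unescape(m.group(2))
        if scheme_of(src) in ("http", "https") and not src.startswith(PROXY):
            src = proxy_url(src)
        return m.group(1) + html.escape(src) + m.group(3)
    return IMG_SRC.sub(repl, post_html)

def verify_request(query):
    """Proxy side: return the URL to fetch, or None if the request is refused."""
    params = parse_qs(query)
    url = params.get("image", [""])[0]
    given = params.get("hash", [""])[0]
    if scheme_of(url) not in ("http", "https"):
        return None                         # only web URLs are ever fetched
    if not hmac.compare_digest(sign(url).encode(), given.encode()):
        return None                         # URL was not issued by this site
    return url

# Constructed sample post body
SAMPLE_POST = '<p>Nice flight</p><img src="http://img.example/a.jpg" alt="x">'
```
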
     
  8. SCCutler

    SCCutler Administrator Management Council Member PoA Supporter

    That sounds like a pretty good idea! Thanks for all you do.

    Plus, thanks for making my nonprofit friends think I'm smart for recommending Firespring for their web stuff.
     
    jason likes this.
  9. DFH65

    DFH65 Cleared for Takeoff

    Joined:
    Jun 29, 2013
    Messages:
    1,317
    Display name:
    DFH65
    Do it!!! I double dog dare you. :D
     
  10. jason

    jason Administrator Management Council Member PoA Supporter

    I've made the switch. Please let me know if you notice anything out of whack...
     
  11. azure

    azure Final Approach

    Joined:
    Apr 2, 2005
    Messages:
    6,431
    Location:
    Vermont
    Display name:
    azure
    Well, the visited states map in my signature no longer displays. Instead (in Firefox) all I see is a thumbnail of what looks like my avatar with a red X through it. I've seen some other posters with the same symptom. I assume this is the reason.
     
  12. jason

    jason Administrator Management Council Member PoA Supporter

    Probably. But this one is working fine...

    https://www.pilotsofamerica.com/com...ive-coolest-flights.42749/page-2#post-2060270

    I'll need to see if I can figure out what the difference is. Looks like he's using a different site.
     
  13. azure

    azure Final Approach

    Is there a way to upload an image to the PoA server and then use that URL? From your description it sounds as if that would work. You could do that under the old software but I don't see any obvious way to do it in Xenforo.
     
  14. jason

    jason Administrator Management Council Member PoA Supporter

    There was a previous discussion here...
    https://www.pilotsofamerica.com/community/threads/upload-sig-pic-here.90819/
    Some were uploading them to that thread. I asked in that thread that they just be uploaded to imgur (which is a site made specifically for hosting images). You can choose which path you'd like to take.
     
  15. krock918316

    krock918316 Pre-Flight

    Joined:
    Nov 11, 2014
    Messages:
    40
    Location:
    Oklahoma
    Display name:
    Kevin
    Tapatalk seems to be broken. Getting an error message.
     
  16. eman1200

    eman1200 Final Approach

    Joined:
    Mar 10, 2013
    Messages:
    6,517
    Display name:
    eman1200
    I think tapatalk was down during the cutover. working fine for me now.
     
    jason likes this.
  17. azure

    azure Final Approach

    I used imgur, that appears to have worked. Thanks.
     
    jason likes this.
  18. jason

    jason Administrator Management Council Member PoA Supporter

    I had an error as well. I logged out and logged back in and it worked fine. But I think it was more a problem with my two-factor auth.
     
  19. krock918316

    krock918316 Pre-Flight

    It's working now.
     
    jason likes this.
  20. eman1200

    eman1200 Final Approach

    does this mean if I post a pic of me chowing down some nachos, it would be "munchin' by proxy"? hahaha, get it? WOOOOOoohhhoooooo taking nyquil during the day makes me LOOOOOOooopy! aaaand, good night.
     
  21. silver-eagle

    silver-eagle En-Route

    Joined:
    Mar 11, 2005
    Messages:
    4,639
    Location:
    Massachusetts
    Display name:
    ~John
    Only if you guzzle ipecac and puke your ssl all over your kids.
     
  22. deonb

    deonb Cleared for Takeoff PoA Supporter

    Joined:
    Aug 17, 2015
    Messages:
    1,136
    Display name:
    deonb
    I am getting a "SSL connection error" when trying to open the site from the default internet browser on Android (Samsung Galaxy S5). It works in Chrome.

    It seems like the COMODO root cert isn't installed on Android by default?
     
  23. frfly172

    frfly172 Touchdown! Greaser!

    Joined:
    Oct 22, 2008
    Messages:
    10,521
    Location:
    mass fla
    Display name:
    ron keating
    Have tried imgur to no avail, still can't get the signature picture back. Oh well.
     
  24. jason

    jason Administrator Management Council Member PoA Supporter

    I'll have to research that. I'm trying to get by without TLS 1.1. Can you give me any more info on your setup? Android version and browser version? That's probably what it is.
     
  25. jason

    jason Administrator Management Council Member PoA Supporter

    Where is the image that you had before the switch?
     
  26. jason

    jason Administrator Management Council Member PoA Supporter

    Try it now. I'd be willing to bet that it works.
     
  27. deonb

    deonb Cleared for Takeoff PoA Supporter

    Yip. Works now.

    Out of curiosity - what did you change?
     
  28. jason

    jason Administrator Management Council Member PoA Supporter

    Enabled some legacy versions of some SSL protocols. Surprisingly, Android doesn't do a good job of keeping up in that area.
     
  29. SkyHog

    SkyHog Touchdown! Greaser!

    Joined:
    Feb 23, 2005
    Messages:
    18,033
    Location:
    Castle Rock, CO
    Display name:
    Everything Offends Me
    Maybe crazy here, but if you are caching the content and serving locally, doesn't that open up a vulnerability on the POA server?

    Seems like a great way to get content into the server that you had not intended...
     
  30. jason

    jason Administrator Management Council Member PoA Supporter

    In theory. Jesse and I talked about it some. They work pretty hard on these things to ensure that it's actually an image that they're downloading and that they isolate it from running as code.
     
    SkyHog likes this.
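The two safeguards mentioned in the reply above (confirming the download is an image, and keeping it from running as code), sketched as an added example that is not XenForo's implementation and not part of the original posts. The size cap, the accepted formats and the function names are assumptions; the cached file name is derived from a hash so nothing the remote server chose ends up on disk.

```python
import hashlib

MAX_BYTES = 5 * 1024 * 1024   # assumed size cap for one proxied image

# Leading bytes of the formats this sketch accepts
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
EXT = {"image/png": ".png", "image/jpeg": ".jpg",
       "image/gif": ".gif", "image/webp": ".webp"}

def sniff_image(body):
    """Decide the type from the bytes themselves, never from the remote header."""
    if not body or len(body) > MAX_BYTES:
        return None
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None                   # HTML, SVG, scripts and anything unknown

def cache_entry(url, body):
    """Return (filename, response headers) for an accepted body, else None."""
    mime = sniff_image(body)
    if mime is None:
        return None
    # Name comes from a hash plus a fixed extension, so a remote name such as
    # "x.php" never reaches the cache directory.
    name = hashlib.sha256(url.encode()).hexdigest() + EXT[mime]
    headers = {
        "Content-Type": mime,                    # our verdict, not theirs
        "X-Content-Type-Options": "nosniff",     # browser must not re-guess
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": "inline",
    }
    return name, headers

# Constructed samples: a PNG header with padding, and an HTML body
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_HTML = b"<html><body>not an image</body></html>"
```

Magic bytes alone do not rule out a file that is valid as two formats at once, which is why the headers and the server-chosen file name matter as much as the sniffing.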
  31. BigBadLou

    BigBadLou En-Route

    Joined:
    Aug 6, 2014
    Messages:
    4,122
    Location:
    TX - the friendliest state
    Display name:
    Lou
    Thank you for the elaborate explanation.
    However, could you maybe explain to us regular web users what the end benefit is to us? Or is the benefit higher for the server?
     
  32. jason

    jason Administrator Management Council Member PoA Supporter

    SSL is the same technology that banks use to ensure that your communications with the server are secure and encrypted.
     
  33. BigBadLou

    BigBadLou En-Route

    Gotcha, right, I understand the technology in use.
    But I am curious as to the actual benefit for the PoA member base.
     
  34. jason

    jason Administrator Management Council Member PoA Supporter

    https://www.wired.com/2016/03/https-adoption-google-report/

    tl;dr
    Privacy (of what you're posting and reading from prying eyes) and account security (bad guys can't intercept your credentials).


    For us, it results in a boost in SEO...making us more findable and growing our community. It also makes us look more competent for people that care about this stuff...
     
  35. wanttaja

    wanttaja Pattern Altitude

    Joined:
    Jun 7, 2008
    Messages:
    2,318
    Location:
    Seattle
    Display name:
    Ron Wanttaja
    Don't know if it's related to the SSL or not, but I'm seeing a lot more "Bad Image" icons for folks' avatars than before. Jason, yours is one of them.

    However, they're only bad when I'm looking at them on a work PC in Internet Explorer. At home, with Firefox, all is OK.

    Ron Wanttaja
     
  36. mkosmo

    mkosmo Pattern Altitude PoA Supporter

    Joined:
    Jul 27, 2012
    Messages:
    2,100
    Location:
    Houston, TX
    Display name:
    mkosmo
    Man, it does a lot of redirecting with 301s. I would suggest that y'all send back the Strict-Transport-Security header to save future hassle.

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
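What the header suggested above commits a site to, as an added example (not from the thread): it parses a Strict-Transport-Security value, computes how long a browser that saw it will refuse plain HTTP, and checks the hstspreload.org submission criteria. Function names and the sample date are assumptions; the one-year minimum is the preload list's published requirement.

```python
from datetime import datetime, timedelta, timezone

PRELOAD_MIN_AGE = 31536000   # one year, the hstspreload.org minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if it is not a usable policy."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            return None                      # repeated directive: invalid header
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # value may be a quoted string
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def https_only_until(policy, seen_at):
    """Moment until which a browser that cached the policy refuses http://."""
    return seen_at + timedelta(seconds=policy["max_age"])

def preload_ready(policy):
    """True when the policy meets the preload list's header requirements."""
    return (policy["max_age"] >= PRELOAD_MIN_AGE
            and policy["include_subdomains"] and policy["preload"])

# Constructed sample: the moment a browser first receives the header
SEEN = datetime(2016, 6, 3, tzinfo=timezone.utc)
SUGGESTED = "max-age=31536000; includeSubDomains; preload"
```

With the suggested value, a site that later has to fall back to HTTP stays unreachable for returning visitors until the computed date, which is the reason to ramp `max-age` up only once HTTPS has proven stable.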
     
  37. wanttaja

    wanttaja Pattern Altitude

    It appears to be IE-related... Firefox on the same machine looks fine, but IE doesn't display the avatar.

    Ron Wanttaja
     
  38. jason

    jason Administrator Management Council Member PoA Supporter

    We will. I wanted to give it a month. If I would have turned it on out of the gate and then had to roll it back because of some image proxy problem...we would have been screwed. :D
     
  39. jason

    jason Administrator Management Council Member PoA Supporter

    What Windows and IE version are you using?
     
  40. mkosmo

    mkosmo Pattern Altitude PoA Supporter

    max-age= uhhh.... 2.

    There we go :D