HTTPS and the Forums


HTTPS and the Forums
#1
Right now on the forums we are allowing external linking to non-secure content. With the recent change in security policy for most of the major browsers, I will be switching this functionality off. This means that any links to external images that are not served via a secure (HTTPS) method will appear as a broken link. Eventually this will apply to the rest ofthe websites in the LDraw ecosystem.
Reply
RE: HTTPS and the Forums
#2
Wait a minute, will this break embedding images from brickshelf?
What's the background of this?
Why should linking or embedding http (instead of https) images (or files) be forbidden?

I would understand such a policy on an online banking site,
but on an LDRAW discussion forum?

I would like to better understand the reasoning behind this.
Reply
RE: HTTPS and the Forums
#3
(2018-02-27, 3:38)Steffen Wrote: Wait a minute, will this break embedding images from brickshelf?
What's the background of this?
Why should linking or embedding http (instead of https) images (or files) be forbidden?

I would understand such a policy on an online banking site,
but on an LDRAW discussion forum?

I would like to better understand the reasoning behind this.

Both Chrome and Firefox will be labeling all content served over HTTP as “Not Secure” starting with Chome in July. This may have the effect of scaring off new users. I’d rather err on the side of caution

Chrome Will Label All HTTP Pages as “Not Secure” in Just a Few Months
Mozilla To Label HTTP Sites As “Not Secure” in Future Versions of Firefox
Reply
RE: HTTPS and the Forums
#4
I know about this move of the browsers and I like it a lot basically. It is coming from a good origin and principle.
However, I think you are overshooting here a little: applying those considerations especially to this forum and in that strict way
IMHO creates more damage than benefit. I think the different usecases need different treatment:

(a) Existing embedded images
All old posts which currently have an image embedded from a http source, like for example http://www.brickshelf.com,
would be blocked by your new policy, and the posts therefore would look broken.
This is a huge collateral damage.

(b) Embedding new images
Enforcing a "https only allowed" policy for new embedded images will lock out all sites which have not yet migrated to https
(like brickshelf.com). I again here think that the achieved "gain" is much smaller than the "loss".

(c ) Links to somewhere else in a post
I think enforcing a policy here makes no sense, because these things have no impact on the "security" classification of forums.ldraw.org itself.
It is the job of the destination site to migrate to https, not ours to lock them out.
The loss of information sharing capability also here IMHO is too large compared to the small gain.
Imagine someone wanting to describe a problem and point a link to somewhere and cannot post that.

What I consider *more important* is to migrate whole ldraw.org to https.
We ourselves haven't done our own homework yet!
For example, the forums are https now, but the parts tracker is not.
I have suggested doing that long time ago:
https://forums.ldraw.org/thread-21917.html
Your new policy would lock out
- all links to the PT
- all ldraw.org own-generated images like http://www.ldraw.org/library/unofficial/.../28324.png
- peeron.com
- brickshelf.com

Please understand that I'm also working in the IT industry and of course am a https stakeholder in general.
I just think that the approach taken here is the wrong order. I instead suggest:

(I) migrate whole ldraw.org to https
This will be a lot of work, I expect lots and lots of small trivial edits (https by http) on the parts tracker implementation
and its scripts. It will probably also affect the peeron.com infrastructure, therefore I suggest at the same time:

(II) migrate whole peeron.com to https

(III) In the forum, we can _recommend_ https over http, but not forbid http
Forbidding must come at a much later stage.


- just my opinion! -
Reply
RE: HTTPS and the Forums
#5
(2018-02-27, 14:50)Steffen Wrote: I know about this move of the browsers and I like it a lot basically. It is coming from a good origin and principle.
However, I think you are overshooting here a little: applying those considerations especially to this forum and in that strict way
IMHO creates more damage than benefit. I think the different usecases need different treatment:

(a) Existing embedded images
All old posts which currently have an image embedded from a http source, like for example http://www.brickshelf.com,
would be blocked by your new policy, and the posts therefore would look broken.
This is a huge collateral damage.

(b) Embedding new images
Enforcing a "https only allowed" policy for new embedded images will lock out all sites which have not yet migrated to https
(like brickshelf.com). I again here think that the achieved "gain" is much smaller than the "loss".

(c ) Links to somewhere else in a post
I think enforcing a policy here makes no sense, because these things have no impact on the "security" classification of forums.ldraw.org itself.
It is the job of the destination site to migrate to https, not ours to lock them out.
The loss of information sharing capability also here IMHO is too large compared to the small gain.
Imagine someone wanting to describe a problem and point a link to somewhere and cannot post that.

What I consider *more important* is to migrate whole ldraw.org to https.
We ourselves haven't done our own homework yet!
For example, the forums are https now, but the parts tracker is not.
I have suggested doing that long time ago:
https://forums.ldraw.org/thread-21917.html
Your new policy would lock out
- all links to the PT
- all ldraw.org own-generated images like http://www.ldraw.org/library/unofficial/.../28324.png
- peeron.com
- brickshelf.com

Please understand that I'm also working in the IT industry and of course am a https stakeholder in general.
I just think that the approach taken here is the wrong order. I instead suggest:

(I) migrate whole ldraw.org to https
This will be a lot of work, I expect lots and lots of small trivial edits (https by http) on the parts tracker implementation
and its scripts. It will probably also affect the peeron.com infrastructure, therefore I suggest at the same time:

(II) migrate whole peeron.com to https

(III) In the forum, we can _recommend_ https over http, but not forbid http
Forbidding must come at a much later stage.


- just my opinion! -

You seem to be significantly more well versed in this than I. I'm annoyed at the requirement since it a) costs money and b) doesn't matter for non-sensitive information.

Point I is in the works. I may do a small test run on the main site at some point to see what breaks since I can't test on a non-production server. The other 2, OMR and Wiki, are on my personal server and will be implemented when I have time.

Also, point II cannot be done by us. Peeron is owned by Dan and I have not control over his website.
Reply
RE: HTTPS and the Forums
#6
OK, understood. Let's minimize annoyance and hassle.
We in fact have no "real" problem here. All existing stuff and sites will continue to function.
The only change is that the major browsers will display a site which is not 100% https as "not secure" in the address bar, which simply is the truth.
The only thing they changed is: telling us about it.

As we are really just a fun site, we have no time pressure in switching over to https, although of course, in the long run, we should, as everybody else.

I suggest we wait until the browsers display that tag:
My guess is that 99% of all forum pages already will get a "secure" tagging.
Reply
« Next Oldest | Next Newest »



Forum Jump:


Users browsing this thread: 6 Guest(s)