SSL Suggested also for the forum

Status
Not open for further replies.

peopleinside

New member
Hi, I want to suggest using SSL also for the forum. SSL should be used everywhere users insert personal data. In that case personal data is passwords, logins... So I think here access to the whole forum, or only the admin area and login area of the forum, should be SSL protected ;-) as I see the Client Area access is :)

Congratulations, I have checked to find security holes in your SSL Client Area and your SSL seems to be installed well. Many websites have security issues; your Client Area SSL is well installed. Great! So I have to inform you that your SSL is well installed on the Client Area.
 

peopleinside

New member

Thanks Greg, I am not posting for any other scope than posting. I have maybe the score to request the hosting but I am not doing this :yahoo:
 

Sander k

New member
I wouldn't use an SSL certificate on a forum, every external image (could even be an avatar) would make your connection unsafe.
 

GigaGreg

Moderator
Staff member
Sander k said:
I wouldn't use an SSL certificate on a forum, every external image (could even be an avatar) would make your connection unsafe.

True, that is why none of the forums has SSL installed.

But imagine if that wouldn't be the case and external images would be safe (it never will be, just thoughts).
 

peopleinside

New member
I know forums under SSL, and there aren't SSL issues if all is well configured.
Maybe there can be an issue with external video, which may not be SSL, but YouTube right now also generates SSL code. Regarding avatars, if one is uploaded it is uploaded under SSL if the server is well configured, and I think Gravatar is maybe also using SSL, as I can see it works fine in osTicket: user images are shown under SSL safely without warning.

The safety is useful in the login process or in the admin area of the forum, where a user can choose to write, for example, a private message with some private data.

It is just a suggestion, you can consider it or not. Some forums decide to have SSL only on the admin side... that's good but maybe a little bit more difficult to configure.

Sander k said:
I wouldn't use an SSL certificate on a forum, every external image (could even be an avatar) would make your connection unsafe.

External elements over http can change the padlock from safe to a warning of mixed content. It will not really be an unsafe connection, but it's just not nice to see, and it is always better than having no SSL. Maybe with some settings non-SSL content can also be disallowed.
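
The mixed-content situation discussed in the post above, as an added example that is not part of the original thread: a Python check that lists the `http://` subresources an HTTPS forum page would load, split into active content (scripts, frames, stylesheets) and passive content (images, media). The sample page and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose insecure loads browsers treat as "active" mixed content (blocked)
# versus "passive" display content (the padlock-warning case in the thread).
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    """Collects http:// subresources referenced by a page served over https."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        # <link rel="stylesheet"> loads CSS, which counts as active content.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", tag, attrs.get("href", ""))
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag:
                    self._check(kind, tag, attrs.get(attr, ""))

    def _check(self, kind, tag, url):
        # Only explicit http:// is mixed content; https://, relative and
        # protocol-relative (//host/...) URLs are fetched over TLS.
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample: a forum thread page served over https with user media.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/styles/forum.css">
<img class="avatar" src="https://secure.gravatar.com/avatar/0000">
<img class="avatar" src="http://avatars.example.org/u/42.png">
<iframe src="http://video.example.net/embed/abc"></iframe>
<a href="http://example.com/">plain links are navigation, not mixed content</a>
<script src="//cdn.example.com/app.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

A setting of the kind the post asks about exists as the Content-Security-Policy directive `upgrade-insecure-requests`, which tells the browser to fetch such `http://` subresources over `https://` instead.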
 

nobodyspecial

New member
My 30 or so words,

Most of the man-in-the-middle attacks are, as GigaGreg pointed out, for anything to do with money and the representation of pricing.

Security can be beefed up on the forum with SSL, but at the cost of performance, and one of the fine arts of running a successful forum is speed.

The other side of the coin is that you have to ask yourself the following question: are my assets at high risk or not? And be honest with yourself.

Will a hacker want to deface your presentation of your personal assets for his personal gain? To be honest, like I have read over countless forums, they find an exploit, even if you have SSL, and either change your home page or they leave you a note if they are polite.

But to add SSL on a forum, something that even hackers, when they are being normal people, use, is just a waste of time in all senses.

As for a WordPress site or any other CMS script portals, I would seriously beef up my security on my servers before adding SSL and even SSL on-the-fly creation.

Always remember the following:
A request from one person takes x time from the server; now add the creating of the SSL cert to that time.
Now multiply that by 100 users.
Also, every user of your website uses your precious RAM; now also add the SSL cert process to your RAM usage.

Web hosting is about fine tuning, and using only the services required; just because it is there does not mean that you should use or install it for the idea of better security.

A term used, called "server hardening practices", would get you far greater security than anything else and at no loss of performance.

Also, best practice: a flaw we do make at times is to use similar passwords between systems; now that is the worst mistake we can make.

PrestaShop has something listed about password policies on their forum, something to go look up and think about.

But what a great thread to start, maybe it should be under the tech section.

Everyone could maybe post their ideas and server hardening practices, oh wait, there is one already somewhere.
 

peopleinside

New member
Sure, SSL is not all. You can have SSL and a bad hole in the CMS or a plugin or outdated software. Also you can have SSL but not well installed, or an old OpenSSL which is a security risk.
In any case, with SSL on login you are more safe: your password can't be easily read by a man-in-the-middle attack.

I hope PrestaShop will look into password security and, if there are holes, will fix them.
Thanks for your post. It is right.
 

peopleinside

New member

Thanks,
I know what I say, and I think all login pages and maybe contact forms or modules should be SSL secured. Other factors also mean security, not only a padlock, but it is better; I prefer to insert a password on SSL pages instead of non-SSL pages.
 