Keeping the forum https with members posting mixed content

Discussion in 'Help and Feedback' started by Amin Sabet, Oct 24, 2015.

  1. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    @barry13 @sesser @ others who know more about this stuff than I do...

    Not long ago, I switched this site to https. That has proven to be a huge pain in the neck. While most members post secure content (thread attachments, Flickr https images, etc), some continue to post images from non-secure (http) hosting sites.

    This leads to mixed content warnings in browsers, and some members' browsers may be set up to block non-secure content. To get around this issue, I've made several attempts to set up an image proxy that would retrieve all externally hosted images and temporarily host those images here so they could be made secure. Besides getting rid of the mixed content warnings, this also makes the site more secure, preventing certain forms of cookie stuffing.

    However, the image proxy has proven extremely costly (paying developers, upgrading the server, spending my own time), and I haven't been able to get it just right. Certain images don't show, either for known reasons (slow origin) or unknown ones (gremlins).

    So I'm faced with three options:

    1) Keep trying to get the image proxy right (but I'm running out of time and money)

    2) Change the sites back to http

    3) Leave the sites https and accept the occasional mixed content warnings

    I'm leaning towards #3 (in fact that is the current state). What do you think?
     
  2. MAubrey

    MAubrey Photographer

    Jul 9, 2012
    Bellingham, WA
    Mike Aubrey
    I'm perfectly happy with #3.
     
    • Agree x 1
  3. felipegeek

    felipegeek Mu-43 Enthusiast

    113
    Jan 8, 2014
    Miami, FL
    Felipe
    Amin,

    I was glad when you implemented HTTPS. I think all sites should be in that mode. Maybe all externally referenced content that is not in HTTPS mode should result in new window/tab page opening direct to the content. It's less elegant but you don't have to reduce security and it will make those posting insecure content more aware of the issue since it won't embed in the site and may prompt them to change it if the secure way is available to them.

    I vote for #3
     
  4. barry13

    barry13 Super Moderator; Photon Wrangler

    Mar 7, 2014
    Southern California
    Barry
    Hi Amin,

    As far as privacy and security go, only the login and profile update pages need SSL.

    However, I understand Google is giving a (small) SEO boost to sites using SSL (although it's completely unclear to me if it's supposed to be ALL pages or not).
    (http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446)
    One must wonder though what Google does if there's mixed content.

    As far as users go, I suspect most have turned off the browser warnings about mixed content.

    However, my main concern would be about costs of operating the site; I'm guessing the bandwidth charges for the proxy are significant; I don't think that would be economically viable (correct me if I'm wrong).

    Anyways, I'd go with #2 BUT with SSL for the users' profile & login pages, or stay with #3.

    Barry
     
    • Agree x 1
  5. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    The bandwidth charges I can handle. It's mostly the time I'm spending trying to get the proxy working that's an issue.

    I'm going to stick with #3 for now, Thanks, all.
     
    • Like x 1
  6. sesser

    sesser Zen Master

    490
    Mar 10, 2015
    Portland, OR
    randy
    Google is a black box. Not only are you playing against the house (and the house always wins), but the house also controls cards and the rules of the game. Bottom line; Google is trying to keep the web honest (in their own demented way). If you think you're doing something "sketchy," chances are Google already knows about it and is actively working on a way to prevent you from doing it.

    Anyway, option #3 is fine with me, but only because I understand how SSL works in the browser. I'm not concerned about mixed content on this site. If it was my bank, it might be different.

    One potential solution (and this would require developer intervention) would be to show a "button" for non-secure images. When the button is clicked, the non-secure image loads. Initial page load would say the page is secure. Flickr does this with images not hosted on the flickr domain, but this could be done for https vs http. Without imposing rules about how external content is served from this site, you're kind of stuck.

    Thanks for putting in all the effort for this site @Amin Sabet. I really appreciate your dedication and hard work (and I'm sure a majority of users do as well).
     
    • Appreciate x 1
  7. pdk42

    pdk42 One of the "Eh?" team

    Jan 11, 2013
    Leamington Spa, UK
    Sounds like you've made your decision Amin - but I'd vote for #2, save for login and profile update pages which should remain in https. Of course I'm happy to support whatever decision you do make!
     
  8. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    I like this idea a lot. Let me see what I can do.
     
  9. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    I was able to do this. When I turn it on, it's going to mean that a LOT of old posts don't show images without clicking, because Flickr used to use http.

    @barry13 - do you foresee any problems if I do this find / replace to change all Flickr URLs in messages from http to https?

    Code:
    -- rewrite Flickr "farm" image URLs in post bodies from http to https
    UPDATE xf_post SET message = REPLACE(message,'http://farm','https://farm');
    I could do a similar find/replace for any site (Tumblr, Smugmug, etc) which has since gone over to https without changing the rest of their URLs. Would need some help from the members as to the specific find/replace I should use.
     
  10. sesser

    sesser Zen Master

    490
    Mar 10, 2015
    Portland, OR
    randy
    I would think most of the popular image hosting sites (flickr, smugmug, tumblr, etc) all support https at this point and simply changing the URLs would be fine. Only "gotcha" I can see is users (like myself) who have custom domains set up with services like Smugmug. HTTPS works, but the certificate doesn't match the domain so you get warnings on the client side.

    Also, if this is a database replace, I hope there's no other service using https://farm* as a hostname ;)
     
  11. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Okay, these are the ones I've done so far:

    Code:
    UPDATE xf_post SET message = REPLACE(message,'http://farm','https://farm');
    
    UPDATE xf_post SET message = REPLACE(message,'http://player.vimeo.com/','https://player.vimeo.com/');
    
    UPDATE xf_post SET message = REPLACE(message,'http://www.youtube.com','https://www.youtube.com');
    
    If someone would tell me which replacements to do for Smugmug, Tumblr, Zenfolio, Picasaweb, etc, I'd be much obliged. In the meanwhile, I'll enable the addon so you can have a look.
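A safer way to do the same find/replace, as an added example that is not code from the thread: it only upgrades URLs whose host is on an allowlist of hosts already known to serve the same paths over https (so a bare 'http://farm' prefix cannot catch an unrelated hostname, the gotcha raised above), and it counts affected rows in a dry run before touching anything. An in-memory SQLite table stands in for XenForo's xf_post (MySQL on the real site); the host patterns and sample posts are constructed for the example.

```python
import re
import sqlite3

# Hosts confirmed to serve the same paths over https (assumption for this
# example; the real list comes from checking each host). Patterns are full
# hostnames, so 'http://farm' alone can never match something unrelated.
HTTPS_HOST_PATTERNS = [
    r"farm\d+\.static\.?flickr\.com",   # Flickr farm image hosts
    r"player\.vimeo\.com",
    r"www\.youtube\.com",
]

# The lookahead rejects hosts that merely start with an allowlisted name,
# e.g. http://www.youtube.com.other.example would not be rewritten.
HTTP_URL_RE = re.compile(
    r"http://(" + "|".join(HTTPS_HOST_PATTERNS) + r")(?![\w.-])",
    re.IGNORECASE,
)


def rewrite_http_urls(message):
    """Upgrade http:// to https:// for allowlisted hosts only; leave the rest."""
    return HTTP_URL_RE.sub(lambda m: "https://" + m.group(1), message)


def upgrade_posts(conn, dry_run=True):
    """Rewrite xf_post.message rows; return how many rows would (or did) change."""
    rows = conn.execute(
        "SELECT post_id, message FROM xf_post WHERE message LIKE '%http://%'"
    ).fetchall()
    changed = 0
    for post_id, message in rows:
        new_message = rewrite_http_urls(message)
        if new_message != message:
            changed += 1
            if not dry_run:
                conn.execute("UPDATE xf_post SET message = ? WHERE post_id = ?",
                             (new_message, post_id))
    if not dry_run:
        conn.commit()
    return changed


def demo():
    """Constructed sample posts; returns (dry-run count, rows updated, messages)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE xf_post (post_id INTEGER PRIMARY KEY, message TEXT)")
    conn.executemany("INSERT INTO xf_post (message) VALUES (?)", [
        ("[img]http://farm9.staticflickr.com/8001/1234_abcd.jpg[/img]",),
        ("see http://farmersmarket.example/photo.jpg and http://www.youtube.com/watch?v=x",),
        ("already fine: https://farm1.static.flickr.com/1/2_3.jpg",),
    ])
    dry = upgrade_posts(conn, dry_run=True)
    wet = upgrade_posts(conn, dry_run=False)
    messages = [r[0] for r in conn.execute("SELECT message FROM xf_post ORDER BY post_id")]
    return dry, wet, messages
```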
     
  12. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    It would be fine, as long as they are https :).
     
  13. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    I just enabled it briefly, and it's a real eyesore. Too many non-https images in threads. I'm gonna leave it with the mixed content warnings for now rather than hiding all those members' images.
     
    • Agree x 1