
Traffic optimization

So images inserted into posts that are hosted on non-HTTPS sites would have the same effect?
But hyperlinks to such sites (which are a bigger worry really, some may be seriously dodgy) presumably wouldn't?
Hyperlinks don't matter whether or not they use HTTPS. Images are, however, a different story and I can only guess as I don't use Cloudflare myself.

If you post an image using a non-HTTPS URL, it will trigger such a warning in most browsers. However, there is a neat feature in Cloudflare (which I mentioned in my previous post) that will automatically rewrite such URLs to use HTTPS instead.

The problem is, it will only work if the host in question actually supports HTTPS, like CF does. I just searched and read their documentation and now I've become a bit less enthusiastic about it, as it reads as follows:
To determine which URLs do not have HTTPS support, Cloudflare uses data from EFF’s HTTPS Everywhere and Chrome’s HSTS preload list.
In other words, it will only work if the domain in question is registered in such lists which may not be the case with URLs our members use.

I think I have a plan to fix this problem without requiring the users to change their URLs. However, it involves tweaking XenForo settings and spending $2/month, so I'll at least wait until we get the next month's bill and hopefully find that the CDN actually has reduced the cost enough to justify the additional hassle before I suggest the method.
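An added example, not code from this thread or from Cloudflare: a small Python checker that scans a post's HTML for images and applies the same caveat described above, i.e. an http:// image can only be upgraded when its host is known to support HTTPS, otherwise the browser will flag it as mixed content. The KNOWN_HTTPS_HOSTS set and the sample post are constructed stand-ins, not copies of the EFF or HSTS preload lists.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the HTTPS Everywhere / HSTS preload data that the
# rewrite feature consults; these hostnames are assumptions for the demo only.
KNOWN_HTTPS_HOSTS = {"i.imgur.com", "imgur.com", "cdn.example.com"}


class ImageSrcCollector(HTMLParser):
    """Collects src attributes of <img> tags. Hyperlinks (<a href>) are ignored
    on purpose: an http:// link does not cause a mixed-content warning."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def classify_image(src, known_https_hosts=KNOWN_HTTPS_HOSTS):
    """Return 'secure', 'rewritable' or 'mixed-content' for one image URL."""
    parsed = urlparse(src)
    if parsed.scheme.lower() != "http":
        # https://, protocol-relative //host/..., data: and relative paths all
        # load over the page's own scheme and never trigger the warning.
        return "secure"
    host = (parsed.hostname or "").lower()
    if host in known_https_hosts:
        return "rewritable"   # the automatic https:// rewrite would succeed
    return "mixed-content"    # browsers warn or block; the image needs rehosting


def audit_post(html, known_https_hosts=KNOWN_HTTPS_HOSTS):
    """Map every <img> src found in a post body to its classification."""
    collector = ImageSrcCollector()
    collector.feed(html)
    return {src: classify_image(src, known_https_hosts) for src in collector.srcs}


if __name__ == "__main__":
    # Constructed sample post, loosely modelled on the signature-image case.
    sample = ('<p>Hi <a href="http://plain-site.example/">link</a></p>'
              '<img src="http://i.imgur.com/abc.png">'
              '<img src="http://unknown-host.example/sig.jpg">'
              '<img src="https://cdn.example.com/ok.png">')
    for src, verdict in audit_post(sample).items():
        print(f"{verdict:14} {src}")
```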
 
No, you don't have to give it up. But it seems that you'll need to download that image and upload it elsewhere, like imgur.com or any other image hosting service.

(You are right in assuming that the image is currently hosted on a server, apparently managed by Madiosi.)

Of course, it can also be fixed if Madiosi could enable HTTPS support on his server (which is a good idea, by the way), but it can be quite a hassle in case he's not using a service like AWS or Cloudflare that provides an easy way to do so.

So, the easiest option would be:
  1. download the image to your PC (right click on it and you should see an option),
  2. register with an image hosting service like imgur.com,
  3. upload it to the service, preferably with a setting so it's only visible to those who have the link (Imgur supports that),
  4. then finally, copy the new URL of the image and use it to replace your old signature image on CF.

Hope I explained it well, but if you find any of the steps confusing, please feel free to let me know.

I’ve solved my signature problem. Bobinder kindly helped me find a secure home for it. You’ll notice I am no longer triggering security warnings with it. :)
 
Thanks much! Now I'm feeling a bit more secure here (also because now I'm going to be safe from demerits... for now).
 
I'm not sure what difference it makes, but it is nice to come to the site and see the secure lock instead of the "not secure" warning!
Well, in the longer term a possible difference it might make is people continuing to be willing to join up.
There's a concerted effort to get as much of the web on HTTPS as possible, and browsers will only be ramping up the intensity of their warnings.
That means non-HTTPS sites will increasingly be perceived as 'dodgy', and when people feel they are implicitly admitting to a fetish by joining such a site, they want to feel safe.
 
To give you a better idea why it is considered mandatory to enable SSL on any website that requires user login, here's a not highly likely, but still entirely possible, scenario which could have happened without the HTTPS support:
  1. A hacker installs malicious software on the same network as a router which provides public WiFi access, like in a cafe.
  2. A moderator of CF happens to visit the cafe, connects to the compromised network and does business as usual (e.g. posting squirrel jokes, and so on).
  3. The software records all the traffic which comes out of the router and transmits the data to the hacker.
  4. The hacker searches for login attempts recorded in the communication log and extracts the login credentials of our moderator in question.
  5. The hacker logs on to CF, impersonating the moderator, and can then go on deleting random threads, banning members, or editing posts to insert hate messages, and so on.
Even though a public WiFi endpoint itself is usually encrypted, the path past the router is not. So, if the hacker gains access to that part of the network, he or she can basically read everything everyone does in that network unless the individual communication is also encrypted, typically using HTTPS or a VPN.

This is the reason why it is considered common sense nowadays to have HTTPS enabled on any website that requires user login to access.
 
For anyone who may wonder what security vulnerability it may cause when a user links a non-secure signature image, it's a relatively minor one compared to the above mentioned scenario.

The most damage that the hacker can inflict in this scenario is probably replacing such an image with something else, say a squirrel pic, for example. But why would anyone do that, I mean, unless the hacker's name is Rias?

As I can safely assume that Rias isn't more interested in network hacking than in acorns or cats, the mixed content warning message is more of a nuisance while the actual threat was already eliminated when we enabled the site-wide SSL after migrating to a CDN.
 

The possibility of a moderator's identity being hijacked is one we've considered. Suffice to say we have contingency plans.
 
Yeah, normally such sites keep daily database backups, for example. But if I were a hacker I might try to make my sabotaging attempts less dramatic, so that it'd be too late when others find out.

For instance, I could start by deleting a few random posts in old threads. Then I might start replacing a few avatar images of those who haven't logged on recently. Or I could delete a word here, or insert one there (like racial slurs or political propaganda).

If I do this slowly enough, I may be able to stay undetected until the last good backup is overwritten by a bad one (because they always use a rolling backup plan to save space).

While I'm doing this, I could even subtly harass other members via PM (not to mention being able to read all previous private messages of the compromised account), and nobody would notice it unless some of the victims bring the matter up in public.

So even though it's great that our website also follows such common practices to recover from an accidental disaster, there can be countless ways to inflict lasting damage unless such a danger is prevented at the source, like by encrypting all sensitive communications between a website and its users, which is basically what HTTPS does.
 
Unfortunately, the savings are not very big :crybaby2:
Yeah, I can see why. The main traffic should be from attachments, but we only cached their thumbnails. But I'd console myself that the 4% reduction, together with the HTTPS support, was worth it, as we could do it free of charge.

There is a measure which we can try to reduce the size of attachments, as I mentioned earlier (i.e. auto-compressing them using WebP). But seeing that the previous effort resulted in a marginal improvement, I am a bit reluctant to propose it, since it will cost $2 this time.

In case you want to try it, please let me know. And thanks for letting us know the result! :)
 