Announcement

Collapse
No announcement yet.

vBulletin 4.2.3 and HTTPS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mark.B
    replied
    Originally posted by jagtpf View Post
    Looks like I only get the orange padlock on the main page .

    could it be the <html xmlns="http://www.w3.org/1999/xhtml" statement ???
    I'm not seeing any SSL issues with the site in your license.

    Leave a comment:


  • jagtpf
    replied
    Looks like I only get the orange padlock on the main page .

    could it be the <html xmlns="http://www.w3.org/1999/xhtml" statement ???

    Leave a comment:


  • jagtpf
    replied
    I have found that favicon and titleimage were saving through the default style , but not transferring that change through to the styles we use . Altering image paths manually and saving means that " why no padlock " now marks the Forum as secure - AND YET I still have an orange padlock :chinscratch:

    Leave a comment:


  • jagtpf
    replied
    Originally posted by Carsafety View Post
    I am testing the switch to https today. So far, it is working for the most part. Here's what I did:

    1) Had host install standard ssl cert. Confirmed with checker: https://www.sslshopper.com/ssl-checker.html . If you run caching like varnish or nginx, this may not be straightforward which is why I had my host do it.

    2) Full backup

    3) Closed forum

    4) Changed forum and homepage URL to https in settings->options->Site Name/URL/Contact

    5) Checked settings->options->all setttings to change any other references to http: and changed to https

    6) Checked any ads, templates or blocks I customized for http: references and changed to https . I had some older versions of advertising code snippets I had to update, and it seems if you use a waterfall for ads, you need to check all those too. Also, if you use doubleclick to serve ads, one tricky thing is that if you have used a third party impression URL for tracking purposes, this can apparently cause issues if it is an http: URL. I also had various other references to http: that would have been resolved with a redirect, but I wanted to find and replace them first.

    7) Rebuilt all styles in maintenance->tools

    8) Tested website and used view page source and locate additional insecure resources where possible.

    9) Opened forum

    10) Once I had changed as many http: resources to https: that I could fix easily, I had host implement redirect code to https in .htaccess


    I'm still looking into an image caching plugin for external BB Code image calls (update: I've since installed this mod: http://www.vbulletin.org/forum/showthread.php?t=288060 )

    Also, it appears that there might be some http conflicts with the vbulletin editor and with a skimlinks script that I have not been able to resolve as they appear to be hard coded and I have no easy way to fix it.

    So, at the moment, I get the green padlock sometimes. Other times I get mixed content and it's not always clear why, even on pages without external image calls, though it could be related to the editor and skimlinks js script I'm not sure. Any advice appreciated.


    I've followed most of this through - though I swopped 2 & 3 around .

    I wasn't sure about 7 , couldn't be sure about the 'warning' - so did a manual search through the styles etc to discover instances of http: - found favicon & titleimage and changed both of those and some hard-wired references in FAQs .

    Forum and admincp open ok , but Forum has a warning that some image urls are still http and yet I can't find where these are - plus favicon & titleimage are flagged as incorrect even though the urls are correctly pointed . 29 items ( 21 insecure ) flagged by "why no padlock" .

    Any suggestions would be appreciated - otherwise everything seems to have run smoothly .

    Thanks for those who have helped ....

    Leave a comment:


  • Carsafety
    replied
    Originally posted by Paul M View Post
    What do you mean by "when vBulletin .... could not". There is no bug report for this in Jira, so who exactly could not ?
    Anyone who has viewed this thread, which presumably includes anyone who gets notifications or is responsible to monitor the support/troubleshooting forums. I'd have sent in a ticket to vBulletin if I didn't figure it out for myself, or if my followup to Skimlinks didn't include the fix. I understand it's probably not a direct responsibility of anyone at vBulletin, given that 4.x is not a current product, but you know, that's why you go to the official troubleshooting forum first. That gives support and other experts a chance to resolve issues where others can see the solution, providing positive customer experience and avoiding additional tickets for the same issue.

    Anyway, I should have phrased that differently in retrospect. No harm intended- please have a happy Thanksgiving!

    Leave a comment:


  • Paul M
    commented on 's reply
    What do you mean by "when vBulletin .... could not". There is no bug report for this in Jira, so who exactly could not ?

  • Carsafety
    commented on 's reply
    Updated: I found a fix to the skimlinks script mixed content warning issue. It took a lot of investigation for someone with minimal coding experience, but necessary when vBulletin support forum experts and Skimlinks could not provide a solution. Basically I found the offending script call through SSL check websites and in view page source. I then used keywords from that to search but I didn't get positive results in any template, language phrase or vB file contents. I finally got a clue looking at vB skimlinks plugin code that led me to a file that somehow didn't register on my file contents searches: /packages/skimlinks/hooks/showthread_complete.php

    The very last line is the call to the script. Simply remove http: from the line such that it appears like src="//s.skimresources.com/js/blahblahblah"

    This matches the format I found on this page at skimlinks: http://support.skimlinks.com/hc/en-u...ing-Javascript . Oddly enough, a page created by the same tech support representative that gave me a generic response previously. They later responded that they had resolved the issue with no further explanation. Maybe they can do something on their server to resolve mixed content script calls?

    I hope this helps someone else trying to resolve SSL/https issues. Most of my pages validate now, but there are still some that will sometimes check and sometimes not. I think the editor is an issue and I have no hope of resolving that one like with the skimlinks issue. I guess I'm content that it works a good majority of the time at this point.
    Last edited by Carsafety; Thu 24th Nov '16, 7:17am.

  • Carsafety
    replied
    Originally posted by Carsafety View Post
    Do you happen to have any idea about how to change http://s.skimresources.com/js/XXXXXXXXXXXX.skimlinks.js to https? I've searched templates, phrases and elsewhere but not success yet. I also put in a support ticket at Skimlinks. This is the last culprit I have been able to find with the IE or Chrome insecure element viewer, other than external images of course.
    After escalating my inquiry, Skimlinks support gave me a generic response:-( It doesn't cause a mixed content warning or broken padlock problem on most pages, even though the call appears in the footer of the page source code. I'm not sure if it is the cause of a broken lock on some pages that still generate issues, but it does raise a flag on some SSL checker utilities. Even so, if anyone knows the file, template or location of this call and if a simple change to https would resolve it, I'd appreciate it.

    I have resolved most of the mixed content warnings due to external images using this mod: http://www.vbulletin.org/forum/showthread.php?t=288060

    Thank you for taking the time to get in touch.

    Just to let you know we are currently experiencing this issue across several sites. Our engineering team are currently working on a fix,
    unfortunately I am unable to provide you with an exact time frame on when this issue will be fixed.

    I will contact you once I have received an update from our engineering team.

    Please don't hesitate to contact us if you have any questions.

    Kind regards,

    Imdad
    Skimlinks Support Team

    Last edited by Carsafety; Tue 22nd Nov '16, 10:08am.

    Leave a comment:


  • jagtpf
    replied
    Thanks - It looks like HTTPS is now on a definite swing Apple requires sites linked via apps to be HTTPS - from 2017 . ( Tapatalk informed ) .

    I shall have to make more definite moves towards implementing the change .

    Perhaps Admin , given the advice / experience by carsafety , the information to become a sticky ?

    Leave a comment:


  • Carsafety
    replied
    Originally posted by Mark.B View Post
    Here's another...related to stylesheets:

    Mixed Content: The page at 'https://www.<redacted>.org/forumdisplay.php?2-CAR-SEATS-General-Child-Safety-Seat-Questions-Help-and-Advice' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.<redacted>.org/'. This request has been blocked; the content must be served over HTTPS.

    It isn't giving me the full stylesheet URL, if it's a default one, try switching 'Store CSS Stylesheets as Files?' to 'No' for now.
    Thank you, I've made this change. Is there any advantage or disadvantage to having them stored as files?

    Originally posted by Mark.B View Post
    Carsafety On your home page I see this:

    Mixed Content: The page at 'https://www.&lt;redacted&gt;.org/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.&lt;redacted&gt;org/clek728a.jpg'. This content should also be served over HTTPS.

    I have replaced your actual domain with &lt;redacted&gt; for privacy reasons.

    That looks like an image that's being served directly from your server, so it's important to locate the code that generates that and change it to https.

    I'm sure there will be other examples, that's just one I found from a quick glance.
    Thanks for catching that. It's served in an ad waterfall that I missed, so it didn't appear for me when I was looking for insecure resources.

    Do you happen to have any idea about how to change http://s.skimresources.com/js/XXXXXXXXXXXX.skimlinks.js to https? I've searched templates, phrases and elsewhere but not success yet. I also put in a support ticket at Skimlinks. This is the last culprit I have been able to find with the IE or Chrome insecure element viewer, other than external images of course.

    Thanks again for the tips and for checking the site!

    Leave a comment:


  • Mark.B
    replied
    Here's another...related to stylesheets:

    Mixed Content: The page at 'https://www.<redacted>.org/forumdisplay.php?2-CAR-SEATS-General-Child-Safety-Seat-Questions-Help-and-Advice' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.<redacted>.org/'. This request has been blocked; the content must be served over HTTPS.

    It isn't giving me the full stylesheet URL, if it's a default one, try switching 'Store CSS Stylesheets as Files?' to 'No' for now.

    Leave a comment:


  • Mark.B
    replied
    Carsafety On your home page I see this:

    Mixed Content: The page at 'https://www.<redacted>.org/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.<redacted>org/clek728a.jpg'. This content should also be served over HTTPS.

    I have replaced your actual domain with <redacted> for privacy reasons.

    That looks like an image that's being served directly from your server, so it's important to locate the code that generates that and change it to https.

    I'm sure there will be other examples, that's just one I found from a quick glance.

    Leave a comment:


  • Carsafety
    replied
    I am testing the switch to https today. So far, it is working for the most part. Here's what I did:

    1) Had host install standard ssl cert. Confirmed with checker: https://www.sslshopper.com/ssl-checker.html . If you run caching like varnish or nginx, this may not be straightforward which is why I had my host do it.

    2) Full backup

    3) Closed forum

    4) Changed forum and homepage URL to https in settings->options->Site Name/URL/Contact

    5) Checked settings->options->all setttings to change any other references to http: and changed to https

    6) Checked any ads, templates or blocks I customized for http: references and changed to https . I had some older versions of advertising code snippets I had to update, and it seems if you use a waterfall for ads, you need to check all those too. Also, if you use doubleclick to serve ads, one tricky thing is that if you have used a third party impression URL for tracking purposes, this can apparently cause issues if it is an http: URL. I also had various other references to http: that would have been resolved with a redirect, but I wanted to find and replace them first.

    7) Rebuilt all styles in maintenance->tools

    8) Tested website and used view page source and locate additional insecure resources where possible.

    9) Opened forum

    10) Once I had changed as many http: resources to https: that I could fix easily, I had host implement redirect code to https in .htaccess


    I'm still looking into an image caching plugin for external BB Code image calls (update: I've since installed this mod: http://www.vbulletin.org/forum/showthread.php?t=288060 )

    Also, it appears that there might be some http conflicts with the vbulletin editor and with a skimlinks script that I have not been able to resolve as they appear to be hard coded and I have no easy way to fix it.

    So, at the moment, I get the green padlock sometimes. Other times I get mixed content and it's not always clear why, even on pages without external image calls, though it could be related to the editor and skimlinks js script I'm not sure. Any advice appreciated.
    Last edited by Carsafety; Mon 21st Nov '16, 1:09pm.

    Leave a comment:


  • jagtpf
    replied
    I too could not care abut what google may or may not do as far as Forum rankings are concerned . And https doesn't make a Forum / or website any more secure ( Ask Tesco Bank ! in UK ) , it only affects the traffic between Members and the server holding the Forum . But a Member has asked and I felt bound in some ways to investigate ; like Paul I personally remain sceptical about the benefit it may bring to a Forum like ours - the only financial aspect of which is Paid Subscriptions via PayPal .

    Leave a comment:


  • Carsafety
    replied
    Originally posted by Paul M View Post
    I was responding to the comment on it being "safer".
    Despite what they may think, Google do not actually rule the internet, not everyone cares that much about google 'signals'.
    For your average forum, using https isnt going to make a lot of difference to how safe it is - it can still be attacked, ddos'd, spammed or hacked, just the same.
    True- honestly if someone did intercept traffic and steal someone's login info, they aren't going to get much of value by hacking their account on my forum;-) But I doubt Google will understand that if they insist on docking sites because they have public logins:-(

    Maybe my forum is an exception, but I do get considerable traffic from Google search. It's a big deal if https eventually becomes a big ranking signal, just as having a mobile style or responsive style was when that became a major signal. If you don't comply, you drop off 1st page results and no one finds you.

    Leave a comment:

Related Topics

Collapse

Working...
X