Will you have SSL/HTTPS support?

(Anonymous) #1

Very disappointed that there is no SSL support here! Websites with any sort of login in 2013 should really be launching SSL-only, and using HSTS.

Whether I’m connecting via Tor, public wifi, my employer’s ethernet, or whatever, the network mustn’t be trusted!

Please fix this ASAP before someone adds Discourse support to Firesheep.

(Jeff Atwood) #2

It is definitely on our list. We just could not do it for launch. But I agree it is very important.

(Particularly if we want to host forums, as we do, eventually… http://www.discourse.org/buy/ )

(roomey) #3

Out of interest, if I create an account using an identity provider, such as facebook or google, is sensitive information sent in the plain?
I would think not, but have not checked.

(Jeff Atwood) #4

No, it is not. Login to the provider uses their https facilities. This topic is about Discourse itself using https to serve topics, user pages, topic lists, etc.

(Mikkel Høgh) #5

@codinghorror I see that Discourse now actually has a “use_ssl” option, but it’s not entirely clear what this option does. My site works fine via HTTPS regardless of what this option is set to.

However, Discourse should definitely add an option for secure cookies. As it is now, I get an insecure cookie when logging in via HTTPS. This means that any standard HTTP requests to the forum server will also include my session cookie. Thus, using HTTPS adds almost no protection against session hijacking.

Oh, and please don’t call it SSL

You probably know this, but the use_ssl option is actually a bit of a misnomer. If you use HTTPS with a modern web browser and server, you're not actually using SSL. You're using TLS (Transport Layer Security).

I know it's still called SSL in many places for legacy reasons (openssl, anyone?), but that is not technically correct. And HTTPS is a more precise term anyway. We're not using TLS/SSL for any old protocol. We're discussing whether to encrypt our HTTP connections or not.

So pretty please, with sugar on top, can we call it use_https instead? It would make us pedants sleep better at night :wink:

(Michael Brown) #6

We have just now changed meta.discourse.org to be SSL-only!

(Sam Saffron) #7

I completely agree with you there; it's just confusing.

For the record, HTTPS is 100% supported now; we are just cleaning up bits and pieces.

(Sam Saffron) #8

In further progress… @supermathie just enabled secure cookies and HSTS on meta.

HTTP cookie - Wikipedia

A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping. In addition to that, all cookies are subject to browser's same-origin policy.

We plan to roll this to the rest of our customers next week and will amend our official ssl template to account for it.
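The two changes discussed in #5 and #8 (the Secure attribute on the session cookie, and the Strict-Transport-Security header) are easy to get wrong in the same way: both must only be emitted on responses that actually arrived over HTTPS, since browsers reject a Secure cookie set over plain HTTP and ignore HSTS received over plain HTTP. The following is an added example written for this thread, not Discourse's own code or its ssl template: a minimal Rack-style middleware in plain Ruby that appends Secure and HttpOnly to every Set-Cookie the application emits and adds HSTS, but only for HTTPS requests. The env keys (`rack.url_scheme`, `HTTP_X_FORWARDED_PROTO`), the one-year max-age, the cookie name `_forum_session` and the demo application are assumptions made for the example.

```ruby
# Added example (not Discourse code): a Rack-style middleware that hardens
# session cookies and adds HSTS, but only on responses served over HTTPS.
# Plain Ruby only, so it runs without the rack gem; the env/header shapes
# follow the Rack convention (assumption for this example).
class SecureTransport
  # One year, including subdomains; the value is an assumption for the example.
  HSTS = 'max-age=31536000; includeSubDomains'

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if https?(env)
      # HSTS is only meaningful (and only honoured by browsers) over HTTPS.
      headers['Strict-Transport-Security'] ||= HSTS
      # A cookie marked Secure that is set over plain HTTP would be discarded
      # by the browser, so the attribute is only added on HTTPS responses.
      headers['Set-Cookie'] = harden_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    end
    [status, headers, body]
  end

  # Behind a TLS-terminating proxy the app sees the scheme only through
  # X-Forwarded-Proto, so both the Rack scheme and that header are checked.
  # Trusting X-Forwarded-Proto is only safe when the proxy overwrites it.
  def https?(env)
    return true if env['rack.url_scheme'] == 'https'
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    forwarded == 'https'
  end

  # Rack joins multiple Set-Cookie values with "\n"; harden each one.
  def harden_cookies(value)
    value.split("\n").map { |cookie| harden_cookie(cookie) }.join("\n")
  end

  # Append Secure (never sent over plain HTTP) and HttpOnly (not readable
  # from script) unless the application already set them.
  def harden_cookie(cookie)
    attrs = cookie.split(';').map(&:strip)
    names = attrs.map(&:downcase)
    attrs << 'Secure'   unless names.include?('secure')
    attrs << 'HttpOnly' unless names.include?('httponly')
    attrs.join('; ')
  end
end

# Constructed demo application: it sets a session cookie with no Secure
# attribute at all, which is exactly the situation described in post #5.
LEAKY_APP = lambda do |_env|
  [200, { 'Set-Cookie' => '_forum_session=abc123; Path=/' }, ['ok']]
end

# Run one constructed request through the middleware for the given scheme
# and return the [status, headers, body] triple.
def respond(scheme)
  env = { 'rack.url_scheme' => scheme, 'PATH_INFO' => '/' }
  SecureTransport.new(LEAKY_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  %w[https http].each do |scheme|
    _status, headers, _body = respond(scheme)
    puts "#{scheme}: Set-Cookie=#{headers['Set-Cookie'].inspect} " \
         "HSTS=#{headers['Strict-Transport-Security'].inspect}"
  end
end
```

Over HTTPS the session cookie comes back as `_forum_session=abc123; Path=/; Secure; HttpOnly` with an HSTS header; over plain HTTP the response is left untouched, since adding either there would be rejected by the browser anyway. Once the browser has seen the HSTS header it rewrites later http:// navigations to https:// itself, which is what produces the hard failure behind a captive portal mentioned further down in this thread.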

(blaumeer) #9

This is great news. I configured ssl-only easily and it works very well. Please notify when you update the ssl template.

(Michael Brown) #10

In case anyone wonders what an HSTS failure looks like, it looks like:

(In this instance, I was behind a captive portal at a customer site.)

(Jeff Atwood) #11