SSL and external images

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.2/Rhea followed by 3.3.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.1. If you need support for phpBB 3.1 please visit the 3.1.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
User avatar
Ger
Registered User
Posts: 270
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100
Contact:

SSL and external images

Post by Ger » Wed Feb 01, 2017 11:06 am

The web is finally moving more and more towards HTTPS. This is a good thing, but also comes with challenges. For forums, one of them is the img-BBcode. While you have a perfectly nice HTTPS setup for board, a user might embed an image (or avatar/video/etc) that's not served over HTTPS. Dang, there's the mixed content warning.

A good part might be resolved by simply forcing the HTTP images to load over HTTPS, however a significant part of embedded images won't be available over HTTPS. One can argue to simply deny those images when SSL is enabled, but for existing boards with dozens (or thousands) of old posts with embedded images that won't be a good solution either.

I think it would be a good thing for phpBB to provide a camo proxy for those images. I think the route should be something like:

Code: Select all

$protocol = strstr($image_url, '://', true);
$remain = str_replace($protocol, '', $image_url);
if ($protocol != 'https') 
{
	if (url_exists('https' . $remain))
	{
		return 'https' . $remain;
	}
	else
	{
		return camo($image_url);
	}
}
else
{
	return $image_url;
}
I think more and more forums will want to move to HTTPS, especially now Chrome and Firefox are displaying warnings on login pages that are served over HTTP. When they have moved, many board owners are going to see the mixed content warnings, and are going to ask for support on how to prevent this.

In before "create an extension" :P
I think that since SSL is going to be the standard way to serve any website that has some kind of login or private section. Therefore this really should be included in the core.
Above message may contain errors in grammar, spelling or wrongly chosen words. This is because I'm not a native speaker. My apologies in advance.

User avatar
paulus
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 361
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: SSL and external images

Post by paulus » Wed Feb 01, 2017 12:29 pm

There is already a extension for this: https://github.com/phpbb-extensions/camosslimageproxy
Image

User avatar
Ger
Registered User
Posts: 270
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100
Contact:

Re: SSL and external images

Post by Ger » Wed Feb 01, 2017 2:03 pm

Well, you might start by introducing that in the extensions database instead of only at Github. ;)

But still, as modern browsers "soft-require" SSL for phpBB by showing a warning when it's not enabled, I think that this is something that should be in the core. 2 years ago it wasn't such a biggy, but I predict many support topics about this issue in the coming years if this isn't available.
Above message may contain errors in grammar, spelling or wrongly chosen words. This is because I'm not a native speaker. My apologies in advance.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: SSL and external images

Post by DavidIQ » Wed Feb 01, 2017 5:27 pm

Ger wrote:
Wed Feb 01, 2017 2:03 pm
Well, you might start by introducing that in the extensions database instead of only at Github. ;)
It's not an official extension as of yet ;) At some point this will probably change but, for now anyways, it remains in an unofficial form. Extension will be the way to go for the foreseeable future. Even though there are websites going SSL that is rarely the case for most personal sites especially those that are using phpBB. I seriously doubt this will be changing much if automatically renewing full certs remain as costly as they are now with or without this new "feature" some browsers are implementing.

One of two things are likely going to happen: 1. Browsers will have to abandon pursuit of this "feature" because it will annoy most users and site owners or 2. Auto-renewing full SSL certs will drop so much in price that it will be affordable for every site owner, which is doubtful. I don't think Chrome and FireFox are going to strong arm the entire internet to go SSL.
Image

User avatar
Louis7777
Registered User
Posts: 378
Joined: Fri Apr 04, 2014 12:32 am

Re: SSL and external images

Post by Louis7777 » Thu Feb 02, 2017 12:26 am

DavidIQ wrote:
Wed Feb 01, 2017 5:27 pm
Auto-renewing full SSL certs will drop so much in price that it will be affordable for every site owner, which is doubtful. I don't think Chrome and FireFox are going to strong arm the entire internet to go SSL.
Let's Encrypt. Free.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: SSL and external images

Post by DavidIQ » Thu Feb 02, 2017 12:37 am

Louis7777 wrote:
Thu Feb 02, 2017 12:26 am
Let's Encrypt. Free.
Yes I know about these types of services, which is why I said auto-renewing (or maybe a different word was needed). If the hosting provider doesn't support Let's Encrypt there's a lot of leg work and setup required by the site owner who will then look at the hosting provider offerings and move on when they see that a managed SSL certificate will cost them more than their hosting. Even if one has a dedicated server they will need to know how to manually install it through shell.

The Windows automated activation system for instance was a huge deal for lots of people and many failed at that so I can imagine something like this is going to be even more cumbersome to set up for those types of people. Black and white/green screens scare people. Heck even FTP is too complex of a concept for some people.

Don't get me wrong I think SSL is obviously a good thing for the Internet but to declare that the Internet is going to go entirely SSL because a couple of browsers are being overly ambitious is a little bit exaggerated.
Image

User avatar
Ger
Registered User
Posts: 270
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100
Contact:

Re: SSL and external images

Post by Ger » Thu Feb 02, 2017 7:59 am

DavidIQ wrote:
Thu Feb 02, 2017 12:37 am
to declare that the Internet is going to go entirely SSL because a couple of browsers are being overly ambitious is a little bit exaggerated.
That "couple of browsers" cover 60% of the market share. And when Chrome does stuff like this, others will probably follow.

And of course the entire internet won't go SSL. Not not and not within 10 years.
However: you can't deny this trend: from ± 3% to almost 10% in a years time for the top 1 million websites. Now I cannot predict the future, but this rate will grow. By how much: I don't know. But since the graph linked to is made, there is already a growth from 9.6% to 10.8%. By the time 3.3 is done (2018 I guess) this rate will probably reach ± 15%. If phpBB doesn't provide for this, when will it be provided? 3.4 maybe? That'll only be due in 2019 at best, by then probably 20% - 30% will use SSL.

Of course, I know, this is only my projection. But just following the current trend it is what we're looking at.
Above message may contain errors in grammar, spelling or wrongly chosen words. This is because I'm not a native speaker. My apologies in advance.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: SSL and external images

Post by DavidIQ » Thu Feb 02, 2017 11:49 am

We are already providing for it since 3.1 ;) Eventually the camo extension will become an official one unless the developers decide to integrate it into the core.
Image

Seibertron
Registered User
Posts: 1
Joined: Fri Feb 03, 2017 4:00 pm

Re: SSL and external images

Post by Seibertron » Fri Feb 03, 2017 4:04 pm

Ger wrote:
Thu Feb 02, 2017 7:59 am
DavidIQ wrote:
Thu Feb 02, 2017 12:37 am
to declare that the Internet is going to go entirely SSL because a couple of browsers are being overly ambitious is a little bit exaggerated.
That "couple of browsers" cover 60% of the market share. And when Chrome does stuff like this, others will probably follow.

And of course the entire internet won't go SSL. Not not and not within 10 years.
However: you can't deny this trend: from ± 3% to almost 10% in a years time for the top 1 million websites. Now I cannot predict the future, but this rate will grow. By how much: I don't know. But since the graph linked to is made, there is already a growth from 9.6% to 10.8%. By the time 3.3 is done (2018 I guess) this rate will probably reach ± 15%. If phpBB doesn't provide for this, when will it be provided? 3.4 maybe? That'll only be due in 2019 at best, by then probably 20% - 30% will use SSL.

Of course, I know, this is only my projection. But just following the current trend it is what we're looking at.
Just throwing my 2 cents in ... I just converted my website with a large phpBB forum to entirely SSL yesterday. This topic was pointed out to me by someone on the main phpbb.com website because I'm trying to figure out how to resolve non-SSL images that users are posting on the forums. I am on phpBB 3.0.14 and have not upgraded to 3.1 yet because my website is in the middle of a redesign. Hopefully the folks behind phpBB will implement this feature, along with other features like auto-embedding YouTube videos by posting a YouTube url, sometime soon in 2017.

*link removed*
Last edited by DavidIQ on Fri Feb 03, 2017 4:32 pm, edited 1 time in total.
Reason: Removed unnecessary promo link

User avatar
Barrnet
Registered User
Posts: 10
Joined: Tue Feb 05, 2013 3:04 am

Re: SSL and external images

Post by Barrnet » Sat Feb 04, 2017 10:20 am

Forma my forum, i made a script who serve an image, linked by a get value, via gdiimages's library. For that "mod", i simply edited my bbcode.HTML template file.
Example: https://videogamezone.eu/imagewrapper.p ... hewild.jpg

P.s. sorry for bad english, but is not my native language and i writed with my phone and my touchscreen keyboard correct all word in italian lol

Post Reply