HTTPS on getkirby.com


#1

It’s sad you do not support HTTPS on getkirby.com, especially at forum.getkirby.com, as passwords are sent in plain text in this forum.
There are some CAs which provide free certificates (e.g. StartSSL), so you can just get a cert from there. Or wait until [Let’s Encrypt](http://letsencrypt.org/) launches in November 2015.

So what do you think about adding HTTPS here?


#2

The Kirby Forum is hosted at Discourse. As far as I can tell, they charge 20 USD extra for SSL (sic!, I hope they support TLS ;)).

I also think that HTTPS is vital for any kind of website (TLS all the things), especially for the forum or generally sites with user data. I don’t know how easy it is to implement TLS on the forum though (whether the cert is already included or not), so I invited Bastian to this topic.

PS: StartSSL is not actually free for this purpose, as the free certs may not be used on commercial sites.


#3

Oh, that of course makes it more complicated. (however getkirby.com could at least use HTTPS)

You’ll see it afterwards: $25 for TLS 1.0 support, $30 TLS 1.1 and $40 TLS 1.2 :wink:

Yes :+1:
That’s why I’m asking. :smile:

Really? In their FAQ they say this:

In the Class 1 settings (free), the only possible relationship between
StartCom and the subscriber is with individuals, i.e. natural persons.
StartCom has no relationship with the organization a subscriber may
represents and acknowledges only the subscriber. All responsibilities
according to the StartCom CA Policy are that of the subscriber
personally, even in case he/she decides to obtain certification as an
employee or representative of an organization.

So as I read this, it just means that - even if you are part of an organisation - the cert is still only given to you personally. I think this part is more a contract thing.
Of course they recommend their nice certificates so you can see (if you look veery closely ;)) the organisation name:

Organizations should perform Class 2 validation and an organization name
may only appear in a digital certificate at Class 2 level and higher.

And of course also WoSign would be possible.


#4

Definitely true. Both should, but Bastian needs to decide that.

Haha. :smiley:

It’s both. Their CA policy (see 3.1.2.1) states that:

Class 1 certificates are limited to client and server certificates, whereas the later is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc.

You could argue that it only matters if you actually use the site to sell stuff (that’s why I know this policy exists, because I was in this exact situation and they didn’t give me a certificate), but “of commercial nature” is quite broad.


#5

Okay, this sounds different. Whether this forum is commercial - well… as it’s a legal term you can never be sure. However, as I see it, in this forum there is nothing sold and there is also no advertisement - so probably it’s non-commercial.


#6

Tadaaaaaaa:

:tada:

It took a while, but it’s finally there. I will take care to get the same running for getkirby.com as soon as possible


#7

Awesome! I think you should also enforce HTTPS, because unencrypted access is still the default.


#8

I thought it already was. I’m getting redirected in every browser here. Could you check again?


#9

If I go to http://forum.getkirby.com in RESTed and disable “Follow Redirects”, the result is HTTP 200 and an HTML page.


#10

I don’t know what “RESTed” is, but actually HTTPS is enforced by the HSTS header, so http://forum.getkirby.com will only be accessed once over HTTP. Afterwards all major browsers respect the HSTS header and only allow HTTPS connections.
@bastianallgeier BTW, if all subdomains of getkirby.com (can) use HTTPS, you can also add the “includeSubdomains” directive.


#11

RESTed is a GUI HTTP client.

The Strict-Transport-Security header is only set for HTTPS requests, so it won’t work if the user accesses the site via HTTP in the first place. Only a redirection to HTTPS will fix this.
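
The point made in the last two posts (a browser only learns HSTS from a response received over HTTPS, so a plain-HTTP request must be answered with a redirect to https://, and the HTTPS response should carry Strict-Transport-Security, optionally with includeSubDomains) can be turned into a small offline check. The code below is an added example, not part of the forum thread or of Discourse; the `Response` objects and the two scenarios (the state the thread reports, then a corrected configuration) are constructed sample data, and the hostname is only used inside a sample Location header.

```python
"""Check whether an origin actually enforces HTTPS (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so compare lower-cased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_https_enforcement(http_resp: Response, https_resp: Response) -> dict:
    """Evaluate the plain-HTTP and the HTTPS response of the same origin."""
    findings = {"http_redirects_to_https": False, "hsts_present": False,
                "include_subdomains": False, "problems": []}

    # 1) The plain-HTTP response must be a redirect to an https:// URL;
    #    otherwise a first-time visitor stays on HTTP and never sees HSTS.
    location = http_resp.header("Location") or ""
    if http_resp.status in (301, 302, 307, 308) and urlparse(location).scheme == "https":
        findings["http_redirects_to_https"] = True
    else:
        findings["problems"].append(
            "http:// request answered with %d and no https:// Location" % http_resp.status)

    # An HSTS header on an insecure response is ignored by browsers (RFC 6797).
    if http_resp.header("Strict-Transport-Security"):
        findings["problems"].append(
            "Strict-Transport-Security sent over plain HTTP is ignored by browsers")

    # 2) The HTTPS response should carry HSTS with a positive max-age.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings["problems"].append("no Strict-Transport-Security header on the HTTPS response")
    else:
        directives = parse_hsts(hsts)
        if directives["max_age"] is not None and directives["max_age"] > 0:
            findings["hsts_present"] = True
        else:
            findings["problems"].append("Strict-Transport-Security has no positive max-age")
        findings["include_subdomains"] = directives["include_subdomains"]
    return findings


# Constructed sample responses (not captured from any real server).
REPORTED_STATE = (
    Response(200, {"Content-Type": "text/html"}),                   # http:// -> 200, no redirect
    Response(200, {"Strict-Transport-Security": "max-age=31536000"}),
)
CORRECTED_STATE = (
    Response(301, {"Location": "https://forum.getkirby.com/"}),
    Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
)


def demo() -> tuple:
    """Run the check on both constructed scenarios and return the findings."""
    return (check_https_enforcement(*REPORTED_STATE),
            check_https_enforcement(*CORRECTED_STATE))


if __name__ == "__main__":
    for label, result in zip(("reported", "corrected"), demo()):
        print(label, result)
```

Running it shows the reported state with HSTS present but `http_redirects_to_https` false and one problem listed, and the corrected state with the redirect, HSTS and includeSubDomains all in place. Against a live site the same two `Response` objects would be filled from one request over http:// with redirects disabled and one over https://.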


#12

Ah okay this client does not save this header of course.
But as I visited this topic I got redirected, so I think the redirections are okay.

But if you

then it can’t redirect of course. :smile:


#13

Well, I’m still on HTTP. Without the s. Logging out and in again didn’t help.
There is a setting in the admin panel to force HTTPS. Is that turned on?


#14

This setting only means that it doesn’t automatically redirect. But as I said, the response for the Forum homepage without TLS is HTTP 200 and an HTML page, so no redirect, even if I enabled it.


#15

I was also still on http until I entered https manually … but if I clear the cache and enter http again, it does not redirect me to https.


#16

It’s indeed not forced yet by default. I just contacted the Discourse guys to change this.


#17

It is forced by default now… btw I noticed login with Google is broken here, can you fix it up per: https://meta.discourse.org/t/configuring-google-oauth2-login-for-discourse/15858


#18

Yes, I can confirm that, the error is a “redirect_uri_mismatch”.


#19

That’s weird! I already fixed that yesterday. I will check again.


#20

BTW, I still don’t see an automatic redirect from http to https …