What would it take for The Piazza to use HTTPS?

Discussion related to board management, suggestions for improvement, and formal announcements.
Post Reply
User avatar
Tim Baker
Axe Beak
Posts: 1970
Joined: Tue Jan 19, 2016 7:51 am
Gender: male
Location: United States
Contact:

What would it take for The Piazza to use HTTPS?

Post by Tim Baker » Fri Jan 04, 2019 1:15 am

A member of the G+ community is hesitant to join The Piazza because it doesn't use HTTPS. Is there any chance this can be easily enabled on the server(s)?

User avatar
Ashtagon
Hierarch
Posts: 3715
Joined: Thu May 22, 2008 5:45 pm
Gender: female
Location: Hillvale, Isle of Dawn
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Ashtagon » Fri Jan 04, 2019 3:18 pm

Will The Piazza go https?

Probably not in the immediate future. However, the way the web hosting industry is going, it probably will happen soonish. However, it's not really necessary for the kind of data we store.

Note that while the level of encryption used is not the highest commercially available (ie is not https), it is fit for purpose that it is being used. This is similar to the manner in which government documents have varying classifications from protected through to restricted, secret, and top secret.

Who Is in Charge of This Decision?

Not me!

What's the Worst That Can Happen?

In a worst-case scenario where the site gets utterly hacked, the following (required) information could be revealed, which would not under normal circumstances be public:

* Password used for this site.
* Email address used to register the account on this site.

The contents of the user profile is in all other aspects entirely voluntary, and may or may not contain personal information, as each user chooses to enter it and the data (or lack of it) is not verified. Aside from the two items noted above, most aspects of a user profile is visible to anyone with a registered account.

Note that posts in the boards themselves are generally visible to all people, regardless of whether or not they have an account. (Certain boards in the forum are locked so only specific users can read these; none of these are used for sensitive personal data.)

When the site was originally set up by me, getting a host with https was not considered important, as even in a worst-case scenario of the site being hacked utterly, basic common-sense precautions (i.e., different password for each site) would ensure that there was no risk of a hacker gaining access to important data. That has not changed.

What has changed is that modern web browsers have trained people to be more on-edge about security, by issuing a security warning for any and all sites that are not https, regardless of whether that site actually stores sensitive information (such as bank/medical records), and regardless of whether the site even asks visitors to register an account, and even regardless of whether the site stores a cookie on the visitor's computer. This is good and bad: good because too many people have a low awareness of protecting their data, but bad because it doesn't discriminate between sites that store sensitive information and sites that don't).

The reality of computer security as far as visiting websites is concerned is that https is only really needed if you expect to enter sensitive information on the site (information that can be used to uniquely identify you (ie your name or SSID), and/or medical/financial details). Since you can't buy anything here, and we don't try to use any kind of real-world ID to create a user account, https isn't actually necessary for safe browsing on this site.
Emma Rome, otherwise known as Ashtagon
Image
Overall site admin for The Piazza. My moderator colour is pink!

User avatar
Big Mac
Giant Space Hamster
Posts: 24358
Joined: Sun Jun 15, 2008 3:52 pm
Gender: male
Location: London UK
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Big Mac » Fri Jan 04, 2019 6:12 pm

Ashtagon wrote:
Fri Jan 04, 2019 3:18 pm
Will The Piazza go https?

Probably not in the immediate future. However, the way the web hosting industry is going, it probably will happen soonish. However, it's not really necessary for the kind of data we store.

Note that while the level of encryption used is not the highest commercially available (ie is not https), it is fit for purpose that it is being used. This is similar to the manner in which government documents have varying classifications from protected through to restricted, secret, and top secret.
I think the main problem with HTTP vs HTTPS is that browser providers are now outing websites that do not specifically use HTTPS with warnings that websites are dangerous.

At work, I have to log into a ton of internal services using HTTPS and constantly have "this website does not have a security certificate" warnings that I have to cancel.

I've even encountered a few websites that have been automatically blocked (without me having a chance to add my own certificate) so I can imagine that this eventually will spread as browsers upgrade.
Ashtagon wrote:
Fri Jan 04, 2019 3:18 pm
Who Is in Charge of This Decision?

Not me!
That would be me then.

SSL Certificates (required to stop HTTPS warnings) cost between £25-£125 UKP per annum (from our current hosting company) and phpBB would probably require some tweaks to switch over to the new URL.

But it's not quite as easy as throwing money at the problem and changing a couple of settings. We have a ton of internal links, and I'm not sure what would happen when people click HTTP links that are already on the forums. Worse case scenario, is that we would need to scan the entire database for HTTP links and edit them.

However, that doesn't mean it isn't something worth considering, at some point.
David "Big Mac" Shepheard
Please join The Piazza's Facebook group, The Piazza's Facebook page and follow The Piazza's Twitter feed so that you can stay in touch.
Spelljammer 3E Conversion Project - Spelljammer Wiki - The Spelljammer Image Group.
Moderator of the Spelljammer forum (and administrator). My moderator voice is green.

User avatar
Tim Baker
Axe Beak
Posts: 1970
Joined: Tue Jan 19, 2016 7:51 am
Gender: male
Location: United States
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Tim Baker » Sat Jan 05, 2019 5:03 am

Thanks for the quick responses. It's helpful to understand where things stand.
Big Mac wrote:
Fri Jan 04, 2019 6:12 pm
But it's not quite as easy as throwing money at the problem and changing a couple of settings. We have a ton of internal links, and I'm not sure what would happen when people click HTTP links that are already on the forums. Worse case scenario, is that we would need to scan the entire database for HTTP links and edit them.
This should probably be handled with an HTTP 301 response to any HTTP request. The redirect would point to the HTTPS version of the same URL. It should be something that your hosting provider can implement, as it's a standard way of handling this. You shouldn't need to change any links. Even more importantly, external links to pages on The Piazza would continue to work.

User avatar
Big Mac
Giant Space Hamster
Posts: 24358
Joined: Sun Jun 15, 2008 3:52 pm
Gender: male
Location: London UK
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Big Mac » Sun Jan 06, 2019 11:09 am

Tim Baker wrote:
Sat Jan 05, 2019 5:03 am
Thanks for the quick responses. It's helpful to understand where things stand.
Big Mac wrote:
Fri Jan 04, 2019 6:12 pm
But it's not quite as easy as throwing money at the problem and changing a couple of settings. We have a ton of internal links, and I'm not sure what would happen when people click HTTP links that are already on the forums. Worse case scenario, is that we would need to scan the entire database for HTTP links and edit them.
This should probably be handled with an HTTP 301 response to any HTTP request. The redirect would point to the HTTPS version of the same URL. It should be something that your hosting provider can implement, as it's a standard way of handling this. You shouldn't need to change any links. Even more importantly, external links to pages on The Piazza would continue to work.
Thanks! I'll look into that. :)
David "Big Mac" Shepheard
Please join The Piazza's Facebook group, The Piazza's Facebook page and follow The Piazza's Twitter feed so that you can stay in touch.
Spelljammer 3E Conversion Project - Spelljammer Wiki - The Spelljammer Image Group.
Moderator of the Spelljammer forum (and administrator). My moderator voice is green.

User avatar
Tim Baker
Axe Beak
Posts: 1970
Joined: Tue Jan 19, 2016 7:51 am
Gender: male
Location: United States
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Tim Baker » Sun Jan 06, 2019 10:40 pm

The discussion about HTTPS continues over on G+. This resource was a good read, so I'm sharing it in case it's valuable to anyone here. https://www.troyhunt.com/heres-why-your ... eds-https/

User avatar
Big Mac
Giant Space Hamster
Posts: 24358
Joined: Sun Jun 15, 2008 3:52 pm
Gender: male
Location: London UK
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Big Mac » Mon Jan 07, 2019 2:54 pm

Tim Baker wrote:
Sun Jan 06, 2019 10:40 pm
The discussion about HTTPS continues over on G+. This resource was a good read, so I'm sharing it in case it's valuable to anyone here. https://www.troyhunt.com/heres-why-your ... eds-https/
Thanks Tim.

I've added that to the private RFC discussion I'm having with the staff.

Of course The Piazza is not a static website, it's a dynamic one.

So it's not going to be a "five minute job" like Troy Hunt suggests is needed for a static site*. There are two other pre-existing things we are working on fixing behind the scenes (one with the forums and one with The Book House) and adding a security certificate will either involve paying more money for the hosting, or a partial or total move to another provider.

* = If it was a five minute job, with no cost impications or risk of stopping the forum working, it would already be done.
David "Big Mac" Shepheard
Please join The Piazza's Facebook group, The Piazza's Facebook page and follow The Piazza's Twitter feed so that you can stay in touch.
Spelljammer 3E Conversion Project - Spelljammer Wiki - The Spelljammer Image Group.
Moderator of the Spelljammer forum (and administrator). My moderator voice is green.

User avatar
Tim Baker
Axe Beak
Posts: 1970
Joined: Tue Jan 19, 2016 7:51 am
Gender: male
Location: United States
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Tim Baker » Mon Jan 07, 2019 11:18 pm

Big Mac wrote:
Mon Jan 07, 2019 2:54 pm
I've added that to the private RFC discussion I'm having with the staff.

Of course The Piazza is not a static website, it's a dynamic one.

So it's not going to be a "five minute job" like Troy Hunt suggests is needed for a static site.
Thanks for the update. I appreciate the transparency. I have a volunteer over on G+ who believe this should be easy, regardless of whether the site is static or dynamic. He says the example of a static site requiring HTTPS is intended to communicate how it's needed for all sites these days, and isn't intended to imply that dynamic sites are necessarily harder. There may very well be several valid reasons for why this truly is more difficult, but the distinction of dynamic vs. static alone shouldn't make a difference.

I'd be happy to make a connection between you two in private, if you'd like. He's interested in helping make this happen in order to entice more 13th Age community members make the jump to The Piazza.

User avatar
Big Mac
Giant Space Hamster
Posts: 24358
Joined: Sun Jun 15, 2008 3:52 pm
Gender: male
Location: London UK
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Big Mac » Fri Jan 11, 2019 1:33 am

Tim Baker wrote:
Mon Jan 07, 2019 11:18 pm
Big Mac wrote:
Mon Jan 07, 2019 2:54 pm
I've added that to the private RFC discussion I'm having with the staff.

Of course The Piazza is not a static website, it's a dynamic one.

So it's not going to be a "five minute job" like Troy Hunt suggests is needed for a static site.
Thanks for the update. I appreciate the transparency. I have a volunteer over on G+ who believe this should be easy, regardless of whether the site is static or dynamic. He says the example of a static site requiring HTTPS is intended to communicate how it's needed for all sites these days, and isn't intended to imply that dynamic sites are necessarily harder. There may very well be several valid reasons for why this truly is more difficult, but the distinction of dynamic vs. static alone shouldn't make a difference.

I'd be happy to make a connection between you two in private, if you'd like. He's interested in helping make this happen in order to entice more 13th Age community members make the jump to The Piazza.
I really appreciate the offer of help, but we literally do not have the time to do this right now.
David "Big Mac" Shepheard
Please join The Piazza's Facebook group, The Piazza's Facebook page and follow The Piazza's Twitter feed so that you can stay in touch.
Spelljammer 3E Conversion Project - Spelljammer Wiki - The Spelljammer Image Group.
Moderator of the Spelljammer forum (and administrator). My moderator voice is green.

User avatar
Giant Space Hamster
Initiate
Posts: 360
Joined: Tue Jun 07, 2011 8:55 pm
Gender: male
Location: London, UK
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Giant Space Hamster » Mon Jan 21, 2019 12:19 am

Big Mac wrote:
Fri Jan 11, 2019 1:33 am
Tim Baker wrote:
Mon Jan 07, 2019 11:18 pm
Big Mac wrote:
Mon Jan 07, 2019 2:54 pm
I've added that to the private RFC discussion I'm having with the staff.

Of course The Piazza is not a static website, it's a dynamic one.

So it's not going to be a "five minute job" like Troy Hunt suggests is needed for a static site.
Thanks for the update. I appreciate the transparency. I have a volunteer over on G+ who believe this should be easy, regardless of whether the site is static or dynamic. He says the example of a static site requiring HTTPS is intended to communicate how it's needed for all sites these days, and isn't intended to imply that dynamic sites are necessarily harder. There may very well be several valid reasons for why this truly is more difficult, but the distinction of dynamic vs. static alone shouldn't make a difference.

I'd be happy to make a connection between you two in private, if you'd like. He's interested in helping make this happen in order to entice more 13th Age community members make the jump to The Piazza.
I really appreciate the offer of help, but we literally do not have the time to do this right now.
Just so you know Tim, this is what everyone would see if we switch to HTTPS and don't get the security certificate right:
Screen Shot 2019-01-21 at 00.13.16.jpg
Your connection is not secure error
Screen Shot 2019-01-21 at 00.13.16.jpg (112.29 KiB) Viewed 962 times
So, when I say it's more than a 5 minute job, I mean that we have to make sure that nothing in phpBB or the Book-House is going to stop the migration and we have to pay for a certificate and be totally sure that it won't give anyone an error.

The video on the page you linked to shows a Man in the Middle attack that the advocate of "HTTPS on staticl websites" constructed* to prove a point. That's a theoretical risk (which we do want to get rid of) vs a certainty of the above error message if we don't actually buy a security certificate.

* = What he did was to create his own server in the middle of his browser and the website of the person he was attempting to debunk and then hack himself, while browsing to the blog of the person he was attempting to debunk. The risk is not zero, but would be dependent on the physical location of potential victims and attackers. A hypothetical MitM attacker would probably be targeting someone who was a browsing the Internet - not attacking individual websites.

But we are not giving up on this, as the people who make browsers are getting more agressive about forcing people to use HTTPS. And we will have to deal with people who have been told the website "needs to be fixed".
David "Big Mac" Shepheard
Please join The Piazza's Facebook group, The Piazza's Facebook page and The Piazza's Google + community and follow The Piazza's Twitter feed so that you can stay in touch.
This account is only used for forum administration. For general contact, please use my personal user account.
Administrator at The Piazza. My moderator voice is green.

User avatar
Tim Baker
Axe Beak
Posts: 1970
Joined: Tue Jan 19, 2016 7:51 am
Gender: male
Location: United States
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Tim Baker » Mon Jan 21, 2019 12:35 am

I appreciate the update. I know that you'd have to get the certificate side of things correct in order to properly support HTTPS. The good news is that you can always test it while still allowing HTTP traffic, and then make the switch to HTTPS after you've verified it.

Personally, I'm not too worried about it on this site, as I don't use this account's password anywhere else. I'd be disappointed if someone took over my account, but since I know you and others on the site, I suspect I could get in touch with an admin and have my password reset before too much harm was done. I think the worst case would be if someone deleted all of my posts, which I'd be really bummed about, but wouldn't ultimately impact my finances or something equally important.

However, it's come up twice now when I pointed G+ users to The Piazza. I'm not saying this to try to force anything to happen, but it's an interesting data point, even if it's anecdotal.

User avatar
JoeNotCharles
Ogre
Posts: 271
Joined: Thu Jun 05, 2008 8:29 pm
Gender: male
Location: Montréal, Québec

Re: What would it take for The Piazza to use HTTPS?

Post by JoeNotCharles » Tue Jan 22, 2019 12:52 pm

Big Mac wrote:
Fri Jan 04, 2019 6:12 pm
SSL Certificates (required to stop HTTPS warnings) cost between £25-£125 UKP per annum (from our current hosting company) and phpBB would probably require some tweaks to switch over to the new URL.
Certificates from letsencrypt.org are free.

User avatar
JoeNotCharles
Ogre
Posts: 271
Joined: Thu Jun 05, 2008 8:29 pm
Gender: male
Location: Montréal, Québec

Re: What would it take for The Piazza to use HTTPS?

Post by JoeNotCharles » Tue Jan 22, 2019 12:59 pm

Tim Baker wrote:
Sat Jan 05, 2019 5:03 am
Thanks for the quick responses. It's helpful to understand where things stand.
Big Mac wrote:
Fri Jan 04, 2019 6:12 pm
But it's not quite as easy as throwing money at the problem and changing a couple of settings. We have a ton of internal links, and I'm not sure what would happen when people click HTTP links that are already on the forums. Worse case scenario, is that we would need to scan the entire database for HTTP links and edit them.
This should probably be handled with an HTTP 301 response to any HTTP request. The redirect would point to the HTTPS version of the same URL. It should be something that your hosting provider can implement, as it's a standard way of handling this. You shouldn't need to change any links. Even more importantly, external links to pages on The Piazza would continue to work.
Another way is to uses HSTS: https://en.m.wikipedia.org/wiki/HTTP_St ... t_Security

Instead of treating HTTP and HTTPS differently you just add a single header to all responses. Any browser that's new enough to complain about HTTP being insecure will recognize that header and switch to HTTPS.

User avatar
JoeNotCharles
Ogre
Posts: 271
Joined: Thu Jun 05, 2008 8:29 pm
Gender: male
Location: Montréal, Québec

Re: What would it take for The Piazza to use HTTPS?

Post by JoeNotCharles » Tue Jan 22, 2019 1:27 pm

Giant Space Hamster wrote:
Mon Jan 21, 2019 12:19 am
Just so you know Tim, this is what everyone would see if we switch to HTTPS and don't get the security certificate right:
Screen Shot 2019-01-21 at 00.13.16.jpg

So, when I say it's more than a 5 minute job, I mean that we have to make sure that nothing in phpBB or the Book-House is going to stop the migration and we have to pay for a certificate and be totally sure that it won't give anyone an error.
For another example of what can go wrong, I'm getting that error at forum.rpg.net RIGHT NOW, with the error message being that the certificate expired yesterday. Somebody forgot to renew their certificate on time...

User avatar
Big Mac
Giant Space Hamster
Posts: 24358
Joined: Sun Jun 15, 2008 3:52 pm
Gender: male
Location: London UK
Contact:

Re: What would it take for The Piazza to use HTTPS?

Post by Big Mac » Thu Feb 14, 2019 12:03 pm

JoeNotCharles wrote:
Tue Jan 22, 2019 12:52 pm
Big Mac wrote:
Fri Jan 04, 2019 6:12 pm
SSL Certificates (required to stop HTTPS warnings) cost between £25-£125 UKP per annum (from our current hosting company) and phpBB would probably require some tweaks to switch over to the new URL.
Certificates from letsencrypt.org are free.
Thanks for that.

I'll have to confirm that we can use one of them with our hosting service (in case we are tied in with our contract) but that could really help.
JoeNotCharles wrote:
Tue Jan 22, 2019 12:59 pm
Tim Baker wrote:
Sat Jan 05, 2019 5:03 am
Thanks for the quick responses. It's helpful to understand where things stand.
Big Mac wrote:
Fri Jan 04, 2019 6:12 pm
But it's not quite as easy as throwing money at the problem and changing a couple of settings. We have a ton of internal links, and I'm not sure what would happen when people click HTTP links that are already on the forums. Worse case scenario, is that we would need to scan the entire database for HTTP links and edit them.
This should probably be handled with an HTTP 301 response to any HTTP request. The redirect would point to the HTTPS version of the same URL. It should be something that your hosting provider can implement, as it's a standard way of handling this. You shouldn't need to change any links. Even more importantly, external links to pages on The Piazza would continue to work.
Another way is to uses HSTS: https://en.m.wikipedia.org/wiki/HTTP_St ... t_Security

Instead of treating HTTP and HTTPS differently you just add a single header to all responses. Any browser that's new enough to complain about HTTP being insecure will recognize that header and switch to HTTPS.
That sounds good. I'm not sure how phpBB might react to a split of traffic coming in from both HTTP and HTTPS connections. And if people are going to crosspost links in topics, it might be confusing to have some of them as HTTP links and others as HTTPS links. But it's good to have options.

As for forgetting to renew a certificate, that's not quite as bad as forgetting to renew a URL and having it stolen by cybersquatters. :o

(But it is another admin thing to remember.)
David "Big Mac" Shepheard
Please join The Piazza's Facebook group, The Piazza's Facebook page and follow The Piazza's Twitter feed so that you can stay in touch.
Spelljammer 3E Conversion Project - Spelljammer Wiki - The Spelljammer Image Group.
Moderator of the Spelljammer forum (and administrator). My moderator voice is green.

Post Reply

Return to “The Kippin' Griffin”