HTTPS / SSL *urgent*

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

HTTPS / SSL *urgent*

jmnscj
I love this forum and dont want to leave Nabble but I need SSL/HTTPS on my domain. How do I get nabble to work properly this way?

It must all be HTTPS so that the padlock is green and trusted.

Regards
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL *urgent*

Hugo <Nabble>
Administrator
We don't have an easy solution for this problem. We would have to install a certificate on our end and this isn't simple because each Nabble forum has its own domain name. We won't support this in the near future. May I ask you why you need this?
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL *urgent*

jmnscj
That is a great shame, I think I will have to migrate in that case. People feel far more comfortable with a little padlock in the corner showing HTTPS, in addition it looks more professional and so if it is a forum for a business it adds a higher implied level of professionalism for that company in comparison to those without SSL.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL & the future of Nabble

Coleen_Astalos
In reply to this post by Hugo <Nabble>
Hugo,
I would like Nabble to revisit adding SSL/https support - even if it's something like paying Nabble to install a security certificate that we have purchased elsewhere.

As you are aware, Firefox has recently updated their browser to warn users when they click on the password field that they're logging into a site that is insecure.   The future of the web is that more and more browsers are adding these warnings and may eventually not even serve pages at all that are not secure.

Quote from https://www.thesslstore.com/blog/firefox-chrome-warning-about-insecure-login-pages/
For any sites out there still using HTTP, make sure a migration to HTTPS is in your immediate plans. The encrypted web is coming, and the warnings are only going to get more severe. In fact, a Google engineer recently wrote “eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.”
You asked, why a secure site is needed for a forum without sensitive data?  This is why...  I run a membership site of which my Nabble forum is a portion of.  I need to have a secure site to process payments for those memberships.  My site is a WordPress site and while my payment pages are secure and payment data is stored on a secure site, with the recent changes (warnings) to Firefox, my members are asking about whether it's safe to login to my site.  I know it is, I know that payment & personal information is stored offsite, but they don't.  Being able to secure my site with SSL gives my members the sense of security (and even more so professionalism) that they expect.

The discussion regarding SSL and the recent change of Nabble to remove all ads has me wondering about the future of Nabble.  For a service to remain successful, there needs to be a revenue stream.  So how is Nabble recouping the loss of advertising revenue to remain a viable service?

I like (ahem - Love?) Nabble, it provides me with features that I've been unable to find elsewhere (specifically - full post content delivered via email and the ability to subscribe to specific sections of a forum and not others).  I've been with Nabble for about 4 years and I do not wish to jump ship and move to another platform (and I'm not even sure there is another platform to move to that meets my requirements).  But I also need to be realistic and ensure that this portion of the service I provide to members will continue to be here for the long haul.

I would appreciate a response to this post and if I need to pay for support to receive a response, please let me know.

Sincerely,
Coleen

Hugo <Nabble> wrote
We don't have an easy solution for this problem. We would have to install a certificate on our end and this isn't simple because each Nabble forum has its own domain name. We won't support this in the near future. May I ask you why you need this?
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL & the future of Nabble

Hugo <Nabble>
Administrator
The SSL/https implementation is really hard and we don't see an easy way of implementing it at this point. I will give it more thoughts, but we can't promise anything for the future.
Coleen_Astalos wrote
The discussion regarding SSL and the recent change of Nabble to remove all ads has me wondering about the future of Nabble.  For a service to remain successful, there needs to be a revenue stream.  So how is Nabble recouping the loss of advertising revenue to remain a viable service?
We have another business that can pay for the Nabble expenses. We all know that ads are annoying, so we have decided to disable them.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL & the future of Nabble

Coleen_Astalos
Hugo,
Thanks for the response.

In working with my server support folks last night, it "appears" that things would work if you just installed a SSL certificate on your server for our sub domain name (as all the URLs resolve to that address).   However, since we don't control the forum.sudsol.org sub domain (I'm assuming you do - it resolves to IP address 162.253.133.81) we can't even get a certificate for it.

If we paid for a month of support would you be willing to get a free certificate (https://ssl.comodo.com/ has a free 90 day certificate for testing) and just install it on your site?  This would be a good test to see if this approach would work for those forums that are using a custom domain name for Nabble and embedding their site on their page.

Let me know.
Thanks,
Coleen
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL & the future of Nabble

Hugo <Nabble>
Administrator
Coleen_Astalos wrote
In working with my server support folks last night, it "appears" that things would work if you just installed a SSL certificate on your server for our sub domain name (as all the URLs resolve to that address).   However, since we don't control the forum.sudsol.org sub domain (I'm assuming you do - it resolves to IP address 162.253.133.81) we can't even get a certificate for it.
It is not that simple (unfortunately). The HTTPS protocol runs on port 443 and we don't have this setup on our servers (Nabble has lots of custom code and that would require changes). Also, the forum code would have to detect if the certificate is available and always pick the right protocol (HTTPS or HTTP). These changes are not simple and we can't work on that at this point.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL & the future of Nabble

dennisroczek
Hugo <Nabble> wrote
It is not that simple (unfortunately). The HTTPS protocol runs on port 443
and we don't have this setup on our servers (Nabble has lots of custom code
and that would require changes). Also, the forum code would have to detect
if the certificate is available and always pick the right protocol (HTTPS or
HTTP). These changes are not simple and we can't work on that at this point.
Are there any "long term plans" to provide a solution (or workaround) for that?

Dennis

(sorry hugo, missclicked, didn't want to send you a PM)
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS / SSL & the future of Nabble

Hugo <Nabble>
Administrator
dennisroczek wrote
Are there any "long term plans" to provide a solution (or workaround) for that?
Unfortunately, no.