# Site Security



## Mike Bobbitt (10 Apr 2014)

Folks,

Over the coming days and weeks, you will notice a few changes to the site, as we move incrementally to a more secure model. The first change you will notice is that the site URL for the forums is changing. While the old "forums.army.ca" will still work for the foreseeable future, the new default will be to drop the leading "forums" subdomain. This is a minor change on the surface, but with far-reaching impact as we have been operating as "forums.army.ca" for a very (very) long time.

This change was made to consolidate the "forums" onto the same hostname as the rest of the site. The content and hosting remains the same, it's more or less a cosmetic change. With this done, the existing SSL certificate can be used to protect forum data. (Under the previous setup, we would need to purchase a second certificate - or a more expensive variant - to protect the extra subdomain.)

The long term goal then is to have SSL encryption enabled for the site by default, providing better overall security for account information, personal messages and all other content. I will be making changes incrementally, so it won't be immediate and (too) drastic, but will get us there in a reasonable timeframe.

Now those Navy, Air Force and Milnet folks will be asking "what about me?" The unfortunate answer is that while your URLs will also be changing (losing the forums. prefix) you won't be getting SSL in the immediate term. That would require the purchase of 3 more certificates each year, at about $100 a pop. So, I'm going to show my bias here and stick with securing Army.ca only. For those who want to make use of the SSL connection, you'll have to do it on the green side of things, I'm afraid.

So, where are we now? The SSL certificate is installed and the forums. hosts collapsed, but SSL is not the default. It is ready to test, which you can do by simply changing HTTP to HTTPS in your URL. For example:

http://army.ca/forums

Becomes...

https://army.ca/forums

There are still some issues that will need to be resolved... some site content will try to load over http even when you requested https, and that will cause issues. I will pick away at these over time and when everything is "good" SSL will become the new default.

In the meantime, if anyone has issues, please let me know.

Thanks
Mike

P.S. As a sidenote, for those following Heartbleed, we are patched and all key material has been regenerated from scratch.
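The certificate point above (a certificate issued for army.ca does not cover forums.army.ca unless it also carries that name, or a wildcard, in its subjectAltName) can be checked with the same hostname-matching rules a browser applies. The block below is an added example, not code from the original post or from the site; the certificate name lists in it are constructed assumptions, and the matching is a simplified form of the RFC 6125 rules (exact labels, single-level leftmost wildcard only).

```python
"""Check whether a certificate's dNSName entries cover a hostname.

Added example (not from the original post). The matching rules are a
simplified version of RFC 6125 / RFC 2818 hostname matching. The name
lists below are constructed assumptions; no real certificate was inspected.
"""
from __future__ import annotations


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label: a lone '*' matches any non-empty label,
    anything else must match exactly (case-insensitively)."""
    if pattern == "*":
        return bool(label)
    return pattern.lower() == label.lower()


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one dNSName entry cover hostname?

    - comparison is case-insensitive;
    - a wildcard is honoured only as the entire leftmost label ("*.army.ca")
      and matches exactly one label, so "*.army.ca" covers "forums.army.ca"
      but neither "army.ca" nor "a.b.army.ca";
    - a wildcard name with fewer than three labels ("*.ca") is refused, so a
      certificate can never match a whole public suffix.
    """
    cert_labels = cert_name.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    # partial ("f*.army.ca") or non-leftmost ("a.*.ca") wildcards are not accepted
    if "*" in cert_labels[1:] or any("*" in lab and lab != "*" for lab in cert_labels):
        return False
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False
    if len(cert_labels) != len(host_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def covered_by(hostname: str, san_names: list[str]) -> bool:
    """True if any subjectAltName dNSName in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


# Constructed name lists (assumptions, not the site's real certificates):
SINGLE_HOST_CERT = ["army.ca", "www.army.ca"]   # a basic single-host certificate
WILDCARD_CERT = ["army.ca", "*.army.ca"]        # the pricier wildcard variant

if __name__ == "__main__":
    for host in ("army.ca", "forums.army.ca", "forums.navy.ca"):
        print(f"{host:16} single-host={covered_by(host, SINGLE_HOST_CERT)!s:5} "
              f"wildcard={covered_by(host, WILDCARD_CERT)}")
```

Run as-is it shows why collapsing the forums onto army.ca lets the existing single-host certificate protect them, and why even a wildcard for army.ca would do nothing for navy.ca or the other domains: a wildcard only reaches one label below the name it was issued for.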


----------



## PMedMoe (10 Apr 2014)

Ummmm....does that post come with a link to Google translate?   ???


----------



## dapaterson (10 Apr 2014)

Using "SSL" and "Security" in the same post is rather humorous right now...



Theo de Raadt put it best, I think.  OpenSSL is not developed by a responsible team.


----------



## Mike Bobbitt (10 Apr 2014)

That's not lost on me... in fact cleanup from this situation is the driver for making changes.


----------



## Journeyman (10 Apr 2014)

Mike Bobbitt said:

> Now those Navy, Air Force and Milnet folks will be asking "what about me?"

:nana:



Yes, I'm being more mature than usual today.  ;D


----------



## dangerboy (10 Apr 2014)

When I go to https://army.ca/forums, on a mac running OS X mavericks and using Google Chrome it does not appear in the normal fashion.


----------



## Bruce Monkhouse (10 Apr 2014)

Whatever Mike just said.... :-[


----------



## Nfld Sapper (10 Apr 2014)

The https site through the DWAN also doesn't look right but I think it's 'cause Mike hasn't coded everything in yet......


----------



## Mike Bobbitt (10 Apr 2014)

That's right. Depending on your browser, you may have to "load unsafe content" or something equivalent. In Chrome, that's a subtle grey shield in the address bar. Dangerboy, I can see it in your screenshot, next to the "Favorites" star.

The goal is to make that "unsafe" content (which is loading over HTTP not HTTPS) safe. (By - you guessed it - loading it over HTTPS.)


----------



## dapaterson (10 Apr 2014)

Won't this create more demand on the server, doing everything secure?


----------



## brihard (10 Apr 2014)

Out of curiosity, Mike, was there any consequence for the site from the Heartbleed bug?

I've already changed all my passwords for everything, I'm really just asking out of curiosity.


----------



## Mike Bobbitt (11 Apr 2014)

The most dire estimate is as follows:

Heartbleed was used to compromise server content including private keys and user information including passwords. Unfortunately due to the nature of the exploit, if that happened we have no way to know, so we just have to assume it did and plug the leaks (which we have now done).

The realistic view is that we (generally) don't use SSL anyway, so passwords have not exactly been secure all along. Probably not the answer that most folks wanted to hear, but that's why I'm making these server changes.

With regards to the server performance question... yes. And in fact as I've been inching us towards more SSL use, I can see the server load going up. So I might have to look at some options there.

P.S. I've made a few more changes making SSL a bit more usable: https://army.ca/forums


----------



## dangerboy (11 Apr 2014)

It's now loading normally on the Mac with Google Chrome.


----------



## The Bread Guy (11 Apr 2014)

Loading OK here on Firefox 24.3.0 & IE 8 as well.

Thanks for all the hard work, Mike.


----------



## Nfld Sapper (11 Apr 2014)

Could be my set up (or you are still working on it) Chrome 34.0.1847.116 m/ Windows 7 Ultimate SP 1 and the lock icon is not green but yellow....


----------



## Edward Campbell (11 Apr 2014)

NFLD Sapper said:

> Could be my set up (or you are still working on it) Chrome 34.0.1847.116 m/ Windows 7 Ultimate SP 1 and the lock icon is not green but yellow....

:ditto:


----------



## Mike Bobbitt (11 Apr 2014)

There are some resources still loading over HTTP so the yellow warning logo will remain until I find and fix all of those. Still a few more holdouts but we will get there.

The green lock WILL BE MINE!
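Finding the "holdouts" that keep the lock yellow means listing every subresource the page makes the browser fetch over plain http:// while the page itself came over https://. The block below is an added example, not code from the original posts or from the site's software: a small stdlib scan that resolves each subresource reference against the page URL and reports the insecure ones, distinguishing active content (scripts, stylesheets, frames, form targets, which browsers block or warn about most strongly) from passive content (images, media, which load with a warning indicator). It also flags a host containing an unexpanded template marker such as `$` or `%24`, since such a link is broken regardless of scheme. The HTML it scans is constructed for illustration.

```python
"""Report mixed content in an HTML page served over HTTPS.

Added example, not code from the original thread or the forum software.
The sample page below is constructed; the tag/attribute table is the
usual set of automatically fetched subresources.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute naming a resource the browser fetches (or posts to) on its own.
# <a href> is navigation, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "script": "src", "link": "href", "img": "src", "iframe": "src",
    "object": "data", "embed": "src", "audio": "src", "video": "src",
    "source": "src", "form": "action",
}
# Active content can run code or rewrite the page (or, for forms, send data in
# the clear); passive content (images, media) only shows a warning indicator.
ACTIVE = {"script", "link", "iframe", "object", "embed", "form"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: list[tuple[str, str, str]] = []  # (severity, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        raw = dict(attrs).get(attr)
        if not raw:
            return
        # relative ("/x.png") and scheme-relative ("//host/x") references inherit
        # the page's https scheme, so they resolve to https and are not flagged
        resolved = urljoin(self.page_url, raw)
        parts = urlsplit(resolved)
        if parts.scheme == "http":
            severity = "active" if tag in ACTIVE else "passive"
            self.findings.append((severity, tag, resolved))
        elif "$" in parts.netloc or "%24" in parts.netloc:
            # an unexpanded template variable in the host ("forums.$domain")
            # is a dead link whatever the scheme, so report it as well
            self.findings.append(("broken-host", tag, resolved))


def find_mixed_content(page_url: str, html: str) -> list[tuple[str, str, str]]:
    """Return (severity, tag, url) for every insecure or broken subresource."""
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page: insecure, secure, relative and scheme-relative refs.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://army.ca/Themes/default/style.css">
<script src="https://army.ca/Themes/default/script.js"></script>
</head><body>
<img src="http://army.ca/Themes/default/images/logo.png">
<img src="/Themes/default/images/lock.png">
<iframe src="//army.ca/forums/embed"></iframe>
<a href="http://army.ca/forums/index.php?board=1">Board</a>
<form action="http://army.ca/forums/search.php"><input name="q"></form>
<img src="https://forums.%24domain/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://army.ca/forums/", SAMPLE_HTML):
        print(f"{severity:11} <{tag}> {url}")
```

Against the sample page this reports the stylesheet and form target as active, the logo as passive, and the `%24domain` host as broken; the https script, the relative image, the scheme-relative frame and the plain navigation link are left alone. Fetching the live page with `urllib.request` and feeding its body to `find_mixed_content` turns this into a quick check to run after each round of fixes.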


----------



## ArmyGuy99 (12 Apr 2014)

FYI, 

Not sure if anyone else is having this issue but the top Forums menu isn't loading properly either in https or regular http.

No images, and Forums and Admin appear as strings ( $Forums,  $Admin)

The links still work.


----------



## Nfld Sapper (12 Apr 2014)

MedTech32 said:

> FYI,
>
> Not sure if anyone else is having this issue but the top Forums menu isn't loading properly either in https or regular http.
>
> ...



In HTTPS mode the links are broken due to the "domain" in the links......

EDITED TO ADD

Actually even in HTTP mode on IE11 the links are still broken as they also have "domain" in them....

example: https://forums.%24domain/


----------



## Mike Bobbitt (13 Apr 2014)

Drat... I knew this was going to make a few waves. That issue is fixed, as well as the "white background" issue for non HTTPS links.


----------



## Nfld Sapper (13 Apr 2014)

Mike Bobbitt said:

> Drat... I knew this was going to make a few waves. That issue is fixed, as well as the "white background" issue for non HTTPS links.



No worries Mike, just think of us as your beta testers.... ;D


----------

