HTTPS support?

[kovidgoyal]

Hi,

I'd really like to see mobileread made available over https. This is particularly important since it is used to distribute code that runs on users systems (sigil and calibre plugins).

Thanks to the Let's Encrypt intiative HTTPS certificates are now free and automated. https://letsencrypt.org/

I recently (in the last 6 months) enabled Let's Encrypt on the calibre websites and it was pretty painless, so I can recommend it.

Thanks.

P. S. I am happy to help with any technical issues, if needed.

[WT Sharpe]

It sounds like a good idea. Have you mentioned this to Alex?

[eschwartz]

(I thought calibre plugins are mirrored on the calibre website. So at least it is only vulnerable between your server and MobileRead, when you scrape the index for updates. At least that is my justification for saying Debian is silly for calling the plugin updater a massive security hole and disabling it universally.)

I too would like to see MobileRead use HTTPS.

[kovidgoyal]

Quote:

Originally Posted by eschwartz

(I thought calibre plugins are mirrored on the calibre website. So at least it is only vulnerable between your server and MobileRead, when you scrape the index for updates. At least that is my justification for saying Debian is silly for calling the plugin updater a massive security hole and disabling it universally.)

calibre plugins are (the lack of https was one of my primary motivations in setting up the mirror in the first place), but Sigil plugins are not. And generally speaking, not using https does not fill me with confidence with regard to account security. For instance, the other day I spent some time looking into how logins are implemented here, and what happens is that javascript running on the client side hashes the password you enter, replaces it in the form field and the form is then submitted to the server. So if you happen to log in to MR with JS disabled, it will leak your password in plaintext. Not to mention that it is trivial for a MITM attacker to steal your password by simply injecting a bit of malicous JS into the page served over HTTP.

@WT Sharpe: I am sure Alex reads this forum. He has posted here a few days back.

[Alexander Turcic]

Thanks Kovid. You are absolutely right - I am not feeling great that MR is still using non-HTTP. The issue is not technical in terms how to properly install the certificates etc. - it's the forum software and its style sheets that is so old that it requires quite some modifications to run well with HTTPS. Instead, I want to push forward with moving over to a modern forum software (xenForo). Now that I am back more frequently it's the first big thing I want to do - and with the move everything will be HTTPS-only.

[eschwartz]

Right... IIRC you were discussing that about a year ago, in reference to @member notifications.

So, do we have an ETA?

[Alexander Turcic]

Quote:

Originally Posted by eschwartz

Right... IIRC you were discussing that about a year ago, in reference to @member notifications.

Yup.

Quote:

So, do we have an ETA?

As soon as possible. Hopefully even sooner than that. In other words, I will do everything I can to get things rolling quickly (a lot has been done already but needs to revisited to make it compatible with the latest version of xenForo).

[kovidgoyal]

@Alex: Cool, glad to hear it.

[Tenzin_la]

If you ever have down & out encryption issues, I've recently published in a peer review journal about Prime Number Theory, Encryption, and Quantum Computing. It's very dry! I've been working with encryption for many years. I just aged out of a NDA for work I did about 20 years ago when I worked at a non-descrypt office at Ft. Bragg.

Thanks for bringing it up Kovid.

[enuddleyarbl]

And, according to:

https://www.testimpulse.com/index.ph...ure-http-sites

Quote:

Google have announced that, starting with Chrome 56, their popular browser will start giving users security warnings when they visit HTTP-served websites.

[kovidgoyal]

I'm glad to see that MR is now HTTPS -- thx Alex

[Alexander Turcic]

Thanks Kovid. Still ironing out a few small issues, but I am also glad we finally moved over.

[WT Sharpe]

Thanks for the added security of HTTPS, Alex!

[Dazrin]

Is this possibly the reason why the images in my 2017 challenge list no longer work?

See this post: https://www.mobileread.com/forums/sh...78&postcount=9

These images worked last time I checked (less than 2 weeks ago) and are the same ones I have been using for the last couple years but they now do not show up.

[Alexander Turcic]

Quote:

Originally Posted by Dazrin

Is this possibly the reason why the images in my 2017 challenge list no longer work?

See this post: https://www.mobileread.com/forums/sh...78&postcount=9

These images worked last time I checked (less than 2 weeks ago) and are the same ones I have been using for the last couple years but they now do not show up.

Interesting. Yeah, it's definitely related. For security reasons, we now proxy external images in posts (via https://usercontent.mobileread.org). This way we can protect your privacy by preventing browser information to be leaked to third-parties that may be snooping information (and do other nasty stuff like "cookie stuffing" or IP logging).

I'll investigate why the proxy won't load these particular images.

Fixed. Proxy didn't like HTML entities in URLs...