[Security Related] Request that planetminecraft.com get a HTTPS SSL security certificate..

Ticket #2171
Opened by: doubledogdare610
Status: Closed- Finished
Feature Request
2016-08-20 17:20:43
2017-06-14 08:39:37


It kind of bothers me that planetminecraft.com does not have a SSL security certificate.
It is highly critical for the saftey of PMC users.. I'd ask that administration implements one.

Here is a small list of well known and trusted Certificate Authorities in which a certificate can be obtained:

1. VeriSign (Lol, just found out that they no longer give out certificates without the purchase of other services.)
2. DigiCert
3. Symantec
4. GoDaddy
5. Comodo CA

Thank you for taking the time to read this ticket!

EDIT: I have noticed that when I am using https://, I am not able to post replies to comments.. Looks like there is an even bigger problem..

Comments (20)

said 2017-06-14 08:39:37
Cyprezz set status to Closed, set resolution to Finished.
All traffic is redirected to https.
Cyprezz said 2017-03-23 17:07:14
Chat now has https support.
All image tags in member content including submission descriptions, pms, comments, wall posts, etc retroactively support https & all future image tags going forward.
All internal links (www.planetminecraft.com) in member content will now maintain protocol choice.
Made several SSL fixes & changes to the current forums but they unfortunately won't maintain https while browsing until forced.
Closer to defaulting all traffic to https.
superalgae said 2017-03-21 00:16:55
Great news! Thanks Cyprezz! I just tried https, and everything is working so far. I'll comment here if I see any issues beyond the remaining work you listed.
said 2017-03-17 16:51:10
Cyprezz set status to In Progress.
Site can be viewed via https. Still needs attention before closing this ticket. Some random images, advert tags and chat need attention before we can consider pushing all traffic to https but progress has been made.
Cyprezz said 2017-03-17 16:44:31
testing comments. Made significant progress on this today. Will continue testing and eliminating any non-secure assets. Feel free to test https now.
Cyprezz said 2017-03-17 10:02:43
You're right. We're getting this taken care of as we speak and in the longer term, we will be supporting site wide https by default after the new forum launch.
superalgae said 2017-03-16 01:16:04
Supporting HTTPS might not be trivial, but such basic security should be higher priority than anything else on the site.
Ralex said 2017-03-12 15:13:43
Chat is a perfect example of something that would break unless it also moved to SSL, because of how browsers work.

Websockets will force that the same method be used (so if you use HTTPS, the socket has to be secured) otherwise it will be refused. It's not a simple "enable it on the site" because there are parts that may not work correctly. That's why I said it's not simple. There's more than just a flag that's changed.

I believe we have the certificate already somewhere, but it's not a simple change to do.
SupremeMortal said 2017-03-12 09:53:01
You can actually load HTTP data under a HTTPS connection however the browser will see the HTTP sources and mark the page as insecure.
Ralex said 2017-03-11 16:59:21
It's not "simple" to just go HTTP to HTTPS. Having done so myself, and seeing how MCF does it, it's not a simple "flip"

There is a huge amount of testing that has to go into it to make sure all services work correctly, because some pages will *refuse* to work if you load them in HTTPS but it still uses HTTP for stuff (like chat).
SupremeMortal said 2017-03-11 11:13:30
It's not like you even need to pay for it. You could just get a LetsEncrypt certificate.
leasoncre said 2017-02-23 12:40:20
with all the hype for security these days, where's the security PMC?
CactusTato said 2016-08-31 13:15:57
I mean, they should make it http:// because its usually what my computer teacher said "type www.site.com"
doubledogdare610 said 2016-08-21 12:40:44
That's because there is a "protection" that your browser is using. It's blocking the CSS file because it is linked in the page source using http.. Disable that and you will still be able to use some encryption as my browser says. Can't wait till we sort this out. PMC is a great site that I'd like to continue using for many years.. Lots of work on the way.
Pepijn said 2016-08-21 12:29:58

This is all I get from the https address. Reloaded it a couple of times without much result.

About the SSL, it's a certificate from TrustWave apparently.
said 2016-08-21 12:27:57
doubledogdare610 modified ticket description.
doubledogdare610 said 2016-08-21 12:23:58
Yes.. the https:// address does redirect to the actual site.. I don't
see a certificate anywhere and my browser is not receiving one from
Pepijn said 2016-08-21 01:08:57
AFAIK PMC already has a "SSL certificate". The https address just doesn't redirect to the actual site (I think, probably simplified a lot if true).
said 2016-08-20 23:12:13
Midnight assigned Developers/Administrators.
said 2016-08-20 17:26:55
doubledogdare610 modified ticket description.




© planetminecraft.com