Users self-hosted images broken, non-SSL options?

[birkie]

Forum URL: monitortop.freeforums.net

Hello,

Some users on our forum host images externally, but do not currently have SSL available from their provider(s).  I'm not sure exactly how many images are affected, but I estimate it to be in the hundreds.  For example, this post has two images that do not appear because of mixed content.  We're looking into what can be done about that.  If it turns out we're stuck and SSL isn't possible, I'm wondering what our immediate options are. 

Specifically,

* If we figure out an alternate means of hosting them, is there any way to detect which posts have plain http links in them so that images can be migrated? 

* In order to buy time to make fixes, is there any way to host the forum in plain http?  If it's not possible to disable SSL for our forum, would it work to register a vanity domain name, but *not* register SSL for that domain?

Thanks!

  -Aaron

[Michael]

Hi,

It would not be possible to opt-out of SSL. As far as I am aware there is no way to detect where http images are located. A lot (the majority) of image hosts will already support SSL so most of your images should automatically convert but if your forum is one where a lot of people self-host images then it will involve a lot of manual location of where those images are hosted and updating that hosting to serve via SSL.

Edit: If any of the locations that images are hosted externally are owned/controlled (as in, you own the domain/hosting) you can get a free SSL certificate by signing up for Cloudflare: www.cloudflare.com/ssl/

[birkie]

Feb 18, 2020 16:55:22 GMT -8 Michael said:

Hi,

It would not be possible to opt-out of SSL. As far as I am aware there is no way to detect where http images are located.

Thanks,

Can you (or somebody else) confirm that if I were to use a custom domain for our forum (say, monitortop.org, which I own), that would be forced to SSL as well?  I can see technical need for all forums under freeforums.net or proboards.com to be handled uniformly, but I was hoping that transitioning to a custom domain could afford some flexibility, or at least buy us some time. 

Unfortunately, the situation looks rather grim for us, as many images are hosted on external ISP-owned domains that are out of our control.  i.e. we cannot simply use cloudflare, as we do not own the ISPs domain, and we are at the whim of the ISPs timelines with regard to their own support of SSL.  Given the number of images and the rather large search space of past posts, a reasonable timeline to locate alternative hosting options, find such links, and perform a conversion by hand would be on the order of months.

"Use a custom domain and allow that domain to be non-SSL" would seem to be an ideal non-disruptive way to momentarily stop the bleeding.  Is there any way to make that happen?

[Michael]

Hi,

Custom domains get the same SSL treatment as ProBoards domains. Unfortunately this is not a situation where we have any leeway and we've put off this process for much longer than we really should have. You should immediately contact anywhere you have images hosted and ask about SSL.