Why is https://community.elgg.org using a self-signed certificate? This opens all accounts to a "man-in-the-middle attack." Cloudflare and Let's Encrypt issue free, unlimited certificates signed by legitimate Certificate Authorities. Even if this is only for a subdomain that isn't used, it is a major link for Elgg. I'm positive the "This is unsafe, turn back now" type of warning most browsers give wards off many prospective users!
rahul:
It is not unsafe, but there is a little problem in the implementation of the certificate.
You can visit the "unsafe" pages by:
Click on the unsafe URL and remove the "s" from "https", so it becomes http://community.elgg.org instead of https, and then visit the page. You will find that you are automatically redirected to https.
There is no security problem. An SSL certificate just encrypts the form data, and I don't think there is any need for an SSL certificate for a site like the Elgg community, but still, an SSL certificate shows that this site is safe, which is a good thing from the point of view of visitors.

Steve Clay:
Report all security issues to security@elgg.org. Thankfully this is not one.

Steve Clay:
@lionheart, where online do you see a link to community.elgg.org? We need to change them.

iionly:
@Steve I think there are still a lot of links with the "community" subdomain in old discussions, replies and on plugin pages. I don't know if it's possible to update them all without spending much time on it. There's even still an open issue about this (https://github.com/Elgg/Elgg/issues/9818).
If I'm not mistaken, the cause of the problem with the "community" subdomain is simply that it's not considered in the Let's Encrypt certificate config (the "learn" subdomain seems to be, and there's no issue with learn.elgg.org). I think I already suggested fixing the problem by considering the "community" subdomain in the certificate handling/config (maybe to Juho back then). But it seems to have been forgotten all the time...

Jerome Bakker:
I have included community.elgg.org in our Let's Encrypt certificate and the issue should now be solved.
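The three things the browser warning in this thread can stand for are distinct: a self-signed certificate (issuer equals subject, so no CA vouches for it), a CA-issued certificate whose subjectAltName list simply omits the subdomain (the "learn" is covered, "community" is not situation), and an expired certificate. The checker below, written as an added example and not code from this thread or from the Elgg project, tells them apart using only the Python standard library. The certificates in getpeercert() dict form and `SAMPLE_NOW` are constructed for illustration; `fetch_peer_cert` and `diagnose_host` are the only parts that touch the network, and the issuer "Example CA" and the hostnames in the samples are assumptions, not real certificate data.

```python
import socket
import ssl
import sys
import time


def _name_matches(pattern, hostname):
    """RFC 6125-style matching: exact match, or '*' as the whole leftmost label.
    '*.elgg.org' covers 'community.elgg.org' but not 'elgg.org' or 'a.b.elgg.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def _rdn_attrs(name):
    """Flatten a getpeercert() distinguished name (tuple of RDN tuples) for comparison."""
    return frozenset(attr for rdn in name for attr in rdn)


def classify_cert(cert, hostname, now=None):
    """Inspect a certificate in ssl.SSLSocket.getpeercert() dict form and report
    whether it is self-signed, whether a DNS SAN covers `hostname`, and whether
    it has expired relative to `now` (epoch seconds, defaults to the clock)."""
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    matched = next((san for san in sans if _name_matches(san, hostname)), None)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "self_signed": _rdn_attrs(cert["subject"]) == _rdn_attrs(cert["issuer"]),
        "name_matches": matched is not None,
        "matched_name": matched,
        "san_names": sans,
        "expired": not_after <= now,
        "days_left": int((not_after - now) // 86400),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live fetch (network). The chain must still verify against the system trust
    store (CERT_REQUIRED); hostname checking is turned off so a CA-signed cert for
    the wrong name is returned and reported by classify_cert() instead of raised.
    A self-signed cert fails chain verification and raises SSLCertVerificationError.
    Caveat: with verify_mode=CERT_NONE getpeercert() returns {}, so an untrusted
    cert cannot be inspected through this path; use `openssl s_client -showcerts`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname still sets SNI even though check_hostname is off
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def diagnose_host(host, port=443):
    """Live check: untrusted chain (e.g. self-signed) is reported with OpenSSL's
    verify message; a trusted cert is run through classify_cert()."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "verify_error": exc.verify_message}
    result = classify_cert(cert, host)
    result["trusted"] = True
    return result


# Constructed sample certificates in getpeercert() form (not real Elgg certificates).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 1 00:00:00 2024 GMT")

SELF_SIGNED = {  # issuer == subject: the situation the original poster describes
    "subject": ((("commonName", "community.elgg.org"),),),
    "issuer": ((("commonName", "community.elgg.org"),),),
    "subjectAltName": (("DNS", "community.elgg.org"),),
    "notAfter": "Jan 1 00:00:00 2030 GMT",
}

CA_SIGNED_WITHOUT_SUBDOMAIN = {  # CA-issued, but the SAN list omits "community"
    "subject": ((("commonName", "elgg.org"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "subjectAltName": (("DNS", "elgg.org"), ("DNS", "learn.elgg.org")),
    "notAfter": "Jan 1 00:00:00 2030 GMT",
}

CA_SIGNED_WILDCARD_EXPIRED = {  # wildcard covers exactly one label, and it has lapsed
    "subject": ((("commonName", "elgg.org"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "subjectAltName": (("DNS", "elgg.org"), ("DNS", "*.elgg.org")),
    "notAfter": "Jan 1 00:00:00 2020 GMT",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "community.elgg.org"
    print(diagnose_host(target))
```

Run it as `python check_cert.py community.elgg.org`: a self-signed certificate shows up as `trusted: False` with OpenSSL's verify message, while a CA-issued certificate that simply lacks the subdomain shows `trusted: True` with `name_matches: False` and the SAN list that was actually issued, which is the check to repeat after adding a name to the Let's Encrypt configuration.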