Downloading Images (the forum itself doing so)

You can get a PositiveSSL for like 5 dollars per year, FYI :slight_smile:

2 Likes

Alright, true. But useless for people who like subdomains, if I understand the PositiveSSL website right.

You can get a wildcard cert for 60 per year :wink:

1 Like

Well that I’m interested in. Would you mind providing a link?

1 Like

https://cheapsslsecurity.com/sslproducts/wildcardssl.html

A friend has used them before for non-wildcard certs, so I at least know they work. I’m still using Namecheap myself, as I only have one cert and I’m ok with paying an extra couple dollars to keep things in one place.

You’re kidding, right? Cost is not a barrier; StartSSL is free, WoSign (yay, China) is also free, CloudFlare’s just-use-a-selfsigned-cert-and-we’ll-fix-it-at-the-frontend SSL is also free.

5 Likes

I emit my own certificates. All I want is that the connections I establish to my host (which is at home btw) can be encrypted. When I feel it is necessary, I’ll move forward.

By emitting my own certificates, I’m able to customise everything about them, which is nice :wink:

@mbaxter: Thanks :slight_smile:

@lukegb: I did find StartSSL, but that’s limited to 1 year and a single domain if I understand it right… WoSign has 2 years and 100 domains as an option (looks actually kinda good), but you’re obviously right about CloudFlare, I totally forgot about that.

@Dannyps: I do that as well and it’s enough for me, but self-signed https connections are blocked by most browsers by default, afaik.

I’ve never had any trouble circumventing those protections. Anyway, I install my CA certificate on the PCs I work most with at school (I shouldn’t be able to…) so I don’t have that kind of trouble :slight_smile:

Use cloudflare-giveus-a-self-signed-and-we’ll-fix-it-with-a-front-end-cert

This is getting kinda off-topic…

1 Like

What @TBotV63 said. This thread is for talking about the forum itself downloading images, not about SSL certs.

1 Like

I’m questioning the potential security threat of downloading and self-hosting images from a remote source.

There is some potential. But it’s also an OCD thing.

Hrm… I wonder how much they validate those images, might have an arbitrary code execution vulnerability if they don’t validate them at all.

That’s what I was thinking yeah.

I believe the person on these forums best suited to answer that question is @riking. How is image downloading handled? Any processing other than changing links? :slight_smile:

Not much processing other than the automated thumbnail creation if the image is wider than a post, which still happens even if the images aren’t downloaded; and adding width/height markers to the HTML so that the page doesn’t jump around.
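What validating a downloaded image before the thumbnail step could look like, as an added example that is not part of the thread and not Discourse's code: it identifies the format from magic bytes rather than from the URL (a `.php` image URL included) and rejects files whose header declares implausible dimensions. The size limits and all function names are assumptions.

```ruby
# Added example: vet fetched bytes before any thumbnailer touches them.
MAX_BYTES  = 4 * 1024 * 1024   # assumed cap on download size
MAX_PIXELS = 40_000_000        # assumed cap on decoded width * height
PNG_SIG    = "\x89PNG\r\n\x1A\n".b

# JPEG: walk segments until a start-of-frame marker, which holds the size.
def jpeg_dimensions(data)
  pos = 2
  while pos + 9 <= data.bytesize && data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    # SOF0..SOF15 are frame headers, except C4 (DHT), C8 (JPG), CC (DAC)
    if (0xC0..0xCF).cover?(marker) && ![0xC4, 0xC8, 0xCC].include?(marker)
      h, w = data.byteslice(pos + 5, 4).unpack("nn")
      return [:jpeg, w, h]
    end
    pos += 2 + data.byteslice(pos + 2, 2).unpack1("n")
  end
  nil
end

# Format comes from magic bytes only; URL extension and Content-Type are ignored.
def sniff_dimensions(data)
  if data.start_with?(PNG_SIG) && data.bytesize >= 24 && data.byteslice(12, 4) == "IHDR"
    [:png, *data.byteslice(16, 8).unpack("NN")]
  elsif data.start_with?("GIF87a", "GIF89a") && data.bytesize >= 10
    [:gif, *data.byteslice(6, 4).unpack("vv")]
  elsif data.start_with?("\xFF\xD8".b)
    jpeg_dimensions(data)
  end
end

# Returns [:ok, format, width, height] or [:reject, reason].
def vet_remote_image(raw)
  data = raw.b
  return [:reject, "too large"] if data.bytesize > MAX_BYTES
  format, w, h = sniff_dimensions(data)
  return [:reject, "not a recognised image"] if format.nil?
  return [:reject, "bad dimensions"] if w.zero? || h.zero? || w * h > MAX_PIXELS
  [:ok, format, w, h]
end

# Constructed sample: a PNG signature plus IHDR length, tag, width and height.
def png_header(w, h)
  PNG_SIG + [13].pack("N") + "IHDR" + [w, h].pack("NN")
end

p vet_remote_image(png_header(640, 480))
p vet_remote_image(png_header(60_000, 60_000))
p vet_remote_image("<html>not an image</html>")
```

A header check like this only gates what reaches the image library; the decoder itself still has to be kept patched.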

Hm. Am I correct in guessing that it will download the image file behind a .php-source image? Otherwise it seems to me that @RobodudeMC and @Kornagan have a very valid point. If it does, however, it would at least serve as a protection for the users.

1 Like

They could always just have the server return a 404 to just Discourse, so it’s not exactly viable as IP discovery protection.