PHP-Fusion 9 and SSL Upgrades Coming Soon

Last updated 3 years ago
Routh Posted 3 years ago
Happy New Year folks!

The 5th version of The Den is still in an early alpha stage and won't likely be ready until next year. In the meantime, the PHP-Fusion team has just released the next version of their framework, version 9. Version 8 is apparently so vastly different from PHP-Fusion 7, they decided to rename it, and then work on a version 9 to update this aging framework.

I've been working with the support team since version 9 RC1 was released on Dec 23rd, and I'm nearing something that is fully stable. This will improve mobile compatibility for the site greatly, allow me to improve the interface of this site, and has better defenses against spammers.

Despite the "Release Candidate" status of the new version, once I work out the theme and upgrade the writings infusion a bit, I plan to move forward with releasing this update some time in January.

Additionally, StartSSL, which we once used as an SSL certificate provider, has greatly limited the ability to get free certs from them. They are also only giving out free SHA1 certificates, which will start being rejected by Chrome and Firefox as of tomorrow. This is why The Den is using HTTP only right now, which is not good.

Thankfully Mozilla and the Linux Foundation have launched the public beta of Let's Encrypt!, which allows anyone to get free certificates that are of high encryption. Thus on Monday I will be changing the site back to HTTPS with one of these new certs. I've already tested them on other sites, and they work fantastically.

I did find one possible issue with these new certs. They only support TLS 1.1 and 1.2. After careful consideration of the positives and negatives, I have chosen to go forward with this. What this means is that a very small subset of users may have issues if TLS support is not enabled on their system. This will only affect users on old, outdated systems that should be updated. Only users on early versions of Windows 7 and older operating systems like XP and Vista will be affected. So far only one user on Windows 7 has been affected. However, some early editions of Windows 7 did ship with TLS disabled.

Background Information on TLS vs SSL

Few people realize that SSL = TLS. The name for the protocol was changed with SSL version 3.1, which was named TLS 1.0.

SSL 1.0 was never released to the public as it contained serious security flaws. SSL 2.0 was released in 1995; however, it was quickly redesigned and released as SSL 3.0 in 1996 due to more 'serious security flaws'. All of this was done by Netscape. The project was taken over by open source initiatives in 1999 as TLS 1.0. TLS 1.1 was then released in 2006, and TLS 1.2 was released in 2008.

Needless to say, SSL 2.0 is dead. SSL 3.0 should have died in 2014 due to the POODLE attack. It was made obsolete in 2015 as a result of this, but many sites still use it. TLS 1.0 was determined to be dangerous as it was created with the ability to downgrade the connection to SSL 3.0, leaving it vulnerable to the same attacks.

To be perfectly clear, if you aren't using the TLS 1.1 or 1.2 protocols and at least a SHA256 encryption level certificate when sending a password over the Internet, your connection is not secure. The other protocols are hackable, and SHA1 encryption has been confirmed compromised, as powerful botnets and supercomputers can now break it.

With all this in mind we will proceed to this updated security level as of Monday. You can have your browser tested for security protocol support here:

Please correct your system if it cannot support TLS 1.1 at minimum. As an additional advised step, I recommend you look into disabling SSL 3.0 and TLS 1.0 support on your systems to ensure your browser does not use them for sensitive connections.
Chris Routh
Founder of The Den of Amateur Writing

"Don't try to be a great man; just be a man and let history make its own judgments." - Riker, Star Trek The Next Generation
last edited by Routh on 31-12-2015 19:43
Routh Posted 3 years ago
Stage 1 of this update, deploying SSL, has been completed. All pages should show secure in your browsers, and Chrome should report that it is using a "modern cipher suite".

I believe I have found all instances of "mixed insecure content" which usually means an image is being loaded with HTTP instead of HTTPS. I may have missed one or two. Please notify me if you find any by replying to this post.
Chris Routh
Founder of The Den of Amateur Writing

"Don't try to be a great man; just be a man and let history make its own judgments." - Riker, Star Trek The Next Generation
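The "mixed insecure content" hunt described in the post above, as an added example that is not part of the original thread or of PHP-Fusion: a small Python scanner that parses a page's HTML and reports every subresource (images, scripts, stylesheets, inline CSS backgrounds) that an HTTPS page would still fetch over plain HTTP. Hostnames under `example.invalid` and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch a subresource (a navigation <a href> is not mixed content).
FETCH_ATTRS = {"img": ("src", "srcset"), "script": ("src",), "link": ("href",), "iframe": ("src",),
               "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
               "object": ("data",), "embed": ("src",)}
# url(...) references inside inline style attributes are fetched too.
STYLE_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    # Collects (tag, attribute, absolute http:// URL) for every plain-HTTP subresource.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name == "style":
                self.findings.extend((tag, name, u) for u in STYLE_URL.findall(value))
            elif name in FETCH_ATTRS.get(tag, ()):
                # srcset holds "url descriptor, url descriptor"; other attributes hold one URL.
                urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
                for u in urls:
                    absolute = urljoin(self.page_url, u)  # "/x.png" and "//cdn/x.png" inherit https
                    if urlsplit(absolute).scheme == "http":
                        self.findings.append((tag, name, absolute))

def find_mixed_content(html, page_url):
    """Return every (tag, attribute, url) in `html` that would be loaded over plain HTTP."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page: two hard-coded http:// resources, a CSS background, a safe relative image,
# a scheme-relative script, and a navigation link that must not be reported.
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="http://cdn.example.invalid/den.css"></head>
<body><img src="/images/logo.png">
<img src="http://cdn.example.invalid/banner.jpg" srcset="http://cdn.example.invalid/b2.jpg 2x, /b3.jpg 3x">
<script src="//cdn.example.invalid/app.js"></script>
<a href="http://other.example.invalid/">navigation link, not a subresource</a>
<div style="background: url('http://cdn.example.invalid/bg.png')"></div></body></html>"""
```

Run `find_mixed_content(SAMPLE_PAGE, "https://den.example.invalid/forum/")` against fetched page source to get the list of resources to rewrite to HTTPS or protocol-relative URLs.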