Originally Posted by PianoWorld
The standard way to fix mixed content issues like this is to make an ssl proxy for images when it’s detected that they come from insecure http. What this means is that the forum server scans URLs to see if they are insecure and then downloads the image itself and then serves it as https. I’m surprised that UBB.threads doesn’t support this out of the box (and I searched a little and doesn’t appear to) but it’s literally 5 or 6 lines of php to do this. And I like to think I’m not just an “armchair expert” as I write code for a pretty big internet company and do stuff like this a lot smile Actually I’m not sure if Frank would be comfortable but I’d be happy to make the change or provide his web developer with the info on making this change. However, this would increase bandwidth costs slightly so that could be a concern.

The serious downside to a simple proxy approach is that you are routing all external resources through your own server/systems. Which is not only a liability, but also can get rather costly. It adds complexity to the page for no good reason. It also defeats any CDNs which are suppose to route to near servers or balance to idle ones.

With a simple proxy script, anything can be included and will be delivered from your domain.

http:// www .THEIRSITE. com/virus.jpg
https:// www .YOURSITE. com/?imgsrc=http:// www .THEIRSITE. com/virus.jpg

The security now becomes even worse than without the use of a pseudo-SSL proxy script. With this, your site could appear to be hosting malicious files.

Expanding on that, if a random user would copy that new SSL link with "your domain url + malicious file link" across the web, you get the "site credibility ding" for "hosting" the malicious file, even though you are only passing it through as a third party. The random user could also apply any link to the proxy tool they wanted to add.

Real-time tracking of all HTTP URLs and requesting them again if SSL connection failed is highly inefficient and overall sounds like a bad idea.

Its highly unlikely that there are going to be any core workarounds of this type written for UBB.threads, especially because the vast majority of websites today use SSL anyway, and the rest can either get on with the program or have their content treated as a second-class citizen. UBB.threads 7.7.2 provides a optional forum setting to replace hotlinked insecure embedded images with a plain URL that the end user can click through to view if they choose to.

That said, nobody is going to stop you from adding any sort workaround with custom code or server modules. good luck.

Current developer of UBB.threads PHP Forum Software // 7.7.3 released!
isaac @ id242.com // my forum @ CelicaHobby.com