Security Issue: Image by URL

The VexForum uses HTTPS, which is great; however, because BBCode allows linking of images by URL, there are some security risks:

  1. Unintentional page tracking. For example, I could embed a 1x1px image into my signature that tracks information about everyone who loads that page, including User-Agent data, IP address, and possibly even VF credentials depending on cookie settings.
  2. Breaks HTTPS sanctity. User agents treat any HTTP requests within secure domains as breaking the domain, and that page gets downgraded to a standard page in the eyes of the browser. In Firefox, for example, this is displayed like this:

Now there are some possible solutions to this issue:

  1. Enforce Strict-Transport-Security. I know esoTalk can be somewhat limiting when it comes to what exactly you can do, so one good solution is to use a Strict-Transport-Security HTTP header on all pages. However, this would cause errors with embedded resources that do not serve securely.
  2. Host every embedded image. This is the better, if annoying, solution. Allowing users to embed images by URL is bad practice because of the aforementioned security risks, and merely hosting everything would be much more secure.

I hope you consider these suggestions to make the VEX Forum a more secure place for everyone.

Side Note: From what I can tell, the main HTTP resource being embedded is a single Use PROS frog by a user. Make sure images in your signature are securely stored, especially if it’s just hosted on Imgur
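An added example (the editor's, not MayorMonty's post and not esoTalk's code) showing the two remedies from the post side by side in Python: the response headers for option 1, and for option 2 a rewriter that turns hot-linked http:// images in a signature into HMAC-signed same-origin proxy URLs so the forum serves the bytes itself, in the style of image proxies such as GitHub's camo. The proxy path `/img-proxy`, the secret, and the sample signature are all assumptions made up for the example. One fact worth knowing when reading it: a Strict-Transport-Security header only binds the forum's own hostname to HTTPS; it is the CSP directive `upgrade-insecure-requests`, included in the headers below, that makes the browser fetch third-party http:// images over https:// instead.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

# BBCode image tag: [img]URL[/img] (case-insensitive, as most BBCode parsers are)
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Assumed proxy mount point for the example; a real deployment would configure this.
PROXY_PATH = "/img-proxy"


def extract_img_urls(bbcode: str) -> list:
    """Return every URL wrapped in an [img] tag, in document order."""
    return [m.group(1).strip() for m in IMG_TAG.finditer(bbcode)]


def classify(url: str) -> str:
    """How a browser on an HTTPS page treats an <img src> with this URL.

    secure   - https:// or protocol-relative //host: no mixed-content warning
    mixed    - http://: loads (passive content) but downgrades the lock icon
    relative - same-origin path: inherits the page's scheme
    rejected - anything else (javascript:, data:, file:, ...): do not embed
    """
    parts = urlsplit(url)  # urlsplit lowercases the scheme for us
    if parts.scheme == "https":
        return "secure"
    if parts.scheme == "http":
        return "mixed"
    if parts.scheme == "" and parts.netloc:
        return "secure"
    if parts.scheme == "" and url.startswith("/"):
        return "relative"
    return "rejected"


def proxy_url(url: str, secret: bytes) -> str:
    """Rewrite an external image URL to a same-origin, HMAC-signed proxy URL.

    The proxy fetches the image server-side and serves it from the forum's own
    HTTPS origin, which is what 'host every embedded image' amounts to for
    third-party images. The tag stops the proxy being an open relay (SSRF):
    it only fetches URLs the forum itself signed while rendering a post.
    """
    tag = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_PATH}/{tag}/{url.encode().hex()}"


def verify_proxy_request(path: str, secret: bytes) -> Optional[str]:
    """Proxy side: recover the original URL if the signature checks out, else None."""
    prefix = PROXY_PATH + "/"
    if not path.startswith(prefix):
        return None
    try:
        tag, hexurl = path[len(prefix):].split("/", 1)
        url = bytes.fromhex(hexurl).decode()
    except ValueError:  # bad hex or bad UTF-8
        return None
    expected = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    # Even with a valid tag, only ever fetch plain http(s) targets.
    return url if classify(url) in ("secure", "mixed") else None


def rewrite_post(bbcode: str, secret: bytes) -> str:
    """Sanitise the [img] tags in a post or signature before rendering:
    http:// URLs go through the signed proxy, https:// and relative URLs
    are left alone, and anything else is dropped."""
    def replace(match):
        url = match.group(1).strip()
        kind = classify(url)
        if kind == "mixed":
            return f"[img]{proxy_url(url, secret)}[/img]"
        if kind == "rejected":
            return ""
        return match.group(0)
    return IMG_TAG.sub(replace, bbcode)


def response_headers() -> dict:
    """Headers to send on every forum page (assumed values, not the forum's config).

    HSTS pins the forum's own hostname to HTTPS but says nothing about other
    hosts; upgrade-insecure-requests tells the browser to fetch http://
    subresources such as hot-linked images over https:// instead, which
    removes the mixed-content downgrade for any image host that speaks TLS.
    """
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "upgrade-insecure-requests",
    }


if __name__ == "__main__":
    # Constructed sample signature, not a real forum post.
    secret = b"constructed-example-secret"
    sig = ("[img]http://i.imgur.com/frog.png[/img] "
           "[IMG]https://vexforum.com/uploads/logo.png[/IMG] "
           "[img]javascript:alert(1)[/img]")
    for u in extract_img_urls(sig):
        print(classify(u), u)
    print(rewrite_post(sig, secret))
    print(response_headers())
```

The rewrite runs at render time, so the forum keeps the user's original BBCode and can re-sign with a new secret without editing stored posts. The proxy end must also cap image size, restrict the content-type it relays to images, and refuse private or internal addresses after DNS resolution; those checks are outside this example.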

@MayorMonty, thanks for bringing this to our attention. We’ve enabled HSTS for the Forum, so this should eliminate the security risks that you mentioned.