As the MyBB 2.0 development gains traction again — a joint effort of the Team and our technical Community — we are passing an important milestone in the area of the Project’s organization. Entirely new concepts, de-facto standards and unspoken rules, either improving the fluency within the Team or aimed at increasing MyBB’s maturity (and sometimes both), are being continuously brainstormed. We would like to share our progress so far in areas we are confident about.

PSR standards conformance from MyBB 2.0

World Standards Day / International standards day is celebrated internationally each year on 14 October. […] The United States held a 2014 U.S. Celebration […] on 23 October […].

Currently our coding standards are rather specific when compared to other projects in the PHP Community, and may be perceived unnatural (exhibit A: 1.8 development standards) — starting from 2.0, MyBB’s source will be fully conformant with PSR standards. While this means that we will be inevitably choosing a standardized side in one of the greatest arguments in the history of programming, which we have been avoiding for some time (exhibit B: 2.0 Dev Post #5), this decision will assure that our code preserves compatibility of coding style with other PHP projects and frameworks. This should lessen the confusion in Pull Requests and allow new contributors to adapt more easily.

Secure connections to *.mybb.com websites

A simple visit to any of our websites involves many platforms and servers: by connecting to our Documentation on docs.mybb.com, your requests go through our reverse proxy (currently provided by CloudFlare) to hit our Jekyll-powered website hosted on GitHub Pages from the Docs repository, whereas requests to the Blog you are reading this article on go to WordPress.com platform servers instead after following a similar path. Spreading our web presence in such decentralized manner has great advantages with independent availability being the most significant one, however maintaining them all becomes more complicated and introduces security risks with each addition.

In order to aid that, we have launched efforts to start enforcing HTTPS traffic to our websites and inserting security-related HTTP headers — although we don’t control external servers, we were able to set up the most important redirects and directives using the reverse proxy; these changes, combined with Subresource Integrity hashes for external content served on mybb.com and docs.mybb.com, provide a reasonable level of security given access limitations for any project that decides to set up their infrastructure in this fashion. If you happen to randomly browse the Chromium source code, you will discover that the mybb.com domain is now present on the HSTS preload list, making derived browsers enforce HTTPS upon first visit out of the box, helping our case a great deal.

Having control over the server hosting the Community forums and download Resources, we set up additional security headers that are now sent to the browser from both locations and our MyBB installation to serve cookies with the Secure flag, a feature shipped with MyBB 1.8.10. By using a MyBB plugin with a Node.js proxy server, external resources on our forums are now being delivered to users over a secure connection, resolving the issue of insecure content and enhancing their privacy by eliminating the necessity of downloading data directly from third party servers. Even when either one breaks, the Content-Security-Policy header will prevent insecure content from being loaded (the next major version of MyBB will make it possible to include all common security headers, as we will be aiming to eliminate obstacles like inline JavaScript).

You can take a closer look at the gritty details of our current setup here and here.

Team members’ PGP keys now available

The transition of our development process, now headed towards MyBB 2.0, largely impacts the organizational matters of the Project itself — one of recent preparations for an improved release management protocol that are easy to spot is the rollout of PGP keys that can be used to contact Team members, if you have a feeling that your messages sometimes have more recipients than they should (or if you’d rather be safe than sorry and use it out of principle, like we do). These can be found on our refurbished Team page that now also links accounts on social media, acting as backup channels of communication.

Packages integrity and authenticity measures

While keys and fingerprints present themselves excellent on our website, they won’t be used (only) for aesthetic purposes: we will start signing MyBB releases. Designated Team members will be able to submit a public key that will be added an announced on our website and and social media feeds for transparency purposes.
Further, while the hashing algorithm used for internal file verification and passwords in MyBB 1.8 is weak in today’s standards due to the codebase’s age, there is a lot of room for improvement when it comes to verifying the packages. If you’ve been paying attention to the release notes, you’ve probably noticed that we started publishing additional, stronger checksums for each release package as of MyBB 1.8.8. These actions are intended to provide webmasters with a degree of confidence when it comes to integrity of MyBB packages while still maintaining focus on the development of MyBB 2.

Vulnerability assessment with CVSS v3

We always have been trying to provide as much information as we could when it came to security patches after an update, however we were not quite satisfied with limiting the security issue index to a simple low-medium-high scale used in MyBB 1.x. MyBB’s RFC #9 has established one of major foundations of the security process, starting with MyBB 2.0: Each vulnerability fixed in given release will have a CVSS v3 score assigned, as specified in the Common Vulnerability Scoring System, V3 document. The 8 basic metrics will allow us and any third party user, team or organization to assess the exploitability, scope and impact of vulnerabilities and to adjust the rating by adding extra details within the same scale using Temporal and Environmental Metrics, allowing system administrators to prioritize and organize proper responses. For example, a SQL Injection vulnerability in the Moderator Control Panel could be assigned a score of 6.3 (Medium) comprising of base metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, all of which would be published in release notes of corresponding releases.

Spotlight on security research

Another significant part of the Project’s organization plans is to launch a Security Hall of Fame. Researchers reporting security issues and vulnerabilities, provided they follow responsible disclosure standards, will be placed on a dedicated list in recognition of their time and cooperation. In accordance, MyBB will promote post-incident analyses and write-ups, aiming at increasing security awareness and promoting community-based code reviews. To supply you with latest details and articles related to MyBB’s state of security, we have launched a dedicated, technical Twitter feed — make sure to follow @mybbsecurity to let us help you maintain a strong grip on your board’s security.

The Web has been using encrypted WWW connections for over two decades now. First used by entities processing critical information on the Internet like banks and online shops, https:// is progressively becoming the protocol an everyday user would expect as of 2016: the Google Transparency Report shows that the average number of page loads over HTTPS has exceeded 50%, similarly to telemetry data trends from Mozilla, aided by Let’s Encrypt, a new certificate authority issuing free certificates since April.

With the dependency on Internet communications heavier than ever, simple and common mistakes often result in leaks and breaches that endanger not only the security or integrity of services, but also the privacy of their users: passwords, real names, locations, e-mail and IP addresses, browsing patterns and other personally identifiable information. Even static websites receive such data and the argument of not expecting to process sensitive information is not valid.

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

The range of possible attacks on unsecured websites is broad and you may not always be aware of the risks of providing and using websites using the unencrypted version of HTTP. Simply launching a rogue Wi-Fi hotspot in a public place can allow anyone to intercept raw traffic without much hassle. Similarly, Internet service providers and mobile network operators can allow governments to put their hands (however tiny they might be — the governments, of course) on your data regardless of intent or permissions, be forced to do so by the law or have their communications eavesdropped by passive interception of traffic.

Besides protecting services and people, upgrading the protocol has many upsides — the new HTTP/2, increasing the speed of web connections, is available only when used with encryption; using HTTPS, Google will prioritize your website in the search results. Encrypted transmissions mean that nobody will be able to manipulate your pages to inject malware or own ads, which is often the case with public access points or airplane connections. In order to push the adoption of encryption, major browsers will start notifying users of the dangers resulting from using unsecured websites. MyBB is proud to support this movement of creating a faster and safer web.

Secure connection to the Community forums — so claims Chrome for Android

The HTTPS setup tools are being constantly improved and the process is getting easier and faster, moreover you can find numerous guides and tutorials for different platforms and scripts. What’s been missing though, is a list of steps specific to MyBB because not every board administrator is experienced enough to make use of instructions that are either very generalized or very specific — for scripts other than ours.
Having jumped into the rabbit hole of technical details of securing our project’s websites and climbed back (which we’ll shed light on soon!), we created a comprehensive guidebook on enabling HTTPS that covers the most vital aspects of securing boards you manage.
We strongly recommend all webmasters and administrators upgrade their installations if they’re not running on HTTPS yet as soon as possible and encourage to consider the security and privacy of their users with utmost importance: every secured location makes a difference in today’s interconnected web.

Setting up HTTPS — MyBB Documentation →