Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[DE]

“Website not secure” seems to be a malady that is going around to several Forum sites lately. Don’t know what is causing it just hope it doesn’t show it’s ugly head on this site. Has happened to one mfg site that I own one of their PG, and another site I used to own one of their smokers. One completely updated their forum software and the other is still showing unsecure.

[Chris__M]

Specific to that site is that although they have enabled HTTPS on their site, they are not forcing HTTP to HTTPS, which is recommended.

i.e. if you hit a site as http://your.site.here it will ideally immediately force you to https://your.site.here

So on that basis alone it is a crapshoot, whether you hit it as a secure site or not depends on whose link you are following, and whether the link uses HTTPS or HTTP.

But that isn't the problem other forums are having, and this forum can have too. More on that in the next reply.

[Chris__M]

The general forum problem with "website not secure" is that they have taken an extremely stringent view of things. In some ways this is good, but I wish they had used a wide range of messages to explain to what degree a website is insecure. This would have avoided panicking people.

Basically even if  your site is secured with a certificate, using HTTPS, any content on your page that isn't secure will render your page as a whole insecure.

To illustrate. As I type this, this topic page is showing as "Secure Connection". But now I am going to add a link to an image from my own website, which is not secure:



Bingo! Simply by adding an image, I have rendered this page insecure.

So the security of your page is controlled by the least secure element on the page. Forums suffer disproportionately from this problem, as so many people contribute, some of who will be using HTTP links. Which causes people to panic and email the admins saying "your site is insecure", when the only thing insecure is that image.

Consider, that much of this concern could be avoided if - instead of "website not secure" - the message under such circumstances was "some elements or images on this page are insecure". it would save a lot of grief.

So there is not a lot you can do about the forums/"website not secure" problem, except stop people linking to http sites, which seems extreme. Eventually the problem will resolve itself, as HTTP becomes less common, but I think we are still a couple of years away from that.

[Chris__M]

Actually, it seems that Firefox does deal with this a little better than MS Edge.

[Kristin Meredith]

Thanks for the explanation Cgris.

[DE]

Yes, what Kristin said, thanks for the explanation!

[Chris__M]

Yup, I see what you mean.  Attached is a screenshot with the messaeg MS Edge displays, plus Edge shos a warning in the address bar.

Yes. It is the warning in the address bar in Edge and the broken padlock in Firefox that are the real problem. Most non-technical ordinary users will never actually click through to get the longer messages that are more informative. They will simply see "Not secure" and then distrust the security of the website as a whole.

[ArborAgent]

Simple Machines accounts for this! I’m guessing PelletFan just needs to turn on the proxy.

From: https://www.simplemachines.org/community/index.php?topic=553857.0

Where is HTTPS-support in SMF? As you may have noticed, we have just released SMF 2.0.14 which introduces full support for HTTPS. It also includes an image proxy feature to ensure that images are always served through HTTPS. Whenever it encounters an image that is hotlinked from a website without HTTPS, it temporarily caches the remote image on your server and subsequently serves it to your visitors through the HTTPS connection of your own website. This way, SMF can achieve a full HTTPS environment without warnings and notices of insecure/mixed content. The upcoming SMF 2.1 release also includes this image proxy.

Basically even if  your site is secured with a certificate, using HTTPS, any content on your page that isn't secure will render your page as a whole insecure.

To illustrate. As I type this, this topic page is showing as "Secure Connection". But now I am going to add a link to an image from my own website, which is not secure:
....
Bingo! Simply by adding an image, I have rendered this page insecure.

[Chris__M]

What an excellent feature!

[Bobitis]

I'll cut some slack to PH when they allow me to log back in. At that time, I will question if it's ethical to manipulate personal PM's. The mods there seem to have free reign to do what ever they 'feel', yet they have NO say in any other means of the site development.     

[GREG-B]

I went over there just to see if I could log back on.   I did.   Felt like I was entering a dimension foreign to me and I logged back out.   I'm home here and here is where I will stay until I get kicked to the curb.  I believe I can garner more and better information here also.

[SurfAndTurf]

my chromebook says

"your connection to this site is not fully secure"

about THIS site, Pelletfan.com

?

[Kristin Meredith]

my chromebook says

"your connection to this site is not fully secure"

about THIS site, Pelletfan.com

?

I don't know the answer because we pay extra money for a secure site.

[Chris__M]

my chromebook says

"your connection to this site is not fully secure"

about THIS site, Pelletfan.com

?

Right - read Chris_M's post.  Links to images not hosted on PF's server(s) cause an unsecure path, thus the warning.  ArborAgent's posts shows that SMF has a version (the forum software people), that addresses this hole.

Yes, that's exactly the problem I am talking about - and no-one's fault here on this site. One can't blame a user for thinking something is wrong if their browser is telling them "insecure".

The browser designers have got to stop writing code for their own level of knowledge, and aim their product at users with less technical expertise, so they don't scare the bejesus out of them. If that means more wordy error messages, so be it.

[ArborAgent]

The browser makers are doing this to force the internet to be more secure. Encrypting all connections and forcing siites to have certificates prove their identity makes us more secure. Eventually they will drop the “secure” on encrypted sites and we will only have insecure and secure.

It’s more work on site owners but better for the public. A worthwhile tradeoff