Site unsecure at login warning ?

AliGorie · March 2017

using Firefox on a Mac / Sierra I'm getting this warning @ password login - ?
described here -
https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

TTony · March 2017

Slightly further down the page that you linked ...

About insecure pages

Pages that need to transmit private information, such as credit cards, personal information and passwords, need to have a secure connection to help prevent attackers from stealing your information. (Tip: A secure connection will have "HTTPS" in the address bar, along with a green lock icon.)

Pages that don’t transmit any private information can have an unencrypted connection (HTTP). It is not advised to enter private information, such as passwords, on a web page that shows HTTP in the address bar. The information you enter can be stolen over this insecure connection.

AliGorie · March 2017

thanks TT

robinbowes · March 2017

And you're submitting passwords over http, aren't you? I've brought this up before. Should really switch to https.

monquixote · March 2017

Yep but the http linked images all over the site would trigger warnings all over the place unfortunately

robinbowes · March 2017

Insist on https links. Better that warning than passwords over http, IMHO.

monquixote · March 2017

robinbowes said:

Insist on https links. Better that warning than passwords over http, IMHO.

Unfortunately we need a time machine to fix that several years ago when the forum started.

digitalscream · March 2017

robinbowes said:

Insist on https links. Better that warning than passwords over http, IMHO.

Yep. Broken Javascript, broken image links everywhere...that's much preferable to having a functional site.

We've been here before

robinbowes · March 2017

Bah.

Strat_a_tat_tat · March 2017

Surely... if the site is insecure... it just needs a few kind words of reassurance. Something to help boost its self esteem.

crunchman · March 2017

Just changed my password. My old password was used for some other sites.

robinbowes · February 2018

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
https://blog.cloudflare.com/https-or-bust-chromes-plan-to-label-sites-as-not-secure/

digitalscream · February 2018

robinbowes said:

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
https://blog.cloudflare.com/https-or-bust-chromes-plan-to-label-sites-as-not-secure/

Yes, I'm aware.

If you'd be so kind as to tell me which bits of the site to switch off in order to make it happen, it would be ever so helpful. I'm sure everyone can live without the text editor and just type HTML in the box, right?

robinbowes · February 2018

Gosh, you're right. There are absolutely no working sites on the internet right now that have text editors.

digitalscream · February 2018

robinbowes said:

Gosh, you're right. There are absolutely no working sites on the internet right now that have text editors.

Don't be a dick. *This* website, with its reliance on plugins which are coded by PHP monkeys rather than experts, relies on an editor which doesn't currently work with HTTPS. In fact, none of the editor plugins do except the stock one, which is broken in just about every other way.

I mean...I could just take the site down for a year or so while I rewrite everything properly. Do you think that would be useful to anyone?

robinbowes · February 2018

So what is your plan? You can't just ignore it. It's not going to go away. It will all stop working some day soon. Then what?

digitalscream · February 2018

robinbowes said:

So what is your plan? You can't just ignore it. It's not going to go away. It will all stop working some day soon. Then what?

I was actually just thinking of switching over to HTTPS and putting your email address on the front of the site for support queries, since you seem to think it's so simple :P

As I've said every single other time that you've brought it up, I'm working on it. It's nowhere near as simple as you appear to think it is, and this site is not the focus of my entire life. Therefore...it'll happen when it's done and working.

m_c · February 2018

This argument was had on another forum I visit occasionally, and as somebody summed it up, what are hackers going to gain from hacking your forum account?

digitalscream · February 2018

m_c said:

This argument was had on another forum I visit occasionally, and as somebody summed it up, what are hackers going to gain from hacking your forum account?

To be fair, most people use the same password everywhere - and thus if somebody manages to get a sniffer between you and the server, they can gain access to your other accounts. However, there are so many moving parts involved in doing so that it makes such attacks extremely effort-intensive for not a lot of gain; you can't harvest many passwords in a reasonable time frame that way, and it's usually more "sensible" to go straight for vulnerabilities in the server (or its software) itself.

As I said, this is not something I'm ignoring, I'm just fighting against a lot of extremely poorly-developed third-party code to try to make it work.

robinbowes · February 2018

m_c said:

This argument was had on another forum I visit occasionally, and as somebody summed it up, what are hackers going to gain from hacking your forum account?

That's not particularly the point.

The issue is that at some stage relatively soon, browsers are going to stop working with http altogether.

R.

robinbowes · February 2018

digitalscream said:

robinbowes said:

So what is your plan? You can't just ignore it. It's not going to go away. It will all stop working some day soon. Then what?

I was actually just thinking of switching over to HTTPS and putting your email address on the front of the site for support queries, since you seem to think it's so simple :P

As I've said every single other time that you've brought it up, I'm working on it. It's nowhere near as simple as you appear to think it is, and this site is not the focus of my entire life. Therefore...it'll happen when it's done and working.

Happy to help, if I can.

R.

digitalscream · February 2018

robinbowes said:

The issue is that at some stage relatively soon, browsers are going to stop working with http altogether.

They won't, for many many reasons. Certainly not before another secure-only protocol replaces HTTP/HTTPS.

PVO_Dave · March 2018

Any appetite to change to a different forum platform @digitalscream ? Might make it easier for you in the long run, does seem (from reading some of your posts) like you have to do a fair bit of manual work to get stuff working with Vanilla.

Might be worth considering? (as long as it's not VBulletin!) Not that the https thing bothers me btw

digitalscream · March 2018

PVO_Dave said:

Any appetite to change to a different forum platform @digitalscream ? Might make it easier for you in the long run, does seem (from reading some of your posts) like you have to do a fair bit of manual work to get stuff working with Vanilla.

Might be worth considering? (as long as it's not VBulletin!) Not that the https thing bothers me btw

None of the available platforms are problem-free. My plan - which I'm also working on as we go - is to replicate the back-end in API form using Rails, which will feed into other development that we need to complete in order to meet our overall goals of turning this into more-than-just-a-forum.

Once I've rebuilt the data structures and logic in a more sensible (and scalable) form, it opens up the possibility of using much better (and more modern) front-end libraries to solve all of these problems.

PVO_Dave · March 2018

Headless forum!

Funkfingers · March 2018

All those in favour of reverting to communication via weekly or monthly print publications, say aye.

olafgarten · April 2018

You could setup a proxy page that serves insecure content over https. It would increase server load but you could also implement a caching system for content in popular posts to improve speed.

thebreeze · October 2018

Can I just ask a basic question please? When people buy and sell gear on here a lot of that, if not all, takes place via PM including the exchange of a fair amount of private details. Are PM's secure? I'm no techy, so just need a yes or no I think so I can act accordingly. Many thanks.

digitalscream · October 2018

thebreeze said:

Can I just ask a basic question please? When people buy and sell gear on here a lot of that, if not all, takes place via PM including the exchange of a fair amount of private details. Are PM's secure? I'm no techy, so just need a yes or no I think so I can act accordingly. Many thanks.

They're secure as in "there's no way to access the database, and the only other way to get them is to be involved in the thread". The only person outside a conversation who can read them is me, and I don't ever do that unless there's a serious legal issue at hand.

thebreeze · October 2018

Thanks @digitalscream - that’s good to know.

PVO_Dave · April 2019

Not a moan as completely understand and have no issue with the https position, but bit of a heads up that it’s starting to show the warning now on my iPhone in Safari, hadn’t noticed it before, don’t know if it’s 12.2 release addition but might drive some more ‘enquiries’ your way

Howdy, Stranger!

Categories

In this Discussion

Become a Subscriber!

Site unsecure at login warning ?

Comments

About insecure pages