Website not secure ?

Post here for any improvements, ideas, thoughts you might have.
crr003
Posts: 951
Joined: Fri Oct 02, 2015 5:32 pm

Website not secure ?

Postby crr003 » Fri Jun 01, 2018 5:42 pm

Logging in here from an iPad, it displays "website not secure".
Living life to its limits, I logged in anyway, but just wondered if there was an issue?

User avatar
GTR1400MAN
Posts: 2209
Joined: Fri Apr 29, 2016 12:23 pm

Re: Website not secure ?

Postby GTR1400MAN » Fri Jun 01, 2018 6:45 pm

This site doesn't use HTTPS so the message is correct but poorly worded.

What it means is anything sent is not encrypted and could be sniffed by malware on your device or unsecure public wifi.

A lot of small forums like this are the same.

I've been looking for an inexpensive solution for one I run since Chrome and Apple started scaring (informing) people.
Mike Roberts - Now riding a Triumph Explorer XRT. My username comes from my 50K miles on a Kawasaki 1400GTR, after many years on Hondas of various shapes and styles. - https://tinyurl.com/mikerobertsonyoutube

User avatar
akirk
Posts: 1659
Joined: Sun Sep 27, 2015 6:58 pm
Location: Bristol

Re: Website not secure ?

Postby akirk » Fri Jun 01, 2018 7:39 pm

as Mike says...

it is on my list to add an SSL certificate to the website - we are currently working our way down a list of websites we run / host - so we will get to it...
the SSL we use is Comodo and very good - a professional solution, not a free one, but with the nature of our hosting, it makes it more complex to set up...

it should be noted that all SSL does is encrypt the connection between your computer and our server - it has nothing to do with the inherent security of the website itself... simplest option for now is don't connect while on an open wifi connection (e.g. sitting at a cafe table) :) if you do, and you were randomly hacked a) I suspect that no-one would be that interested in what is on that connection and b) a proportion of it is public anyway...

interestingly - malware can often sniff through browser / keyboard hacks even when there is an SSL connection - SSL encrypts from browser to server - it doesn't affect either side of that section of communication (what you type in the browser / what the server does)

hope that helps

Alasdair

User avatar
GTR1400MAN
Posts: 2209
Joined: Fri Apr 29, 2016 12:23 pm

Re: Website not secure ?

Postby GTR1400MAN » Wed Jun 27, 2018 1:22 pm

With July looming ever closer where Google have decided they will display 'Not Secure' for every Non-SSL site displayed in Chrome (and allegedly down rank them in search results), I have bitten the bullet and upgraded my Group's site and forum to SSL. On investigation I found that the hosting company had already put in place a certificate from Let's Encrypt, that is automatically renewed. All that was needed was some URL Rewrite statements in the HTACCESS file and a cookie change in PHPBB and it was all working ... well almost. As our site has http headers set to strict there were several pages that needed updating to allow embedded content from third parties to display.

Now to convince Google our address has changed. Sadly despite their forthcoming big brother enforcement, their maintenance tools still see HTTP and HTTPS versions of the same site/content as different sites!
Mike Roberts - Now riding a Triumph Explorer XRT. My username comes from my 50K miles on a Kawasaki 1400GTR, after many years on Hondas of various shapes and styles. - https://tinyurl.com/mikerobertsonyoutube

User avatar
akirk
Posts: 1659
Joined: Sun Sep 27, 2015 6:58 pm
Location: Bristol

Re: Website not secure ?

Postby akirk » Wed Jun 27, 2018 3:50 pm

It is something still on my list - not sure I want the extra cost across a large number of not so important websites (commercially that is - i.e. they don't bring in any money to me, all hosting costs come out of my pocket...) Actually what Google are doing is I think irresponsible - because there is no need for many sites to be https - so, they should not be downgrading them unless it is necessary... yes, fine for eCommerce etc. - but if I have a site (which some of my clients have) which is basically an online business card - where you can not interact, then there is absolutely and categorically no need to have SSL...

now it will only take someone to sue Google based on restraint of business / abuse of monopoly... ;)
could be interesting!

Alasdair

User avatar
jont-
Posts: 1522
Joined: Mon Sep 28, 2015 7:12 am
Location: Herefordshire

Re: Website not secure ?

Postby jont- » Wed Jun 27, 2018 5:27 pm

We still have to log in on here, which means a password is going unencrypted. I'm sure everyone has good hygiene and uses a different and secure password for each site ( :lol: ), but it's still a good idea to make people think more about online security.

User avatar
GTR1400MAN
Posts: 2209
Joined: Fri Apr 29, 2016 12:23 pm

Re: Website not secure ?

Postby GTR1400MAN » Wed Jun 27, 2018 7:14 pm

akirk wrote:It is something still on my list - not sure I want the extra cost across a large number of not so important websites (commercially that is - i.e. they don't bring in any money to me, all hosting costs come out of my pocket...) Actually what Google are doing is I think irresponsible - because there is no need for many sites to be https - so, they should not be downgrading them unless it is necessary... yes, fine for eCommerce etc. - but if I have a site (which some of my clients have) which is basically an online business card - where you can not interact, then there is absolutely and categorically no need to have SSL...

now it will only take someone to sue Google based on restraint of business / abuse of monopoly... ;)
could be interesting!

Alasdair

I totally agree. The other thing that will happen is that a lot of sites just won't implement SSL and users will get used to ignoring Chrome's warning ... until it is too late on an important site, like banking, and they have been redirected by malware. :o :cry:

Google's public argument is SSL prevents injection by ISP's, hackers, etc. into the packets coming to the user, so therefor even 'business card' sites, of which there are many (including most of the ones I do), still need it . Many hosting companies have in the past injected adverts etc. into the data. I think there is more to this, especially with them controlling which SSL certificates they will acknowledge. Also as many smaller hosting companies don't allow access to the server to install certificates, or provide that service, it will also kill many of these smaller hosts off. And so the further commercialisation of the web for big(ger) business continues. :evil: :geek: :ugeek:
Mike Roberts - Now riding a Triumph Explorer XRT. My username comes from my 50K miles on a Kawasaki 1400GTR, after many years on Hondas of various shapes and styles. - https://tinyurl.com/mikerobertsonyoutube

User avatar
akirk
Posts: 1659
Joined: Sun Sep 27, 2015 6:58 pm
Location: Bristol

Re: Website not secure ?

Postby akirk » Wed Jun 27, 2018 9:14 pm

the big issue is really that a decent certificate is commercial and costs money every year, people won't bother spending it, plus for real protection you need to consider firewalls, etc. as well...

and most hacking comes from a dodgy email and then something loaded on the computer, SSL only protects against a wifi hack during transmission, statistically unlikely...

hey ho :)
Alasdair

Pyrolol
Posts: 73
Joined: Sun Oct 04, 2015 1:52 am
Location: San Francisco

Re: Website not secure ?

Postby Pyrolol » Thu Jun 28, 2018 10:44 am

jont- wrote:We still have to log in on here, which means a password is going unencrypted. I'm sure everyone has good hygiene and uses a different and secure password for each site ( :lol: ), but it's still a good idea to make people think more about online security.

Seconded. It doesn't bother me personally because my passwords generally are unique, but any site that does login should be https. The reality is that most people's logins here are probably not unique. Having said that they're probably already compromised somewhere else...

Let's encrypt is fine - there's no need for commercial certificates. It's still a hassle though, so I understand where we are and am still appreciative of your hosting the site for us Alasdair.

User avatar
akirk
Posts: 1659
Joined: Sun Sep 27, 2015 6:58 pm
Location: Bristol

Re: Website not secure ?

Postby akirk » Thu Jun 28, 2018 11:32 am

Pyrolol wrote:
jont- wrote:We still have to log in on here, which means a password is going unencrypted. I'm sure everyone has good hygiene and uses a different and secure password for each site ( :lol: ), but it's still a good idea to make people think more about online security.

Seconded. It doesn't bother me personally because my passwords generally are unique, but any site that does login should be https. The reality is that most people's logins here are probably not unique. Having said that they're probably already compromised somewhere else...

Let's encrypt is fine - there's no need for commercial certificates. It's still a hassle though, so I understand where we are and am still appreciative of your hosting the site for us Alasdair.


generally agree - and this site is on my list - but we have just gone through a major exercise in the last 8 weeks in upgrading our firewall (software / rules / hardware), so it hasn't been the highest priority...

ultimately, because of the way we have our servers configured, we have made a decision to use commercial certificates - so while there are several free options (and indeed even ones embedded in the server software), this is the route ahead...

so, it will happen... regarding any website, I think everyone should be cautious about how they use online spaces - if you can't afford for it to be hacked / made public, then don't put it online... I can guarantee that we are not hack proof - if hackers can take down the White House / FBI / organisations with a much bigger budget than mine, then I am sure we can be hacked - so sometimes the best defences come from simply making it not worth while - like houses, you can spend a fortune on drawbridges and a portcullis - or you can simply not own any fancy jewellery! I suspect that our conversations are generally too boring to be worth hacking... ;)

Alasdair


Return to “This Website”

Who is online

Users browsing this forum: No registered users and 8 guests