Standard User realj42
(regular) Sun 05-Feb-17 10:11:05

New browser security warnings - do you care?


If you are using (up to date) Chrome or Firefox browsers did you notice the security warnings they now flag up when you logged in to the forum? And do you care?

Basically Chrome and Firefox are now flagging any login page, or any form which takes 'personal information', as 'Not Secure' if they do not use HTTPS (example thinkbroadband...). Now I am not criticising TB, all such websites including the ones I run have been caught out by this; I just want to get an idea if there is a lot of feeling about this before advising clients to spend hundreds of pounds on security upgrades on sites which are not exactly huge money-earners.

It does look off-putting to me but maybe I worry too much! Yes it's a good thing to improve internet security but I worry how this will affect voluntary and low income websites which run forums etc.

Cheers

Standard User micksharpe
(legend) Sun 05-Feb-17 11:06:03

Re: New browser security warnings - do you care?

[re: realj42]

The fact that this site does not use HTTPS has been a bugbear for a long time, so much so that I had forgotten all about it. I would care if it was an e-commerce site, and I would prefer at least the logon page to use SSL.

Standard User gomezz
(eat-sleep-adslguide) Sun 05-Feb-17 11:13:31

Re: New browser security warnings - do you care?

[re: realj42]

This is why I log in to TBB and other HTTP sites using my lowest level password regime. Nothing of any real worth to lose.

BT Infinity 1 (unlimited)


Standard User Kenneth
(legend) Sun 05-Feb-17 11:23:36

Re: New browser security warnings - do you care?

[re: realj42]

I haven't noticed on this site - but then I haven't logged in recently as it remembers who I am.

If you re-use the password anywhere important - then yes you probably should be a little concerned (you shouldn't be doing that anyway).

Hopefully most websites use standard forum software so will be updated pretty quickly and it should be a simple update as part of normal security updates.

Ken

Nostalgia is memory with the pain removed

Standard User realj42
(regular) Sun 05-Feb-17 13:47:57

Re: New browser security warnings - do you care?

[re: Kenneth]

Unfortunately this is not a simple upgrade. Each site/domain will have to install its own security certificate at a cost of £39 +VAT per annum, plus there may be at least some fixes to links around the site and setting up of 301 redirects at a minimum.
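
Added example (not part of any post in this thread): a small audit over a page's HTML for the two things discussed above, the password field on a plain-HTTP page that triggers the browser warning and the hard-coded http:// links that still need fixing after the move to HTTPS. The hostnames, the sample page and the finding names are constructed for illustration, and the password-field check is a simplification of the browsers' actual criteria.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that submits data or loads a subresource (a subset, for illustration).
URL_ATTRS = {"form": "action", "script": "src", "img": "src", "iframe": "src"}


class HttpsAudit(HTMLParser):
    """Collect what must change before a page can be served cleanly over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            # Assumption: a password field on an http:// page is what gets flagged.
            if urlsplit(self.page_url).scheme == "http":
                self.findings.append(("password-field-on-http", self.page_url))
        attr = URL_ATTRS.get(tag)
        if attr and a.get(attr):
            # Resolve relative and scheme-relative URLs against the page URL.
            target = urljoin(self.page_url, a[attr])
            if urlsplit(target).scheme == "http":
                kind = "form-posts-over-http" if tag == "form" else "http-subresource"
                self.findings.append((kind, target))


def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """
<form action="/login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<img src="http://static.example.org/logo.png">
<script src="//cdn.example.org/app.js"></script>
"""

if __name__ == "__main__":
    for url in ("http://forum.example.org/login", "https://forum.example.org/login"):
        print(url, audit(url, SAMPLE))
```

Run against the same markup served over HTTPS, the only remaining finding is the hard-coded http:// image, which is the kind of link that has to be edited by hand.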

Standard User Davey_H
(learned) Sun 05-Feb-17 13:51:06

Re: New browser security warnings - do you care?

[re: realj42]

https://letsencrypt.org

Standard User realj42
(regular) Sun 05-Feb-17 15:39:18

Re: New browser security warnings - do you care?

[re: Davey_H]

Cheers, that is something I wasn't aware of. Looks cool but it looks like it's only suitable if you have root access to your host which is not usually the case, or if your web host company supports it directly. Will bear it in mind for future projects but for now my clients will have to pay. I will certainly try it out on my AWS hosted site though.

[Update] - wouldn't you know it, I just found out my hosting company (Vidahost) do support Let's Encrypt, with the caveat that, as they are new with an uncertain funding regime, your certificate may not be renewed. Whatever, I'll give it a go.

Edited by realj42 (Sun 05-Feb-17 15:50:28)

Standard User caffn8me
(knowledge is power) Sun 05-Feb-17 16:19:14

Re: New browser security warnings - do you care?

[re: realj42]

If you have no luck getting Let's Encrypt working with Vidahost, https://www.cheapsslsecurity.co.uk offers domain validated certificates from as little as £4 a year.

Once your encryption's up and running you can fine tune security settings by checking your site at;

The High-Tech Bridge SSL/TLS test and the Qualys SSL Labs test do have slight differences in what they test for and how they score so it's worth doing both.

Enjoy :)

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Standard User realj42
(regular) Sun 05-Feb-17 19:35:14

Re: New browser security warnings - do you care?

[re: caffn8me]

Cheers, but these certificates still seem to need root access. I have one website working with Vidahost and Let's Encrypt so that does work.

Standard User GeeTee
(committed) Sun 05-Feb-17 19:44:08

Re: New browser security warnings - do you care?

[re: realj42]

If set up correctly on the host with the supplied LetsEncrypt scripts then the certificates automagically get renewed as required with no further intervention.

Standard User ukhardy07
(knowledge is power) Sun 05-Feb-17 23:12:45

Re: New browser security warnings - do you care?

[re: realj42]

I messaged the admin on here a while ago as I was aware the browsers would start flagging it.
The response I received was there are no short term plans to change it.

Personally if I was joining as a new user, I would not bother signing up once I noticed HTTP in 2017 for login credentials.

Just login somewhere secure and then you won't need to relogin for now :)

Standard User nemeth782
(committed) Mon 06-Feb-17 08:33:00

Re: New browser security warnings - do you care?

[re: realj42]

How are you hosting without root access? How would you install any certificate without it?

For a small site I'd be hosting at home on an RPI or a VM, for anything bigger there is AWS or Google Cloud Engine... both have a free tier....

For both, letsencrypt works fine.

In AWS, they provide free SSL offloading if you set up a load balancer.

It sounds like your main "barrier" is a poor hosting provider.

Standard User realj42
(regular) Mon 06-Feb-17 09:12:56

Re: New browser security warnings - do you care?

[re: nemeth782]

No cheap hosting is going to provide root access unless you buy a VM/Virtual Private Server account. You can always pay the hosting business to install a certificate, that is not at issue. I imagine that soon enough most cheap hosting will offer some sort of Let's Encrypt support.

Yes an AWS solution would work but it is probably beyond the scope of people who just want a simple website. I would certainly never recommend running any internet accessible web server on your home network unless (or maybe especially if) you really think you know what you are doing.

Standard User Zadeks
(experienced) Mon 06-Feb-17 15:52:35

Re: New browser security warnings - do you care?

[re: ukhardy07]

That's a shame. It's very unacceptable for a tech-focused site to send passwords in the clear.

Standard User Lars
(newbie) Tue 07-Feb-17 12:11:57

Re: New browser security warnings - do you care?

[re: realj42]

I recently had a look at an infographic elaborating various announcements made by giant companies like Google, Apple, etc. Have a look: https://www.cheapsslshop.com/blog/encryption-everywh...