If you are using (up to date) Chrome or Firefox browsers did you notice the security warnings they now flag up when you logged in to the forum? And do you care?
Basically Chrome and Firefox are now flagging any login page, or any form which takes 'personal information' as 'Not Secure' if they do not use HTTPS (example thinkbroadband...) Now I am not criticising TB, all such websites including the ones I run have been caught out by this, I just want to get an idea if there is a lot of feeling about this before advising clients to spend hundreds of pounds on security upgrades on sites which are not exactly huge money-earners.
It does look off-putting to me but maybe I worry too much! Yes it's a good thing to improve internet security but I worry how this will affect voluntary and low income websites which run forums etc.
Cheers
|
The fact that this site does not use HTTPS has been a bugbear for a long time, so much so that I had forgotten all about it. I would care if it was an e-commerce site, and I would prefer at least the logon page to use SSL.
|
This is why I login to TBB and other HTTP sites using my lowest level password regime. Nothing of any real worth to lose.
BT Infinity 1 (unlimited)
|
I haven't noticed on this site - but then I haven't logged in recently as it remembers who I am.
If you re-use the password anywhere important - then yes you probably should be a little concerned (you shouldn't be doing that anyway).
Hopefully most websites use standard forum software so will be updated pretty quickly and it should be a simple update as part of normal security updates
Ken
Nostalgia is memory with the pain removed
|
Unfortunately this is not a simple upgrade. Each site/domain will have to install its own security certificate at a cost of £39 +VAT per annum, plus there may be at least some fixes to links around the site and setting up of 301 redirects at a minimum.
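
The link fixes and the browser warning discussed in this thread can be checked page by page before and after a move to HTTPS. The following is an added example, not part of any post here: it flags password forms that are served or submitted over plain HTTP, plus same-host links hard-coded to http://. The host forum.example.org and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose hard-coded http:// values must be rewritten after the move.
URL_ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src", "iframe": "src"}

class HttpsAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.form_action = None    # resolved action of the form currently open
        self.insecure_logins = []  # targets that would carry a password over HTTP
        self.http_links = []       # same-host absolute http:// references

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action or self.page_url
            schemes = (urlsplit(self.page_url).scheme, urlsplit(target).scheme)
            if "http" in schemes and target not in self.insecure_logins:
                self.insecure_logins.append(target)
        value = a.get(URL_ATTRS.get(tag, ""))
        if value:
            parts = urlsplit(value)
            if parts.scheme == "http" and parts.hostname == self.host:
                self.http_links.append(value)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return {"insecure_logins": parser.insecure_logins, "http_links": parser.http_links}

# Constructed sample page; forum.example.org is a placeholder host.
SAMPLE = """<a href="http://forum.example.org/rules.html">Rules</a>
<a href="/faq.html">FAQ</a> <img src="http://forum.example.org/logo.png">
<form action="/login.php" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>"""

if __name__ == "__main__":
    print(audit("http://forum.example.org/index.html", SAMPLE))
```

Running the same audit with an https:// page URL clears the login finding, but still lists the two hard-coded links, which would otherwise depend on the 301 redirects.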
|
Cheers that is something I wasn't aware of. Looks cool but it looks like it's only suitable if you have root access to your host which is not usually the case, or if your web host company supports it directly. Will bear it in mind for future projects but for now my clients will have to pay. I will certainly try it out on my AWS hosted site though.
[Update] - wouldn't you know it I just found out my hosting company (Vidahost) do support Let's Encrypt, with the caveat that as they are new with an uncertain funding regime your certificate may not be renewed. Whatever, I'll give it a go.
Edited by realj42 (Sun 05-Feb-17 15:50:28)
|
If you have no luck getting Let's Encrypt working with Vidahost, https://www.cheapsslsecurity.co.uk offers domain validated certificates from as little as £4 a year.
Once your encryption's up and running you can fine tune security settings by checking your site at; The High-Tech Bridge SSL/TLS test and the Qualys SSL Labs test do have slight differences in what they test for and how they score so it's worth doing both.
Enjoy
|
Cheers, but these certificates still seem to need root access. I have one website working with Vidahost and Let's Encrypt so that does work.
|
If set up correctly on the host with the supplied LetsEncrypt scripts then the certificates automagically get renewed as required with no further intervention.
|
I messaged the admin on here a while ago as I was aware the browsers would start flagging it.
The response I received was there are no short term plans to change it.
Personally if I was joining as a new user, I would not bother signing up once I noticed HTTP in 2017 for login credentials.
Just login somewhere secure and then you won't need to relogin for now
|
How are you hosting without root access? How would you install any certificate without it?
For a small site I'd be hosting at home on an RPI or a VM, for anything bigger there is AWS or Google Cloud Engine... both have a free tier....
For both, letsencrypt works fine.
In AWS, they provide free SSL offloading if you set up a load balancer.
It sounds like your main "barrier" is a poor hosting provider.
|
No cheap hosting is going to provide root access unless you buy a VM/Virtual Private Server account. You can always pay the hosting business to install a certificate, that is not at issue. I imagine that soon enough most cheap hosting will offer some sort of Let's Encrypt support.
Yes an AWS solution would work but it is probably beyond the scope of people who just want a simple website. I would certainly never recommend running any internet accessible web server on your home network unless (or maybe especially if) you really think you know what you are doing.
|
That's a shame. It's very unacceptable for a tech-focused site to send passwords in the clear.
|
I recently had a look at an infographic elaborating various announcements made by giant companies like Google, Apple, etc. Have a look: https://www.cheapsslshop.com/blog/encryption-everywh...