Pelican Parts Forums (http://forums.pelicanparts.com/)
-   Off Topic Discussions (http://forums.pelicanparts.com/off-topic-discussions/)
-   -   Why is this site, "not secure"?? (http://forums.pelicanparts.com/off-topic-discussions/1025458-why-site-not-secure.html)

speeder 04-02-2019 06:38 PM

Why is this site, "not secure"??
 
I've never noticed this before, in the address bar it says, "Not Secure--forums.pelicanparts.com"

What the what? :confused:

A930Rocket 04-02-2019 06:41 PM

I’ve asked that as well. I remember Erik at PP told us but don’t recall the answer.

Maybe it’s because it’s not worth paying for the security certificate or similar?

id10t 04-02-2019 06:42 PM

It is delivered via plain HTTP and not SSL/TLS wrapped HTTP (aka HTTPS, the "green icon/lock")

So the only thing insecure about it is the traffic across the wire isn't encrypted between your browser and the forum servers.

You are just starting to see it now because the browser companies have finally started trying to get non-technical people to understand what they are doing, how they are doing it, and possibly who they are doing it with.

Since all you are sending/receiving is ending up in public anyway, no issues. You'll note if you log out and log back in that your login is processed via HTTPS. No issues here, just change in browser behavior.

URY914 04-02-2019 06:45 PM

Russians. ;)

masraum 04-02-2019 06:53 PM

When I click the warning, it says "parts of this page are not secure (like images)"

piscator 04-02-2019 07:17 PM

id10t, nice explanation!

stomachmonkey 04-02-2019 07:17 PM

Because it does not need to be.

Encryption slows things down and there is no sensitive data being passed here beyond what we already voluntarily reveal ourselves.

Bill Douglas 04-02-2019 07:19 PM

Quote:

Originally Posted by URY914 (Post 10414374)
Russians. ;)

Chinese :eek:

Brando 04-02-2019 07:44 PM

When this was brought up last year (and the year before that) some elements of the site are still served up on HTTP instead of HTTPS. The forums are behind the rest of the site because a lot of content (images and scripts) are still referencing HTTP.

RSBob 04-02-2019 08:49 PM

Quote:

Originally Posted by Bill Douglas (Post 10414407)
Chinese :eek:

Iranians

KFC911 04-03-2019 02:07 AM

Quote:

Originally Posted by stomachmonkey (Post 10414401)
Because it does not need to be.

....

^^^ This....and encryption/decryption is NOT free in terms of overhead costs and performance.

cabmandone 04-03-2019 03:16 AM

Da Russians..

No SSL certificate for the page. No e-commerce done, no real need for a SSL... but google and others have been driving this nonsense and if you don't have the SSL, you get the scary red triangle. I had to purchase the SSL because browsers weren't allowing customers to get to my website or the customer was too worried about "not secure". I don't take any payments through my website... but have to have the stupid SSL if I don't want customers being freaked out and thinking I'm a scammer.

stomachmonkey 04-03-2019 04:45 AM

For those of you who think you may need SSL look at Let’s Encrypt, https://letsencrypt.org

Free and works.

id10t 04-03-2019 04:55 AM

Quote:

Originally Posted by stomachmonkey (Post 10414610)
For those of you who think you may need SSL look at Let’s Encrypt, https://letsencrypt.org

Free and works.

Free, works, and works well. Also works for doing SMTP w/ SSL/TLS and wrapping both POP3 and IMAP in SSL.

"Only" down side is short certificate life but if you have the skills to be messing around setting up web/mail servers and needing SSL you should be able to set up a cron job to keep your certificate valid.

Neilk 04-03-2019 05:22 AM

Quote:

Originally Posted by URY914 (Post 10414374)
Russians. ;)

Everyone knows it is a fat kid in his mom's basement.

cabmandone 04-03-2019 05:32 AM

Quote:

Originally Posted by stomachmonkey (Post 10414610)
For those of you who think you may need SSL look at Let’s Encrypt, https://letsencrypt.org

Free and works.

Where were you a month ago!?

cstreit 04-03-2019 05:53 AM

Even though the content is delivered as https (secure), images are displayed insecurely so the site is flagged.

If even one element of a page is unencrypted, browsers flag it as "not secure".

Not a big deal for a forum. HUGE deal for ecom sites. It's misleading by the browser companies to make such a big issue of this IMO, but Google led the way with "secure everything" by de-ranking sites that weren't all secure.

We saw that wind coming a few years ago and just delivered all content that way.

id10t 04-03-2019 06:12 AM

Quote:

Originally Posted by cstreit (Post 10414676)
Even though the content is delivered as https (secure), images are displayed insecurely so the site is flagged.

If even one element of a page is unencrypted, browsers flag it as "not secure".

Not a big deal for a forum. HUGE deal for ecom sites. It's misleading by the browser companies to make such a big issue of this IMO, but Google led the way with "secure everything" by de-ranking sites that weren't all secure.

We saw that wind coming a few years ago and just delivered all content that way.

Yup, and the issue you see with the mixed content is from here where people have posted images on other web servers, etc.
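The mixed-content behaviour described in the last few posts (images hot-linked from other http:// servers making an https page "not secure", scripts being the more serious case, and stealthn's later point about a login form posting in clear text) can be checked mechanically. The following is an added example written for this page, not code from Pelican Parts or vBulletin; the page URL, the HTML and every host in it are constructed for the demonstration.

```python
"""Classify the mixed content that makes a browser show "Not Secure".

Added example; this is not code from Pelican Parts or vBulletin. The page
URL, the HTML and every host in it are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers load "passive" mixed content (images, media) but downgrade the
# page indicator; "active" mixed content (scripts, styles, frames) is blocked
# outright because it can run code in the page. A password form posting to
# an http:// URL is the worst case: the credentials cross the wire in clear.
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []           # (severity, tag, absolute URL)
        self._form_action = None     # action of the form currently open
        self._form_has_password = False

    def _resolve(self, url):
        """Resolve relative and protocol-relative URLs against the page."""
        absolute = urljoin(self.page_url, url)
        return urlsplit(absolute).scheme == "http", absolute

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in PASSIVE or tag in ACTIVE:
            attr = PASSIVE.get(tag, ACTIVE.get(tag))
            if a.get(attr):
                insecure, absolute = self._resolve(a[attr])
                if insecure:
                    severity = "passive" if tag in PASSIVE else "active"
                    self.findings.append((severity, tag, absolute))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            insecure, absolute = self._resolve(a["href"])
            if insecure:
                self.findings.append(("active", "link", absolute))
        elif tag == "form":
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_password and urlsplit(self._form_action).scheme == "http":
                self.findings.append(("credentials", "form", self._form_action))
            self._form_action = None


def scan(html, page_url):
    """Return the list of insecure subresources found on an HTTPS page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def indicator(findings):
    """What the address bar will say for the page, given the scan result."""
    return "Not Secure" if findings else "Secure"


# Server-side fix equivalent to the CSP directive `upgrade-insecure-requests`:
# rewrite scheme-absolute http:// URLs in src/href/action attributes. Only
# works if every referenced host actually serves HTTPS.
_ATTR_HTTP = re.compile(r'((?:src|href|action)\s*=\s*["\'])http://', re.IGNORECASE)


def upgrade_insecure(html):
    return _ATTR_HTTP.sub(r"\1https://", html)


# Constructed sample: a thread page where members hot-linked an image and an
# ad script from other servers, plus a login form posting over plain HTTP.
PAGE_URL = "https://forums.example.com/thread/123"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/forum.css">
<script src="http://ads.example.net/show.js"></script>
</head><body>
<img src="//images.example.com/hosted.jpg">
<img src="http://photos.example.org/porsche.jpg">
<img src="/support/smileys/blah.gif">
<form action="http://forums.example.com/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>"""

if __name__ == "__main__":
    found = scan(SAMPLE_HTML, PAGE_URL)
    print(indicator(found))
    for severity, tag, url in found:
        print(f"  {severity:<11} <{tag}> {url}")
    print("after upgrade:", indicator(scan(upgrade_insecure(SAMPLE_HTML), PAGE_URL)))
```

Relative and protocol-relative references (the stylesheet, the `//images...` picture, the local smiley) inherit the page's https scheme and are not flagged; only the three scheme-absolute http:// references are. Rewriting them to https only helps when the remote host actually serves HTTPS, which is exactly why a forum full of member-posted hot-links is hard to clean up.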

GH85Carrera 04-03-2019 06:21 AM

Quote:

Originally Posted by stomachmonkey (Post 10414401)
Because it does not need to be.

Encryption slows things down and there is no sensitive data being passed here beyond what we already voluntarily reveal ourselves.

This. Totally public content, no need to encrypt. If you go to the parts catalog, and place an order, you will see the site turn into a secure site. That is when security is vital.

cstreit 04-03-2019 06:38 AM

Quote:

Originally Posted by GH85Carrera (Post 10414699)
This. Totally public content, no need to encrypt. If you go to the parts catalog, and place an order, you will see the site turn into a secure site. That is when security is vital.

This is what's so frustrating about Google's decision and that of the browser companies following suit.

It scares the uninformed user. There is simply no need to encrypt static boring content, but the "warning" implies that there is something nefarious going on.

stomachmonkey 04-03-2019 06:42 AM

Quote:

Originally Posted by id10t (Post 10414619)
Free, works, and works well. Also works for doing SMTP w/ SSL/TLS and wrapping both POP3 and IMAP in SSL.

"Only" down side is short certificate life but if you have the skills to be messing around setting up web/mail servers and needing SSL you should be able to set up a cron job to keep your certificate valid.

Most people who don't have that skill are using a hosting panel like Plesk, cPanel.

Let's Encrypt is a one button click install and configure in Plesk these days.

I think it may be in cPanel as well.

And it auto renews now so short cert life not that big a deal anymore.

stomachmonkey 04-03-2019 06:45 AM

Quote:

Originally Posted by cstreit (Post 10414728)
This is what's so frustrating about Google's decision and that of the browser companies following suit.

It scares the uninformed user. There is simply no need to encrypt static boring content, but the "warning" implies that there is something nefarious going on.

Don't disagree but think about what would need to happen for the browser to make a determination on the risk of each bit of content running under a non secure directory.

It'd probably be painfully slow and then there is the "...but you said it was not that big a threat and I got hacked..." crowd.

Personally I hate it.

stomachmonkey 04-03-2019 06:46 AM

Quote:

Originally Posted by cabmando (Post 10414651)
Where were you a month ago!?

Did you ask the Pelican Brain Trust first?

If you did I missed it so my apologies there.

You can always go Let's Encrypt when your current cert expires.

cabmandone 04-03-2019 06:49 AM

Quote:

Originally Posted by stomachmonkey (Post 10414743)
Did you ask the Pelican Brain Trust first?

If you did I missed it so my apologies there.

You can always go Let's Encrypt when your current cert expires.

Nope! Shoulda known better too! If it can be answered, it'll be answered here.

911 Rod 04-03-2019 07:54 AM

When I switched my company's domain over to GoDaddy last year they really pushed me for a "secure" site.
They made it sound like I better spend the extra or ....you know.
It's a content only website.

Ziggythecat 04-03-2019 08:47 AM

Quote:

Originally Posted by speeder (Post 10414363)
I've never noticed this before, in the address bar it says, "Not Secure--forums.pelicanparts.com

What the what? :confused:

It started showing up with the latest iPhone update.

stealthn 04-03-2019 12:03 PM

It needs to be fixed period.

The page in the concern category is the login page; meaning your username and password are sent in clear text over the internet.

Please fix Pelican

Oracle 04-03-2019 12:32 PM

If you offer a forum with free speech there are responsibilities...
The feds will want to be able to access all your messages and what you send (even if using a 2nd account).

So, this is not a technical thing... its a "I leave you alone but cooperate" kind of deal..

Crowbob 04-03-2019 07:37 PM

I read this entire thread. It reminds me of statistics. I sat through an entire term of statistics in college and didn’t understand any of it.

stomachmonkey 04-03-2019 08:23 PM

Quote:

Originally Posted by stealthn (Post 10415209)
It needs to be fixed period.

The page in the concern category is the login page; meaning your username and password are sent in clear text over the internet.

Please fix Pelican

Meh, as long as one is not using the same user/pass as they use for say, their bank....

Which by the way, happy to see you don't.

Yes, I checked.

Rawknees'Turbo 04-03-2019 08:29 PM

Quote:

Originally Posted by Oracle (Post 10415248)
If you offer a forum with free speech there are responsibilities...
The feds will want to be able to access all your messages and what you send (even if using a 2nd account).

So, this is not a technical thing... its a "I leave you alone but cooperate" kind of deal..

The Pelican forums are definitely not "free speech", but are a censor at whim and will platform (not sure if you were saying it is a free speech forum, however).

KFC911 04-04-2019 02:53 AM

Can't have yer "tits" transmitted over the Internet so the geeks can't see 'em....WAH :(!

What if it literally cost 7 figures to encrypt those pics?

I used to live this stuff too...on a rather large scale ;).

T-Rex

KFC911 04-04-2019 02:58 AM

Quote:

Originally Posted by Crowbob (Post 10415765)
I read this entire thread. It reminds me of statistics. I sat through an entire term of statistics in college and didn’t understand any of it.

Computer Science, Advanced Communications, and Quantitative Analysis are easy peasy if yer gifted in those arenas...

I have to mow my own lawn though ;)

stealthn 11-26-2019 02:05 PM

Sorry, they do have one, it's just not implemented correctly (I would suspect to let the ads in).

http://forums.pelicanparts.com/uploa...1574805896.JPG

pmax 11-26-2019 03:30 PM

Quote:

Originally Posted by stomachmonkey (Post 10415790)
Meh, as long as one is not using the same user/pass as they use for say, their bank....

Which by the way, happy to see you don't.

Yes, I checked.

There have been cases where someone's ID was stolen and used in a for sale scam here.

john70t 11-26-2019 04:04 PM

The "already pinged" list of spam seems to have disappeared.

As noted, "secure" should only be required for some functions.
Maybe it's easier to code the whole site that way?

Https removes any anonymity for visitors not using proxies.
As does the new Pelican PARF login requirement and Google javascript required for private messages.
More tracking.

Oracle 11-26-2019 05:02 PM

It's a cross-reference thing.. if the site is secure it's harder to connect to unsecure sources of advertisements.. Also allows for cross-site scripting injection, so more advertisements and things like cookies can be injected and later harvested by other sites..

This is a technical choice.

Profits over everything else. Lets not forget we are the product here

930addict 11-26-2019 08:25 PM

The forum should also use https as the certificate not only serves to encrypt the connection between the browser and the server, it also validates that you are connecting to the legitimate pelican forum server. In its current configuration it would be rather trivial to bring up another server and masquerade as forums.pelicanparts.com, conduct a DNS poisoning attack to redirect everyone to the imposter server and capture everyone's logins. The fact this is not their e-commerce site should not preclude them from protecting the forum servers. Attackers may be able to find their way into more sensitive areas of their operation. Remember the Target credit card breach? The attackers exploited a weakness in the HVAC systems and found their way to the credit card machines.

The go daddy cert issued to pelican parts e-commerce site can only be used on www.pelicanparts.com and pelicanparts.com. Pelican parts would need to either get another cert for forums.pelicanparts.com or update their current cert to a SAN cert that could be used for pelicanparts.com and forums.pelicanparts.com. I would opt for a separate cert so if one is compromised (say the forum cert) it doesn't affect the other (cert used for e-commerce site).

Looking at the go daddy pricing for certs, a single domain is only $63.99 per year, a san cert is $159.99 per year and a wildcard cert which can be used on *.pelicanparts.com $295 per year. Cheap insurance IMHO.
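The point in the post above, that a certificate is only good for the names in its subjectAltName and that the choice between a per-host cert, a multi-name SAN cert and a wildcard decides which hostnames a browser will accept, can be shown with the matching rules browsers apply. The following is an added example written for this page, not Pelican Parts' or GoDaddy's code; the SAN lists are constructed to mirror the three options named in the post, and the matcher is a simplified form of the RFC 6125 rules (no IP-address SANs, no internationalised names).

```python
"""Which hostnames a certificate's subjectAltName actually covers.

Added example, not Pelican Parts' or GoDaddy's code. It implements the
dNSName matching rules browsers apply (simplified from RFC 6125: no IP
SANs, no internationalised names) and applies them to the three purchase
options named in the post. The SAN lists are constructed for the example.
"""
import socket
import ssl


def hostname_matches(san_entry, hostname):
    """True if one dNSName SAN entry covers hostname.

    Matching is case-insensitive. A wildcard is honoured only as the whole
    leftmost label and must leave at least two labels to its right, so
    '*.pelicanparts.com' covers 'forums.pelicanparts.com' but not the apex
    'pelicanparts.com', not 'a.b.pelicanparts.com', and 'f*.pelicanparts.com'
    or '*.com' are rejected outright.
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    san_labels = san.split(".")
    host_labels = host.split(".")
    if "*" in san:
        if san_labels[0] != "*" or len(san_labels) < 3:
            return False
        if len(host_labels) != len(san_labels) or not host_labels[0]:
            return False
        return san_labels[1:] == host_labels[1:]
    return san == host


def cert_covers(san_list, hostname):
    """True if any SAN entry in the certificate covers hostname."""
    return any(hostname_matches(s, hostname) for s in san_list)


def coverage_report(certs, hostnames):
    """Map each certificate name to {hostname: covered?}."""
    return {name: {h: cert_covers(sans, h) for h in hostnames}
            for name, sans in certs.items()}


def live_san_list(hostname, port=443, timeout=5.0):
    """Fetch the dNSName SANs a real server presents, after full verification.

    Not used by the offline demonstration below; shown as the check one
    would run against a live host. ssl.create_default_context() enables
    hostname checking and chain validation, so a mismatch raises.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists for the three options discussed in the post.
CERTS = {
    "single-domain (www + apex)": ["www.pelicanparts.com", "pelicanparts.com"],
    "multi-domain SAN": ["www.pelicanparts.com", "pelicanparts.com",
                         "forums.pelicanparts.com"],
    "wildcard": ["*.pelicanparts.com"],
}
HOSTNAMES = ["pelicanparts.com", "www.pelicanparts.com", "forums.pelicanparts.com",
             "a.b.pelicanparts.com", "pelicanparts.com.attacker.example"]

if __name__ == "__main__":
    for cert_name, rows in coverage_report(CERTS, HOSTNAMES).items():
        print(cert_name)
        for host, ok in rows.items():
            print(f"  {'OK ' if ok else 'NO '} {host}")
```

The impersonation scenario in the post follows directly: with HTTPS, an attacker who redirects forums.pelicanparts.com to their own server still has to present a certificate that a trusted CA issued for that exact name, or the browser refuses the connection; over plain HTTP there is no name to check at all. The wildcard row also shows why the separate-certificate advice is sound: a wildcard key that leaks covers every subdomain at once, whereas a per-host certificate limits the damage to the one name it lists.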

stomachmonkey 11-26-2019 09:10 PM

Quote:

Originally Posted by pmax (Post 10670881)
There have been cases where someone's ID was stolen and used in a for sale scam here.

Again, meh.

Far far far more likely the person hacked used an obvious easy to guess password than it was sniffed.

I use a random pass generator along with a pass manager and two factor on every site that I can. I have accounts that I don’t even know the password for.

We can rely on others for our security or take matters into our own hands.

Obviously, I’m an advocate for the latter.

Brando 11-27-2019 03:26 AM

Just install the browser plugin "HTTPS Everywhere". Problem solved.


All times are GMT -8.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0
Copyright 2025 Pelican Parts, LLC - Posts may be archived for display on the Pelican Parts Website


DTO Garage Plus vBulletin Plugins by Drive Thru Online, Inc.