Why is this site, "not secure"??

speeder · 04-02-2019, 05:38 PM

I've never noticed this before, in the address bar it says, "Not Secure--forums.pelicanparts.com

What the what?

A930Rocket · 04-02-2019, 05:41 PM

I’ve asked that as well. I remember Erik at PP told us but don’t recall the answer.

Maybe it’s because it’s not worth paying for the security certificate or similar?

id10t · 04-02-2019, 05:42 PM

It is delivered via plain HTTP and not SSL/TLS wrapped HTTP (aka HTTPS, the "green icon/lock")

So the only thing insecure about it is the traffic across the wire isn't encrypted between your browser and the forum servers.

You are just starting to see it now because the browser companies have finally started trying to get non-technical people to understand what they are doing, how they are doing it, and possibly who they are doing it with.

Since all you are sending/receiving is ending up in public anyway, no issues. You'll note if you log out and log back in that your login is processed via HTTPS. No issues here, just change in browser behavior.

URY914 · URY914's Garage

Russians.

masraum · 04-02-2019, 05:53 PM

When I click the warning, it says "parts of this page are not secure (like images)"

piscator · 04-02-2019, 06:17 PM

id10t, nice explanation!

stomachmonkey · 04-02-2019, 06:17 PM

Because it does not need to be.

Encryption slows things down and there is no sensitive data being passed here beyond what we already voluntarily reveal ourselves.

Bill Douglas · 04-02-2019, 06:19 PM

Quote:

Originally Posted by URY914

Russians.

Chinese

Brando · Brando's Garage

When this was brought up last year (and the year before that) some elements of the site are still served up on HTTP instead of HTTPS. The forums are behind the rest of the site because a lot of content (images and scripts) are still referencing HTTP.

RSBob · RSBob's Garage

Quote:

Originally Posted by Bill Douglas

Chinese

Iranians

KFC911 · 04-03-2019, 01:07 AM

Quote:

Originally Posted by stomachmonkey

Because it does not need to be.

....

^^^ This....and encryption/decryption is NOT free in terms of overhead costs and performance.

cabmandone · cabmandone's Garage

Da Russians..

No SSL certificate for the page. No e-commerce done, no real need for a SSL... but google and others have been driving this nonsense and if you don't have the SSL, you get the scary red triangle. I had to purchase the SSL because browsers weren't allowing customers to get to my website or the customer was too worried about "not secure". I don't take any payments through my website... but have to have the stupid SSL if I don't want customers being freaked out and thinking I'm a scammer.

stomachmonkey · 04-03-2019, 03:45 AM

For those of you who think you may need SSL look at Let’s Encrypt, https://letsencrypt.org

Free and works.

id10t · 04-03-2019, 03:55 AM

Quote:

Originally Posted by stomachmonkey

For those of you who think you may need SSL look at Let’s Encrypt, https://letsencrypt.org

Free and works.

Free, works, and works well. Also works for doing SMTP w/ SSL/TLS and wrapping both POP3 and IMAP in SSL.

"Only" down side is short certificate life but if you have the skills to be messing around setting up web/mail servers and needing SSL you should be able to set up a cron job to keep your certificate valid.

Neilk · 04-03-2019, 04:22 AM

Quote:

Originally Posted by URY914

Russians.

Everyone knows it is a fat kid in his mom's basement.

cabmandone · cabmandone's Garage

Quote:

Originally Posted by stomachmonkey

For those of you who think you may need SSL look at Let’s Encrypt, https://letsencrypt.org

Free and works.

Where were you a month ago!?

cstreit · cstreit's Garage

Even though the content is delivered as https (secure), images are displayed insecurely so the site is flagged.

If even one element of a page is unencrypted, browsers flag it as "not secure".

Not a big deal for a forum. HUGE deal for ecom sites. Its misleading by the browser companies to make such a big issue of this IMO, but Google led the way with "secure everything" by de-ranking sites that weren't all secure.

We saw that wind coming a few years ago and just delivered all content that way.

id10t · 04-03-2019, 05:12 AM

Quote:

Originally Posted by cstreit

Even though the content is delivered as https (secure), images are displayed insecurely so the site is flagged.

If even one element of a page is unencrypted, browsers flag it as "not secure".

Not a big deal for a forum. HUGE deal for ecom sites. Its misleading by the browser companies to make such a big issue of this IMO, but Google led the way with "secure everything" by de-ranking sites that weren't all secure.

We saw that wind coming a few years ago and just delivered all content that way.

Yup, and the issue you see with the mixed content is from here where people have posted images on other web servers, etc.

GH85Carrera · GH85Carrera's Garage

Quote:

Originally Posted by stomachmonkey

Because it does not need to be.

Encryption slows things down and there is no sensitive data being passed here beyond what we already voluntarily reveal ourselves.

This. Totally public content, no need to encrypt. If you go to the parts catalog, and place an order, you will see the site turn into a secure site. That is when security is vital.

cstreit · cstreit's Garage

Quote:

Originally Posted by GH85Carrera

This. Totally public content, no need to encrypt. If you go to the parts catalog, and place an order, you will see the site turn into a secure site. That is when security is vital.

This is whats so frustrating about Google's decision and that of the browser companies following suit.

It scares the uninformed user. THere is simply no need to encrypt static boring content, but the "warning" implies that there is something nefarious going on.