westerhamstation (RMweb Gold) Posted February 4, 2017

Hi, just a bit of information/help. Whenever I log in this padlock with the red bar appears at the top left corner, is it something to be concerned about? I am using Windows 10. Thanks for any advice, Adrian.

Edited February 4, 2017 by westerhamstation

gordon s Posted February 4, 2017

Just checked my Apple Mac and it says something similar......

As you say, it does indicate a non secure site. Just a gentle reminder though, I would normally associate a secure site with one that has financial transactions associated with it. If the site is non secure you shouldn't use the same password that you use for internet banking or other financial/taxation/government sites etc. I suspect most websites that are without online ordering etc would be similar, so this is not unusual.

Edited February 4, 2017 by gordon s

njee20 (RMweb Premium) Posted February 4, 2017

^^ that doesn't say anything, other than it's not https, which I'd not expect a forum to be. It's not insecure, it's not secured encryption.

westerhamstation (RMweb Gold, Author) Posted February 4, 2017

Thank you all for your speedy replies, I will stop worrying and get back on with some railway modelling. All the best, Adrian.

Market65 (RMweb Gold) Posted March 8, 2017

Hi. In Firefox 52.0 we now have a box giving a warning that HTTP is not secure for logins. It can be changed in about:config. Regards, Rob.

Guest Posted March 9, 2017

> Hi. In Firefox 52.0 we now have a box giving a warning that HTTP is not secure for logins. It can be changed in about:config.

I noticed that yesterday after Firefox upgraded itself. I did change the correct setting in about:config from true to false but it still shows as an insecure login. No big deal... it's only an extra click to get in.

BG John Posted March 9, 2017

I'm only on Firefox 51.0.1, so another little irritation to look forward to at some time! It seems that Linux updates take longer to appear than Window$ ones.

Market65 (RMweb Gold) Posted March 9, 2017

Hi. I've found that there are two settings rather than one that you have to change. I'm on a smartphone on a train just now, but will post both later on. Best regards, Rob.

Edited March 9, 2017 by Market65

Market65 (RMweb Gold) Posted March 9, 2017

Here we go. In about:config, the two settings, both of which need to be changed to False are:

security.insecure_field_warning.contextual.enabled
security.insecure_password.ui.enabled

Those are given in the order in which they appear in about:config. You can change them back to True at any time if needed. Regards, Rob.

Guest Posted March 9, 2017

> Here we go. In about:config, the two settings, both of which need to be changed to False are
>
> security.insecure_field_warning.contextual.enabled
> security.insecure_password.ui.enabled

Problem solved, many thanks.

maq1988 (RMweb Premium) Posted March 12, 2017

HTTP is not secure for logins, the username and password combination is sent in plain text. In best practice the passwords you use for online services should all be different, but I would recommend the admins do look at introducing HTTPS for the login system.

mjkerr Posted March 12, 2017

It has been a legal requirement (here in the UK) to use a Digital Certificate for at least 12 months now when requesting specific data. Hence why browsers were updated for the default settings. Of course you can ignore the settings and lower them, but that increases the risk when using a website. Amazes how many websites out there do not use a Digital Certificate for receiving personal information. Family found one at Christmas (2016) and was for Credit Card purchase!

polybear (RMweb Premium) Posted March 14, 2017

> Here we go. In about:config, the two settings, both of which need to be changed to False are:
>
> security.insecure_field_warning.contextual.enabled
> security.insecure_password.ui.enabled
>
> Those are given in the order in which they appear in about:config. You can change them back to True at any time if needed. Regards, Rob.

Does the changing of these settings simply remove the warning, or cure the problem; i.e. are there any potential security implications when doing this? Many thanks

maq1988 (RMweb Premium) Posted March 14, 2017

Hi, It just removes the warning, the security implication is still there with the login system. An argument could be made that changing those Firefox settings could potentially introduce more problems as other sites who also do not use secure pages will also then not display an error.

Edited March 14, 2017 by maq1988

MikeOxon Posted March 16, 2017

This means that the 'password protected' login to this site is almost meaningless, since the password is passed over the internet in plain text. The solution is for the site owner to implement a secure login. Until that happens, make sure you use a password that is different from that used for any other site and don't disable the warning in Firefox, because other sites can then invite you to submit personal information in an insecure manner.

martin_wynne (RMweb Gold) Posted July 8, 2017

Hi Andy, Time to get this fixed?

https://www.rmweb.co.uk/community/index.php?app=core&module=global&section=login

RMwebbers not wishing to see this warning can click Advanced and then Add Exception... This won't affect any site except RMweb, unlike other security changes in Firefox. regards, Martin.

BG John Posted July 8, 2017

I've been logged in since I installed Linux several months ago, so haven't seen that!

Alister_G (RMweb Gold) Posted July 8, 2017

> Hi Andy, Time to get this fixed?
>
> https://www.rmweb.co.uk/community/index.php?app=core&module=global&section=login
>
> [insecure_rmweb.png]
>
> Martin.

Martin, you are only seeing this because you have specified https:// in the URL. If you knock the "s" off the end, and go to http://www.rmweb.co.uk/community/index.php?app=core&module=global&section=login it works fine. RMWeb does not currently use https, and therefore has no valid SSL certificate for that domain. You cannot arbitrarily try and force https on sites that are configured to serve on http. Al

Edited July 8, 2017 by acg_mr

martin_wynne (RMweb Gold) Posted July 9, 2017

> Martin, you are only seeing this because you have specified https:// in the URL. If you knock the "s" off the end, and go to http://www.rmweb.co.uk/community/index.php?app=core&module=global&section=login it works fine.

Hi Al, Yes, I know that. I posted the link and the resulting screenshot to suggest to Andy that it ought to be fixed to allow secure logins. I tried the https secure protocol, because on http without it Firefox tells me this:

Neither way is satisfactory for the more easily alarmed members. Where Firefox leads, other browsers will surely follow. regards, Martin.

Alister_G (RMweb Gold) Posted July 9, 2017

> Hi Al, Yes, I know that. I posted the link and the resulting screenshot to suggest to Andy that it ought to be fixed to allow secure logins. I tried the https secure protocol, because on http without it Firefox tells me this:
>
> [insecure_rmweb1.png]
>
> Neither way is satisfactory for the more easily alarmed members. Where Firefox leads, other browsers will surely follow. regards, Martin.

Hi Martin. Unfortunately, whilst I agree that it is nowadays best practice to enforce https for any authentication over the internet, it is not a simple thing to implement on a public forum such as RMWeb.

In order to enable https on RMWeb in such a way that no browser warnings are generated, you would have to ensure that all content that appears on the site is served over https. For a public forum, which allows its members to link to images hosted elsewhere, and also serves adverts from a number of providers, this is an impossible task. I notice that you have this problem on your templot site - a browser warning is generated because not all of your content is https.

One method that is in common use to get around this problem is to only protect the login with https, by applying an SSL certificate to a different domain for the login page. As you probably know, an SSL certificate is bound to a specific web domain - for RMweb, that would be the domain www.rmweb.co.uk. Any content or pages that appear after the domain name: e.g. www.rmweb.co.uk/community/index.php are protected by that Certificate and allow an https session to be established, thus protecting the traffic. But as I've noted above, that means that everything under that domain, including any content linked to from a page under that domain, must be served using https, or a browser alert will occur.

However, if you created a sub-domain called, for example, signin.rmweb.co.uk, you could apply an SSL certificate to that domain, and serve the login pages by https. Once a user has successfully authenticated, they could then be redirected to the main www.rmweb.co.uk domain which could be served by http. This works well, and is fairly easy to implement, so long as you are in a position to code the site in this way. However, not so easy when you are using a commercial piece of software like IP.Board, which is what the whole of RMWeb is built on. To the best of my knowledge, at the moment, IP.Board does not offer a facility to allow you to implement separate login pages served from a different domain. Andy and his team would therefore have to look for an alternative forum software provider, or custom build their own. I would suggest that at the moment, preserving the status quo is the more attractive option.

Using https allows you to send user names and passwords over a secure connection. This protects people from having their passwords stolen by someone intercepting that traffic - a process termed a Man-In-The-Middle attack. The chances of anyone performing a Man-In-The-Middle attack to harvest passwords from RMWeb logins are very, very slim, compared with the chances of members having their passwords stolen from some poorly secured database such as Talk Talk, T Mobile, Dropbox, Adobe, LinkedIn or any of the other leaks that have taken place recently.

The most important thing is that all the members of RMWeb are educated about the way they use passwords on the internet. You should never use the same password on more than one site, and certainly never ever use a password which you use for something important like internet banking for anything else. All the best, Al.

Edited July 10, 2017 by acg_mr

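The two conditions raised in the post above (a password field handled over plain http, and http subresources on an https page) can be checked mechanically. The following is an added example, not part of the original thread and not RMweb or IP.Board code; the hostnames `forum.example`, `signin.forum.example` and `images.example`, the sample pages and the finding labels are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src attribute pulls a subresource into the page.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "embed", "source"}

class PageAudit(HTMLParser):
    """Flags plaintext password handling and mixed content on one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure = urlparse(page_url).scheme == "https"
        self.action = page_url  # where the enclosing <form> submits
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if not self.secure:  # the page itself could be altered in transit
                self.findings.append(("password-field-on-http-page", self.page_url))
            if urlparse(self.action).scheme != "https":
                self.findings.append(("password-sent-in-plain-text", self.action))
        elif self.secure:
            ref = a.get("src") if tag in SRC_TAGS else None
            if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
                ref = a.get("href")
            if ref and urlparse(urljoin(self.page_url, ref)).scheme == "http":
                self.findings.append(("mixed-content", urljoin(self.page_url, ref)))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = self.page_url

def audit(page_url, html):
    """Return a list of (finding, url) tuples for one fetched page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample pages (placeholder hosts, not real sites).
HTTP_LOGIN = '<form action="login.php"><input type="password" name="pw"></form>'
SPLIT_LOGIN = ('<img src="http://images.example/banner.png"><script src="/app.js"></script>'
               '<form action="/auth"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    print(audit("http://forum.example/login", HTTP_LOGIN))
    print(audit("https://signin.forum.example/login", SPLIT_LOGIN))
```

The second sample models a login page on a separate https sub-domain: the password is protected, but the one externally hosted http image is still reported as mixed content.
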
martin_wynne (RMweb Gold) Posted July 10, 2017

Hi Al, Well yes, but it doesn't seem too difficult to use https for the login page, if not for the topic pages. I would be interested to know what warnings you are getting for the Templot Club login page, because for me it is showing a green padlock. According to Firefox that means fully secure: https://85a.co.uk/forum/login.php regards, Martin.

Alister_G (RMweb Gold) Posted July 10, 2017

Hi Martin, Here's what I get in Firefox 54.0.1

Al.

martin_wynne (RMweb Gold) Posted July 10, 2017

Hi Al, Yes, but that is not the forum login page. That's just a plain http web site like millions of others. Try the Templot Club login page: https://85a.co.uk/forum/login.php Some of the other forum pages are not secure, but no-one is going to be entering login details on those. regards, Martin.

Edited July 10, 2017 by martin_wynne

Alister_G (RMweb Gold) Posted July 10, 2017

I think we are at cross purposes, Martin, I didn't mention your Templot forum, only the site. However, the real point is that yes, on your forum, using your choice of software, you have been able to implement https for the login page. On the RMWeb forum, using the current software, that isn't possible. (I've investigated this a bit today, and there is an option in the configuration to do this, however there are hundreds of posts on the IP.Board support forums saying that it doesn't work properly). So for the moment, Andy will have to leave it as it is. Al.

mjkerr Posted July 11, 2017

> I've investigated this a bit today, and there is an option in the configuration to do this, however there are hundreds of posts on the IP.Board support forums saying that it doesn't work properly

It is actually very easy, it depends on the server configuration. I have been setting up accounts on secure server for a few years now, and made easier last year by cPanel performing this by default. The issue is converting existing accounts to secure server, but again that is very easy and takes no more than one hour to complete. Yes, there is the issue of mixed content, but again that too is easy to resolve.

Edited July 11, 2017 by mjkerr