insecure site


Just checked my Apple Mac and it says something similar......

 

As you say, it does indicate a non secure site.  

 

Just a gentle reminder though, I would normally associate a secure site with one that has financial transactions associated with it.  If the site is non secure you shouldn't use the same password that you use for internet banking or other financial/taxation/government sites etc.  

 

I suspect most websites that are without online ordering etc. would be similar, so this is not unusual.

Edited by gordon s

  • 1 month later...

Hi. In Firefox 52.0 we now have a box giving a warning that HTTP is not secure for logins. It can be changed in about:config.

 

I noticed that yesterday after Firefox upgraded itself. I did change the correct setting in about:config from true to false but it still shows as an insecure login. No big deal... it's only an extra click to get in.

 

[attached screenshot]


  • RMweb Gold

Hi. I've found that there are two settings rather than one that you have to change. I'm on a smartphone on a train just now, but will post both later on.

 

Best regards,

 

Rob.

Edited by Market65

  • RMweb Gold

Here we go. In about:config, the two settings, both of which need to be changed to False are:

 

security.insecure_field_warning.contextual.enabled

 

security.insecure_password.ui.enabled

 

Those are given in the order in which they appear in about:config. You can change them back to True at anytime if needed.

 

Regards,

 

Rob.


Problem solved, many thanks.


  • RMweb Premium

HTTP is not secure for logins: the username and password combination is sent in plain text.

 

In best practice the passwords you use for online services should all be different, but I would recommend the admins do look at introducing HTTPS for the login system.

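To make the point in the post above concrete, here is an added example (written for this page, not code from RMweb or the forum software) showing what a passive observer on the network path, such as someone on the same Wi-Fi or a compromised router, can read from a login submitted over plain HTTP compared with the same login inside a TLS (HTTPS) connection. Both captures are constructed, and the form field names are assumed.

```python
"""Added example for this thread (not code from RMweb or IP.Board): what a
passive observer on the network path can read from a login submitted over
plain HTTP, compared with the same login inside a TLS (HTTPS) connection.
The two captures below are constructed; the form field names are assumed."""

from urllib.parse import parse_qs

# Constructed plain-HTTP login POST as it would appear on the wire.
# Field names (ips_username / ips_password) are an assumption, not
# taken from the real forum software.
_FORM_BODY = b"ips_username=alice&ips_password=Tr4in%21spotter&rememberMe=1"
HTTP_LOGIN_CAPTURE = (
    b"POST /community/index.php?app=core&module=global&section=login HTTP/1.1\r\n"
    b"Host: www.rmweb.co.uk\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_FORM_BODY)
    + _FORM_BODY
)

# Constructed TLS 1.2 application-data record (type 0x17, version 0x0303)
# carrying the same login as ciphertext.  The payload bytes are arbitrary
# stand-ins for real ciphertext.
_CIPHERTEXT = bytes(range(0x20, 0x60))
TLS_LOGIN_CAPTURE = b"\x17\x03\x03" + len(_CIPHERTEXT).to_bytes(2, "big") + _CIPHERTEXT

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"OPTIONS", b"DELETE", b"PATCH")
PASSWORD_FIELD_HINTS = ("pass", "pwd", "secret")


def classify(raw: bytes) -> str:
    """Tell plaintext HTTP from a TLS record by the first bytes of the payload."""
    if len(raw) >= 5 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03 and raw[2] <= 0x04:
        return "tls"
    if raw.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def sniff_login(raw: bytes) -> dict:
    """Return whatever login material is readable in a captured TCP payload.
    Inside TLS only the record header is readable; in plaintext HTTP the
    request line, Host header and every form field are."""
    kind = classify(raw)
    if kind == "tls":
        return {"transport": "tls",
                "visible": {"record_type": raw[0],
                            "record_length": int.from_bytes(raw[3:5], "big")}}
    if kind != "http":
        return {"transport": kind, "visible": {}}
    parsed = parse_http_request(raw)
    if parsed is None:
        return {"transport": "http", "visible": {}}
    request_line, headers, body = parsed
    visible = {"request_line": request_line, "host": headers.get("host", "")}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        visible["form"] = fields
        visible["password_fields"] = [k for k in fields
                                      if any(h in k.lower() for h in PASSWORD_FIELD_HINTS)]
    return {"transport": "http", "visible": visible}


if __name__ == "__main__":
    for capture in (HTTP_LOGIN_CAPTURE, TLS_LOGIN_CAPTURE):
        print(sniff_login(capture))
```

Run stand-alone it prints the two results: for the HTTP capture the full form including the decoded password, for the TLS capture nothing beyond a record type and length. No key material or cleverness is needed on the observer's side in the HTTP case; this is simply what the bytes say.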

It has been a legal requirement (here in the UK) to use a Digital Certificate for at least 12 months now when requesting specific data.
Hence why browsers were updated for the default settings.
Of course you can ignore the settings and lower them, but that increases the risk when using a website.

It amazes me how many websites out there do not use a Digital Certificate for receiving personal information.
Family found one at Christmas (2016) and it was for a Credit Card purchase!


  • RMweb Premium

Does the changing of these settings simply remove the warning, or cure the problem; i.e. are there any potential security implications when doing this?

 

Many thanks


  • RMweb Premium

Hi,

 

It just removes the warning, the security implication is still there with the login system.

 

An argument could be made that changing those Firefox settings could potentially introduce more problems as other sites who also do not use secure pages will also then not display an error.

Edited by maq1988

This means that the 'password protected' login to this site is almost meaningless, since the password is passed over the internet in plain text. The solution is for the site owner to implement a secure login.

 

Until that happens, make sure you use  a password that is different from that used for any other site and don't disable the warning in Firefox, because other sites can then invite you to submit personal information in an insecure manner.


  • 3 months later...
  • RMweb Gold

Hi Andy,

 

Time to get this fixed?

 

  https://www.rmweb.co.uk/community/index.php?app=core&module=global&section=login

 

[attached screenshot]

 

RMwebbers not wishing to see this warning can click Advanced and then Add Exception...

 

This won't affect any site except RMweb, unlike other security changes in Firefox.

 

regards,

 

Martin.


  • RMweb Gold

Martin, you are only seeing this because you have specified https:// in the URL. If you knock the "s" off the end, and go to

 

http://www.rmweb.co.uk/community/index.php?app=core&module=global&section=login

 

it works fine.

 

RMWeb does not currently use https, and therefore has no valid SSL certificate for that domain.

 

You cannot arbitrarily try and force https on sites that are configured to serve on http.

 

Al

Edited by acg_mr

  • RMweb Gold

Hi Al,

 

Yes, I know that. I posted the link and the resulting screenshot to suggest to Andy that it ought to be fixed to allow secure logins.

 

I tried the https secure protocol, because on http without it Firefox tells me this:

 

[attached screenshot]

 

Neither way is satisfactory for the more easily alarmed members. Where Firefox leads, other browsers will surely follow.

 

regards,

 

Martin.


  • RMweb Gold

Hi Martin.

 

Unfortunately, whilst I agree that it is nowadays best practice to enforce https for any authentication over the internet, it is not a simple thing to implement on a public forum such as RMWeb.

 

In order to enable https on RMWeb in such a way that no browser warnings are generated, you would have to ensure that all content that appears on the site is served over https.

 

For a public forum, which allows its members to link to images hosted elsewhere, and also serves adverts from a number of providers, this is an impossible task. I notice that you have this problem on your templot site - a browser warning is generated because not all of your content is https.

 

One method that is in common use to get around this problem is to only protect the login with https, by applying an SSL certificate to a different domain for the login page.

 

As you probably know, an SSL certificate is bound to a specific web domain - for RMweb, that would be the domain www.rmweb.co.uk.

 

Any content or pages that appear after the domain name: e.g. www.rmweb.co.uk/community/index.php are protected by that Certificate and allow an https session to be established, thus protecting the traffic.

 

But as I've noted above, that means that everything under that domain, including any content linked to from a page under that domain, must be served using https, or a browser alert will occur.

 

However, if you created a sub-domain called, for example, signin.rmweb.co.uk, you could apply an SSL certificate to that domain, and serve the login pages by https. Once a user has successfully authenticated, they could then be redirected to the main www.rmweb.co.uk domain which could be served by http.

 

This works well, and is fairly easy to implement, so long as you are in a position to code the site in this way.

 

However, not so easy when you are using a commercial piece of software like IP.Board, which is what the whole of RMWeb is built on.

 

To the best of my knowledge, at the moment, IP.Board does not offer a facility to allow you to implement separate login pages served from a different domain. Andy and his team would therefore have to look for an alternative forum software provider, or custom build their own. I would suggest that at the moment, preserving the status quo is the more attractive option.


Using https allows you to send user names and passwords over a secure connection. This protects people from having their passwords stolen by someone intercepting that traffic - a process termed a Man-In-The-Middle attack.

 

The chances of anyone performing a Man-In-The-Middle attack to harvest passwords from RMWeb logins are very, very slim, compared with the chances of members having their passwords stolen from some poorly secured database such as Talk Talk, T Mobile, Dropbox, Adobe, LinkedIn or any of the other leaks that have taken place recently.

 

The most important thing is that all the members of RMWeb are educated about the way they use passwords on the internet. You should never use the same password on more than one site, and certainly never ever use a password which you use for something important like internet banking for anything else.

 

All the best,

 

Al.

Edited by acg_mr
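The post above proposes logging in over https on a separate sub-domain and then redirecting to the http forum. The added example below (written for this page; not code from RMweb, IP.Board or anyone in the thread) applies the cookie rules browsers follow (RFC 6265) to see which Set-Cookie attributes let a session issued by the https login page reach the http forum pages, and what that implies for the session token. The hostnames, cookie name and paths are assumptions.

```python
"""Added example for this thread (not code from RMweb or IP.Board): what the
"https login on a separate sub-domain, then redirect to the http site" design
means for the session cookie.  Cookie name, hosts and paths are assumptions."""

from urllib.parse import urlsplit


def parse_set_cookie(header: str, origin_host: str) -> dict:
    """Keep the Set-Cookie attributes that decide whether a browser will attach
    the cookie to a later request (RFC 6265 section 5.3)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": origin_host.lower(), "host_only": True,
              "secure": False, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "secure":
            cookie["secure"] = True
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie


def would_send(cookie: dict, url: str) -> bool:
    """RFC 6265 section 5.4: is the cookie attached to a request for url?"""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False
    if cookie["secure"] and u.scheme != "https":
        return False
    path = u.path or "/"
    return path == cookie["path"] or path.startswith(cookie["path"].rstrip("/") + "/")


# Assumed hosts for the design described in the post above.
LOGIN_URL = "https://signin.rmweb.co.uk/login"
FORUM_URL = "http://www.rmweb.co.uk/community/index.php"


def evaluate_split_login(set_cookie_header: str) -> dict:
    """Given the Set-Cookie the https login page would return, report whether
    the session survives the redirect to the http forum and, if it does,
    whether the session token is therefore transmitted in the clear."""
    cookie = parse_set_cookie(set_cookie_header, urlsplit(LOGIN_URL).hostname)
    reaches_forum = would_send(cookie, FORUM_URL)
    return {"cookie": cookie["name"],
            "sent_to_login_page": would_send(cookie, LOGIN_URL),
            "session_follows_to_forum": reaches_forum,
            "session_token_in_clear": reaches_forum and urlsplit(FORUM_URL).scheme == "http"}


if __name__ == "__main__":
    for header in ("session=s3cr3t; Domain=rmweb.co.uk; Path=/; Secure",
                   "session=s3cr3t; Domain=rmweb.co.uk; Path=/",
                   "session=s3cr3t; Secure"):
        print(header, "->", evaluate_split_login(header))
```

Of the three candidate cookies, only the one without the Secure attribute follows the user to the http forum; a Secure cookie is never sent over http, and a host-only cookie never leaves signin.rmweb.co.uk. So in this design the password is protected at the moment of submission, but the session token that stands in for it is then sent in the clear with every http request, which is what an on-path observer would take instead. That is a general property of the design, not a finding about RMweb.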

  • RMweb Gold

Hi Al,

 

Well yes, but it doesn't seem too difficult to use https for the login page, if not for the topic pages. I would be interested to know what warnings you are getting for the Templot Club login page, because for me it is showing a green padlock. According to Firefox that means fully secure:

 

 https://85a.co.uk/forum/login.php

 

regards,

 

Martin.


  • RMweb Gold

Hi Al,

 

Yes, but that is not the forum login page. That's just a plain http web site like millions of others.

 

Try the Templot Club login page: https://85a.co.uk/forum/login.php

 

[attached screenshot]

 

Some of the other forum pages are not secure, but no-one is going to be entering login details on those.

 

regards,

 

Martin.

Edited by martin_wynne

  • RMweb Gold

I think we are at cross purposes, Martin, I didn't mention your Templot forum, only the site.

 

However, the real point is that yes, on your forum, using your choice of software, you have been able to implement https for the login page. On the RMWeb forum, using the current software, that isn't possible.

 

(I've investigated this a bit today, and there is an option in the configuration to do this, however there are hundreds of posts on the IP.Board support forums saying that it doesn't work properly).

 

So for the moment, Andy will have to leave it as it is.

 

Al.


I've investigated this a bit today, and there is an option in the configuration to do this, however there are hundreds of posts on the IP.Board support forums saying that it doesn't work properly

It is actually very easy; it depends on the server configuration.

I have been setting up accounts on secure servers for a few years now, made easier last year by cPanel performing this by default.

The issue is converting existing accounts to a secure server, but again that is very easy and takes no more than one hour to complete.

Yes, there is the issue of mixed content, but again that too is easy to resolve.

Edited by mjkerr
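Both Al's explanation of why every linked image and advert must also be served over https, and the "issue of mixed content" mentioned just above, come down to the same check. The added example below (written for this page, not code from RMweb, IP.Board or cPanel) scans a page's HTML for subresources that would still be fetched over plain http once the page itself is on https, which is exactly what stops the browser showing a clean padlock. The HTML and hostnames are constructed for the example.

```python
"""Added example for this thread (not code from RMweb or IP.Board): a
mixed-content check for a page that is to be served over https.  It lists
every subresource that would still be fetched over plain http, which is what
makes the browser show a warning instead of a clean padlock.  The HTML and
hostnames below are constructed for the example."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# W3C Mixed Content spec: active content is "blockable" (a browser on an https
# page refuses to load it); images and media are "optionally blockable"
# (loaded, but the page is no longer shown as fully secure).
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("link", "href"),
             ("object", "data"), ("embed", "src")}
OPTIONALLY_BLOCKABLE = {("img", "src"), ("audio", "src"), ("video", "src"),
                        ("source", "src")}


class SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every fetched subresource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ("src", "href", "data"):
            if (tag, attr) in BLOCKABLE | OPTIONALLY_BLOCKABLE and attrs.get(attr):
                # Only <link rel="stylesheet"> fetches a rendered subresource.
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    return
                self.refs.append((tag, attr, attrs[attr]))


def find_mixed_content(html: str, page_url: str) -> list:
    """Return the subresources that would load over http when the page is
    served at page_url.  Relative and protocol-relative ("//host/...") URLs
    inherit the page scheme and so are not mixed content."""
    collector = SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, ref in collector.refs:
        absolute = urljoin(page_url, ref)
        if urlsplit(absolute).scheme == "http":
            findings.append({"tag": tag, "url": absolute,
                             "kind": "blockable" if (tag, attr) in BLOCKABLE
                                     else "optionally-blockable"})
    return findings


# Constructed forum page: a hot-linked member image plus a third-party ad script.
SAMPLE_PAGE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/forum.css">
  <script src="http://ads.example/tag.js"></script>
  <script src="//cdn.example/jquery.js"></script>
</head><body>
  <p>Look at this loco:</p>
  <img src="http://photos.example/loco.jpg">
  <img src="https://images.example/ok.png">
  <iframe src="http://video.example/embed/1"></iframe>
</body></html>
"""
PAGE_URL = "https://www.rmweb.co.uk/community/index.php"

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE_HTML, PAGE_URL):
        print(finding)
```

Run against the sample page it reports the ad script and the iframe as blockable and the hot-linked image as optionally blockable; the site's own stylesheet and the protocol-relative script resolve to https and are not flagged. For member-posted images on hosts that already support https, the standard remedy is the `Content-Security-Policy: upgrade-insecure-requests` response header, which makes the browser rewrite http subresource URLs to https before fetching them; images on http-only hosts have to be proxied or re-hosted.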
