Geekzone and https warnings in browsers

Forums › Geekzone › Geekzone and https warnings in browsers

toyonut

1508 posts

Uber Geek
+1 received by user: 213

# 208186 30-Jan-2017 21:49

I see that for a number of pages, such as login pages, Geekzone has https enabled. Now that Chrome and Firefox are applying stricter controls to pages, is Geekzone going to go full https? I thought I had seen somewhere I could use https, but https://www.geekzone.co.nz just redirects back to http.

For most pages everything seems OK, but now clicking in to a thread generates an https warning in the URL bar:

This is Firefox 51 just updated today. Chrome 56 is still giving the grey circle of indifference.

Google and now Firefox are apparently going to get tougher on this quickly. https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html.

I am sure I read somewhere that by mid 2017, all http pages, not just login and payment pages, were going to be marked insecure. I have not been able to find that reference again though.

If the site is hosted in IIS, URL_Rewrite is a quick and pretty effective tool to redirect all links to https.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

1 | 2 | 3

22052 posts

Uber Geek
+1 received by user: 4680

Trusted

Subscriber

# 1713027 30-Jan-2017 23:07

Considering you are not entering a login on the insecure page I don't see what the problem is with it being insecure?

Richard rich.ms

marpada

278 posts

Ultimate Geek
+1 received by user: 102

# 1713031 30-Jan-2017 23:12

Making a complex site "full https" is far from easy, specially if they load content from third-parties (ad networks,...)

timmmay

14744 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1713052 31-Jan-2017 06:55

I just updated to Firefox 51, no warnings or problems on the Geekzone login page. Chrome is working fine too.

freitasm

BDFL - Memuneh
63305 posts

Uber Geek
+1 received by user: 13843

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1713194 31-Jan-2017 11:00

One person supports this post

It's not a "Warning" per se but a status. The page is not encrypted so the browser just reflects that. A "Warning" would be an encrypted page that has been compromised (MITM attack, invalid certificated, mixed content, etc).

Even our non-encrypted pages have content served over HTTPS (images, CSS and scripts) and the main reason is speed. All those elements are served using HTTP/2 and this gives a speed boost. Also we do serve encrypted pages (login, messages, profile, gallery) and the reasons are obvious.

I'd like to serve the whole site over HTTPS but there are (as mentioned) two reasons why this is not possible at the moment: advertising and mixed content.

One network we use is not able to provide HTTPS yet. Dropping this network would mean big cut in revenue so we keep pushing them to have this added.

Mixed content is another area that involves a lot of "training". It seems people rather post images from third party sites (sometimes their own servers) instead of uploading to Geekzone (where the images are available as HTTPS). These third-party images will not appear on encrypted pages if not served over HTTPS themselves. We could block these images from being added to messages but hey...

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

toyonut

1508 posts

Uber Geek
+1 received by user: 213

# 1713217 31-Jan-2017 12:08

Thanks for the informative reply Freitasm.

I am more interested in how others are looking to handle the transition to https everywhere as Google, Mozilla and I believe even Microsoft start to enforce it by upgrading their browser warnings for plain http sites. Browsers have been training people to not trust sites that have red in the URL bar and soon there is going to be a whole lot more red showing up even if the page doesn't need https security.

@timmay, it isn't the login page I have an issue with, that appears as secure. It is when I click into a thread I see the warning in firefox 51.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

freitasm

BDFL - Memuneh
63305 posts

Uber Geek
+1 received by user: 13843

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1713246 31-Jan-2017 13:10

As I mentioned is not a warning really - a warning would be "Something is wrong here". That's more of a signal meaning "This page is not encrypted, just so you know".

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

michaelmurfy

Mr Snotty
8588 posts

Uber Geek
+1 received by user: 4492

Moderator

Trusted

Lifetime subscriber

# 1713248 31-Jan-2017 13:18

Are you accessing this from your work? At my work they have SSL inspection enabled which generates errors on Chrome with Geekzone and other SSL enabled sites - try going to https://murfy.nz to see if this is the case (as it uses the same Cloudflare SSL certificate).

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

freitasm

BDFL - Memuneh
63305 posts

Uber Geek
+1 received by user: 13843

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1713250 31-Jan-2017 13:20

No, it's not that - I am at home on 2degrees and see the status he's talking about and it's on non-SSL pages. SSL pages have no warnings and show the green lock just fine.

Why would your work give an error on the cert anyway? If it's happening because of Cloudflare then I'd like to know so we can report and have that fixed.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

michaelmurfy

Mr Snotty
8588 posts

Uber Geek
+1 received by user: 4492

Moderator

Trusted

Lifetime subscriber

# 1713285 31-Jan-2017 14:04

@freitasm SSL inspection, inspection certificate loaded on each workstation to allow for this but signed as a SHA1 certificate :) I've already bought this up with them.

Nothing with Cloudflare, it is just how my work has implemented it.

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

freitasm

BDFL - Memuneh
63305 posts

Uber Geek
+1 received by user: 13843

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1713286 31-Jan-2017 14:11

One person supports this post

A failed MITM then... I wouldn't trust anything on that network ;)

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

Behodar

6557 posts

Uber Geek
+1 received by user: 1278

Trusted

Lifetime subscriber

# 1713289 31-Jan-2017 14:16

freitasm:

A failed MITM then... I wouldn't trust anything on that network ;)

My work started MITMing everything six months ago. IE and Chrome both let this happen silently, while Firefox set off the alarm bells.

mattwnz

14807 posts

Uber Geek
+1 received by user: 2007

# 1713295 31-Jan-2017 14:45

IMO, it is more about these big companies trying to force standards. Using a secure certificate often has additional costs, eg. some servers require dedicated IPs for secure certs, and to convert some websites to https could be a major expensive job.

Behodar

6557 posts

Uber Geek
+1 received by user: 1278

Trusted

Lifetime subscriber

# 1713299 31-Jan-2017 14:55

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

mattwnz

14807 posts

Uber Geek
+1 received by user: 2007

# 1713304 31-Jan-2017 15:02

Behodar:

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

IMO the bigger problem is websites that use old versions of CMS like wordpress, which have security holes. I wonder how long it will be before a warming in the browser will appear for people who visit a wordpress website running an old version? I notice that some websites detect when using an old version of Chrome of firefox, although they often incorrectly detect the wrong version, and I am actually using the latest version.

Behodar

6557 posts

Uber Geek
+1 received by user: 1278

Trusted

Lifetime subscriber

# 1713307 31-Jan-2017 15:07

mattwnz: although they often incorrectly detect the wrong version, and I am actually using the latest version.

Spark's site to this day tells me that my fully-updated Firefox derivative is "pretty retro" and that some of the site's features will not work. As far as I can tell, everything works fine.

1 | 2 | 3