Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsGeekzoneGeekzone and https warnings in browsers


1508 posts

Uber Geek


# 208186 30-Jan-2017 21:49
Send private message

I see that for a number of pages, such as login pages, Geekzone has https enabled. Now that Chrome and Firefox are applying stricter controls to pages, is Geekzone going to go full https? I thought I had seen somewhere I could use https, but https://www.geekzone.co.nz just redirects back to http.

 

For most pages everything seems OK, but now clicking in to a thread generates an https warning in the URL bar:

 

 

 

This is Firefox 51 just updated today. Chrome 56 is still giving the grey circle of indifference.

 

Google and now Firefox are apparently going to get tougher on this quickly. https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html.

 

I am sure I read somewhere that by mid 2017, all http pages, not just login and payment pages, were going to be marked insecure. I have not been able to find that reference again though.

 

If the site is hosted in IIS, URL_Rewrite is a quick and pretty effective tool to redirect all links to https.




Try Vultr using this link and get us both some credit:

 

http://www.vultr.com/?ref=7033587-3B

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3
22608 posts

Uber Geek

Trusted
Subscriber

  # 1713027 30-Jan-2017 23:07
Send private message

Considering you are not entering a login on the insecure page I don't see what the problem is with it being insecure?




Richard rich.ms

311 posts

Ultimate Geek


  # 1713031 30-Jan-2017 23:12
Send private message

Making a complex site "full https" is far from easy, specially if they load content from third-parties (ad networks,...)

 
 
 
 


15339 posts

Uber Geek

Trusted
Subscriber

  # 1713052 31-Jan-2017 06:55
Send private message

I just updated to Firefox 51, no warnings or problems on the Geekzone login page. Chrome is working fine too.

BDFL - Memuneh
64809 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1713194 31-Jan-2017 11:00
One person supports this post
Send private message

It's not a "Warning" per se but a status. The page is not encrypted so the browser just reflects that. A "Warning" would be an encrypted page that has been compromised (MITM attack, invalid certificated, mixed content, etc).

 

Even our non-encrypted pages have content served over HTTPS (images, CSS and scripts) and the main reason is speed. All those elements are served using HTTP/2 and this gives a speed boost. Also we do serve encrypted pages (login, messages, profile, gallery) and the reasons are obvious.

 

I'd like to serve the whole site over HTTPS but there are (as mentioned) two reasons why this is not possible at the moment: advertising and mixed content.

 

One network we use is not able to provide HTTPS yet. Dropping this network would mean big cut in revenue so we keep pushing them to have this added.

 

Mixed content is another area that involves a lot of "training". It seems people rather post images from third party sites (sometimes their own servers) instead of uploading to Geekzone (where the images are available as HTTPS). These third-party images will not appear on encrypted pages if not served over HTTPS themselves. We could block these images from being added to messages but hey...




Sharesies investment funds | Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics 

 

 



1508 posts

Uber Geek


  # 1713217 31-Jan-2017 12:08
Send private message

Thanks for the informative reply Freitasm.

 

I am more interested in how others are looking to handle the transition to https everywhere as Google, Mozilla and I believe even Microsoft start to enforce it by upgrading their browser warnings for plain http sites. Browsers have been training people to not trust sites that have red in the URL bar and soon there is going to be a whole lot more red showing up even if the page doesn't need https security. 

 

@timmay, it isn't the login page I have an issue with, that appears as secure. It is when I click into a thread I see the warning in firefox 51.




Try Vultr using this link and get us both some credit:

 

http://www.vultr.com/?ref=7033587-3B

BDFL - Memuneh
64809 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1713246 31-Jan-2017 13:10
Send private message

As I mentioned is not a warning really - a warning would be "Something is wrong here". That's more of a signal meaning "This page is not encrypted, just so you know".




Sharesies investment funds | Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics 

 

 

Mr Snotty
8910 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1713248 31-Jan-2017 13:18
Send private message

Are you accessing this from your work? At my work they have SSL inspection enabled which generates errors on Chrome with Geekzone and other SSL enabled sites - try going to https://murfy.nz to see if this is the case (as it uses the same Cloudflare SSL certificate).




Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial | Sharesies

 
 
 
 


BDFL - Memuneh
64809 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1713250 31-Jan-2017 13:20
Send private message

No, it's not that - I am at home on 2degrees and see the status he's talking about and it's on non-SSL pages. SSL pages have no warnings and show the green lock just fine.

 

Why would your work give an error on the cert anyway? If it's happening because of Cloudflare then I'd like to know so we can report and have that fixed.




Sharesies investment funds | Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics 

 

 

Mr Snotty
8910 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1713285 31-Jan-2017 14:04
Send private message

@freitasm SSL inspection, inspection certificate loaded on each workstation to allow for this but signed as a SHA1 certificate :) I've already bought this up with them.

Nothing with Cloudflare, it is just how my work has implemented it.




Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial | Sharesies

BDFL - Memuneh
64809 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1713286 31-Jan-2017 14:11
One person supports this post
Send private message

A failed MITM then... I wouldn't trust anything on that network ;)




Sharesies investment funds | Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics 

 

 

6767 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1713289 31-Jan-2017 14:16
Send private message

freitasm:

 

A failed MITM then... I wouldn't trust anything on that network ;)

 

 

My work started MITMing everything six months ago. IE and Chrome both let this happen silently, while Firefox set off the alarm bells.

15218 posts

Uber Geek


  # 1713295 31-Jan-2017 14:45
Send private message

IMO, it is more about these big companies trying to force standards. Using a secure certificate often has additional costs, eg. some servers require dedicated IPs for secure certs, and to convert some websites to https could be a major expensive job.

6767 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1713299 31-Jan-2017 14:55
Send private message

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

15218 posts

Uber Geek


  # 1713304 31-Jan-2017 15:02
Send private message

Behodar:

 

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

 

 

IMO the bigger problem is websites that use old versions of CMS like wordpress, which have security holes.  I wonder how long it will be before a warming in the browser will appear for people who visit a wordpress website running an old version? I notice that some websites detect when using an old version of Chrome of firefox, although they often incorrectly detect the wrong version, and I am actually using the latest version.

6767 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1713307 31-Jan-2017 15:07
Send private message

mattwnz: although they often incorrectly detect the wrong version, and I am actually using the latest version.

 

 

Spark's site to this day tells me that my fully-updated Firefox derivative is "pretty retro" and that some of the site's features will not work. As far as I can tell, everything works fine.

 1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Microsoft launches first Experience Center worldwide for Asia Pacific in Singapore
Posted 13-Nov-2019 13:08

Disney+ comes to LG Smart TVs
Posted 13-Nov-2019 12:55

Spark launches new wireless broadband "Unplan Metro"
Posted 11-Nov-2019 08:19

Malwarebytes overhauls flagship product with new UI, faster engine and lighter footprint
Posted 6-Nov-2019 11:48

CarbonClick launches into Digital Marketplaces
Posted 6-Nov-2019 11:42

Kordia offers Microsoft Azure Peering Service
Posted 6-Nov-2019 11:41

Spark 5G live on Auckland Harbour for Emirates Team New Zealand
Posted 4-Nov-2019 17:30

BNZ and Vodafone partner to boost NZ Tech for SME
Posted 31-Oct-2019 17:14

Nokia 7.2 available in New Zealand
Posted 31-Oct-2019 16:24

2talk launches Microsoft Teams Direct Routing product
Posted 29-Oct-2019 10:35

New Breast Cancer Foundation app puts power in Kiwi women's hands
Posted 25-Oct-2019 16:13

OPPO Reno2 Series lands, alongside hybrid noise-cancelling Wireless Headphones
Posted 24-Oct-2019 15:32

Waikato Data Scientists awarded $13 million from the Government
Posted 24-Oct-2019 15:27

D-Link launches Wave 2 Unified Access Points
Posted 24-Oct-2019 15:07

LG Electronics begins distributing the G8X THINQ
Posted 24-Oct-2019 10:58


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.