Geekzone and https warnings in browsers

Forums › Geekzone › Geekzone and https warnings in browsers

toyonut

1508 posts

Uber Geek
+1 received by user: 211

#208186 30-Jan-2017 21:49

I see that for a number of pages, such as login pages, Geekzone has https enabled. Now that Chrome and Firefox are applying stricter controls to pages, is Geekzone going to go full https? I thought I had seen somewhere I could use https, but https://www.geekzone.co.nz just redirects back to http.

For most pages everything seems OK, but now clicking in to a thread generates an https warning in the URL bar:

This is Firefox 51 just updated today. Chrome 56 is still giving the grey circle of indifference.

Google and now Firefox are apparently going to get tougher on this quickly. https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html.

I am sure I read somewhere that by mid 2017, all http pages, not just login and payment pages, were going to be marked insecure. I have not been able to find that reference again though.

If the site is hosted in IIS, URL_Rewrite is a quick and pretty effective tool to redirect all links to https.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

1 | 2 | 3

29098 posts

Uber Geek
+1 received by user: 10208

Trusted

Lifetime subscriber

#1713027 30-Jan-2017 23:07

Considering you are not entering a login on the insecure page I don't see what the problem is with it being insecure?

Richard rich.ms

marpada

487 posts

Ultimate Geek
+1 received by user: 182

#1713031 30-Jan-2017 23:12

Making a complex site "full https" is far from easy, specially if they load content from third-parties (ad networks,...)

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#1713052 31-Jan-2017 06:55

I just updated to Firefox 51, no warnings or problems on the Geekzone login page. Chrome is working fine too.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1713194 31-Jan-2017 11:00

It's not a "Warning" per se but a status. The page is not encrypted so the browser just reflects that. A "Warning" would be an encrypted page that has been compromised (MITM attack, invalid certificated, mixed content, etc).

Even our non-encrypted pages have content served over HTTPS (images, CSS and scripts) and the main reason is speed. All those elements are served using HTTP/2 and this gives a speed boost. Also we do serve encrypted pages (login, messages, profile, gallery) and the reasons are obvious.

I'd like to serve the whole site over HTTPS but there are (as mentioned) two reasons why this is not possible at the moment: advertising and mixed content.

One network we use is not able to provide HTTPS yet. Dropping this network would mean big cut in revenue so we keep pushing them to have this added.

Mixed content is another area that involves a lot of "training". It seems people rather post images from third party sites (sometimes their own servers) instead of uploading to Geekzone (where the images are available as HTTPS). These third-party images will not appear on encrypted pages if not served over HTTPS themselves. We could block these images from being added to messages but hey...

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

toyonut

1508 posts

Uber Geek
+1 received by user: 211

#1713217 31-Jan-2017 12:08

Thanks for the informative reply Freitasm.

I am more interested in how others are looking to handle the transition to https everywhere as Google, Mozilla and I believe even Microsoft start to enforce it by upgrading their browser warnings for plain http sites. Browsers have been training people to not trust sites that have red in the URL bar and soon there is going to be a whole lot more red showing up even if the page doesn't need https security.

@timmay, it isn't the login page I have an issue with, that appears as secure. It is when I click into a thread I see the warning in firefox 51.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1713246 31-Jan-2017 13:10

As I mentioned is not a warning really - a warning would be "Something is wrong here". That's more of a signal meaning "This page is not encrypted, just so you know".

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Mighty Ape

Shop now at Mighty Ape (affiliate link).

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1713248 31-Jan-2017 13:18

Are you accessing this from your work? At my work they have SSL inspection enabled which generates errors on Chrome with Geekzone and other SSL enabled sites - try going to https://murfy.nz to see if this is the case (as it uses the same Cloudflare SSL certificate).

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1713250 31-Jan-2017 13:20

No, it's not that - I am at home on 2degrees and see the status he's talking about and it's on non-SSL pages. SSL pages have no warnings and show the green lock just fine.

Why would your work give an error on the cert anyway? If it's happening because of Cloudflare then I'd like to know so we can report and have that fixed.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1713285 31-Jan-2017 14:04

@freitasm SSL inspection, inspection certificate loaded on each workstation to allow for this but signed as a SHA1 certificate :) I've already bought this up with them.

Nothing with Cloudflare, it is just how my work has implemented it.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1713286 31-Jan-2017 14:11

A failed MITM then... I wouldn't trust anything on that network ;)

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Behodar

11094 posts

Uber Geek
+1 received by user: 6071

Trusted

Lifetime subscriber

#1713289 31-Jan-2017 14:16

freitasm:

A failed MITM then... I wouldn't trust anything on that network ;)

My work started MITMing everything six months ago. IE and Chrome both let this happen silently, while Firefox set off the alarm bells.

New World

Shop on-line at New World now for your groceries (affiliate link).

mattwnz

20515 posts

Uber Geek
+1 received by user: 4795

#1713295 31-Jan-2017 14:45

IMO, it is more about these big companies trying to force standards. Using a secure certificate often has additional costs, eg. some servers require dedicated IPs for secure certs, and to convert some websites to https could be a major expensive job.

Behodar

11094 posts

Uber Geek
+1 received by user: 6071

Trusted

Lifetime subscriber

#1713299 31-Jan-2017 14:55

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

mattwnz

20515 posts

Uber Geek
+1 received by user: 4795

#1713304 31-Jan-2017 15:02

Behodar:

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

IMO the bigger problem is websites that use old versions of CMS like wordpress, which have security holes. I wonder how long it will be before a warming in the browser will appear for people who visit a wordpress website running an old version? I notice that some websites detect when using an old version of Chrome of firefox, although they often incorrectly detect the wrong version, and I am actually using the latest version.

Behodar

11094 posts

Uber Geek
+1 received by user: 6071

Trusted

Lifetime subscriber

#1713307 31-Jan-2017 15:07

mattwnz: although they often incorrectly detect the wrong version, and I am actually using the latest version.

Spark's site to this day tells me that my fully-updated Firefox derivative is "pretty retro" and that some of the site's features will not work. As far as I can tell, everything works fine.

1 | 2 | 3