[2018-07-30] "Not secure" browser warnings, all is normal

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6528
Location: The Light

Hi everyone,

You might have noticed that some web browsers are displaying a scary looking “Not secure” warning for BLF. Everything is normal, and there is NO reason for concern.

Basically, it has to do with the simple fact that BLF doesn’t use SSL (the https:// protocol). Since BLF doesn’t process any sensitive information it’s not imperative to implement SSL. The site has NOT been compromised, nor does it have viruses or anything of that nature. It’s just an overly-alarming warning from the browser that it displays on all sites that use the http:// protocol with any sort of user login feature.

When it comes to “web security”, there are a huge number of factors that are often confused:

1. The risk of malware on your device that logs your personal data and “phones home” to the attacker. This is by far the most common attack.

  • SSL (https://) does NOT protect against this risk.
  • As the administrator of BLF, I can’t do anything to protect users from this risk.

2. The risk of somebody tricking you into revealing your password(s) and/or financial information by pretending to be somebody else. This is also a common attack vector.

  • SSL (https://) does NOT protect against this risk.
  • As the administrator of BLF, I can’t do anything to protect users from this risk.

3. The risk of somebody hacking into the web server and installing something malicious that infects visitors. This is also relatively common.

  • SSL (https://) does NOT protect against this risk.
  • As the administrator of BLF, it is entirely my responsibility to protect my users against this sort of attack, and I take it very seriously. There are a huge number of best practices for administrating a web server that I adhere to to keep the server as secure as possible. Usually if there is a sudden unplanned maintenance window for BLF, it’s because I’m applying security patches.

4. The risk of somebody hijacking the webpage data while it’s in transit “on the wire” between the web server and the visitor and modifying and/or stealing the data. This is not common.

  • This is what SSL (https://) is designed to protect against.

So I don’t see any imminent risk for BLF users by not immediately implementing SSL. I’m sure I will eventually, but it’s not a priority. A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic. The BLF server is already under rather heavy load most of the time, and SSL would surely push it over the edge, requiring another server upgrade or even a migration to a different host.

Thanks for reading. Have fun!

Budget Light Forum ...where Frugal meets with Flashlight!

Edited by: sb56637 on 11/22/2018 - 09:27
MRsDNF
Joined: 12/22/2011 - 21:18
Posts: 12983
Location: A light beam away from the missus in the land of Aus.

Thanks for the update sb. I’m glad the forum is secure. Beer
Now can you do something about the insecure members here? I know I am not the only one. Silly

 

djozz quotes, "it came with chinese lettering that is chinese to me".

                      "My man mousehole needs one too"

old4570 said "I'm not an expert , so don't suffer from any such technical restrictions".

Old-Lumens. Highly admired and cherished member of Budget Light Forum. 11.5.2011 - 20.12.16. RIP.

 

raccoon city
Joined: 10/06/2010 - 02:35
Posts: 13272
Location: रॅकून सिटी Palm Desert CA USA

security

:THUMBS-UP: 

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6528
Location: The Light

MRsDNF wrote:
Thanks for the update sb. l’m glad the forum is secure. Beer
Now can you do something about the insecure members here? I know I am not the only one. Silly

Big Smile

Budget Light Forum ...where Frugal meets with Flashlight!

Barkuti
Joined: 02/19/2014 - 14:46
Posts: 4269
Location: Alhama de Murcia, Spain

I use the pickiest Android browser (Chrome), and I've not seen a single warning. 

Now that we're here sb56637, I am going to suggest a forum improvement in emojis/emoticons. The available range via the simple post editor is a little bit Crying limited and definitively Oops outdated (and not to say the advanced post editor is a @#$% in this regard). I know you just have to host a good handful of emoji images and make them available for insert via some small applet; there are plenty of nice emoji sources free to use nowadays. Hijacking outside bandwidth to make use of them is uncomfortable and worries me a little bit.

Thanks. 

 

Cheers Smile

Man Without Shadow
Joined: 02/20/2017 - 18:17
Posts: 435
Location: Wisconsin

He didn’t say it was secure, just that it wasn’t necessary to be secure…as we don’t process transactions on the site or share detailed personal information.

When I'm spending mony foolishly, I like to do it wi$ely...

I have all the flashlights I need, but not as many as I want...

 

Joshk
Joined: 09/09/2015 - 12:12
Posts: 1632
Location: USA

I understand SB. Thanks.
I vote for SSL though. It’s fast, free, and renews itself. I’d love all sites to use it.

# Install Let's Encrypt's certbot client
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache

# Create certificates (the --apache plugin also wires them into the Apache config)
certbot --apache -d example.com

# Test the renewal process. It will keep itself renewed.
certbot renew --dry-run
certbot renew

# See certificates
ls /etc/letsencrypt/live

everydaysurvivalgear
Joined: 07/31/2015 - 10:25
Posts: 3468
Location: sydney australia (GMT+10)

It’s Google; they updated the verification process, and if a website doesn’t have SSL it’s flagged as unsafe. They want all servers/websites to use HTTPS. Is the issue only with Chrome?

Henk4U2
Joined: 02/13/2014 - 17:52
Posts: 2937
Location: The heart of the Netherlands (GMT+1)

Firefox gives me a warning when I log in.

You are a flashaholic if you are forced to come out of the closet, to make room for more flashlights.

raccoon city
Joined: 10/06/2010 - 02:35
Posts: 13272
Location: रॅकून सिटी Palm Desert CA USA

I use a lesser known browser, Opera.

I haven't received any warnings, so far, that I remember.  :BEER:

CrashOne
Joined: 02/18/2014 - 13:29
Posts: 316
Location: The Netherlands

Joshk wrote:
I understand SB. Thanks.
I vote for SSL though. It’s fast, free, and renews itself. I’d love all sites to use it.

# Install Let's Encrypt's certbot client
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache

# Create certificates (the --apache plugin also wires them into the Apache config)
certbot --apache -d example.com

# Test the renewal process. It will keep itself renewed.
certbot renew --dry-run
certbot renew

# See certificates
ls /etc/letsencrypt/live

The problem is not the installation of a certificate, but all the other services that are only available through http. You will get an insecure/mixed content message (there is a workaround: load all external content through the BLF server).

But I agree, https is the way to go: https://doesmysiteneedhttps.com

Flashy Mike
Joined: 01/14/2016 - 16:38
Posts: 1187
Location: Germany

I’d prefer HTTPS at least for log in data.

Barkuti
Joined: 02/19/2014 - 14:46
Posts: 4269
Location: Alhama de Murcia, Spain

raccoon city wrote:
I use a lesser known browser, Opera.

Opera uses a Chrome engine.

And G00gl€ can $#%& my @#%$ with the security stuff and whatever, by the way. They get bully with sheesh and I hate that. I've posted a few messages in the G00gle help forums and it's surprising to see how awkward and @#$% the code/engine which runs them is. It's an unbelievably freakin' mess.

G00gl€, Appl€ and the dimwits feeding them blindly need a flogging.

Off-topic again, sorry. 

 

Cheers Party

CRX
Joined: 04/02/2013 - 15:27
Posts: 3810
Location: Scotland

Man Without Shadow wrote:
He didn’t say it was secure, just that it wasn’t necessary to be secure…as we don’t process transactions on the site or share detailed personal information.

What about our personal messages?

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6528
Location: The Light

CRX wrote:
Man Without Shadow wrote:
He didn’t say it was secure, just that it wasn’t necessary to be secure…as we don’t process transactions on the site or share detailed personal information.

What about our personal messages?


In theory there could be personal information in PMs. But when it comes to “web security”, there are a huge number of factors that are often confused:

1. The risk of malware on your device that logs your personal data and “phones home” to the attacker. This is by far the most common attack.

  • SSL (https://) does NOT protect against this risk.
  • As the administrator of BLF, I can’t do anything to protect users from this risk.

2. The risk of somebody tricking you into revealing your password(s) and/or financial information by pretending to be somebody else. This is also a common attack vector.

  • SSL (https://) does NOT protect against this risk.
  • As the administrator of BLF, I can’t do anything to protect users from this risk.

3. The risk of somebody hacking into the web server and installing something malicious that infects visitors. This is also relatively common.

  • SSL (https://) does NOT protect against this risk.
  • As the administrator of BLF, it is entirely my responsibility to protect my users against this sort of attack, and I take it very seriously. There are a huge number of best practices for administrating a web server that I adhere to to keep the server as secure as possible. Usually if there is a sudden unplanned maintenance window for BLF, it’s because I’m applying security patches.

4. The risk of somebody hijacking the webpage data while it’s in transit “on the wire” between the web server and the visitor and modifying and/or stealing the data. This is not common.

  • This is what SSL (https://) is designed to protect against.

So I don’t see any imminent risk for BLF users by not immediately implementing SSL. I’m sure I will eventually, but it’s not a priority. A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic. The BLF server is already under rather heavy load most of the time, and SSL would surely push it over the edge, requiring another server upgrade or even a migration to a different host.

Budget Light Forum ...where Frugal meets with Flashlight!

atbglenn
Joined: 07/29/2011 - 12:04
Posts: 5767
Location: Long Island, New York

I use a unique password generated by Lastpass for each and every website. That said, I don’t give out personal information on websites that are not secure. Plus, I use a VPN. I’m no expert, but I think I’m a couple of steps above the average Joe.

Boycott Nike

Joshk
Joined: 09/09/2015 - 12:12
Posts: 1632
Location: USA

My home ISP injects advertising into web pages that are not encrypted.
My cell ISP severely reduces the quality of the video clips I text out if they can process them. (non iMessage encrypted deliveries)

If they have the balls to do that, they have the balls to profile me based on comments I post on BLF. For that reason I wish BLF had SSL.

Barkuti
Joined: 02/19/2014 - 14:46
Posts: 4269
Location: Alhama de Murcia, Spain

Joshk wrote:
My home ISP injects advertising into web pages that are not encrypted.
My cell ISP severely reduces the quality of the video clips I text out if they can process them. (non iMessage encrypted deliveries)

If they have the balls to do that, they have the balls to profile me based on comments I post on BLF. For that reason I wish BLF had SSL.

I'd tell your ISP to lick my @#$%.

With regards to advertising I have it blacklisted by default on Android thanks to AdAway (root). It can also be done by other means on Windows (done it) or Linux machines.

Adverts are an unnecessary pester illness in my honest opinion. I never buy based on advertising alone (if at all), but rather on my own needs and objective reviews.

 

Cheers Smile

Joshk
Joined: 09/09/2015 - 12:12
Posts: 1632
Location: USA

I have NO choices for ISP. If I want home internet, there is only one choice.

bmengineer
Joined: 01/26/2018 - 11:38
Posts: 857
Location: Ontario, Canada

sb56637 wrote:
Since BLF doesn’t process any sensitive information

That’s just not true. At very least, BLF processes email addresses during registration. If my contact information doesn’t fit your definition of sensitive, what more do you want?

It’s not good practice, but I’m sure enough users also use a generic password for this site as well – that could definitely be considered ‘sensitive’, depending on what else it’s used for.

Find all my reviews of flashlights and more gear at www.bmengineer.com

Joshk
Joined: 09/09/2015 - 12:12
Posts: 1632
Location: USA

How much money would you need to raise to add more processing resources to your system SB? I would chip in yearly. Many would. I would like to see BLF grow.

ToyKeeper
Joined: 01/12/2013 - 14:40
Posts: 9982
Location: (469219) 2016 HO3

Joshk wrote:
//Install LetsEncrypt// add-apt-repository ppa:certbot/certbot …

If I recall correctly, BLF runs on a SuSE-based platform. But I might use your cert tips for a project I’m doing… thanks! Smile

(mostly, I just need ssl for a bit of a toy project, to enable secure cross-site data transfer)

I would also find it useful if BLF acted as an oauth2 (or similar) identity provider, which requires ssl, so I could slave other sites/services off it using a single sign-on. I’ve been tempted to add some kickstarter-like features to make community projects easier for everyone. But even if BLF had identity provider features, I’m not sure I’d actually have enough time and motivation to do the rest. Too many projects.

CrashOne wrote:
The problem is not the installation of a certificate, but all the other services that are only available through http. You will get an unsecure/mixed content loaded message (there is a workaround: Load all external content through BLF server).

This would create a whole lot of warnings and/or break a lot of image links. Like, I’d probably have to add https to my site (finally) and edit every post I’ve ever made with images. Which isn’t really all that much of a problem for me personally, but in a site-wide sense it would be pretty disruptive.

The server-passthrough workaround could reduce disruption, but it’s even more complication and more server load for sb to deal with. And some of the sites I’ve seen with that method end up breaking half the time anyway.

sb56637 wrote:
3. The risk of somebody hijacking the webpage data while it’s in transit “on the wire” between the web server and the visitor and modifying and/or stealing the data. This is not common.
  • This is what SSL (https://) is designed to protect against.

So I don’t see any imminent risk for BLF users by not immediately implementing SSL. I’m sure I will eventually, but it’s not a priority. A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic. The BLF server is already under rather heavy load most of the time, and SSL would surely push it over the edge, requiring another server upgrade or even a migration to a different host.

It’s certainly an open attack vector, but it hasn’t been a problem here that I’m aware of. There are probably people in the NSA and KGB quietly collecting our login data and stuff. Large-scale route hijacking attacks have been found in the wild for at least the past five years, ever since people noticed BGP attacks routing traffic through Iceland in 2013.

But if they were to ever actually use that data, we’d have much bigger things to worry about. And in the meantime, ssl is a significant cost and complication for BLF.

TL;DR: What sb56637 said. Https should probably happen eventually, but it’s a major PITA.
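CrashOne's mixed-content point and ToyKeeper's worry about breaking image links in old posts can be checked mechanically before a site flips to https. The Python below is an added example, not code from BLF or from anyone in this thread: it applies the browser rule sb56637 describes (an http page with a login field gets the “Not secure” label), lists the subresources in a stored post that a browser would block or warn about once the page is served over https, and shows the server-passthrough rewrite CrashOne mentions. The sample post HTML and the /passthrough endpoint are constructed assumptions.

```python
"""Audit of what an http-to-https move does to a stored forum post.

Constructed illustration, not code from BLF or from this thread's posters.
The /passthrough endpoint is hypothetical.
"""
import re
from urllib.parse import quote, urlsplit

# Constructed sample post body, the kind of HTML a forum stores for a post.
SAMPLE_POST = """
<p>Beamshots:</p>
<img src="http://img.example.net/beam1.jpg">
<img src='HTTP://img.example.net/beam2.jpg'>
<img src="https://img.example.net/beam3.jpg">
<img src="//cdn.example.org/logo.png">
<a href="http://review.example.org/post">full review</a>
<iframe src="http://video.example.com/embed/1"></iframe>
<script src="http://widgets.example.com/w.js"></script>
<form action="/user/login"><input type="password" name="pass"></form>
"""

# Elements whose src= fetches a subresource.  <a href> is navigation only and
# never counts as mixed content, so it is deliberately left out.
SUBRESOURCE_RE = re.compile(
    r"<(img|script|iframe|audio|video|source)\b[^>]*?\ssrc\s*=\s*(['\"])(.*?)\2",
    re.IGNORECASE | re.DOTALL,
)
PASSWORD_FIELD_RE = re.compile(
    r"<input\b[^>]*\btype\s*=\s*['\"]?password", re.IGNORECASE
)

# Scripts and frames are "active" mixed content, which browsers block outright
# on an https page; images and media are "passive" and only draw a warning.
ACTIVE_TAGS = {"script", "iframe"}


def shows_not_secure(scheme, html):
    """The warning this thread is about: an http page carrying a login field."""
    return scheme.lower() == "http" and PASSWORD_FIELD_RE.search(html) is not None


def find_insecure_subresources(html):
    """Return (tag, kind, url) for every subresource fetched over plain http."""
    found = []
    for m in SUBRESOURCE_RE.finditer(html):
        tag, url = m.group(1).lower(), m.group(3)
        if urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            found.append((tag, kind, url))
    return found


def rewrite_for_passthrough(html, proxy_path="/passthrough"):
    """CrashOne's workaround: fetch external http content through the forum's
    own server so the rendered page has no plain-http subresources left."""
    def repl(m):
        whole, url = m.group(0), m.group(3)
        if urlsplit(url).scheme != "http":
            return whole  # https and protocol-relative URLs are left alone
        start, end = m.start(3) - m.start(0), m.end(3) - m.start(0)
        proxied = proxy_path + "?url=" + quote(url, safe="")
        return whole[:start] + proxied + whole[end:]
    return SUBRESOURCE_RE.sub(repl, html)


def report(html):
    """Summarise the impact of serving this post over https."""
    hits = find_insecure_subresources(html)
    return {
        "not_secure_on_http": shows_not_secure("http", html),
        "blocked": [u for _, k, u in hits if k == "active"],
        "warned": [u for _, k, u in hits if k == "passive"],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_POST).items():
        print(f"{key}: {value}")
    print(rewrite_for_passthrough(SAMPLE_POST))
```

Run over a whole post archive, `report` gives the administrator the count of posts that would change appearance, which is the number ToyKeeper is worried about; `rewrite_for_passthrough` is only safe if the passthrough endpoint restricts what it will fetch, otherwise it becomes an open proxy on the forum's server.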

Joshk
Joined: 09/09/2015 - 12:12
Posts: 1632
Location: USA

ToyKeeper wrote:
This would create a whole lot of warnings and/or break a lot of image links. Like, I’d probably have to add https to my site (finally) and edit every post I’ve ever made with images. Which isn’t really all that much of a problem for me personally, but in a site-wide sense it would be pretty disruptive.

You don’t have to force https. Just answer “no” to the force https option at install and nothing changes as far as the public sees. Leaving SB and some users free to doddle around with the https.

Joshk
Joined: 09/09/2015 - 12:12
Posts: 1632
Location: USA

As the very title of this thread makes clear, browsers are on the verge of outright blocking users with a red screen and scaring them away if the site is not https. Requiring SSL really is something that is going to happen soon. There have been years of marching, and some companies are now pushing hard.

ToyKeeper
Joined: 01/12/2013 - 14:40
Posts: 9982
Location: (469219) 2016 HO3

Joshk wrote:
You don’t have to force https. Just answer “no” to the force https option at install and nothing changes as far as the public sees. Leaving SB and some users free to doddle around with the https.

Oh, cool. That certainly helps. Smile

(in case it wasn’t obvious, I’ve been dragging my feet about https for a long time and haven’t really dived in yet… last time I really looked at it was before it was compatible with name-based vhosts, so I didn’t implement it then and haven’t gotten back to it since)

tenohfive
Joined: 08/19/2015 - 15:39
Posts: 177
Location: United Kingdom

Joshk wrote:
As the very title of this thread makes clear, browsers are on the verge of outright blocking users with a red screen and scaring them away if the site is not https. Requiring SSL really is something that is going to happen soon. There have been years of marching, and some companies are now pushing hard.

I’ll be honest, I expect SSL on any site I visit and it puts me off when I don’t see it. I’ve dipped into these forums over the last few months but would only login if I really needed something. Frankly there’s too much bad stuff happening on the web to be worrying about how secure my credentials are – I’d rather avoid a site entirely and avoid the issue.

Barkuti
Joined: 02/19/2014 - 14:46
Posts: 4269
Location: Alhama de Murcia, Spain

tenohfive wrote:
Joshk wrote:
As the very title of this thread makes clear, browsers are on the verge of outright blocking users with a red screen and scaring them away if the site is not https. Requiring SSL …

I'll be honest, I expect SSL on any site I visit and it puts me off when I don't see it. … Frankly there's too much bad stuff happening on the web to be worrying about how secure my cred…

Right now I am not seeing such “explicit” warnings. Why? Namely because I “downgraded” my browser version a little bit. I do not update my software if the developer is screwing up. I am the one deciding how and when to update my software. Those of you who regularly go to whatever software “stores” to “upgrade” your software blindly are allowing yourselves to be manipulated, sorry to say. Nowadays software development is quite focused on milking the cows and this means speaking half truths to people (how not?). SSL is not really necessary for many things no matter what bullying G00gl€ says.

There's too much bad stuff happening? Sorry? Bad stuff happens to those of you who allow it via your subconscious beliefs. My advice is for you to believe right, as the reality you experience is created via your chosen beliefs (as above, so below), not the other way around.

 

Cheers Party 

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6528
Location: The Light

tenohfive wrote:
I’ll be honest, I expect SSL on any site I visit and it puts me off when I don’t see it. I’ve dipped into these forums over the last few months but would only login if I really needed something. Frankly there’s too much bad stuff happening on the web to be worrying about how secure my credentials are – I’d rather avoid a site entirely and avoid the issue.

I understand your viewpoint, and it’s definitely commendable to be conscientious about security. But please remember to always use a different password on all different websites, which will avoid most risks.

Budget Light Forum ...where Frugal meets with Flashlight!

withoutink
Joined: 10/05/2019 - 19:27
Posts: 97
Location: Georgia

As mentioned above, Let’s Encrypt would be a great idea… at least for the login page. Also, Google will be prioritizing ranking based on certain security variables including SSL.

Cheers-

Withoutink

My Flashlights

Instagram | YouTube