SMF2: Non-secure passwords will trigger warnings in Chrome.

Started by kitz, January 20, 2017, 06:53:12 PM


kitz

Hi - I've recently received the following email from google

Quote
Non-Secure Collection of Passwords will trigger warnings in Chrome 56 for http://kitz.co.uk/
To: owner of http://kitz.co.uk/
Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as "Not Secure" unless the pages are served over HTTPS.
The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users' data. The list is not exhaustive.
http://forum.kitz.co.uk/index.php?topic=12341.0
http://forum.kitz.co.uk/index.php?topic=13597.0
http://forum.kitz.co.uk/index.php?topic=14457.45
The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as "Not Secure".
Here's how to fix this problem:
Use HTTPS pages to collect sensitive information
To prevent the "Not Secure" notification from appearing when Chrome users visit your site, move collection of password and credit card input fields to pages served using the HTTPS protocol. Read the WebFundamentals article.


Obviously this is a concern for me that must affect many other SMF forum users?  As an aside I also use the SMF SSI on the front page of the main site.

I don't have an SSL certificate because I don't collect payments and the only passwords used are for SMF forum login.
It's a community help site and not for profit. Because of how busy it is, the server running costs cripple me as it is (too big for any type of shared hosting).

I'm also concerned about the effects of http -> https, as the site is currently well ranked in google.co.uk, and any adverse effects for searches. But if I don't do so it's also going to have a bad effect on the site and surely raise concerns for users if they are going to be flagged with non-secure messages.

I don't have a clue how I'd even go about changing SMF over to https, nvm the additional expense. I can't be the only one in this position?

Any thoughts, help, suggestions etc would really be appreciated.

vbgamer45

Yeah everyone got that. I got it for my sites.


Going to suck. Now will have to pay for each website/set up SSL, remember when it expires. Make sure all content on your site is HTTPS etc.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Dzonny

Quote from: vbgamer45 on January 20, 2017, 06:54:45 PM
Yeah everyone got that. I got it for my sites.


Going to suck. Now will have to pay for each website/set up SSL, remember when it expires. Make sure all content on your site is HTTPS etc.
Yeah, it's a PITA to handle all of those, especially when you just run a discussion forum without payments/subscriptions and stuff. But I guess we'll have to deal with this eventually.

kitz

Jeeeeeeeeze wept. For forums? What a PITA.

Not to mention how it's going to affect any searches on the old URLs. Rankings are going to take a massive hit.
It's taken >10 yrs of blood, sweat and tears and tens of thousands of unpaid hours to keep it running. :(
This is going to cripple community sites >:(

vbgamer45

Wish it was built into browsers instead of forced on every single website owner. There are over 300 million domains, so that means 300 million SSL certs may be needed... someone is making money.

kitz

Thanks guys for the prompt responses. 

Even though it wasn't what I wanted to hear (I was hoping it was some sort of mistake), at least I'm not alone on this.

nend

Another thing is the handshake cost. I got https in December, and noticed the rise in response time.

vbgamer45

Yeah, pages will load slower. If you have ads your earnings will decrease, since a lot of ads are not HTTPS based either.

Shambles

My cPanel generates a (free) certificate for me. It costs nothing (obviously) and the whole site 'conversion' took 30 minutes.


Arantor

This is why Let's Encrypt is a thing. It can be set up to auto renew for you - for free. Chrome wasn't going to do this until such a thing was already available.

tinoest

Let's Encrypt is a great idea, and is the reason that most people should run their websites via https almost exclusively now. There is no excuse not to have https, which is why Chrome and Firefox forcing it is great imo.

It is really quite simple to install and set up, as detailed in the following two links.

https://wiki.debian.org/LetsEncrypt
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8

Also the performance impact should be minimal if you tune your httpd server.

Lighttpd is slightly more complex than nginx and Apache, as not as many people use it, but it's all standard stuff for a competent sysadmin.

Arantor

Therein lies the problem: most people here are not sysadmins. That's why they have hosts for that kind of thing.

tinoest

Quote from: Arantor on January 21, 2017, 08:33:38 AM
Therein lies the problem: most people here are not sysadmins. That's why they have hosts for that kind of thing.

https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

The list of supported hosts is growing quite quickly.

natasa (NT)

I need a dedicated IP for https, but I can stay on shared hosting, right?

Shambles

I'm on shared hosting and do not have a dedicated IP.

Yet, spookily, my site remains https (secure).

tinoest

Quote from: Shambles on January 22, 2017, 06:06:49 AM
I'm on shared hosting and do not have a dedicated IP.

Yet, spookily, my site remains https (secure).

SSL certs are not tied to an IP address, or haven't had to be since SNI was introduced, which was after Windows XP was released and before Vista, as XP is the last OS not to support it.
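
tinoest's point above is what name-based HTTPS hosting rests on: the browser puts the hostname it wants inside the first TLS message (the server_name extension from RFC 6066), so a web server on one shared IP can choose the matching certificate before it has sent anything back. The following is an added example for this thread, not code from SMF or from any poster: it builds a ClientHello with and without SNI, extracts the name the way a shared host's server does, and picks a certificate from it. The hostnames and certificate paths are made up; the /etc/letsencrypt/live/<name>/fullchain.pem layout is certbot's, but the files do not need to exist.

```python
"""One IP, many HTTPS sites: the client names the host it wants in the TLS
ClientHello (server_name / SNI extension, RFC 6066), so a shared host picks
the right certificate before replying. Added example for this forum thread,
not SMF or a poster's code; hostnames and cert paths are made up (the
/etc/letsencrypt/live/<name>/ layout is certbot's)."""
import os
import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI
SNI_HOST_NAME = 0x00      # NameType host_name


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record. SNI is included only when a hostname
    is given; hostname=None is how a pre-SNI client (IE on XP) looks on the wire."""
    body = b"\x03\x03" + os.urandom(32)        # client_version, random
    body += b"\x00"                            # empty session_id
    suites = b"\xc0\x2f\x00\x9c"               # two cipher suite ids (arbitrary)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list))
        extensions += server_name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None when the
    client sent no SNI. Raises ValueError for anything that is not a ClientHello."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: 2-byte length, then (NameType, length, name) entries
        lpos, lend = 2, 2 + struct.unpack("!H", data[:2])[0]
        while lpos + 3 <= lend:
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
            if name_type == SNI_HOST_NAME:
                return data[lpos + 3:lpos + 3 + name_len].decode("idna")
            lpos += 3 + name_len
    return None


def select_certificate(sni: Optional[str], certs: Dict[str, str], default: str) -> str:
    """What a name-based virtual host does: serve the cert for the requested name,
    or the default vhost's cert when the client sent no SNI (or an unknown name).
    The default-cert fallback is the name-mismatch warning XP-era browsers saw."""
    if sni is None:
        return default
    return certs.get(sni.lower(), default)


# Constructed data: two forums on one shared IP, each with its own certificate.
SHARED_HOST_CERTS = {
    "forum.example.org": "/etc/letsencrypt/live/forum.example.org/fullchain.pem",
    "board.example.net": "/etc/letsencrypt/live/board.example.net/fullchain.pem",
}
DEFAULT_CERT = SHARED_HOST_CERTS["forum.example.org"]


def serve(client_hello: bytes) -> str:
    """Certificate path the shared host would present for this ClientHello."""
    return select_certificate(parse_sni(client_hello), SHARED_HOST_CERTS, DEFAULT_CERT)


if __name__ == "__main__":
    print(serve(build_client_hello("board.example.net")))  # board's own chain
    print(serve(build_client_hello(None)))                  # legacy client: default
```

Run as a script it prints board.example.net's own chain first, then the default vhost's chain for the SNI-less hello; that second case is the one a pre-SNI browser hits on a shared host, and the only case that ever needed a dedicated IP per certificate.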

Ben_S

Quote from: nend on January 20, 2017, 07:37:40 PM
Another thing is the handshake cost. I got https in December, and noticed the rise in response time.

You need to implement HTTP/2, although unless you control the server you may struggle, as your host will need to do it.
Liverpool FC Forum with 14 million+ posts.

MobileCS

I sort of solved this issue by:

Leaving "Show a quick login on every page" enabled.

Commenting out the entire "elseif (!empty($context['show_login_bar']))" section in the index.template.php file and replacing it with:

elseif (!empty($context['show_login_bar']))
{
	// Welcome line with login/register links only: no password field is rendered
	// on ordinary forum pages, so only the real login/register pages collect one.
	echo '<div class="info login-register">', sprintf($txt['welcome_guest'], $txt['guest_title']), '</div>';
}

CSS:

.login-register { font-size: 12px; line-height: 20px; }
.login-register a:link { text-decoration: underline; }


Now the browser warnings only show up on the actual login / register pages - instead of every forum page.

Also, guests still see the login / register / activation email links.
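
Google's notice lists the pages that contain a password field, and MobileCS's change works by taking that field out of every page except the real login and register pages. The following is an added example for this thread, not code from SMF or from any poster, that runs the same check offline over constructed SMF-like pages: it reports which pages would carry Chrome's "Not Secure" label (a password or credit-card input on an http:// page, or one posting to an http:// action) and which absolute http:// stylesheets, scripts, images and frames would become mixed content once the site itself moves to https. The host forum.example.org, the paths and the markup are all made up.

```python
"""Find the pages a Chrome 56 style notice would list: any page with a password
or credit-card field served over http://, plus absolute http:// subresources
that become mixed-content warnings after a move to https://. Added example for
this forum thread, not SMF or a poster's code; the sample markup is constructed
to resemble SMF 2.0 pages on a made-up host."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

CARD_HINTS = ("card", "ccnum", "cc_number", "cardnumber")
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class CredentialFieldScanner(HTMLParser):
    """Collect credential inputs (with the form action they post to) and absolute
    http:// subresources from one page."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.form_action = page_url               # a form with no action posts to itself
        self.fields: List[Tuple[str, str, str]] = []   # (kind, name, resolved action)
        self.http_subresources: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            name = a.get("name", "").lower()
            if a.get("type", "text").lower() == "password":
                self.fields.append(("password", name, self.form_action))
            elif (a.get("autocomplete", "").lower().startswith("cc-")
                  or any(h in name for h in CARD_HINTS)):
                self.fields.append(("credit card", name, self.form_action))
        elif tag in SUBRESOURCE_ATTR:
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return                            # canonical/alternate links are not fetched
            url = a.get(SUBRESOURCE_ATTR[tag], "")
            # Only absolute http:// URLs stay insecure after the page moves to https;
            # relative and protocol-relative URLs follow the page's own scheme.
            if url.lower().startswith("http://"):
                self.http_subresources.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = self.page_url


def audit_page(page_url: str, html: str) -> Dict[str, List[str]]:
    """'not_secure': credential fields on an http:// page (the Chrome 56 rule) or
    posting to an http:// action (credentials travel in the clear either way).
    'mixed_content': absolute http:// subresources on the page."""
    scanner = CredentialFieldScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page_is_http = urlsplit(page_url).scheme == "http"
    not_secure = [
        f"{kind} field '{name}' posts to {action}"
        for kind, name, action in scanner.fields
        if page_is_http or urlsplit(action).scheme == "http"
    ]
    return {"not_secure": not_secure, "mixed_content": scanner.http_subresources}


def pages_to_fix(site: Dict[str, str]) -> List[str]:
    """URLs that would carry the 'Not Secure' label, in site order."""
    return [url for url, html in site.items() if audit_page(url, html)["not_secure"]]


# Constructed sample pages (SMF-like markup, not copied from any real site).
HEAD = ('<html><head><link rel="stylesheet" type="text/css" '
        'href="http://forum.example.org/Themes/default/css/index.css"></head><body>')
QUICK_LOGIN_BAR = (                               # "Show a quick login on every page"
    '<form id="guest_form" action="/index.php?action=login2" method="post">'
    '<input type="text" name="user" size="10">'
    '<input type="password" name="passwrd" size="10">'
    '<input type="submit" value="Login"></form>')
WELCOME_LINE = (                                  # the replacement: links only, no field
    '<div class="info login-register">Welcome, <b>Guest</b>. Please '
    '<a href="/index.php?action=login">login</a> or '
    '<a href="/index.php?action=register">register</a>.</div>')
TOPIC = '<div id="forumposts"><p>Topic text.</p></div></body></html>'

SAMPLE_SITE = {
    "http://forum.example.org/index.php?topic=1.0": HEAD + QUICK_LOGIN_BAR + TOPIC,   # flagged
    "http://forum.example.org/index.php?topic=2.0": HEAD + WELCOME_LINE + TOPIC,      # clean
    "http://forum.example.org/index.php?action=login": HEAD + QUICK_LOGIN_BAR + TOPIC,  # flagged
    "https://forum.example.org/index.php?action=login": HEAD + QUICK_LOGIN_BAR + TOPIC,  # mixed only
}

if __name__ == "__main__":
    for url in pages_to_fix(SAMPLE_SITE):
        print("Not Secure:", url)
    for url, html in SAMPLE_SITE.items():
        for res in audit_page(url, html)["mixed_content"]:
            print("mixed content on", url, "->", res)
```

The two http:// pages that still carry the quick-login form are the ones reported, while the topic page with the welcome line is clean, which is the effect MobileCS describes. The https:// login page is no longer "Not Secure" but still loads its stylesheet over http://, the "make sure all content on your site is HTTPS" job that remains after the certificate is in place.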


