Site is not safe?

Started by MaryLouW, March 09, 2017, 01:57:43 AM

MaryLouW

Ever since Firefox and Chrome updated their software today, when someone logs into my forum, they get a message on the login screen that says the site is not safe.  Why is this happening and how can I fix it?  The message is attached.  It's freaking my users out.

Chen Zhen

ref.
http://www.simplemachines.org/community/index.php?topic=551519.20

You need to set your site up with a legitimate SSL encryption certificate.
Once you get that set up, a cron job needs to be made to update it just prior to every 90 days (or whatever term for SSL host you use).
Then you can either adjust SMF to use it for logging in or you can adjust all URL settings to https via, i.e., the repair settings tool.

If you do the latter then I suggest disabling external avatars for your users.
If your whole site is set to https then any external http links on a page (including avatars) will flag the page as unsafe even though the rest is encrypted.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky
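
The mixed-content effect described in the post above can be checked before a forum is switched to https. The following is an added example, not part of the original thread or of SMF: it scans a page's HTML for embedded resources (avatars and other images, scripts, stylesheets, frames) still loaded over http://, and skips ordinary `<a href>` hyperlinks because the browser does not fetch them while rendering. The function name, the sample page and its host names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser fetches while rendering the page.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data"),
}
# <link rel="..."> values that load a resource; rel="canonical" and similar do not.
LOADING_RELS = {"stylesheet", "icon", "preload"}


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "").strip() for name, value in attrs}
        urls = [attr[a] for (t, a) in SUBRESOURCE_ATTRS if t == tag and a in attr]
        if tag == "link" and LOADING_RELS & set(attr.get("rel", "").lower().split()):
            urls.append(attr.get("href", ""))
        for url in urls:
            # Scheme match is case-insensitive; https:// and //host/ URLs are fine.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url))


def find_insecure_subresources(html):
    """Return (line, tag, url) for every resource embedded over plain http."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; all host names are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://forum.example/Themes/default/css/index.css" />
<link rel="canonical" href="http://forum.example/index.php" />
</head><body>
<img class="avatar" src="http://avatars.example.net/u/42.png" alt="" />
<img class="avatar" src="https://forum.example/avatars/default.png" alt="" />
<a href="http://other.example.org/">an ordinary hyperlink</a>
<script src="HTTP://cdn.example.com/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_subresources(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```
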

Arantor

2.0.14 will ship with things to make the "disabling of avatars and external images" unnecessary.

Antechinus

Quote from: MaryLouW on March 09, 2017, 01:57:43 AM
Ever since Firefox and Chrome updated their software today, when someone logs into my forum, they get a message on the login screen that says the site is not safe.  Why is this happening and how can I fix it?  The message is attached.  It's freaking my users out.
You may not want to leave members' emails in that screenshot. ;)

MaryLouW

What if I just don't do anything?  What's the worst thing that could happen?  It doesn't happen with Edge so maybe I should have my users log in with that browser?  The "fix" is WAY above my head.

I fixed the one visible email. The rest are all mine.

Antechinus

If you don't do anything, the worst that will happen is your members will see a warning.

Kindred

However... Google is going to start penalizing sites that do not use https for any page with a login form (in SMF, that would be pretty much every page, for guests).


One thing...
Quote from: Chen Zhen on March 09, 2017, 02:10:22 AM
Once you get that set up a cron job needs to be made to update it just prior to every 90 days (or whatever term for ssl host you use).

If you have a decent host  (and do not use an unmanaged dedicated server), this should not be necessary...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

That depends. Certificates expire. It just so happens that Let's Encrypt certificates expire after 90 days rather than a year or two years. But LE certs can be completely automated away with cron jobs to auto renew them...

Kindred

like I said... AFAIK, my host does that for me (so, I assumed that most good hosts would do so as well)

Shambles

My cPanel has an auto-renew option for SSL certs, which kicks in every 90 days. The cert is provided free by cPanel Inc.

Arantor

Quote from: Shambles on March 09, 2017, 08:47:12 AM
My cPanel has an auto-renew option for SSL certs, which kicks in every 90 days. The cert is provided free by cPanel Inc.

Courtesy of Let's Encrypt ;)

MaryLouW

The problem is, it scares people away from the site.  As soon as they see the warning, they don't log in.  I can see now by reading these posts that it's not an SMF problem. 

Thanks for the comments - I am not versed in certificates so for now, I'm not going to do anything.

br360

I would try contacting your host and see if they can help. There are a lot of decent hosts out there that are willing to do the entire set up for you. Some may charge you for the service but it usually isn't a lot of money.

Might be worth looking into, as having members log into your site might be important ;)

MaryLouW

I already checked the information on the host site and they want $49 per year per domain.  I have two domains where one needs to log in and to be honest, I cannot afford that much money.  It's out of the question for me.  I, and most of my members are all retired and only get a social security check which isn't a lot so asking them to foot the bill is also not an option.

I don't think it's fair that sites like mine, which contain no personal data other than an email address and password are being targeted like this.  It almost sounds like a plan to force one to pay even more for having a web site.

Arantor

The fact it has a password is why it is being 'targeted'. To be some kind of fair to Google/Firefox, they didn't roll this out until free certificates were made available, but it's a headache to roll out free certificates unless you're pretty technical.

To put it into context, I work for a firm that has 6 developers/server administrators on staff. Only two of us actually know how to get a Let's Encrypt certificate onto the servers without breaking anything and have it work again afterwards.

Sir Osis of Liver

Move to a host that provides SSL support in cPanel.  Crocweb has it, though I've had no reason to use it.  Their base host package is inexpensive, and you can search for promo codes that will reduce cost.  Support is excellent, I'm sure they can help you with the move and setting up SSL certificates.  You can contact them and discuss your situation before setting up an account.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

MaryLouW

Thanks for the information.  I will look into it.

MaryLouW

How can I modify the login box to say "this site is safe" in red?   I don't want to move as I've been with the same host for the last 9 years and am very happy with the service.  I cannot afford the $49 per year for the certificate and I know people are not going to join my forum when they see that message that the site may not be safe.  I am looking for a way around it.

LiroyvH

Quote from: Arantor on March 09, 2017, 09:12:20 AM
Courtesy of Let's Encrypt ;)

COMODO, actually. They do the cPanel Inc. certs.
Let's Encrypt can be enabled as an alternative, but is not the default.

$49 per year is an outrageous fee.
Can you add your own SSL certificate? If so, it's fairly easy to get one for around 10 bucks a year hassle free, or for free through a service like Let's Encrypt.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Antechinus

Quote from: MaryLouW on March 10, 2017, 04:41:25 PM
How can I modify the login box to say "this site is safe" in red?



The point being that if you really were running a dodgy site that you knew was flagged as dangerous, a red warning like that is probably what you would put up. "Bears? What bears? Nope, no bears here." So it may not help much if people are already paranoid. It may be better to link to a post where you explain the situation, or even to this topic, just so members can get the whole story.

However, adding extra content to the login form or anywhere else is easy enough.

Code (index.template.php - Find)
<div class="info">', sprintf($txt['welcome_guest'], $txt['guest_title']), '</div>

Code (index.template.php - Replace)
<div class="info">', sprintf($txt['welcome_guest'], $txt['guest_title']), '<br /><span style="color: red;">This site is safe (really).</span></div>
