Site is not safe?

Started by MaryLouW, March 09, 2017, 01:57:43 AM


MaryLouW

Ever since Firefox and Chrome updated their software today, when someone logs into my forum, they get a message on the login screen that says the site is not safe.  Why is this happening and how can I fix it?  The message is attached.  It's freaking my users out.

Chen Zhen

ref.
http://www.simplemachines.org/community/index.php?topic=551519.20

You need to set your site up with a legitimate ssl encryption certificate.
Once you get that set up, a cron job needs to be made to update it just prior to every 90 days (or whatever term for ssl host you use).
Then you can either adjust SMF to use it for logging in or you can adjust all url settings to https via, i.e., the repair settings tool.

If you do the latter then I suggest disabling external avatars for your users.
If your whole site is set to https then any external http links on a page (including avatars) will flag the page as unsafe even though the rest is encrypted.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

Arantor

2.0.14 will ship with things to make the "disabling of avatars and external images" unnecessary.

Antechinus

Quote from: MaryLouW on March 09, 2017, 01:57:43 AM
Ever since Firefox and Chrome updated their software today, when someone logs into my forum, they get a message on the login screen that says the site is not safe.  Why is this happening and how can I fix it?  The message is attached.  It's freaking my users out.
You may not want to leave members' emails in that screenshot. ;)

MaryLouW

What if I just don't do anything?  What's the worst thing that could happen?  It doesn't happen with Edge so maybe I should have my users log in with that browser?   The "fix" is WAY above my head.

I fixed the one visible email. The rest are all mine.

Antechinus

If you don't do anything, the worst that will happen is your members will see a warning.

Kindred

however.... google is going to start penalizing sites that do not use https for any page with a login form (in SMF, that would be pretty much every page, for guests)


One thing...
Quote from: Chen Zhen on March 09, 2017, 02:10:22 AM
Once you get that set up, a cron job needs to be made to update it just prior to every 90 days (or whatever term for ssl host you use).

If you have a decent host  (and do not use an unmanaged dedicated server), this should not be necessary...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

That depends. Certificates expire. It just so happens that Let's Encrypt certificates expire after 90 days rather than a year or two years. But LE certs can be completely automated away with cron jobs to auto renew them...

Kindred

like I said... AFAIK, my host does that for me (so, I assumed that most good hosts would do so as well)

Shambles

My cPanel has an auto-renew option for SSL certs, which kicks in every 90 days. The cert is provided free by cPanel Inc.

Arantor

Quote from: Shambles on March 09, 2017, 08:47:12 AM
My cPanel has an auto-renew option for SSL certs, which kicks in every 90 days. The cert is provided free by cPanel Inc.

Courtesy of Let's Encrypt ;)

MaryLouW

The problem is, it scares people away from the site.  As soon as they see the warning, they don't log in.  I can see now by reading these posts that it's not an SMF problem. 

Thanks for the comments - I am not versed in certificates so for now, I'm not going to do anything.

br360

I would try contacting your host and see if they can help. There are a lot of decent hosts out there that are willing to do the entire set up for you. Some may charge you for the service but it usually isn't a lot of money.

Might be worth looking into as having members log into your site, might be important ;)

MaryLouW

I already checked the information on the host site and they want $49 per year per domain.  I have two domains where one needs to log in and to be honest, I cannot afford that much money.  It's out of the question for me.  I, and most of my members are all retired and only get a social security check which isn't a lot so asking them to foot the bill is also not an option.

I don't think it's fair that sites like mine, which contain no personal data other than an email address and password are being targeted like this.  It almost sounds like a plan to force one to pay even more for having a web site.

Arantor

The fact it has a password is why it is being 'targeted'. To be some kind of fair to Google/Firefox, they didn't roll this out until free certificates were made available, but it's a headache to roll out free certificates unless you're pretty technical.

To put it into context, I work for a firm that has 6 developers/server administrators on staff. Only two of us actually know how to get a Let's Encrypt certificate onto the servers without breaking anything and have it work again afterwards.

Sir Osis of Liver

Move to a host that provides SSL support in cPanel.  Crocweb has it, though I've had no reason to use it.  Their base host package is inexpensive, and you can search for promo codes that will reduce cost.  Support is excellent, I'm sure they can help you with the move and setting up SSL certificates.  You can contact them and discuss your situation before setting up an account.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

MaryLouW

Thanks for the information.  I will look into it.

MaryLouW

How can I modify the login box to say "this site is safe" in red?   I don't want to move as I've been with the same host for the last 9 years and am very happy with the service.  I cannot afford the $49 per year for the certificate and I know people are not going to join my forum when they see that message that the site may not be safe.  I am looking for a way around it.

LiroyvH

Quote from: Arantor on March 09, 2017, 09:12:20 AM
Courtesy of Let's Encrypt ;)

COMODO, actually. They do the Cpanel Inc. certs.
LetsEncrypt can be enabled as alternative, but is not the default.

$49 per year is an outrageous fee.
Can you add your own SSL certificate? If so, it's fairly easy to get one for around 10 bucks a year hassle free, or for free through a service like LetsEncrypt.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Antechinus

Quote from: MaryLouW on March 10, 2017, 04:41:25 PM
How can I modify the login box to say "this site is safe" in red?



The point being that if you really were running a dodgy site that you knew was flagged as dangerous, a red warning like that is probably what you would put up. "Bears? What bears? Nope, no bears here." So it may not help much if people are already paranoid. It may be better to link to a post where you explain the situation, or even to this topic, just so members can get the whole story.

However, adding extra content to the login form or anywhere else is easy enough.

Code (index.template.php - Find)
<div class="info">', sprintf($txt['welcome_guest'], $txt['guest_title']), '</div>

Code (index.template.php - Replace)
<div class="info">', sprintf($txt['welcome_guest'], $txt['guest_title']), '<br /><span style="color: red;">This site is safe (really).</span></div>

Antechinus

Quote from: CoreISP on March 10, 2017, 06:05:46 PM
Quote from: Arantor on March 09, 2017, 09:12:20 AM
Courtesy of Let's Encrypt ;)

COMODO, actually. They do the Cpanel Inc. certs.
LetsEncrypt can be enabled as alternative, but is not the default.

$49 per year is an outrageous fee.
Can you add your own SSL certificate? If so, it's fairly easy to get one for around 10 bucks a year hassle free, or for free through a service like LetsEncrypt.

Yebbut teh ranty one says:

Quote from: Arantor on March 09, 2017, 04:36:02 PM
The fact it has a password is why it is being 'targeted'. To be some kind of fair to Google/Firefox, they didn't roll this out until free certificates were made available, but it's a headache to roll out free certificates unless you're pretty technical.

To put it into context, I work for a firm that has 6 developers/server administrators on staff. Only two of us actually know how to get a Let's Encrypt certificate onto the servers without breaking anything and have it work again afterwards.

And MaryLouW is not of the highly technical persuasion.

LiroyvH

Indeed, LetsEncrypt is not exactly easy to use at all... The option is available though.
All the same, $49 is insane. If you're not technical enough to use a service like Let's Encrypt: you can grab an SSL cert for $9 at NameCheap. (Perhaps even cheaper elsewhere.)
So should the hosting provider offer the SSL functions (signing request + install certificate), then $9 and a few minutes of work is all it takes. :)

MaryLouW

If I had one of those bills, I'd sure send it to you!!!  THANK YOU for the coding!!  That is something I can manage to do.  I appreciate your efforts here and it will definitely make my life easier as well as that of a friend of mine who also runs an SMF forum.  We have both been upset over how to handle it.   :)   I am a happy camper now!

Kindred

Marylou...   adding that text is ***NOT*** the "way to handle it"

If anything, you are actually making things WORSE by adding text like that.

My host gave me certs for free with a single click... and for the one site that I wanted a more official cert for, they helped me set it up, costing me a total of $20 for the year for the cert and zero for the service.

If your host can't do that, then why the heck are you paying them?

MaryLouW

Okay, based on what you just said, I went back to the control panel and to my surprise, I found an advanced area where they do offer a free SSL.  I clicked on it and it created several files in my root directory, secure, and secure-cgi-bin.  Then it gave me a url  https://secure40.securewebsession.com/pirc-forum.com/  and said to make sure I moved my files.

I don't understand what all that means.   What files do I need to put in these folders and does that mean, the above will be the link to my site?

I was very much misled by one of their lower level tech who said all I needed to do was change my password every three months when I asked about adding an SSL and explained about the message that the browsers were displaying.  Apparently, he wasn't aware of that happening. 

When I checked out their services again, they do charge $49 for an SSL but apparently, it also comes free if you are hosted with them. 

Can anyone tell me what should be in those folders and what url I would use?

MaryLouW

Going to ask again just in case you guys missed it.  What goes into those folders that were created when I activated the SSL?

Illori

ideally the ssl should cover your existing domain as you want to use it, you should ask your host about that. you should not need to move things anywhere else to take advantage of the SSL.

br360

When you do talk to your host, you should ask them to upload the SSL certificate to your server for you and then add the appropriate code to force https in your .htaccess file.

Most hosts will do both for you and probably at no cost to you.

After that is done, the only thing you should have to do is run repair_settings.php to make sure all http paths are changed to https.

Ben_S

Except you will have issues with all the hotlinked content so there is no point doing anything until 2.0.14 is released!
Liverpool FC Forum with 14 million+ posts.

Kindred

well, I wouldn't say that there is "no point" - since the change will address the main index and the login page (which are the two spots that most people will notice it)



MaryLouW

Why would I have a problem with 2.0.14?  I don't understand all of this stuff but I will contact my host and see if they can help.  In the meantime, Thanks to all who tried.

Arantor

No-one is saying that. What people are saying is that right now if someone puts a picture on your forum without using an attachment, and the link to it is http:// it won't work on a secure site.

2.0.14 will, when released, solve this problem.
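
Added example, not part of the thread and not SMF code: a small Python audit that lists the http:// subresources in a rendered page, the kind of hotlinked image or avatar described above that triggers the mixed-content warning once the forum is served over https. The sample page and its example.* hosts are constructed, and the tag list is an assumption that covers common cases only.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches while rendering a page.
# <a href> is absent on purpose: following a link is navigation, not a load.
SUBRESOURCES = {
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("embed", "src"): "active", ("object", "data"): "active",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in SUBRESOURCES.items():
            if t == tag:
                self._check(kind, tag, attrs.get(attr))
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            self._check("active", tag, attrs.get("href"))

    def _check(self, kind, tag, url):
        # Only an explicit http:// scheme counts; https://, //host/ and relative URLs pass.
        if url and urlsplit(url.strip()).scheme == "http":
            self.findings.append((kind, tag, url.strip()))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a rendered forum post (hosts are placeholders).
SAMPLE_PAGE = """
  <img class="avatar" src="http://avatars.example.net/u/42.png" alt="" />
  <img src="https://forum.example.org/attachments/7.jpg" alt="" />
  <img src="//cdn.example.org/smiley.gif" alt="" />
  <a href="http://news.example.com/story">a plain link</a>
  <script src="http://widgets.example.net/counter.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Running it over saved copies of the busiest topics before switching to https shows how many posts still depend on http-only image hosts.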

MaryLouW

OH!  Thanks for explaining that!  Maybe I will wait until the next upgrade then because we have many linked images.  Thanks for clearing that up.

Steve

If your questions have been answered for now would you mark this solved? :)
DO NOT pm me for support!
