My SMF Forum 1.1.21 is "NOT SECURE"!

Started by azarober, April 26, 2017, 12:19:03 PM

azarober

Hello there!
Some days ago, suddenly, Chrome and Firefox declared my SMF Forum 1.1.21 as "NOT SECURE".
This forum is closed and used as a tool for the basketball clinics; no CC is asked for, nor is any "sensitive information" required, OTHER THAN READING THE ARTICLES!

I need some help to understand the issue: casually or causally, one month ago my account was banned from AdSense, and till now (and perhaps NEVER!) I do not know WHY.

If the reason, as I think, is that it is an old version of SMF, I WANT TO RECEIVE FROM A CERTIFIED MEMBER OF THE SMF TEAM paid help to UPGRADE my forum: no complications, default theme, no components or applications were added to the original SMF:

http://www.ebaforums.com

Thanks in advance for any help and for recommending to me a CERTIFIED SMF TECHNICIAN to do the paid upgrade!

Roberto

Arantor

The issue is that you're not using HTTPS and don't have an SSL certificate.

Also, there is no such thing as a 'certified SMF technician' as there is no such thing as a certification program.

Sir Osis of Liver

https://wiki.simplemachines.org/smf/Upgrading

It's easy, just make sure you back up your forum files and database.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Arantor

Upgrading won't fix the 'not secure' warning.

Sir Osis of Liver

I know, but OP should upgrade anyway.  Some hosts have SSL option in cpanel, some don't and have to do it for you, and some charge for it.  OP would have to check with host to set it up.  Meanwhile, could post a notice on forum advising members that the warning is not a real problem.
azarober

Thanks a lot for the replies!
My intention with CERTIFIED is to be sure that someone of the SMF team can do the work!
The ssl is a paid option and during 17 years I had not this problem!
I know it is easy ... but for ALL OF YOU, not for ME! Therefore I asked for paid help!
Thanks again!

Illori

if you want paid help then you should post in the help wanted board. do be aware that does not mean that someone from the SMF team will take on your request.

azarober

I did not make the upgrade with someone that is not from the SMF Team... to be assured!

Illori

then you may never get the upgrade done as the team members are often busy doing other things.

Arantor

Quote: The ssl is a paid option and during 17 years I had not this problem!

Except that browsers have now decided that this is a requirement seeing that Let's Encrypt provides free certificates.

Elmacik

You already don't have "that" problem anyway? Maybe you had your hosting company fix it for you. HTTPS is an option to be switched on/off from your hosting control panel. The word "secure" has nothing to do with the website security in a manner you understood. It's all about serving a website over HTTPS protocol without having a proper SSL certificate installed.

That means, if you have an SSL certificate installed on your server; you can turn HTTPS on. If you don't have a certificate; you turn it off and that's it.

Your hosting provider seems to have separated HTTP and HTTPS content.

http://www.ebaforums.com (This works as it's expected. Nothing is "not secure" here.)
https://www.ebaforums.com (Now this is practically a wrong usage; not because the website is vulnerable; but because you need to have a certificate installed to use this URL. Plus, if you ever decide to use this option; you will need to either move your forum into httpsdocs (not in httpdocs); or you will need to configure your hosting account to serve the same files over both HTTP and HTTPS protocols.)

If you really need to have an SSL certificate (which actually you don't), you can check Let's Encrypt which issues certificates at zero cost.

I feel like I need to repeat that; your site is not insecure. Learn more about SSL certificates here. It's completely a different concept than you perceived.
Home of Elmacik

Kindred

Except, you are wrong.

Modern browsers now require all sites with a form that has a password field to be https, period. Any site that does not have HTTP and does have a password field will be marked as unsecured.

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Elmacik

Quote from: Kindred on April 27, 2017, 07:46:05 AM
Except, you are wrong.

Modern browsers now require all sites with a form that has a password field to be https, period. Any site that does not have HTTP and does have a password field will be marked as unsecured.

"Unsecured connection" is way different than "insecure website". I think you are causing great confusion now, because he thinks his web site has some vulnerable code that could let it be hacked. But this is not the case indeed. Plus, modern browsers would always indicate "not secure" for all HTTP pages regardless of a password field's essence.

For example, browse http://www.example.com and you will see that Chrome indicates "Your connection to this website is not secure", while there is no password field in this page, in contrast to what you say. So to repeat, there is a huge misconception here. This doesn't imply anything about the "security or vulnerability of the software" (it's SMF here). Rather, it's regarding the encryption of the information you exchange with that page.

Note: Using an SSL is encouraged these days and this is completely unrelated to the software you are using.

Arantor

Non technical users don't know the difference, it just says "Not secure" next to the address in the address even though the issue is nothing to do with the software.

But upgrading will be important, getting ready for 2.0.14 which has full HTTPS support.

Linkjay

Quote from: Arantor on April 27, 2017, 11:53:15 AM
Non technical users don't know the difference, it just says "Not secure" next to the address in the address even though the issue is nothing to do with the software.

But upgrading will be important, getting ready for 2.0.14 which has full HTTPS support.

What else is different inside the 2.0.14 update in terms of HTTPS support? Isn't it only a proxy that's added for HTTPS support?
I play games in my free time and volunteer my knowledge and support to the gaming communities of the internet.

You can contact me by these methods:
Use my Contact Script • PM me here • Add me on Steam

Arantor

It's got PHP 7 support plus the proxy which is the big thing that makes forums not suck on HTTPS when you can have all the pictures show up whether they were on HTTPS links or not.
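
Added example (not part of the thread and not SMF code): a Python check for the two conditions discussed above, a password field on a page served over plain HTTP and `http://` images embedded in an HTTPS page, plus one way an image-proxy link can be built. The `proxied` URL format, the secret and the sample hostnames are assumptions for illustration, not SMF's actual proxy scheme.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlsplit

class PageAudit(HTMLParser):
    """Collects what triggers 'Not secure' and mixed-content warnings."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.https = urlsplit(page_url).scheme == "https"
        self.password_over_http = False
        self.mixed_images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            # Credentials typed here travel unencrypted if the page is HTTP.
            self.password_over_http |= not self.https
        elif tag == "img" and a.get("src"):
            # Resolve relative and protocol-relative URLs against the page.
            src = urljoin(self.page_url, a["src"])
            if self.https and urlsplit(src).scheme == "http":
                self.mixed_images.append(src)

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser

def proxied(src, base, secret):
    """Hypothetical proxy link; the HMAC keeps the endpoint from fetching arbitrary URLs."""
    sig = hmac.new(secret, src.encode(), hashlib.sha256).hexdigest()
    return f"{base}?url={quote(src, safe='')}&sig={sig}"

# Constructed sample page: a login form, one external and one local image.
SAMPLE = """
<form action="/login" method="post"><input type="password" name="pw"></form>
<img src="http://images.example.net/avatar.png">
<img src="/images/logo.gif">
"""

if __name__ == "__main__":
    for url in ("http://forum.example/", "https://forum.example/"):
        r = audit(url, SAMPLE)
        print(url, r.password_over_http, r.mixed_images)
```
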

Linkjay

Quote from: Arantor on April 27, 2017, 04:02:35 PM
It's got PHP 7 support plus the proxy which is the big thing that makes forums not suck on HTTPS when you can have all the pictures show up whether they were on HTTPS links or not.

Yeah, I was very pleased to see that it went to the extent to where it actually took ALL images and made them run through the proxy. Very nice SMF team!

Still, my question was, is there anything else in the terms of HTTPS support? Not to say that that isn't enough, just simply curious.
Kindred

what else is there in terms of "https support"

SMF already supports https "out of the box" with the exception of external images like BBC and avatars....   and adding the proxy to 2.0.14 now works around that.

azarober

My server does not support Let's Encrypt, therefore an SSL certificate was purchased, according to the recommendations in this post, and the problem was solved! https://www.ebaforums.com is NOW SECURE!

The problem of the paid help to upgrade is still open... NOW, if my 1.1.21 is working fine... IS IT REALLY necessary to upgrade?

Illori

yes it is, SMF 1.1.* is basically without support at this time. that means no patches will be made moving forward. also SMF 1.1.* does not support the latest versions of php/mysqli and as a result if you don't upgrade before your host upgrades php version your forum will no longer function.
