Website security problem?

  • #682358
    Russell Eberhardt
    Participant
      @russelleberhardt48058

      When I visit this site using Firefox 116.0.3 on Linux Mint it is flagged as an insecure site.  I get the following message:

      “Your connection is not private. Information you submit can be viewed by others (like passwords, messages, credit cards, etc.).” together with one telling me to delete cookies and data!

      If I switch to Chromium browser it tells me the connection is secure.

      Something strange is going on.

      Russell

      P.S. In Firefox the line with links for new topic and follow are missing.

      #682383
      SillyOldDuffer
      Moderator
        @sillyoldduffer
        On Russell Eberhardt Said:

        When I visit this site using Firefox 116.0.3 on Linux Mint it is flagged as an insecure site.  I get the following message:

        “Your connection is not private. Information you submit can be viewed by others (like passwords, messages, credit cards, etc.).” together with one telling me to delete cookies and data!

        If I switch to Chromium browser it tells me the connection is secure.

        Something strange is going on.

        Russell

        Been reported.  It would be a security problem if the site took money or collected sensitive information, but it doesn’t.

        Firefox has detected that the forum is sending a mixture of encrypted and unencrypted web pages (HTTPS and HTTP).   Originally the entire internet was unencrypted, but as this is no good for banks and online shopping etc, HTTPS was introduced to ensure security.

        Although HTTP is allowed, it’s gradually being replaced by HTTPS for everything, even websites that don’t need strong security because encryption generally makes life difficult for the bad guys.

        HTTP has been deprecated for several years; not supposed to be used by new websites, and old websites encouraged to convert to HTTPS.  A few years ago browsers started issuing warnings when they found HTTP and HTTPS on the same page.   Firefox was the first, others following later.  I suspect your Chromium is a little out-of-date.

        I walk away if the warning appears when accessing a Bank or online shop – the risk is too high for me.   As this forum doesn’t collect sensitive data, I’m not too worried about it.  Nonetheless, the problem should be fixed.

        It appears that part of the problem is simply that some forum pages include icons downloaded with an HTTP address, rather than getting exactly the same with HTTPS – the code is a little old-fashioned.

        Dave
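
Added example, not part of the original posts or the forum's own code: a small Python checker a site maintainer could run over a page's HTML to list the subresources (icons, images, scripts, stylesheets) still referenced with an HTTP address on a page served over HTTPS, which is the condition described in the post above. It goes slightly beyond icons to other subresource tags; the function names and the hosts `forum.example` and `cdn.example` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
# <a href> is deliberately absent: following a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src", "link": "href"}
# Only these <link rel> values trigger a fetch; rel="canonical" does not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url) pairs

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, (attrs.get(attr) or "").strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(page_url, html):
    """Return (tag, url) for each HTTP subresource on a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # an all-HTTP page is not mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (hypothetical hosts), not taken from the forum.
SAMPLE_HTML = """
<link rel="icon" href="http://forum.example/favicon.ico">
<link rel="canonical" href="http://forum.example/topic/1">
<img src="http://forum.example/icons/reply.png"> <img src="//cdn.example/logo.png">
<script src="/js/app.js"></script> <a href="http://other.example/">old site</a>
"""
if __name__ == "__main__":
    print(find_mixed_content("https://forum.example/topic/1", SAMPLE_HTML))
```

Only the favicon and the reply icon are reported; the protocol-relative image, the relative script, the canonical link and the ordinary hyperlink are not fetched over HTTP and so are not flagged.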

         

        #682423
        vic newey
        Participant
          @vicnewey60017

          My old website from years ago is HTTP as are countless millions of others, if I wanted to convert it to HTTPS I have to buy an SSL certificate which can be expensive and has to be renewed every year apparently.

          #682434
          peak4
          Participant
            @peak4
            On SillyOldDuffer Said:
            Been reported.  It would be a security problem if the site took money or collected sensitive information, but it doesn’t.

            Firefox has detected that the forum is sending a mixture of encrypted and unencrypted web pages (HTTPS and HTTP).   Originally the entire internet was unencrypted, but as this is no good for banks and online shopping etc, HTTPS was introduced to ensure security.

             

            Dave

             

            I’m happy enough that the site is suitably low risk for me, as there’s no money transactions here; unlike the subscription site for Classic Magazines, which would be more concerning.

            If anyone is interested, Google Transparency Report can be read for individual sites, and updates regularly, including this one.

            Bill

            #682492
            Russell Eberhardt
            Participant
              @russelleberhardt48058

              Thanks for the explanations all.

              I have just restarted my computer and the problem on Firefox has gone.  I suspect the problem was on a specific forum page that I had visited and then Firefox remembered it for all pages on the site.

              Russell

              #682500
              Mark Rand
              Participant
                @markrand96270
                On vic newey Said:

                My old website from years ago is HTTP as are countless millions of others, if I wanted to convert it to HTTPS I have to buy an SSL certificate which can be expensive and has to be renewed every year apparently.

                You don’t have to buy a certificate if you are managing the website yourself, you just have to learn how to create certificates and how to reconfigure the server. If you are on a hosted service, your mileage may vary.

                #682559
                SillyOldDuffer
                Moderator
                  @sillyoldduffer
                  On vic newey Said:

                  My old website from years ago is HTTP as are countless millions of others, if I wanted to convert it to HTTPS I have to buy an SSL certificate which can be expensive and has to be renewed every year apparently.

                  The problem isn’t the sites that only use HTTP like Vic’s.

                  It’s websites that send a mixture of both HTTP and HTTPS that are potentially dangerous.   They have certificates, but aren’t using them  consistently.  You have to ask why, and there isn’t a good answer!  One or the other, not both.

                  This forum probably mixes HTTP and HTTPS by mistake, harmless because the site doesn’t handle money or sensitive data. Other reasons are sinister.  For example, mixed HTTP and HTTPS is symptomatic of a spoofed website and is highly indicative of poorly maintained websites.

                  Hackers search for poorly maintained websites because they typically develop loopholes enabling them to be used for various nefarious purposes.  Whilst site owners save a bob or two, don’t have to think, and may not suffer themselves, negligently maintained websites are a risk to their users and to the rest of the internet.   I don’t ignore security warnings unless I know exactly what the risk is.  Things like the Google Transparency report are helpful: wishful thinking and ignorance aren’t!

                  Dave

                  #682583
                  Michael Gilligan
                  Participant
                    @michaelgilligan61133

                    Comforting to see that NetCraft rates this site Low Risk

                    https://sitereport.netcraft.com/?url=https%3A%2F%2Fmodel-engineer.co.uk

                    … largely attributable to CloudFlare, I presume

                    MichaelG.

                    .

                    Edit: __ sucuri was not permitted to scan the site, and is therefore more cautious about it:

                    https://sitecheck.sucuri.net/results/https/model-engineer.co.uk
