Page 1 of 1

Unsecure login notification

Posted: Fri Mar 24, 2017 3:34 pm
by Dave
I get this message in firefox for both user name and password.
Pic attached for your info.

Re: Unsecure login notification

Posted: Mon Mar 27, 2017 9:29 pm
by richard
Yes it is because we still aren't using SSL. There has been no change to the site, just certain organisations (Google are another) are pushing for greater use of SSL.

A good SSL license costs a bit - especially if I was to multiply it across my websites. The Electronic Frontier Foundation offer some for free that don't offer full id information - and that might be an option. However it has been shown that a lot of scammers use the free EFF licenses - that defeats the identity side of things, although the improved in-transit security should be no different.

There is also the issue that the bulletin software would need to be updated to work with a certificate. Definitely possible but Here be Dragons! It could be a hairy experience! Also it would make sense if the entire site was converted at the same time. All those http:// refs would have to auto-forward to https://

As it happens only a few days I was thinking about looking at SSL again - and despite the hurdles, there is some logic to starting with the website as a guinea pig.

Re: Unsecure login notification

Posted: Tue Mar 28, 2017 8:03 pm
by richard
By coincidence, my webhost have just introduced a $10 SSL certificate that was announced today. Even if this offers no more than the free EFF certificates, the $10 would be worth it for the integration/etc (it is very easy to get SSL installation wrong).

Continuing to investigate but it is likely that I'll be installing this in a few weeks time.

Re: Unsecure login notification

Posted: Thu Mar 30, 2017 8:45 pm
by richard
SSL/https installed!

For secure login, use:

Your browser will probably show an exclamation mark next to the 'padlock' symbol for SSL: This is because not everything is currently using https - eg. static images and style sheets. Also some images are not currently appearing - I think this is a template issue (I think it is explicitly set to use insecure http ).

Working on it but it might take a few days.
Once I'm happy that most things are working, I'll add a redirect so if you enter "http://" it will forward to the secure version.

Also I should apply the latest set of site upgrades. The site may go down a few times over the next few hours/days, as I do all this.

Re: Unsecure login notification

Posted: Mon Apr 03, 2017 9:36 am
by Dave
Thank you Richard, that explains a lot.
Sorry for the late reply I've been on my hols.