Website Not Secure

[South_Aussie_Hiker]

For the last month or two, every time I login this site, my iPhone gives a red “website not secure” warning at the login page.

This occurs regardless of whether I’m connected via home NBN or 4g.

Once logged in, the earning disappears.

Has something changed with the security certificate of the website, or could this be related to iOS 11.3/11.4?

[michael_p]

Most likely to be related to this change that has recently been implemented in Safari: https://www.digicert.com/blog/safari-wa ... re-logins/

In a nutshell. The site login is done over a standard http connection. What all browser makers have moved to is logins using https ,which is the type of secure connection that is used for online banking, etc.

Browser makers are moving towards all website using https connections for all pages not just logins. This is just the first stage of the process. Safari is about a year behind everyone else. The warnings only started this year some time AFAIK.

Should you be worried? Well that is up to you, I can't answer that question for you. Personally, I am not that bothered about this site only having a http login. There is little usable information about me in my profile so I see it as low risk. YMMV of course.

Cheers,
Michael.

[ribuck]

An http login can be easily intercepted by anyone on the same WiFi network.

So make sure you use a password here that is different from the passwords you use anywhere else.

[north-north-west]

I've had this since a certain (can't remember which) update to Firefox.

No-one has hacked me yet. *fingers crossed*

[South_Aussie_Hiker]

Great. Thanks for the detailed explanation.

[wildwalks]

Yes -- that is right. I have not installed a SSH (https) certificate for the bushwalk.com.
This is something I should do. I am planning a fairly significant update later this year, I will include adding a SSL to part of that upgrade. A different password is good advice.

thanks

Matt

[FatCanyoner]

Matt, this is definitely worth resolving. I moved my blog over to https late last year after people started mentioning issues with this. Certain browsers really don't like http sites anymore. And depending on your security settings, some people will simply get blocked rather than getting a warning. This is only going to become more of an issue as https is further entrenched as the standard.

I'd recommend getting an SSL certificate through Let's Encrypt (https://letsencrypt.org), which is a free and effective service.

I'd also point out that, despite not being particularly technical, I managed to move both Fat Canyoners (https://fatcanyoners.org/) and the new Canyoning Australia forum (https://canyoning.org.au/forum/) over to https. Once you have the SSL certificate sorted you can simply put in place a redirect so everyone who comes to the site using an old http url (links from other sites, old search engine results, etc) is automatically redirected to the https version. People won't even notice the difference, and you'll not only provide greater security for forum users, but you'll avoid losing potential visitors.

[wildwanderer]

Can we get this sorted please?

Traffic to the forum is becoming less and less.

No doubt a contributor is the warning that the website is not secure when browsing on iphones, the chrome browser and some other mobile phones. Also from July 2018 google is now down ranking sites that do not use https so it means less people find the forum on search engines.

not secure.jpg

You do not have the required permissions to view the files attached to this post.

[FatCanyoner]

Totally agree. I avoid sites that don't use https, particularly when they involve the use of passwords. I'm sure many bushwalk.com members use the same passsword for other accounts, email, maybe even banking. It's simple to fix and protects the privacy of users. I have no IT experience, beyond what I've had to develop running a couple websites, and I managed to easily add free SSL certificates that resolve this. It isn't hard.

[ribuck]

If you use a different password here than at other sites, and you don't send this site any sensitive information (e.g. in private messages), you have nothing to fear. The lack of https only makes it possible for others to intercept your communications with this site; it doesn't enable others to hack anything else of yours.

No doubt this site will eventually be made secure. It's not hard to do if you already know how, but it's a real hassle when you have to work it out yourself for the first time.

[Hiking Noob]

Works fine on Monument Browser on my Android phone, works fine in Seamonkey on my Windows laptop, have never received any sort of warning.

[wildwanderer]

If you use a different password here than at other sites, and you don't send this site any sensitive information (e.g. in private messages), you have nothing to fear. The lack of https only makes it possible for others to intercept your communications with this site; it doesn't enable others to hack anything else of yours..

the forum has a significant e-commerce section. I think its wishful thinking to believe people are not exchanging private info when buying and selling on market square. Really they should be taking the transaction to private email.. but I wonder how many dont.

Never the less I don’t think the risk is severe if people follow the suggested security precautions you mentioned ribuck. Not reusing passwords being the most critical.

I’m more concerned with the reduction of forum traffic. I’m sure many people who might become great members of the bushwalk.com community are not signing up because they get a warning about the site being insecure on their browser. and of course less publicity for the site on search engines due to downranking.

[shehaal]

it's a real hassle when you have to work it out yourself for the first time.

I disagree; it takes about 5 minutes with Cloudflare (which has a free tier), so long as you can move your DNS to them. They set up and renew the certificate automatically for you, and a couple of checked boxes on their dashboard will force a redirection from unsecured to secured.

If you buy a cert from a cert authority and manually install it, then yes, it's likely an absolute pain!

[Mischa]

Hey, just bumping this as it's concerning that in 2020 a website that has logged in users is not using HTTPS. As mentioned in the post above, it's not difficult to do, and there are free options around these days I believe. Cheers!

[FatCanyoner]

+1

I have zero IT training or formal experience, yet manage to run three websites that all use HTTPS. I use Cloudflare, which was mentioned above. Completely free, great product, and easy to use.

[wildwalks]

Howdy Guys
Sorry this has taken forever....... Had some technical issues a while ago and it fell off my todo list
Turned out to be a fairly simple configuration step I oops'ed on.

https:// is finally setup and working

Thanks for the advice on all the free options, unfortunately the way bushwalk.com is means we can't access most of these free services. All good, got our own (free) certificate installed on the server and is seems happy

Happy secure bushwalking

Matt

[Son of a Beach]

Thanks Matt. Seems to be working fine now when I put an "https://" in front of the URL.

I wasn't too worried about it, as I use a different password here than elsewhere, etc. But it's good for everybody's peace of mind, and the search engines will now give it a bit more favour.

NB: Some people might notice that some pages (including the front page) still show as "not secure" in some browsers even though they are using TLS (https://). I think this may be because those pages include images or links to non-secure content. Eg, the forums front page has http:// images of (and links to) the eMag.

Last edited by Son of a Beach on Mon 07 Sep, 2020 9:46 am, edited 1 time in total.

[wildwalks]

Some people might notice that some pages still show as "not secure" in some browsers. I think this may be because those pages include images or links to non-secure content.

Yes, thanks for this, I am working on this, seems to be mostly due to with the magazine images on the home page. But all content posted and passwords etc is HTTPs.
Hope to fix this issue today or tomorrow

Thanks

[FatCanyoner]

Great stuff Matt!

[wildwalks]

Great stuff Matt!

Thanks

[Mountain Rocket]

Awesome thanks for this Matt.

[ribuck]

Thank you!

[north-north-west]

The browser is now showing a lovely little padlock. Neat, and thank you.

[wildwalks]

Thanks guys -- sorry it took forever

[Franco]

I still had the bookmark for the original Tasmania Bushwalks (or something like that...)
That worked till a couple of days ago.
So now I Googled Bushwalk Australia, the site came up so I have a new bookmark that works.

[Chris]

Screen Shot 2020-09-10 at 5.47.33 pm.png

Screen Shot 2020-09-10 at 5.47.17 pm.png

Sorry Matt, maybe the answer to my problem is already here but ...
For the last few days I've been getting these messages whenever I try to access the site. I use https://www.bushwalk.com/forum/search.p ... ive_topics.

It worried me at first, but I eventually decided to go ahead. It's still a pest though

I see NNW''s lovely little padlock, and include https://, so have run out of options from the recent posts.

Is this easily fixable?

You do not have the required permissions to view the files attached to this post.

[ribuck]

Try it without the "www.", Chris.

[wildwalks]

Is this easily fixable?

Hi Chris
Yes thanks for this. For now just got to https://bushwalk.com (no www.) That will solve the issue.
Weird, because the website should redirect and drop the www., so I will look into that and if needed I will add the www to the certificate to fix it for others.
Thanks for letting me know.
Matt

[Chris]

Thanks Matt. Done

[Son of a Beach]

Looks like the YouTube tags are no longer working (at least at viewtopic.php?f=10&t=31483&view=unread#unread ). I'm not sure if its related to this change but the timing is about right.