Site "Not Secure"
  1. #1
    Join Date
    Jun 2012
    Location
    Suffolk Co, NY, USA
    Posts
    3,630

    Default Site "Not Secure"

    Is there another issue lately?
    In the address bar there is a symbol indicating that beesource is not secure. Google Chrome.
    Below is the explanation by Google of what the symbol could mean:

    The site isn't using a private connection. Someone might be able to see or change the information you send or get through this site.

    You might see a "Login not secure" or "Payment not secure" message. We suggest that you don't enter sensitive details, like passwords or credit cards.

    On some sites, you can visit a more secure version of the page:

    Select the address bar.
    Delete http://, and enter https:// instead.
    If that doesn't work, contact the site owner to ask that they secure the site and your data with HTTPS.

  3. #2
    Join Date
    Oct 2010
    Location
    Pueblo, Colorado, USA
    Posts
    1,527

    Default Re: Site "Not Secure"

    This site isn't secure. https can't be forced on BS
    Zone 5 @ 4700 ft. High Desert

  4. #3
    Join Date
    Jun 2011
    Location
    Campbell River, BC, CA
    Posts
    1,654

    Default Re: Site "Not Secure"

    Using https doesn't make a site secure, it just means that encryption is used on the network link. Why bother? This is a public forum, anybody can read what's posted here, so does it matter that it's not encrypted going to/from your browser?

  5. #4
    Join Date
    Mar 2007
    Location
    Toronto, Ontario, Canada
    Posts
    331

    Default Re: Site "Not Secure"

    True. HTTPS wouldn't make a big difference here. But, we are planning on implementing it here in the future. It's becoming standard procedure in these days of internet security awareness, and in time not having the certificate will hurt the site's status with security companies, and Google and other search engines.

    No official ETA on when it will be implemented. Hoping for sooner rather than later.

    If you are ever on a site that doesn't have HTTPS, and it asks for credit card info, run the other way.

    Kevin

  6. #5
    Join Date
    Jun 2011
    Location
    Campbell River, BC, CA
    Posts
    1,654

    Default Re: Site "Not Secure"

    Quote Originally Posted by Admin View Post
    True. HTTPS wouldn't make a big difference here.
    Actually, it can have a big performance impact. Browsers will cache far less when the link runs over https, any page that includes an input field, like the one I'm typing in right now, will not be cached by most browsers if it's an https connection, whereas it will get cached if the link is http.

    For an open public forum, it can indeed introduce a significant performance hit most noticeable by folks on a skinny internet connection. All it really solves, is the whining from folks about 'it's not https' who don't really know much about the underpinnings, but 'I read it on the internet' told them https = secure. Don't get me started on that train, I can go on forever. A few companies have managed to create a billion dollar business out of selling certificates that make the claim of 'this means the site is secure', when in fact, all it really means is the host has spent money on a certificate that browsers 'accept'. If indeed buying an expensive certificate and switching to https made a site secure, we wouldn't be reading about massive data leaks constantly in the press.

    Now if the goal is just to switch to ssl connections to make folks happy because they read somewhere on the internet that a site is safe and secure due to the little green lock icon in the browser, that's easy to manage in 10 minutes using the automated certificate system from the folks at LetsEncrypt. I've set up a few locations with that system to pacify the folks whining about https, it gets the job done quick and easy without dumping a bunch of cash into the coffers of companies that sell expensive certificates that have no real value in terms of actually securing a website.

  7. #6
    Join Date
    Jun 2012
    Location
    Suffolk Co, NY, USA
    Posts
    3,630

    Default Re: Site "Not Secure"

    Quote Originally Posted by grozzie2 View Post
    Actually, it can have a big performance impact. Browsers will cache far less when the link runs over https, any page that includes an input field, like the one I'm typing in right now, will not be cached by most browsers if it's an https connection, whereas it will get cached if the link is http.

    For an open public forum, it can indeed introduce a significant performance hit most noticeable by folks on a skinny internet connection. All it really solves, is the whining from folks about 'it's not https' who don't really know much about the underpinnings, but 'I read it on the internet' told them https = secure. Don't get me started on that train, I can go on forever. A few companies have managed to create a billion dollar business out of selling certificates that make the claim of 'this means the site is secure', when in fact, all it really means is the host has spent money on a certificate that browsers 'accept'. If indeed buying an expensive certificate and switching to https made a site secure, we wouldn't be reading about massive data leaks constantly in the press.

    Now if the goal is just to switch to ssl connections to make folks happy because they read somewhere on the internet that a site is safe and secure due to the little green lock icon in the browser, that's easy to manage in 10 minutes using the automated certificate system from the folks at LetsEncrypt. I've set up a few locations with that system to pacify the folks whining about https, it gets the job done quick and easy without dumping a bunch of cash into the coffers of companies that sell expensive certificates that have no real value in terms of actually securing a website.
    Sounds like you are an expert in this field grozzie, a real computer programmer instead of one who just utilizes programming written by others to navigate the internet. Apparently, you don't need to rely on what others (even other programmers) have to say so why don't you enlighten all the whining laymen key punchers about security issues? Start with explaining the 3 points from Google in the first post, clear it all up for us.
    Much appreciated.

  8. #7
    Join Date
    Jun 2011
    Location
    Campbell River, BC, CA
    Posts
    1,654

    Default Re: Site "Not Secure"

    Quote Originally Posted by clyderoad View Post
    Sounds like you are an expert in this field grozzie, a real computer programmer instead of one who just utilizes programming written by others to navigate the internet. Apparently, you don't need to rely on what others (even other programmers) have to say so why don't you enlighten all the whining laymen key punchers about security issues? Start with explaining the 3 points from Google in the first post, clear it all up for us.
    Much appreciated.
    Read below.

    Quote Originally Posted by clyderoad View Post
    Is there another issue lately?
    In the address bar there is a symbol indicating that beesource is not secure. Google Chrome.
    Below is the explanation by Google of what the symbol could mean:

    The site isn't using a private connection. Someone might be able to see or change the information you send or get through this site.

    You might see a "Login not secure" or "Payment not secure" message. We suggest that you don't enter sensitive details, like passwords or credit cards.

    On some sites, you can visit a more secure version of the page:

    Select the address bar.
    Delete http://, and enter https:// instead.
    If that doesn't work, contact the site owner to ask that they secure the site and your data with HTTPS.
    Https will encrypt the information going between your browser and the web server. The point of this style of encryption is to prevent it being 'snooped' by other parties as it traverses the network. Is it important to use encryption when submitting private information? Yes, it is. Is it important to use encryption when submitting information that is going to be open to the public? Not at all. After I submit this post, it's available for everybody to read anyways, so does it make a difference if it can be seen by somebody else while traversing the network to reach the server? Heck, they can just open a web browser and see it anyways.

    Now talk about various 'data leak' types of penetrations. A very common example of how it's done is something called 'sql injection'. This happens when a site is poorly configured such that when I post data to the site, I can embed database commands into the post in such a way that instead of going into part of my message, I trick the server to executing it as a database command. Matters absolutely not if the post was made over an http or an https request, the end result will be the same. That is a completely different kind of security issue, and it has NOTHING to do with whether or not the site is using https for the connection.

    Now let me get on my high horse for a minute. There are many companies out there that sell certificates for use on https connections, and they want end users to believe that using those certificates makes the site secure. It does not do that in any way shape or form. The only thing it possibly does (and this is not definitive), it tells you that the third party company has verified that the site owner is who they say they are. But, those systems are relatively easy to get around for the most part, very few of the certificate validation companies actually do any serious checking. Sign up online, send them some electronic copies of things like incorporation papers (easily forged), and voila, they issue you a certificate after you pay the bucks for it. Quite some number of years ago, those companies convinced browser vendors to include root certificates with the browsers, and pop up messages saying 'Not Secure' if the site doesn't have a certificate issued by a 'trusted authority'. How does one become a 'trusted authority', in reality it's not what most think. Reality is, the level of trust in the root certificate chain for most browsers depends entirely on how much the browser vendor was paid by the certificate company to include that root certificate in the distribution. And that's how the whole business of https certificates turned into a billion dollar rip off. I have proven this to clients in the past by getting a 'highly trusted' certificate for a corporate entity that does not exist, at a vacant address, by simply jumping thru the paperwork hoops.

    So, what does that little green lock in the address bar really mean? It means the site is using an https certificate, and that certificate has been issued by a 'trusted authority'. It means NOTHING about how the server has been secured against penetration attacks, or any other kind of attack vector. Does it matter here on beesource? Are you submitting confidential data in any of your posts here? If so, why are you doing that, this is a public forum, anybody can read what is posted in a public forum. Whole different story if you are posting credit card numbers etc, but that's not the case here. There is a time and a place for everything, but, getting excited about the green lock on a public forum is the wrong place to be excited about https, and it's mostly a result of bad information being fed to the masses by the folks who 'market by magazine article' type of stuff. It gets propagated tremendously by the script kiddie crowd who think they know a lot because 'I read it online'. I had somebody trying to tell me that our little farm website was a huge security problem a few weeks back, because it didn't show the little green lock when they connected. I went online to the LetsEncrypt folks, spent 5 minutes jumping thru hoops and added a 'trusted' certificate, you can see it here: https://www.rozehaven.ca/farm/ . Yup, now my little farm website has the green lock, it's https, so therefore 'must be secure' according to some folks. Well, no, not really. All that lock means, I jumped thru some hoops to validate site ownership online, and voila, I have a certificate now, and it's derived from a 'trusted root'. Nobody did any kind of audit to ensure there are no security holes in that website. It's a personal website, so I don't really care, there is no confidential data there, and never will be. It's a basic wordpress install where my wife and I can keep a bit of a journal of what we are doing with our little farm property, mostly to show folks 'yes it can be done, and it can be done on a small plot'. We started with a 2 acre wasteland, and now between bees, garlic, and chickens, net revenues are enough to carry a mortgage on this property. It's very much an 'in your face' thing for all the naysayers. And hey, now we have a little green lock, so, it must be secure. Well, no, not really, it's still just a basic wordpress install, that happens to have a certificate browsers deem 'trusted'.

    Don't get me wrong on one point tho, I think what the folks at LetsEncrypt have done is fantastic, it just shows how much of a scam some companies have built on the 'https certificate' business. Anybody with a modest amount of computer savvy can sit down and set up a certificate authority in 15 minutes, I've done it many times. The certificates generated by that authority will not give the little green lock in a browser address bar, unless I convince the browser vendors to include my fresh new root certificate into the browser distribution as a 'trusted root'. The folks at LetsEncrypt have put together a neat little automated system that can verify the person requesting a certificate does indeed have control of the website in question, and issue a certificate based on that. Enough browsers now include the LetsEncrypt root as a 'trusted source' that it's made the process of getting the little green lock icon trivial and easy on a website. But the reality of it is, it still does nothing to validate site security, so it's a false indicator that fools everybody that doesn't really understand what web security really means, an elegant workaround for something that was becoming a serious hassle for small websites, certs from some of the vendors run in the thousands of dollars. Then to really add insult to those costs, virtually all vendors that have been in the business for a lot of years, over time, have had root certificates compromised, and have had to do lots of certificate revocations and replacements because of it. If you take a close look at the history of root certificates in various browser distributions, lots and lots have been revoked over time, to be replaced by new uncompromised root certificates.

    The real big confusion, and I believe this confusion is propagated intentionally by certificate sellers, there is a HUGE difference between 'trusted', and 'secure'. A certificate just says the site is 'trusted' to be who they claim to be, nothing more. It says absolutely NOTHING about whether or not that site is 'secure', but the marketing of certificates intentionally confuses those two issues.

    In that respect, it's much like keeping bees. If you read enough at various places on the internet, you will end up convinced that the ONLY way to be successful keeping bees is to throw them in a box, deprive them of both food and medications, then sit back and wait for them to become super bees that are immune to mites and can survive a dearth just fine right after you strip off the honey supers and steal their food supply. Just because one read this mumbo jumbo online, does not make it so.

    The little green lock tells you two things, and ONLY two things.

    a) Somebody jumped thru some hoops somewhere, to validate that the person requesting the certificate indeed has control of the website. It may or may not validate the person requesting is actually who they say they are, you have to look carefully at the certificate itself to check that part out.
    b) The data is travelling over an https connection, so, it is unlikely (not impossible) to be intercepted by a third party between your computer and the server.

    FYI, item b) above applies to any site on https, irrelevant of whether or not the lock is green, as long as it is actually an ssl connection. Then again, not all ssl connections are created equal either. Older forms of the standard have shown weaknesses over time, so, it is still possible to end up with the little green lock showing that says 'yes this is an encrypted connection going to a validated destination', but, if using very old ssl libraries, fairly straightforward for an expert to perform a man in the middle snoop on that data, assuming they have physical access to the network somewhere in between the client and server. The most common vector for that kind of penetration is to compromise consumer routers where they interconnect with the rest of the internet. If you subscribe to mailing lists dealing with this subject, and are a bit adept at writing firmware for these things, you would be astounded at how easy this vector is, and how many compromised consumer routers there are out there in the world running with malicious code injected into them.

    As someone who has dealt with network security for most of the last 30 years, it is my opinion, the propagation of this idea that the 'little green lock' in a web browser url means the site is secure, is just a figment of some marketing folks' imagination, and, they have built up a huge revenue stream by convincing the public this is the case. The green lock has nothing to do with site security, and everything to do with 'who did you pay for the certificate', or at least for a lot of years, that's what it was. Hopefully the folks at LetsEncrypt can continue to kick the legs out from under that bogus business model.
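
Post #7 says you have to look at the certificate itself to see whether the requester's identity was checked or only control of the domain, and that old SSL versions weaken the connection. The sketch below is an added example, not code from any poster: it reads the dictionary Python's `ssl` module returns for a verified peer certificate. The sample certificates, host names and CA names are constructed, and treating a missing organization in the subject as "domain control only" is a heuristic.

```python
import socket
import ssl

def _flatten(name):
    """getpeercert() returns a name as a tuple of RDNs, each a tuple of (key, value)."""
    return {key: value for rdn in name for key, value in rdn}

def summarize_cert(cert, now):
    """Report what a verified certificate actually asserts about the site."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    org = subject.get("organizationName")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "hostnames": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "organization": org,
        # Heuristic: no organization in the subject means the CA only
        # confirmed that the requester controls the domain.
        "identity_asserted": org is not None,
        "days_left": int((expires - now) // 86400),
    }

def protocol_is_current(version):
    """True for protocol versions not in the 'older, weakened' group."""
    return version in ("TLSv1.2", "TLSv1.3")

def fetch(host, port=443, timeout=5):
    """Connect with chain and hostname verification; return (cert dict, protocol)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

# Constructed samples in the shape getpeercert() returns (not real certificates).
SAMPLE_DV = {
    "subject": ((("commonName", "farm.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Automated CA"),),
               (("commonName", "E1"),)),
    "subjectAltName": (("DNS", "farm.example"), ("DNS", "www.farm.example")),
    "notAfter": "Jan 25 00:00:00 2030 GMT",
}
SAMPLE_OV = {
    "subject": ((("countryName", "CA"),),
                (("organizationName", "Example Bank Ltd"),),
                (("commonName", "bank.example"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "bank.example"),),
    "notAfter": "Jan 25 00:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2030 GMT")

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV):
        print(summarize_cert(sample, SAMPLE_NOW))
    print("TLSv1 current?", protocol_is_current("TLSv1"))
```

Neither result says anything about how the server behind the certificate is configured or patched.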

  9. #8
    Join Date
    Mar 2007
    Location
    Toronto, Ontario, Canada
    Posts
    331

    Default Re: Site "Not Secure"

    ^^ Ditto! (LOL, sorry! Tough post to follow)!

    Please feel free to reach out if you have any further questions or concerns!

    Cheers,

    Erik

  10. #9
    Join Date
    Jun 2012
    Location
    Suffolk Co, NY, USA
    Posts
    3,630

    Default Re: Site "Not Secure"

    Thanks for your reply.
    Phooey on Google Chrome and those money bilking certificate companies pushing the green locks that
    are pretty much worthless as far as security goes.
    I can claim to all who ask how I know, that I read it on the internet!

  11. #10
    Join Date
    Jul 2013
    Location
    Cullman, Alabama, USA
    Posts
    1,240

    Default Re: Site "Not Secure"

    Thank you Grozzie, for sharing that information. CE
    Started summer of 2013, just another new guy, tinkering with bees.

  12. #11
    Join Date
    Dec 2008
    Location
    syracuse n.y.
    Posts
    5,245

    Default Re: Site "Not Secure"

    Thanks Grozzie, really nice write up
    mike syracuse ny
    Whatever you subsidize you get more of. Ronald Reagan

  13. #12
    Join Date
    Mar 2007
    Location
    Toronto, Ontario, Canada
    Posts
    331

    Default Re: Site "Not Secure"

    Thanks!

    Very informative. But yes, we are doing major testing with HTTPS right now
    No exact ETA on this but hopefully soon!

    Cheers,

    Ed

  14. #13
    Join Date
    Jun 2011
    Location
    Campbell River, BC, CA
    Posts
    1,654

    Default Re: Site "Not Secure"

    Quote Originally Posted by Admin View Post
    Thanks!

    Very informative. But yes, we are doing major testing with HTTPS right now
    No exact ETA on this but hopefully soon!

    Cheers,

    Ed
    If you do enable https, please leave the un-encrypted option available. Adding ssl overhead to every browser request adds a significant overhead, not noticeable to folks on fat connections, but, really annoying when on a skinny connection, i.e., sitting at an airport killing time waiting for a flight using highly throttled public wifi.

    I think the number of folks that peruse beesource over skinny data links is much higher than a typical website, it's the nature of the beast. Beekeepers tend to be in the backwoods a lot, for many, the only options for internet connections come via satellite links or a local WISP.

    Just my $0.02, and now that we don't use pennies anymore, it rounds to $0.00 at the till...

  15. #14
    Join Date
    Apr 2006
    Location
    Pepperell, MA.
    Posts
    6,102

    Default Re: Site "Not Secure"

    Quote Originally Posted by grozzie2 View Post
    If you do enable https, please leave the un-encrypted option available. Adding ssl overhead to every browser request adds a significant overhead, not noticeable to folks on fat connections, but, really annoying when on a skinny connection, i.e., sitting at an airport killing time waiting for a flight using highly throttled public wifi.

    I think the number of folks that peruse beesource over skinny data links is much higher than a typical website, it's the nature of the beast. Beekeepers tend to be in the backwoods a lot, for many, the only options for internet connections come via satellite links or a local WISP.

    Just my $0.02, and now that we don't use pennies anymore, it rounds to $0.00 at the till...
    I agree with this completely.
    "My wife always wanted girls. Just not thousands and thousands of them......"

  16. #15
    Join Date
    Mar 2007
    Location
    Toronto, Ontario, Canada
    Posts
    331

    Default Re: Site "Not Secure"

    Thanks, we'll update you as soon as we know more about when HTTPS is being implemented.

    Niall

  17. #16
    Join Date
    Jul 2016
    Location
    Port Angeles, WA, USA
    Posts
    469

    Default Re: Site "Not Secure"

    Quote Originally Posted by grozzie2 View Post
    If you do enable https, please leave the un-encrypted option available. Adding ssl overhead to every browser request adds a significant overhead, not noticeable to folks on fat connections, but, really annoying when on a skinny connection, i.e., sitting at an airport killing time waiting for a flight using highly throttled public wifi.

    I think the number of folks that peruse beesource over skinny data links is much higher than a typical website, it's the nature of the beast. Beekeepers tend to be in the backwoods a lot, for many, the only options for internet connections come via satellite links or a local WISP.

    Just my $0.02, and now that we don't use pennies anymore, it rounds to $0.00 at the till...
    Even with a low end connection, the overhead of HTTPS is absolutely minimal. Any site involving a login, or any form of messaging should be https by default, if not mandatory.

    If you want to make a site more reliable for low end connections, you have far better options, such as a text only viewing option.
    Instrumental Insemination & Northern VSH Queens

  18. #17
    Join Date
    Jun 2012
    Location
    Suffolk Co, NY, USA
    Posts
    3,630

    Default Re: Site "Not Secure"

    Quote Originally Posted by jcase View Post
    Even with a low end connection, the overhead of HTTPS is absolutely minimal. Any site involving a login, or any form of messaging should be https by default, if not mandatory.

    If you want to make a site more reliable for low end connections, you have far better options, such as a text only viewing option.
    I read it on the internet that https and that little green lock are worthless as far as security goes and nothing more than a money bilking scheme
    by certificate companies. Yup.

  19. #18
    Join Date
    Jul 2016
    Location
    Port Angeles, WA, USA
    Posts
    469

    Default Re: Site "Not Secure"

    Quote Originally Posted by clyderoad View Post
    I read it on the internet that https and that little green lock are worthless as far as security goes and nothing more than a money bilking scheme
    by certificate companies. Yup.
    Sarcasm right? Hard to tell sometimes, working in infosec I hear some strange things at times. I mean you can get an ssl cert for free nowadays from at least one certificate authority.
    Instrumental Insemination & Northern VSH Queens

  20. #19
    Join Date
    Jun 2012
    Location
    Suffolk Co, NY, USA
    Posts
    3,630

    Default Re: Site "Not Secure"

    Quote Originally Posted by jcase View Post
    Sarcasm right? Hard to tell sometimes, working in infosec I hear some strange things at times. I mean you can get an ssl cert for free nowadays from at least one certificate authority.
    Sarcasm? I honestly don't know if it is or not. Probably more ignorance and confusion than sarcasm.
    See post #7 and #9 above.

  21. #20
    Join Date
    Jul 2016
    Location
    Port Angeles, WA, USA
    Posts
    469

    Default Re: Site "Not Secure"

    Quote Originally Posted by clyderoad View Post
    Sarcasm? I honestly don't know if it is or not. Probably more ignorance and confusion than sarcasm.
    See post #7 and #9 above.
    Ah sorry. HTTPS is not worthless at all, it is pretty much the main source of any security for almost all web traffic. Only thing keeping someone from snatching up your bank logins, etc.

    The cost of a certificate is hardly anything, in fact nowadays it is literally free from letsencrypt.org.

    Saying that it is a money grab, is like saying seatbelts are just a money grab from the auto industry.

    HTTPS does not secure a site, it secures a connection preventing anyone between the site and you from reading or tampering with your data.

    Post 7 is too long to read, post 9 is just wrong.

    BS not having it means any of the 100s of systems between you and BS could snatch up your BS login details, or read your private messages.
    Instrumental Insemination & Northern VSH Queens
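
Post #7's description of SQL injection and the point in the post above that HTTPS secures a connection rather than a site both come down to what the server does with a post body after any transport encryption has been removed. The following is an added example, not code from any poster: a hypothetical forum `posts` table in an in-memory SQLite database, with a deliberately unsafe save routine beside the parameterized one. The table, function names and input strings are constructed.

```python
import sqlite3

def make_db():
    """Fresh in-memory database with a hypothetical forum table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (author TEXT, body TEXT)")
    return db

def save_post_vulnerable(db, author, body):
    # Deliberately unsafe: the post body is pasted into the SQL text, so
    # quote characters inside it change the structure of the statement.
    db.execute(f"INSERT INTO posts (author, body) VALUES ('{author}', '{body}')")

def save_post_safe(db, author, body):
    # Parameterized: the driver passes the body as data, never as SQL.
    db.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))

def authors(db):
    return [row[0] for row in db.execute("SELECT author FROM posts ORDER BY rowid")]

# Constructed input. The handler receives exactly this string whether the
# request arrived over http or https.
CRAFTED_BODY = "hello'), ('admin', 'forged announcement"

def run_demo():
    results = {}

    db = make_db()
    save_post_vulnerable(db, "guest", CRAFTED_BODY)
    results["vulnerable_authors"] = authors(db)

    db = make_db()
    save_post_safe(db, "guest", CRAFTED_BODY)
    results["safe_authors"] = authors(db)
    stored = db.execute("SELECT body FROM posts").fetchone()[0]
    results["safe_body_intact"] = stored == CRAFTED_BODY

    # Failure mode: an ordinary apostrophe is enough to break the unsafe path.
    db = make_db()
    try:
        save_post_vulnerable(db, "guest", "it's not https")
        results["apostrophe_breaks_vulnerable"] = False
    except sqlite3.OperationalError:
        results["apostrophe_breaks_vulnerable"] = True
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

With the unsafe routine one submitted post yields a second row under another author; with the parameterized routine the same text is stored as a single post by `guest`.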
