Joined: May 2006
Posts: 243 Likes: 1
Enthusiast
Mozilla released Firefox 52 in early March, 2017. Now when users on that browser log in, they see a security warning. It occurs on this UBB Central forum site too. If you click the "Learn More" link, Firefox gives you this web page. I would sure like to fix the problem on my site. What can I do? Here is the warning on UBB Central:

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
> How can you fix it? Purchase an SSL/TLS Cert and upgrade your website from HTTP to HTTPS

In Layman's terms could you give a simple step by step how to do that?

Joined: Jun 2006
Posts: 16,355 Likes: 125
Configuring your site for SSL/TLS is out of the scope of forum support; feel free to Google Search "How do I setup SSL?"

Joined: May 2006
Posts: 243 Likes: 1
Enthusiast
I see that my hosting service (DreamHost) offers some help with the free 'Let's Encrypt' certificate. Questions for the experienced UBB admins: If I install the certificate, will visitors' browsers automatically find the https URL, or will there be a period of questions and problems while everyone has to figure out the change? Is it reasonable to encrypt the sign-in and leave the rest un-encrypted, so that the main forums remain under the http://... URL while the sign-in screen uses the secure https://..., or is that a pain to set up? Thanks!

Joined: Jun 2006
Posts: 16,355 Likes: 125
> I see that my hosting service (DreamHost) offers some help with the free 'Let's Encrypt' certificate.

Because they're free, it's a great project.

> If I install the certificate, will visitors' browsers automatically find the https URL, or will there be a period of questions and problems while everyone has to figure out the change?

You'll have to send traffic over an SSL connection, you can find examples on forcing all URLs to use SSL through .htaccess on Google, I force mine over CloudFlare.

> Is it reasonable to encrypt the sign-in and leave the rest un-encrypted, so that the main forums remain under the http://... URL while the sign-in screen uses the secure https://..., or is that a pain to set up?

You get a significant search engine bonus for having a full SSL site, I'd advise against what you're wanting to do.

Joined: May 2006
Posts: 243 Likes: 1
Enthusiast
> You get a significant search engine bonus for having a full SSL site, I'd advise against what you're wanting to do.

I don't want to do that. My main goal is to make it as seamless as possible for the regular/repeat users. Will their old bookmarks find the new https:// site, or will that be a problem for them?

Joined: Jun 2006
Posts: 16,355 Likes: 125
The answer would be no, UBB.threads does not have an option for the login or registration page to always be SSL, you could probably dig into the templates and specifically write the URLs to be such, but it'd send them back to the forums over SSL after the login/registration.

HTTP and HTTPS are seen as different URLs, just like your WWW vs non-WWW domain. Having an SSL certificate installed doesn't just automatically make their browsers use it. UBBCentral has an SSL certificate and it's not used here on the forums, that's ultimately the same thing that'd happen for you.

HTTP vs HTTPS

Joined: Apr 2004
Posts: 1,973 Likes: 154
SteveC, you may not care about the SEO ranking factors on your own website, but for others who may come across this post, here is a link which may be helpful to them:

The Big List of SEO Tips and Tricks for Using HTTPS on Your Website
By Cyrus Shepard (September 8th, 2014)
https://moz.com/blog/seo-tips-https-ssl

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
I was just looking for some generalized steps. Some of the links provided helped a bit with that.
Please tell me if I have things right here, or if I forgot anything.
- Need static IP address
- Determine what type of SSL is needed and purchase
- Install, (or have it installed) on server
- Set up a Redirect HTTP >> HTTPS (with 'Wildcard')
End result is any old links using HTTP will be redirected to New HTTPS secure page
Is that basically right?

Joined: Apr 2004
Posts: 1,973 Likes: 154
Last edited by isaac; 09/23/2017 3:49 PM.

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
Is there any way to test a website (prior to HTTPS change) for potential problems?
I mean problems with the existing content...
Last edited by ECNet; 03/19/2017 10:59 AM.

Joined: Apr 2004
Posts: 1,973 Likes: 154
The third item on the list: • Do the HTTP migration on a test server to test first

Joined: Jul 2006
Posts: 4,057
I'm just going to go for it lol. And pick up the pieces as I go along. That's a great checking list you posted above. I'm still looking into this addition and that is to force https via a .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I did a test on a basic site of mine without forums, using the following via my server:

Use a symbolic link from private_html to public_html - allows for same data in http and https

Which then deletes the private_html leaving only the public_html. However I was not getting the secure icon etc... until I added the .htaccess lines above and that seems to be working as expected. Hopefully migrate over later this week using my forums. I'm not on version 7.6 at this time. I want to get https settled in on a working forum and then upgrade. My thinking anyways.
BOOM !! Version v7.6.1.1 People who inspire me Isaac ME Gizmo

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
> The third item on the list: • Do the HTTP migration on a test server to test first

Not sure what you mean exactly, but that sounds like it might be over my head. Is the 'HTTPS compliance' issue about existing Absolute Links or might some things just stop working, or throw up obvious Alerts? If I don't see popup warnings on the website now would that change because of SSL and HTTPS? Or, I guess... (Assuming SSL and 301 Redirect are set up correctly) what's the worst that could happen?
Last edited by ECNet; 03/19/2017 2:01 PM. Reason: added last line

Joined: Jun 2006
Posts: 16,355 Likes: 125
Unless your host supports Let's Encrypt; Let's Encrypt's SSL offerings can be used on shared IP addresses. Plus, they're free.

> Determine what type of SSL is needed and purchase

Unless you're providing order processing and your merchant requires location information, you can get away with any StarterSSL certificate (the cheap ones).

> Set up a Redirect HTTP >> HTTPS (with 'Wildcard')

There are a lot of snippets on Google for "Force HTTPS htaccess".

> End result is any old links using HTTP will be redirected to New HTTPS secure page

Yes, but you'll likely want to update old links, which would involve database maintenance.

Keep in mind that 3rd party assets (embedding content from other sites that are not SSL, such as Photobucket) will give a warning on pages using them (basically that elements on the page are not provided over SSL).

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
Thanks for the additional info. As far as the Forum goes I'd probably just want to get the minimum needed to make the FF warning go away. I also have an Ecommerce site at: www.LicensedElectrician.com where I'd be looking to get something better. All the online orders currently get processed thru PayPal, but I think I should have something there even if only for appearances. As far as 3rd party assets go, do you mean like an 'in your face' obvious warning message will appear that doesn't appear now?

Joined: Jun 2006
Posts: 16,355 Likes: 125
It'll show the "insecure content" message on pages embedding images/files from a non-https address.

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
Sorry for the Newbie type questions, but here goes another...
- If I purchase SSL and it is installed on server, but I don't do 301 redirect to HTTPS does the website function as before? (I mean, no insecure errors that weren't there before)
- Can I access a page using https prefix to see if there are any compliance issues?
Would that work as a method of testing SSL/HTTPS compatibility?

Bill

Joined: Apr 2004
Posts: 1,973 Likes: 154
"HTTP" and "HTTPS" are two different protocols. Think of them as if they are two different "cars" (yes, another car analogy).

1) "HTTP" is made of transparent glass and anyone who wants to see inside it, can.
2) "HTTPS" is made of solid lead, and only the user driving it will be able to see inside of it.

Each "vehicle" has its own key. In this case, the key is called a cookie. To get from one to another, you would literally be switching vehicles, since HTTP and HTTPS are not the same vehicle. So if you are taking a trip from one to "the store" up the street, the other one would be left in your garage.

As a user on a website which uses session information, there really is no switching back and forth on the fly between the two of them, when only one key can control one vehicle.

With the HTTP "vehicle," you will always get that warning from Firefox and Chrome, as long as they continue to notify users that they are currently using that "transparent glass" HTTP vehicle.

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
I'm confused. Maybe I didn't explain it right. I'm just trying to understand how SSL and HTTPS works.

Hypothetically, say I have an existing website, and I want to install SSL to reassure visitors, but am apprehensive about possible incompatibilities that may then be exposed and need fixing. Right now, in FF there are no 'in your face warnings' unless there's a page with a form.

If I have SSL installed on the server but no Redirect to HTTPS set up yet does the website appear as before? (Does the HTTPS prefix force the page to use the SSL?)

In other words I can access a page via http://www.myDomain.com - and it appears as before.
And, can I also access that same page via https://www.myDomain.com - which may then more visually warn of insecure items? (this way I could see and fix some problems before forcing HTTPS redirect)

Would that work?

Joined: May 2008
Posts: 753 Likes: 1
Old Hand
Sign up for a free cloudflare account, and you can get a free generic SSL cert, don't have to spend a dime.
Just have to enable in the control panel on CF.
There are several htaccess tricks that you can implement that will redirect people visiting your site via http to https.
I have also noticed if you have any non-https links on your site/login page, they will cause you to get the non secure warning as well.
"No matter where you go, there you are." "If you can't do something smart, Do something right" "There are three kinds of people in the world, those who can count, and those who can't"

Joined: May 2008
Posts: 753 Likes: 1
Old Hand
> I'm confused. Maybe I didn't explain it right.
> If I have SSL installed on the server but no Redirect to HTTPS set up yet does the website appear as before? (Does the HTTPS prefix force the page to use the SSL?)

if people don't type in https, and you have no redirect, they will always be on the non secure version.. you have to tell them to enter https, and/or enable a redirect that automatically converts/redirects folks to https.

Joined: Apr 2004
Posts: 1,973 Likes: 154
The HTTP session cookie is for HTTP
The HTTPS session cookie is for HTTPS

You basically have two session cookies. One for each protocol.

If you are on HTTPS and try to access files which are on an HTTP address, Firefox/Chrome will warn you that the page is not secure -- because you are attempting to send unencrypted HTTP data in to your encrypted HTTPS connection. >> Further reading <<

Joined: Apr 2004
Posts: 1,973 Likes: 154
> > I'm confused. Maybe I didn't explain it right.
> > If I have SSL installed on the server but no Redirect to HTTPS set up yet does the website appear as before? (Does the HTTPS prefix force the page to use the SSL?)
>
> if people don't type in https, and you have no redirect, they will always be on the non secure version.. you have to tell them to enter https, and/or enable a redirect that automatically converts/redirects folks to https.

Good reply, BadFrog

Here is the .htaccess code to do exactly what BadFrog is talking about:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

SOURCE (posted earlier in this thread): https://www.ubbcentral.com/forums/u...e-password-warning-firefox-52#Post259881

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
Maybe I'm asking the wrong questions.
I've done hours of searching about SSL and HTTPS. I think I have the basic idea of the steps involved.
What I have been unable to find out is how a website reacts after doing that.
Example: Existing website on FF, no visual warnings on any pages other than the little gray information icon in address bar.
All the embedded content works - linked images & videos from other sites, js Menus, Rotating Banners, etc.
If that website now has SSL installed and HTTPS redirect does the website look as before? same little gray info link in Address bar - or gets a padlock (or Greenbar) if everything is secure?
Or... does a message bar or popup appear alerting visitor of insecure links on that page or empty boxes where my js menu or Banners or embedded videos once were, etc.
In other words, does SSL and HTTPS force the page to be examined more closely and give much more visual alerts to insecure content or links?
Last edited by ECNet; 03/23/2017 12:49 PM. Reason: Added last sentence

Joined: Apr 2004
Posts: 1,973 Likes: 154
If every item on the HTTPS page is from the same domain and using the HTTPS protocol (or just using the HTTPS protocol), Chrome and Firefox will not display insecure content warnings. (edit: this assumes that the domains are using valid certs)

If any single element on an HTTPS page is coming from an HTTP page, there will be an "insecure content" warning. Because now you are delivering mixed content to your users.

http = insecure content and mixed content on https = insecure content

insecure content triggers insecure content warnings in Firefox and Chrome.

further reading at:
https://support.volusion.com/hc/en-...-on-Secure-Volusion-Store-Pages-With-SSL
https://www.globalsign.com/en/blog/how-to-fix-mixed-content-warnings-on-your-ssl-site/
Last edited by isaac; 03/23/2017 1:05 PM. Reason: to add valid cert comment
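
As an added example (not part of the thread and not UBB.threads code): a small scanner that can be run over saved page HTML before the redirect is enabled, listing the subresources that would still load over http:// once the page itself is served over HTTPS. Host names and the sample page are constructed; the active/passive split goes beyond what the posts state and reflects that browsers block insecure scripts, frames and stylesheets on HTTPS pages, while insecure images and media have traditionally been shown with a downgraded padlock.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource into the page.
# Active content can rewrite the page, so browsers block it on HTTPS pages;
# passive content is only displayed, usually with a downgraded padlock.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources of a page that will be served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # the future https:// address of the page
        self.findings = []         # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) == ("link", "href") and "stylesheet" in rel:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            elif (tag, name) == ("form", "action"):
                kind = "form"      # form data would be submitted unencrypted
            else:
                continue           # <a href> is navigation, not a subresource
            # Relative and protocol-relative URLs inherit https from the page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def scan(html, page_url):
    """Return [(kind, tag, url)] for every insecure load found in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; all host names are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/styles/forum.css">
<script src="http://widgets.example.net/menu.js"></script>
</head><body>
<a href="http://forum.example/ubbthreads.php">old bookmark-style link</a>
<img src="http://images.example.org/banner.jpg">
<img src="//cdn.example.com/avatar.png">
<img src="images/logo.gif">
<iframe src="http://video.example.org/embed/42"></iframe>
<form action="http://forum.example/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE, "https://forum.example/ubbthreads.php"):
        print(f"{kind:8} <{tag}> {url}")
```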

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
> If every item on the HTTPS page is from the same domain and using the HTTPS protocol (or just using the HTTPS protocol), Chrome and Firefox will not display insecure content warnings. (edit: this assumes that the domains are using valid certs)
> If any single element on an HTTPS page is coming from an HTTP page, there will be an "insecure content" warning. Because now you are delivering mixed content to your users.
> http = insecure content and mixed content on https = insecure content
> insecure content triggers insecure content warnings in Firefox and Chrome.

I get that. As is there's a little gray icon that, if I click on it tells me it's not secure. Now, if I install SSL and HTTPS redirect would I still see just the little gray icon if insecure content was on that page? Or, would I get a more forceful indication like a popup or information bar that wasn't there before SSL?

Joined: May 2008
Posts: 753 Likes: 1
Old Hand
if there are any insecure links on the page, you will still get the gray icon
best bet? implement SSL and see.

Joined: Jun 2006
Posts: 16,355 Likes: 125
Note, configuring or purchasing a security certificate is outside of the scope of forum support.
Your users will not see the SSL page unless they're sent there, you can test before you move.

Joined: Apr 2004
Posts: 1,973 Likes: 154
> best bet? implement SSL and see.

I want to +1 this comment so much!

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
> if there are any insecure links on the page, you will still get the gray icon

I understand, if that's all that happens I can deal with it. I can fix things behind the scenes until it reads as secure. I think most people just Browsing a site wouldn't even notice the gray icon. If SSL causes popups and other obvious warnings that's a different story. That's what I'm trying to find out in advance. Sorry, I thought it was an easy question.

Joined: May 2008
Posts: 753 Likes: 1
Old Hand
> > if there are any insecure links on the page, you will still get the gray icon
>
> I understand, if that's all that happens I can deal with it. I can fix things behind the scenes until it reads as secure. I think most people just Browsing a site wouldn't even notice the gray icon. If SSL causes popups and other obvious warnings that's a different story. That's what I'm trying to find out in advance. Sorry, I thought it was an easy question.

I have recently received emails from people on my site concerned about chrome and FF big bad warning about security.. I got a free SSL cert from my free cloudflare.com account, I spent a few days cleaning up links and problem solved.

Joined: Jun 2006
Posts: 16,355 Likes: 125
And if you're on CloudFlare, the following page rule will redirect all of your traffic to use SSL:

Match: example.com/*
Forwarding URL 301 Redirect
Destination: https://www.example.com/$1

Joined: May 2006
Posts: 243 Likes: 1
Enthusiast
> I have recently received emails from people on my site concerned about chrome and FF big bad warning about security.. I got a free SSL cert from my free cloudflare.com account, I spent a few days cleaning up links and problem solved.

My forum has a large number of links to other threads within the forum. Would those all need to be modified to use "https", or would creating the .htaccess code redirect take care of that?

Joined: Jun 2006
Posts: 16,355 Likes: 125
Existing links within your posts, pm's, and user avatars will all retain their HTTP; unless you're super comfortable with crafting and executing queries directly to your database I would advise hiring the task out.

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
Guys,
I appreciate the responses I've gotten to my posts in this thread. Maybe I'm being dense, but it seems like you've been missing my questions and giving me answers to things I didn't ask.
I give up...

Joined: Apr 2004
Posts: 1,973 Likes: 154
> I appreciate the responses I've gotten to my posts in this thread. Maybe I'm being dense, but it seems like you've been missing my questions and giving me answers to things I didn't ask.
> I give up...

https://www.google.com/