Secure site?

Mack_JB · 08-02-2018, 08:59 AM

I noticed yesterday that all of the Forum's pages, other SJG pages, and W23 now flag as "not secure" when I am reading them. Is this somehow on my end, or is it an SJG issue?

(Google Chrome, bog standard set-up)

Parody · 08-02-2018, 11:00 AM

That's Google's change to how Chrome shows addresses. All sites using http (vs. https) will say Not Secure.

rosignol · 08-02-2018, 07:52 PM

Quote:

Originally Posted by Mack_JB

I noticed yesterday that all of the Forum's pages, other SJG pages, and W23 now flag as "not secure" when I am reading them. Is this somehow on my end, or is it an SJG issue?

(Google Chrome, bog standard set-up)

This is because SJGames has not enabled SSL/TLS on the forum website. It is not on your end.

I would like to add my voice to those saying SSL/TLS is desirable, and point out that there are certificate providers who provide certs for free. For example,

https://letsencrypt.org/

szuru · 08-20-2018, 08:49 AM

You can also use cloudflare dns servers to have a free ssl certificate. Configuration is very simple.

Server <- NO SSL -> Cloudflare DNS <- SSL -> User

So everybody can see safe version without payment or refreshing SSL

Celti · 08-22-2018, 05:31 AM

I would also like to add in my vote regarding the desirability of SSL/TLS for any and every site for simple reliable operation on the modern internet, and especially for those with login forms: Firefox for quite some time now has complained vociferously about the lack of security on these forums when logging in; Chrome now marks the entirety of non-TLS connections as insecure; Firefox will be following suit in the near future, and both are likely to follow up with increasing hoops to jump through to enter passwords into non-TLS sites.

I will also add that the server at pyramid.sjgames.com (which appears to host most of SJG's web presence) is already properly configured for TLS, but only for the domain secure.sjgames.com — it is quite simple to set up Apache with a client such as Certbot or ACME.sh (or for recent Apache versions, mod_md) to make TLS for all (sub)domains on the server free and easy.

As for validation concerns: The current certificate for secure.sjgames.com is an Organization Validation certificate. Let's Encrypt, Cloudflare, and similar sources of free TLS certs these days only provide Domain Validation certificates. This is arguably a downside — but it is arguable because there is currently no mainstream web browser that clearly differentiates between OV and DV certificates, only between Extended Validation certificates (the kind that give you the authenticated organizational name in the address bar) and all non-EV certificates.

Anyway this post has gotten overly long and rambling because it's 4AM, and I am certain the technical staff is already well aware of all this so I'm cutting it short — but hopefully this is helpful to someone.

08-02-2018, 08:59 AM	#1
Mack_JB Join Date: Oct 2014 Location: St. Louis, Missouri	Secure site? I noticed yesterday that all of the Forum's pages, other SJG pages, and W23 now flag as "not secure" when I am reading them. Is this somehow on my end, or is it an SJG issue? (Google Chrome, bog standard set-up) Last edited by Mack_JB; 08-02-2018 at 09:02 AM. Reason: clarifications

08-02-2018, 11:00 AM	#2
Parody Join Date: Aug 2004 Location: Twin Cities, MN	Re: Secure site? That's Google's change to how Chrome shows addresses. All sites using http (vs. https) will say Not Secure. __________________ Michael Miller St. Paul Area Road Knights ESG Labs - Convention Events

08-20-2018, 08:49 AM	#4
szuru Join Date: Aug 2018	Re: Secure site? You can also use cloudflare dns servers to have a free ssl certificate. Configuration is very simple. Server <- NO SSL -> Cloudflare DNS <- SSL -> User So everybody can see safe version without payment or refreshing SSL

08-22-2018, 05:31 AM	#5
Celti Join Date: Jun 2007 Location: USA, Arizona, Mesa	Re: Secure site? I would also like to add in my vote regarding the desirability of SSL/TLS for any and every site for simple reliable operation on the modern internet, and especially for those with login forms: Firefox for quite some time now has complained vociferously about the lack of security on these forums when logging in; Chrome now marks the entirety of non-TLS connections as insecure; Firefox will be following suit in the near future, and both are likely to follow up with increasing hoops to jump through to enter passwords into non-TLS sites. I will also add that the server at pyramid.sjgames.com (which appears to host most of SJG's web presence) is already properly configured for TLS, but only for the domain secure.sjgames.com — it is quite simple to set up Apache with a client such as Certbot or ACME.sh (or for recent Apache versions, mod_md) to make TLS for all (sub)domains on the server free and easy. As for validation concerns: The current certificate for secure.sjgames.com is an Organization Validation certificate. Let's Encrypt, Cloudflare, and similar sources of free TLS certs these days only provide Domain Validation certificates. This is arguably a downside — but it is arguable because there is currently no mainstream web browser that clearly differentiates between OV and DV certificates, only between Extended Validation certificates (the kind that give you the authenticated organizational name in the address bar) and all non-EV certificates. Anyway this post has gotten overly long and rambling because it's 4AM, and I am certain the technical staff is already well aware of all this so I'm cutting it short — but hopefully this is helpful to someone.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode