  #51  
Old 02-28-2019, 01:11 AM
DrDeth is offline
Charter Member
 
Join Date: Mar 2001
Location: San Jose
Posts: 40,160
I talked to my expert and here is what he said: "The connection isn't secure because it's using HTTP, not HTTPS—the S means secure (and a few other words)—and people could watch what you're doing on it. The why is because the site's owner hasn't gone through the effort (it's relatively easy, usually) to enable encryption on all of the interactions its users have with it. The bottom line is: don't do anything on it you wouldn't want the "bad guys" to know (e.g., give it any personal data)."
  #52  
Old 02-28-2019, 01:13 AM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
Quote:
Originally Posted by DrDeth View Post
It could be an ad, but it's not one particular ad.

The site not being secure means that no one should pay for anything here.

The solution is simple, just let jerry or whoever is the IT person know and they can check it out. Don't you see "Not secure" also, when you use Chrome?
Not secure or Dangerous
We suggest you don't enter any private or personal information on this page. If possible, don't use the site.

Not secure: Proceed with caution. Something is severely wrong with the privacy of this site’s connection. Someone might be able to see the information you send or get through this site.

You might see a "Login not secure" or "Payment not secure" message.
...
How are you accessing the SDMB? Like, you launch Chrome. Then What?

Basically -- there are two web addresses that lead here. One is over a secured line, the other is over an unsecured line. A while ago the secured line didn't work but that's fixed now. But somehow you're ending up at the unsecured line. Let's figure out why.
  #53  
Old 02-28-2019, 01:15 AM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
Quote:
Originally Posted by DrDeth View Post
I talked to my expert and here is what he said: "The connection isn't secure because it's using HTTP, not HTTPS—the S means secure (and a few other words)—and people could watch what you're doing on it. The why is because the site's owner hasn't gone through the effort (it's relatively easy, usually) to enable encryption on all of the interactions its users have with it. The bottom line is: don't do anything on it you wouldn't want the "bad guys" to know (e.g., give it any personal data)."
Did your expert mention that you can add an S to the end of HTTP and access the secured site, which the admin DID go through the effort to solve?

Not much of an "expert"
  #54  
Old 02-28-2019, 01:39 AM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
What kind of server is the board running on? Can't it be configured to rewrite any http requests to https? That would take care of any old http links.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885

Last edited by davidm; 02-28-2019 at 01:40 AM.
  #55  
Old 02-28-2019, 01:50 AM
DrDeth is offline
Charter Member
 
Join Date: Mar 2001
Location: San Jose
Posts: 40,160
Quote:
Originally Posted by Babale View Post
Did your expert mention that you can add an S to the end of HTTP and access the secured site, which the admin DID go through the effort to solve?

Not much of an "expert"
Yes. But the default seems to be the HTTP.

And there shouldn't be a non S way in.
  #56  
Old 02-28-2019, 02:06 AM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
Quote:
Originally Posted by DrDeth View Post
Yes. But the default seems to be the HTTP.



And there shouldn't be a non S way in.
There are probably old http links all over the web. This has to be fixed at the server level.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885
  #57  
Old 02-28-2019, 05:38 AM
engineer_comp_geek's Avatar
engineer_comp_geek is offline
Robot Mod in Beta Testing
Moderator
 
Join Date: Mar 2001
Location: Pennsylvania
Posts: 23,833
Quote:
Originally Posted by DrDeth View Post
Yes. But the default seems to be the HTTP.

And there shouldn't be a non S way in.
The default is https.

If you come here from an external link, we have no control over that link. If it's an http link, then you'll get here with http instead of https.

Any page served up from here should be https. Sometimes we miss things, though.

This is why we keep asking exactly how you got that warning, because you shouldn't be getting it at all. It would help us greatly if you explained exactly what you are doing.

If you are using bookmarked links, you need to update your bookmarks.
  #58  
Old 02-28-2019, 07:48 AM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
Quote:
Originally Posted by DrDeth View Post
Yes. But the default seems to be the HTTP.

And there shouldn't be a non S way in.
You probably have the old http site bookmarked or something. Note how nobody else is experiencing this issue. That's why I was asking how you access the site. We can help you figure out the issue on your end.
  #59  
Old 02-28-2019, 08:21 AM
bordelond's Avatar
bordelond is online now
Member
 
Join Date: Dec 1999
Location: La Rive Ouest
Posts: 10,133
Quote:
Originally Posted by TubaDiva View Post
Yeah, it could be an ad. (Any problem could always be an ad, because different ads are served up all the time and any of them could be not as they could or should be.)

We would ask if you can identify such ads when you encounter them, that would help us troubleshoot these issues.
Thanks for the feedback, TubaDiva.

I can tell you that the resource/memory overuse issue (often called a "memory leak") has been caused by every single above-the-banner ad. I believe it's because these ads constantly load new images, kind of like an automated slide show. The bottom-of-the-page ads do not do this -- they load once and that's it.

I can take and submit screen shots of various above-the-banner ads if you like.

...

BTW, every time my machines load a boards.straightdope page, it's under https://. The ad issue is apparently unrelated to the "https/http" thing. However, I thought that perhaps certain browsers or third-party security software might pick up on the ad-caused memory leak and on that basis flag the boards.straightdope site as "unsecure".
  #60  
Old 02-28-2019, 08:34 AM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
Quote:
Originally Posted by bordelond View Post
Thanks for the feedback, TubaDiva.

I can tell you that the resource/memory overuse issue (often called a "memory leak") has been caused by every single above-the-banner ad. I believe it's because these ads constantly load new images, kind of like an automated slide show. The bottom-of-the-page ads do not do this -- they load once and that's it.

I can take and submit screen shots of various above-the-banner ads if you like.

...

BTW, every time my machines load a boards.straightdope page, it's under https://. The ad issue is apparently unrelated to the "https/http" thing. However, I thought that perhaps certain browsers or third-party security software might pick up on the ad-caused memory leak and on that basis flag the boards.straightdope site as "unsecure".
That's not what "unsecure" means in this context. Those ads are definitely terrible, and I still say what I have always said -- if the ad provider this site uses can't deliver consistently solid ads, the powers that be need to find a different ad provider, even if they pay a little less, because this site is (well no, SHOULD be) better than clickbait and adware.

But the secure/insecure issue has to do with exactly one thing, and that's whether you have an S in the URL or not.
  #61  
Old 02-28-2019, 08:36 AM
scabpicker's Avatar
scabpicker is offline
Soy un pinche idiota
Charter Member
 
Join Date: Oct 2003
Location: Funkytown (Fort Worth)
Posts: 4,571
Quote:
Originally Posted by engineer_comp_geek View Post
The default is https.

If you come here from an external link, we have no control over that link. If it's an http link, then you'll get here with http instead of https.

Any page served up from here should be https. Sometimes we miss things, though.

This is why we keep asking exactly how you got that warning, because you shouldn't be getting it at all. It would help us greatly if you explained exactly what you are doing.

If you are using bookmarked links, you need to update your bookmarks.
Well, it's possible to redirect every http connection to an https one on every web server I've used. Since I'm not familiar with your setup, I can't advise how, but it's normally pretty simple if you have access to the configuration.
  #62  
Old 02-28-2019, 08:38 AM
BigT's Avatar
BigT is offline
Guest
 
Join Date: Aug 2008
Location: "Hicksville", Ark.
Posts: 36,065
Quote:
Originally Posted by engineer_comp_geek View Post
The default is https.

If you come here from an external link, we have no control over that link. If it's an http link, then you'll get here with http instead of https.
Most sites would then redirect you to the HTTPS version. But the SDMB no longer seems to do that. I do have at least one bookmark to an old HTTP version, and it used to take me to the HTTPS version. Now it doesn't.

This does have the advantage that, if there are any other certificate errors, you could still reach the site by going to the HTTP version. But it also means some people may see the "Not Secure" indicator if they are on the HTTP version. And passwords would be sent in the clear.

Personally, I like the idea of maintaining a distinction between HTTP (insecure) and HTTPS (secure) sites, but that does not seem to be the direction the Internet is going.

Last edited by BigT; 02-28-2019 at 08:39 AM.
  #63  
Old 02-28-2019, 09:07 AM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
For what it's worth -- the SDMB did use to redirect you to the secure site, but I just checked five or six other forums (including the Giraffe boards) and they all either don't have security credentials at all (so going to the https site results in an error/warning) or do have an S site but don't redirect you (Giraffe Boards, for one!). So the SDMB is par for the course on this.
  #64  
Old 02-28-2019, 02:42 PM
Fenris's Avatar
Fenris is offline
Guest
 
Join Date: Jan 2000
Posts: 13,280
Quote:
Originally Posted by Babale View Post
Did your expert mention that you can add an S to the end of HTTP and access the secured site, which the admin DID go through the effort to solve?

Not much of an "expert"
Yeah, that "expert" sounds like a real mouthbreather.

Last edited by Fenris; 02-28-2019 at 02:43 PM.
  #65  
Old 02-28-2019, 03:10 PM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
As I mentioned in an earlier post, and as others have mentioned, it should be possible to configure the server to redirect all requests, both https and http, to https. Other sites do this. Surely your tech folks can figure it out.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885
  #66  
Old 02-28-2019, 03:24 PM
Helena330's Avatar
Helena330 is offline
Mere Member
 
Join Date: Sep 2012
Location: Near Seattle, WA, USA
Posts: 3,692
Quote:
Originally Posted by Babale View Post
You probably have the old http site bookmarked or something. Note how nobody else is experiencing this issue. That's why I was asking how you access the site. We can help you figure out the issue on your end.
I was until I changed my bookmark to https. Although this problem needs to be fixed at the server level, at the individual level it's pretty simple.
  #67  
Old 02-28-2019, 03:43 PM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
I just did some experiments.

http://www.straightdope.com automatically redirects to https.

boards.straightdope.com does NOT do this. If you type it in starting with http (or without a prefix) it returns a non-secure http page.

At least all of that is true for me.

So it looks like the "www" subdomain works as it should and always returns a secure page, but the "boards" subdomain only returns a secure page if you specifically request one by specifying https.

The server is apparently misconfigured so that only the www subdomain redirects to https. Or maybe the two subdomains are on different servers and only the one is configured properly.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885

Last edited by davidm; 02-28-2019 at 03:44 PM.
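Added example, not part of any post in this thread: a Python check for the behaviour davidm tests above, classifying how a host answers a plain-HTTP request. The hostnames and responses in `SAMPLES` are constructed, and `classify`, `probe` and `audit` are names chosen for this example.

```python
"""Classify how a host answers a plain-HTTP request: upgrade to HTTPS, or not."""
import http.client
from urllib.parse import urlsplit

PERMANENT = {301, 308}        # browsers may cache these redirects
TEMPORARY = {302, 303, 307}   # re-evaluated on every visit


def classify(host, status, headers):
    """Return a verdict for the response to `http://host/` (header names lowercased)."""
    location = headers.get("location", "")
    if status not in PERMANENT | TEMPORARY or not location:
        return "serves-http"              # the page itself came back over plaintext
    target = urlsplit(location)
    if target.scheme != "https":
        return "redirect-stays-http"      # relative or http:// target: no upgrade
    if (target.hostname or "") != host.lower():
        return "https-other-host"         # upgraded, but to a different hostname
    return "https-permanent" if status in PERMANENT else "https-temporary"


def probe(host, timeout=5.0):
    """Live check: one HEAD request on port 80; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(host, resp.status, headers)
    finally:
        conn.close()


# Constructed responses (hypothetical hosts) mirroring the two behaviours in the
# post: one subdomain upgrades to HTTPS, the other serves the page over HTTP.
SAMPLES = {
    "www.example.test": (301, {"location": "https://www.example.test/"}),
    "boards.example.test": (200, {"content-type": "text/html"}),
    "old.example.test": (302, {"location": "/index.php"}),
}


def audit(samples):
    """Classify every (status, headers) pair, keyed by hostname."""
    return {h: classify(h, status, hdrs) for h, (status, hdrs) in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:22} {verdict}")
```

Each subdomain has to be checked separately, since a redirect configured on one hostname says nothing about another.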
  #68  
Old 02-28-2019, 03:59 PM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
Quote:
Originally Posted by davidm View Post
As I mentioned in an earlier post, and as others have mentioned, it should be possible to configure the server to redirect all requests, both https and http, to https. Other sites do this. Surely your tech folks can figure it out.
It's definitely possible, and something that TPTB should absolutely do. And as a few people said, the Dope used to redirect us just fine. OTOH, it does seem that many other sites have the same issue.
  #69  
Old 02-28-2019, 04:20 PM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
Configuring the server properly can be tricky but not too difficult if you know what you're doing, but it can be easy to miss the fact that it's not working on all subdomains.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885
  #70  
Old 02-28-2019, 04:55 PM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
I did some more research. The two subdomains, "www" and "boards", resolve to two different IP addresses, so they're probably on different servers.

"boards" looks like it's being served from a virtual machine using Google's cloud service. So the virtual machine is probably not configured properly.

At least I hope that misconfiguration on our end is the problem. I'd hate to think that Google's cloud service would have such an egregious bug, but anything's possible.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885
  #71  
Old 02-28-2019, 05:34 PM
Babale is offline
Guest
 
Join Date: Dec 2008
Posts: 1,751
I wouldn't call allowing access to the http site a "bug". There are valid reasons to access a site through an http connection.
  #72  
Old 02-28-2019, 05:44 PM
davidm's Avatar
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,321
Quote:
Originally Posted by Babale View Post
I wouldn't call allowing access to the http site a "bug". There are valid reasons to access a site through an http connection.
Sure, but why would they configure the SDMB to be accessible via http?

When I called it a bug I was talking about the possible case where the SDMB's tech people have it configured to always redirect to https (which is how it should be) but a bug is preventing that from happening.

Of course I don't know that that's the case. I'm speculating. The more likely case is that the SDMB techs have it misconfigured.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885
  #73  
Old 02-28-2019, 06:05 PM
BigT's Avatar
BigT is offline
Guest
 
Join Date: Aug 2008
Location: "Hicksville", Ark.
Posts: 36,065
Quote:
Originally Posted by Babale View Post
For what it's worth -- the SDMB did use to redirect you to the secure site, but I just checked five or six other forums (including the Giraffe boards) and they all either don't have security credentials at all (so going to the https site results in an error/warning) or do have an S site but don't redirect you (Giraffe Boards, for one!). So the SDMB is par for the course on this.
It's possible these old style forums are the exception, but most sites in general do redirect you if you go to the HTTP site. Try going to http://en.wikipedia.org or http://www.google.com or http://reddit.com or http://twitter.com and so on.

And here's a link to GoDaddy flat out saying you NEED to redirect it: https://www.godaddy.com/help/redirec...matically-8828

Last edited by BigT; 02-28-2019 at 06:08 PM.
  #74  
Old 02-28-2019, 06:24 PM
Cleophus is offline
Guest
 
Join Date: Jul 2000
Location: Philadelphia, PA
Posts: 1,354
Quote:
Originally Posted by davidm View Post
I did some more research. The two subdomains, "www" and "boards", resolve to two different IP addresses, so they're probably on different servers.

"boards" looks like it's being served from a virtual machine using Google's cloud service. So the virtual machine is probably not configured properly.

At least I hope that misconfiguration on our end is the problem. I'd hate to think that Google's cloud service would have such an egregious bug, but anything's possible.
It doesn't have anything to do with Google cloud services. Google isn't managing the SDMB's server(s), it's just running on their virtual machine platform.

The reason the "Not Secure" message appears in Chrome is that Google programmed the message to appear for all pages served over HTTP, with the enhanced red warning appearing if you start to type data into the page. In the past, Chrome and other browsers would not do this. The change was rolled out for Chrome version 68, in July 2018. In other words, the very same website and configuration would not be flagged with the warning prior to v68, and be flagged in v68 and newer.

For some reason, perhaps related to the SSL certificate change that occurred earlier, the redirect-to-HTTPS configuration was lost. It appears to have been restored.

Last edited by Cleophus; 02-28-2019 at 06:28 PM.
  #75  
Old 02-28-2019, 11:32 PM
Kolak of Twilo's Avatar
Kolak of Twilo is offline
Member
 
Join Date: Jan 2005
Location: Edgewater/Chicago
Posts: 3,806
Yep, I just typed http://boards.straightdope.com and it loaded the https version of the site so it looks to have been fixed. And I was using Chrome.