Site Not Secure?

[derleydoo]

Something happened? The site is listed, in red type as Not Secure, alongside a triangular red exclamation mark! Not happened before. Had a warning come up: Don't enter sensitive material - bank details etc.

[Peter Kropotkin]

a couple of questions...

what device were you on? were you on your phone?
on the computer? I have found if I go on this site on my phone
and near a house/business/phone trying to hack my phone, my
phone will have that same warning on it.... so what exactly happened?

Kropotkin

[derleydoo]

I was on a laptop. Now on iPad and getting a similar warning... triangular exclamation mark. Odd.

[Peter Kropotkin]

I was on a laptop. Now on iPad and getting a similar warning... triangular exclamation mark. Odd.

K: it sounds like, being the expert I am

that someone is trying to or has hacked your devices....

hopefully you don't put your bank cards or anything valuable into these
devices...the best I can offer..... being computer illiterate that I am...

I hope this has help and if not, sorry....

Kropotkin

[Ecmandu]

Carleas basically had a post about a month ago explaining that the non secure status of the site was a matter of programming politics, not that the site was actually not secure.

I’m sure he’ll come here and explain it again.

[Karpel Tunnel]

The site is not secure. I have always gotten a similar warning from my computer about this forum.

Don't use an important password on this site, iow one that you use on anything improtant like banks or email accounts.

Otherwise all they can do is log in and post for you, but that's nothing.

[Ecmandu]

Karpel,

I get the same message as well. Your advice about passwords in general is always good advice (even for secure sites). I’m not a programmer so I didn’t understand much of what Carleas explained other than that he asserted that the “not secure” flag was misleading.

[Carleas]

Hi, sorry, just seeing this.

I think this is the earlier comment Ecmandu is talking about.

TLDR: We don't use encryption, traffic to the site passes through a third party, and we don't have certificates that establish that we are who we say we are. I don't think any of that is a problem, but Google does.

Encryption: there's no encryption (connection to ILP uses HTTP and not HTTPS), packets passed back and forth between your computer and ILP's server could in theory be intercepted.

Traffic passes through a third party: we use Cloudflare to protect against DDOS attacks. They are reputable, but this may be flagged as sketchy without a certificate or something else to show it's intended.

We don't have certificates: I don't fully understand how this works or what it does, but it's something to do with proving who we are. For example, if you are giving your bank details to a website, you want to be sure it's your bank, and there are third party services that make that happen. It's much less crucial here, it costs money, and I don't know how to set it up.

Google is probably right to make that kind of warning prominent, but it does favor larger, more sophisticated operations over hobbyist sites like ILP. You aren't being hacked, you aren't going to get viruses (if ILP served viruses, Google would flag that differently and yet more prominently), but you shouldn't share very sensitive info through ILP.

[Meno_]

What is considered ' very sensitive' info ?

[derleydoo]

Thanks Carleas. Strange, I use an ipad and there is a padlock displayed for ordinary browsing. The moment I sign in I receive a warning - site not secure.

Laptop states, not secure when browsing. The moment I sign in I get the not secure sign in red, alongside a triangular red exclamation.

This is a recent phenomenon - past couple of weeks. Never mind - it is what it is! Thanks for feedback.

[Carleas]

I wonder if Chrome can tell that you're logged in, and tries to make it clear that being logged in doesn't mean being secure. That would be a good feature.

What is considered ' very sensitive' info ?

Any info that it would or could possibly be costly to you for a malicious third party to have.

[fuse]

Carleas,

If you're already using Cloudflare you should be able to rather easily set up an auto-renewing ssl certificate for this site by letting Cloudflare do the work. It's free for most sites. I use it for my personal website. Here's a pretty good guide: https://www.freecodecamp.org/news/free- ... 1ca570324/

Although I'm not a networking expert, I've set this up on my site and I'm happy to try to help if you get stuck or something. I think it's worth doing.

[Mowk]

Must be a recent change but I'm logging in through https. Good show. "Duck-duck-go" upgraded it's rating for this site in regards to security from a C- to a B+.

[Carleas]

Thanks Fuse, I did not know about that. I might take you up on your offer to advise if I can't do it on my own.

Must be a recent change but I'm logging in through https. Good show. "Duck-duck-go" upgraded it's rating for this site in regards to security from a C- to a B+.

How strange, I have changed nothing. Maybe the average site has gotten worse, and we're looking better by comparison. Moving up by dumbing down!

[Mowk]

Capture.PNG

Well perhaps it was Cloudfare that helped you out. I no longer find the little security alert when hovering over the URL. It is https and verified by Cloudfare.

[fuse]

Nice, Mowk.

I can confirm that https://www.ilovephilosophy.com is working. Likely why the security rating has improved. It appears Cloudflare is already managing the ssl certificate for the site, as shown in Mowk's screenshot where it says "Verified by: Cloudflare." However, the site does not redirect to the 'https' address by default. This should be easily changed via Cloudflare configuration by enabling the below setting.

On this page:

cloudflare_config.png (29.12 KiB) Viewed 1120 times

Scroll down and enable:

cloudflare_alwayshttps.png (15.76 KiB) Viewed 1120 times

This ensures that anybody who navigates to the site will end up at the more secure https url.

[Carleas]

Well, that was stupid easy. My sincere thanks to you both, that is a small but important improvement, and I appreciate the hand-holding.

[fuse]

Anytime. I appreciate that you're willing to make these improvements from time to time.

[Mowk]

the credit goes to fuse. i didn't do anything but point, a trained dog can do that.

and thank you.

Yum, Bacon.... my fav.