Not Secure Site

AJC5001
Lemon Slice
Posts: 275
Joined: November 4th, 2016, 4:55 pm
Has thanked: 86 times
Been thanked: 66 times

Not Secure Site

#375681

Postby AJC5001 » January 11th, 2021, 1:11 am

I have followed a link from this post viewtopic.php?p=375663#p375663 in the Drinks forum to https://rochester-drinks.com/products/rochester-ginger-dickensian/
This site is shown as Not Secure even though it has a https:// url, which I thought meant that it was secure.

What am I missing?

Adrian

PinkDalek
Lemon Half
Posts: 5889
Joined: November 4th, 2016, 1:12 pm
Has thanked: 1534 times
Been thanked: 1680 times

Re: Not Secure Site

#375683

Postby PinkDalek » January 11th, 2021, 1:25 am

AJC5001 wrote:What am I missing?


Did you click on the exclamation mark triangle & read the warning?

My version says, ... isn't fully secure etc.

Breelander
Lemon Quarter
Posts: 3493
Joined: November 4th, 2016, 9:42 pm
Has thanked: 644 times
Been thanked: 1346 times

Re: Not Secure Site

#375684

Postby Breelander » January 11th, 2021, 1:30 am

AJC5001 wrote:This site is shown as Not Secure even though it has a https:// url, which I thought meant that it was secure.
What am I missing?


Firefox says that parts of the page are not secure, and directs you here for more information:

Mozilla Support wrote: if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.
https://support.mozilla.org/en-US/kb/mi ... cale=en-US

AJC5001
Lemon Slice
Posts: 275
Joined: November 4th, 2016, 4:55 pm
Has thanked: 86 times
Been thanked: 66 times

Re: Not Secure Site

#375892

Postby AJC5001 » January 11th, 2021, 3:13 pm

PinkDalek wrote:
AJC5001 wrote:What am I missing?


Did you click on the exclamation mark triangle & read the warning?

My version says, ... isn't fully secure etc.


Yes, I did click on the exclamation mark triangle & read the warning, and it said :-
"Your connection to this site isn't fully secure
Attackers may be able to see the images you're looking at on this site and trick you by modifying them"
plus some other stuff about popups, certification, cookies, site permissions, tracking prevention etc (Using MS Edge)

There was nothing else to explain what "trick you by modifying them" might mean.

I asked because I don't recall seeing an https page that showed this "Not Secure" message before.

Breelander wrote:Firefox says that parts of the page are not secure, and directs you here for more information:

Mozilla Support wrote: if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.
https://support.mozilla.org/en-US/kb/mi ... cale=en-US


So the page contains images that are only HTTP as well as the rest of the content that is encrypted.
As the images don't seem to be clickable, and there doesn't seem to be any forms to collect any data, do I assume that viewing it causes no harm?

Thanks,

Adrian

Infrasonic
Lemon Quarter
Posts: 2460
Joined: November 4th, 2016, 2:25 pm
Has thanked: 406 times
Been thanked: 576 times

Re: Not Secure Site

#375958

Postby Infrasonic » January 11th, 2021, 5:18 pm

Generally if it isn't an e-commerce site collecting data then it not being fully HTTPS is less of an issue, although still not ideal.
Google will penalise SEO though, so it's not a good idea for commercial sites if they want to maintain decent rankings.
I would imagine Google and the other big players will slowly increase the pressure on site owners via penalties to upgrade them fully to HTTPS.

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Not Secure Site

#375984

Postby johnhemming » January 11th, 2021, 5:57 pm

I thought I would have a look at this page in Chrome and Chrome now automatically upgrades http to https. Quite a lot of the page is done properly, but bits of it do insecure image requests, not all of the images though.

didds
Lemon Quarter
Posts: 3120
Joined: November 4th, 2016, 12:04 pm
Has thanked: 1445 times
Been thanked: 497 times

Re: Not Secure Site

#376014

Postby didds » January 11th, 2021, 7:28 pm

A quick look at the site's source code shows it has numerous references to hardcoded http:// links.

That's why it's showing a warning etc.

It's a very poorly coded page basically.

didds

88V8
Lemon Quarter
Posts: 1504
Joined: November 4th, 2016, 11:22 am
Has thanked: 248 times
Been thanked: 473 times

Re: Not Secure Site

#376176

Postby 88V8 » January 12th, 2021, 10:30 am

If I put the url into Sucuri https://sitecheck.sucuri.net/results/ht ... ickensian/ it comes up Medium Security risk, but could not be fully scanned, returns error 403.

Malwarebytes has no problem with it.

But yes, I always assumed https was 'safe'.

V8

UncleEbenezer
Lemon Half
Posts: 5884
Joined: November 4th, 2016, 8:17 pm
Has thanked: 787 times
Been thanked: 1289 times

Re: Not Secure Site

#376274

Postby UncleEbenezer » January 12th, 2021, 3:27 pm

88V8 wrote:But yes, I always assumed https was 'safe'.
V8

There's nothing inherently safe about https. It protects against the risk of data being read or altered "on the wire" between you and the far end of the link, but not against a malicious or compromised site, including in some circumstances the possibility of one that isn't what you think it is (issues like plausible misspellings, I for l or 1, etc - and nowadays that includes lots of non-ascii characters).

Neither does it protect against risks coming from third-party sites that embed contents such as images or scripts - which is what the browser is warning you of.

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Not Secure Site

#376285

Postby johnhemming » January 12th, 2021, 3:46 pm

UncleEbenezer wrote:There's nothing inherently safe about https. It protects against the risk of data being read or altered "on the wire" between you and the far end of the link,

Interestingly there were some ISPs in I think the Far East which were requiring email that was supposed to use SSL/TLS to go through their own servers enabling them to monitor the email. If you are worried about this you need to check that your email clients (and all relays) properly check the certificates being used for SMTP.

UncleEbenezer
Lemon Half
Posts: 5884
Joined: November 4th, 2016, 8:17 pm
Has thanked: 787 times
Been thanked: 1289 times

Re: Not Secure Site

#376291

Postby UncleEbenezer » January 12th, 2021, 3:50 pm

johnhemming wrote:
UncleEbenezer wrote:There's nothing inherently safe about https. It protects against the risk of data being read or altered "on the wire" between you and the far end of the link,

Interestingly there were some ISPs in I think the Far East which were requiring email that was supposed to use SSL/TLS to go through their own servers enabling them to monitor the email. If you are worried about this you need to check that your email clients (and all relays) properly check the certificates being used for SMTP.

If you want secure email, use PGP. That's a long-solved problem.

ReformedCharacter
Lemon Quarter
Posts: 1580
Joined: November 4th, 2016, 11:12 am
Has thanked: 988 times
Been thanked: 500 times

Re: Not Secure Site

#376294

Postby ReformedCharacter » January 12th, 2021, 3:58 pm

UncleEbenezer wrote:If you want secure email, use PGP. That's a long-solved problem.

Yes, I used to use it with the one other person I knew who did also. I used to think that it would be widely adopted but that doesn't seem to have happened, I'm not sure why. OH has to communicate confidentially with councils, NHS etc. all of whom seem to have their own non-compatible systems. That's the price of progress :)

RC

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Not Secure Site

#376301

Postby johnhemming » January 12th, 2021, 4:19 pm

ReformedCharacter wrote:
UncleEbenezer wrote:If you want secure email, use PGP. That's a long-solved problem.

Yes, I used to use it with the one other person I knew who did also. I used to think that it would be widely adopted but that doesn't seem to have happened, I'm not sure why. OH has to communicate confidentially with councils, NHS etc. all of whom seem to have their own non-compatible systems. That's the price of progress :)

The issue AIUI is that it has not reached critical mass.

Some systems check whether the relay servers are using TLS, be it STARTTLS or port 465, and won't send emails unless that is the case. Gmail handles this reasonably well so you can find out if that is the issue by using a Gmail account.

Infrasonic
Lemon Quarter
Posts: 2460
Joined: November 4th, 2016, 2:25 pm
Has thanked: 406 times
Been thanked: 576 times

Re: Not Secure Site

#376469

Postby Infrasonic » January 13th, 2021, 9:37 am

ReformedCharacter wrote:
UncleEbenezer wrote:If you want secure email, use PGP. That's a long-solved problem.

Yes, I used to use it with the one other person I knew who did also. I used to think that it would be widely adopted but that doesn't seem to have happened, I'm not sure why. OH has to communicate confidentially with councils, NHS etc. all of whom seem to have their own non-compatible systems. That's the price of progress :)

RC


PGP never went mainstream because it's a PITA to set up for a non technical user.

Email services like ProtonMail use it, it still depends on the other end having a PM account though for painless use.
https://protonmail.com/support/knowledg ... %20address.

Thunderbird mail client has streamlined the PGP process somewhat in recent years from what I have read. I'm not a regular enough user of TB to comment from experience.

