ClassCreator.com | Blockbuster sites, amazing reunions


Chrome "Not Secure" Warnings

Forums: Questions and Answers About Building Your Site
Created on: 02/01/17 11:29 PM Views: 1452 Replies: 18
Wednesday, February 1, 2017 at 11:29 PM

Today I received an email from Google stating, in part, the following concerning my ClassCreator domain:


Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

I have read the January 2014 thread at http://forums.classcreator.com/messages.cfm?threadid=4E098F41-90B1-1C17-D1BE52015AB3BAD4.

Is there anything I can or should do at this point concerning HTTPS?

Can and should I notify classmates that if they use Chrome, they will see security messages, but there is nothing to worry about?

Reply
Wednesday, February 1, 2017 at 11:37 PM - Response #1

Interesting. I'm using the latest version of Chrome on my desktop, 55.0.2883.87, so it looks like version 56 is not out yet. Have not received an email like you got.

Reply
Wednesday, February 1, 2017 at 11:46 PM - Response #2

Okay, an internet search reveals Chrome version 56 is beginning to roll out. There are some articles on the net that possibly reference what Dana is saying. Someone with more computer savvy than me will have to weigh in on what this means --- Jack Vermeulen/John Ralph?

Reply
Edited 02/01/17 11:57 PM
Thursday, February 2, 2017 at 12:02 AM - Response #3

I'm running Chrome Version 56.0.2924.87 (64-bit) and it works just like it always did. No message.

To check version: Go to Chrome, click top right hand vertical dot thingy, go to help, click About Google Chrome. It will tell you the version and if there's an update.

As that link you gave explained, the actual login is https (although there's a slight compromise the way it is done).

Dana Shultz wrote:

Can and should I notify classmates that if they use Chrome, they will see security messages, but there is nothing to worry about?

Reply
Thursday, February 2, 2017 at 12:05 AM - Response #4

P.S. PayPal is also https and so is the CC payment section.

Reply
Thursday, February 2, 2017 at 2:02 AM - Response #5

For normal page browsing, our site is unsecure (http), versus a secure (https) site. Just finished updating Chrome to same version Jack has: 56.0.2924.87 (64-bit). I then logged out of our site and logged back in. During log-in process, the words, "Not secure" appear to the left of the URL. As soon as I log in, the words disappear. Everything is normal, as before. I don't see a need to notify classmates about this change. It's just an extra step Chrome has taken during the log in process to let us know our site is not secure.

Reply
Edited 02/02/17 2:10 AM
Thursday, February 2, 2017 at 11:25 AM - Response #6

There will probably be someone who sees that and asks us about it. My response will be that our site is still 'secure'. Restricted pages and profiles are still restricted to logged in members only, and nobody can join our site without being verified.

But accessing our site at the local coffee shop using a non-secure connection could let someone who has the equipment to monitor network traffic see what we send and receive over the network connection.

Reply
Thursday, February 2, 2017 at 3:02 PM - Response #7

LOL - I thought it meant there was some obvious 'message' that came up. Yes, the URL location says that. I was expecting something more noticeable. Didn't even notice.

What John said is an issue -IF- our sites had data worth intercepting.

Reply
Thursday, February 2, 2017 at 3:57 PM - Response #8

After thinking about this, and knowing that there's liable to be someone out there who sees the "Insecure" warning and asks about it, it seems to me that the only thing with a significant potential risk is someone logging in (entering their login id & password) when they're using a nonsecure http connection in some environment like a coffee shop or motel where someone is more likely to be monitoring network traffic.

But there's an easy way around that, no matter where you're logging in from! Since Class Creator DOES have a secure certificate, you can use a secure https connection to log in - by using the internal CC address. In my case, my normal site URL is http://www.Westside-59.com. But if I click on the Subscriptions tab, I can see that the secure 'long name' is https://www.classcreator.com/Omaha-NE-Westside-1959/. Using that when I go to my site to log in encrypts my login entries and eliminates any potential login monitoring, although it does then revert to the normal URL using http and my domain name from then on.

And Class Creator could plug this potential security hole by instantly refreshing any screen that includes a login box using the https ClassCreator.com long name URL for your site and that page - as they do with the Subscriptions page.

Reply
Thursday, February 2, 2017 at 4:32 PM - Response #9

Only issue is that using the CC https full name disables any scripts/widgets that people have that are not https. It's why editor preview does not work with http scripts.

You can get 'cheap' SSL certificates for $9-$100/year with a low warranty of $10,000-$50,000 INFO HERE

If anyone is really concerned.

Reply
Thursday, February 2, 2017 at 5:52 PM - Response #10

We are discussing possible solutions internally.


Reply
Thursday, February 2, 2017 at 7:27 PM - Response #11

John's is workable if you make/tell people to use https scripts and widgets.

Or you could make it an OPTION with the explanation of the prior sentence constraints. Let users decide.

Reply
Saturday, February 4, 2017 at 12:38 AM - Response #12

CC has modified it so if Chrome is detected it generates a DIFFERENT login screen. One that uses John's basic concept. +1 for John.

However, this is also very confusing to users and was done WITHOUT any warning to users. Not the way to do this.

So let's make this new login the SAME for all browsers since finally the login is actually protected.

Reply
Saturday, February 4, 2017 at 8:43 PM - Response #13

The login was always protected, as the post page was always to the secure domain. It wasn't readily apparent since the page containing the form isn't.


Reply
Monday, February 6, 2017 at 3:31 AM - Response #14

You might not be aware that FF 51.0.1 is ALSO now displaying a padlock with a RED slash indicating an insecure site.

Here's an explanation, and the method CC is using is described by that as not a secure solution - serving form over https.


Quote:

Serving the login form over HTTP:

Even if the form action is an HTTPS URL, the user's login form is not protected because an attacker can modify the page received by the user (for example, attackers can change the form destination to post the sensitive data to a server that they control, or they can insert a keylogging script that swipes their password as they type it). The security tab of the Web Console will warn developers and users about the security issue:

https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords

Reply
Edited 02/06/17 3:33 AM
Friday, March 17, 2017 at 6:11 PM - Response #15

I received the exact message referenced in the Firefox link provided by Jack. How can I make our login secure for all browsers? I know too many of our class members will not use the site for reunion registration if they receive a notice that says the site is not secure.

Reply
Friday, March 17, 2017 at 7:52 PM - Response #16

CC fixed the login, so there is no longer a padlock with a slash. Are you seeing the slash when you click Login?

(I'm using the same version (52) of Firefox and don't see a slash.)

Reply
Friday, April 21, 2017 at 1:00 PM - Response #17

Thanks Jack. No longer seeing the slash.

Reply
Wednesday, March 27, 2019 at 3:09 PM - Response #18

Scott Moore wrote:

For normal page browsing, our site is unsecure (http), versus a secure (https) site. During log-in process, the words, "Not secure" appear to the left of the URL.

Just curious, I had a classmate yesterday challenge me, after I told him our site is secure when he logs in or makes any kind of payment. He's still not happy.

I'm just wondering if a site like Let's Encrypt, that describes itself as: "Let’s Encrypt is a free, automated, and open Certificate Authority," might be workable.

Their certificates are free, but are only good for a limited amount of time. They renew automatically, but it takes some work to automate it on some sites. Don't know if they could easily be incorporated into ClassCreator or not, but I thought I'd mention it.

Reply
Edited 04/06/19 9:51 AM