Website security certificates. When I get to my two sites (CHSAA or Crestwoodstock sites), if you look up in the URL area, it says “not secure” before the URL location. If people see that “not secure” is part of the URL, that may wave them away from the site.

I have read, that a security certificate is When you go to a site that uses HTTPS (connection security), the website's server uses a certificate to prove the website's identity to browsers, like Chrome.

------------------------------------------------------
How do I make my class creator sites secure for transactions and is there a cost to install a security certificate?

Google has updated their browser (and subsequently, major browsers have followed), to alert users whenever they are on any page of any site that is not secured by a security certificate. Your site is currently secured on all pages that were previously necessary such as cart check out pages of the Event Planner as well as your Login pages. Rest assured that your site is safe and secure. However, we are still looking into a solution for admins to acquire a security certificate for their sites so that all pages reflect a secure status. We are working with our team to solve the logistics of this task. We will inform all of our administrators as soon as we have a solution that will work for our unique site scenario.

I too have the same concern about security. Two Items
1. When I go to our main page AND AM LOGGED IN, it shows "Not Secure" on Chrome unlike what your prior answer indicated. Am I reading this wrong, or doing something incorrectly.
2. Should I be using FF instead of Chrome? Tried FF and it also says not secure while I am logged in.
3. Also, this may be affecting it. I'm trying to use password saver software...it's driving me crazy as I often use the same PW on different sites (I know it's not a good idea). I've tried DashLane and just deleted it..driving me crazy, now trying Sticky Password.

4. Not your problem most likely, but while I use Malwarebytes 24/7 I just got two ransomeware letters - ( i know these are emails, not direct/locking attacks and they are badly written gross, untrue, and several weeks old, found in my junk mail...and have NOT responded...but security is getting a bit higher priority in my life now. Please advise. Thanks

Thanks, Scott...

Everybody is becoming more aware of security holes these days and that 'Not Secure' heading on the URL is spooking more than a few of our classmates.

Telling them to 'ignore it' because our site is actually very safe sounds a lot like 'whistling in the dark'

Be looking forward to a solution.

Forgot to mention, when I told (per your comment) one of our classmates that the pages where any secure information is required...such as the Log In page, "you will see that there is a secure icon (padlock, etc.)." He went away, grumbling...

So then he called me back 10 minutes later and said the 'Edit Profiles' page (where he loads pictures) was not secure. He's evidently right as I see no security icon.

The 'Edit Contact Info' page is secure, but because we're uploading pictures into the server (I presume) on the 'Edit Profile' page, does that then become a possible entry point for bad guys?

I'm not a security expert, but these are my thoughts:

There is a level of security built in to the Edit Profile page, in that a classmate must be logged in before he/she can view or edit that page. So, the Edit Profile page can only "become a possible entry point for bad guys," if the bad guys are logged in.

All the pages in the Member Functions section (Notify Me, Edit Contact Info, Edit Profile, Change Password, Log out) are viewable for editing only after one is logged in.

I may be incorrect here, but pretty sure this will work to solve the "not secure" concern. In some ways it is similar to how the login, payment link name changes to https.

So here's my concept that is an easy way to do this (get sites secure with https), but it requires some changes by CC and a new Option for users (admins of a site, not classmates) since they "might" have to make a few changes. [I do here and there, but it's not too hard.]

Our sites with a domain name get directed to the actual name used by CC.

For example
http://www.bothellhigh61.com
is actually
https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/

So if you click either link, you end up at exactly the same place. The Difference is that the first is "not secure" and the second one IS secure.

Now if you click any of the left hand links CC has generated bothellhigh61.com links but that doesn't have to be that way at all.

To illustrate see this example of links Bothell Weather [Note: I just modified this page to show how it works if CC did this by making the page itself convert to the Secure version of the page. It's not an important page in case there's something I forgot - that a browser setting might complain about]

Clicking from either page link generates
http://www.bothellhigh61.com/Bothell-Weather.htm .. modified so it automatically goes to the next link
but actually this next link is exactly the same thing
https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/Bothell-Weather.htm

Now there is one problem and the home pages shows that. The https change affects the way default links are done by your browser and catches where you mixed secure and not secure references.

I hardcoded an iframe reference (in a script) using bothellhigh61.com and that violates "mixed content rule" for https - a security violation. Hence the scrolling classmate script does not run and is just a gray rectangle. On the bothellhigh61.com link it shows. This is very easy for me to fix. I just left it to show what happens. Similar issues occur for scripts.

So that's why it has to be an "option" to use the https name vs your domain name.

However, it solves the "not secure" issue described.

If you click some of the inner links, like Reunion Committee you can see that it stays "secure".

Should be very easy to CC to implement since if you stop paying for a site, that's actually what happens anyway

[I forgot to post this some time ago and this post reminded me.]

Both Scott and Jack's posts are very helpful.

Scott you're right, and the 'black hats' have to get past the Log In to theoretically do very much. Perhaps not much of a hurdle, but it's there.

The crux of the problem is that (often RED) 'Not secure' notice that Google now puts in front of the URL. Heck it even makes me a little uneasy. My classmates with very little understanding of security tend to freak out.

I'm afraid explaining the nuance of your analysis, Scott, will not be enough...

Jack's points are impressive, your skills are way above mine Jack, in even figuring all this out.

But that's a problem as well, most of my classmates at 73 years of age are way past a somewhat technical solution that they would have to implement. They'd just stop coming to the site.

There must be a better way to keep our sites user friendly and secure; and without Google's non helpful 'Not secure' (in RED) notice.

But Class Creator is going to have to figure that out before we begin losing large amounts of classmates from all of our sites.

This change will be completely transparent to Classmates - just the secure lock will appear vs not secure. I'm assuming that Classmates means the members of a class. They just click on exactly the same link they did before. No action required by them. CC does all the changes in the "background" so to speak. [Just like CC does now for Login, Payment, Editing, Manage Classmates etc. In fact, that is so transparent I bet many admins never noticed - those are the "users" I referred to not classmates]

The only thing CC does is 1) switch the "landing" page to the https version AND 2) change all the link names to the https version. They could do the second step and probably leave the first page alone. However, then the first page would still show not secure.

Most sites will be surprisingly adaptable. The reason is that when you use the Editor and Preview a Page, that is already what happens - it switches to your actual CC website address. Have not seen any complaints that a preview did not show correctly. Not a guarantee, but also tends to make me think it won't be a big problem.

To see this, select Edit Site Pages. Now pick a page and Click Preview. Notice that the upper link in browser is now Secure. Exact same page.

IOW, if you can see your pages in Preview, your site is good to go.

Mine has some very custom code. Most sites just use the default tools. The main thing that some sites need to "fix" is that they might have hardcoded links to their pages inside of other pages. They need to fix those links since they would still "work" but revert to the not secure version.

However, that is why it would be an Option in preferences. If somehow there was an issue, revert back if one did not understand how to fix. They could always ask here how to fix though. Almost all can be fixed if the referenced resource has an https version.

I forgot to mention that Step 2 code is already there in CC. It's what you get when you get a "free" site (or revert back to one). So the only change is actually Step 1.

Sites that Pay code would have the Option code added in Preferences (or?) and code to check option of course

Made a script so anyone can easily make any page "secured" but image links might need to be modified depending on how you did them. If CC changes, it will still work since it checks site http status.

EDIT: removed content because cookie gets removed so it did not work as intended. I was logged into https in one tab and testing in another tab using our actual Domain name. So I had two cookies active that made it all work.

Funny thing is that if you do NOT have a domain name it all works great. See THIS PAGE for how that works. That is a 100% secure ClassCreator site using https.

Scott
any update on a solution for security certificates?

Thanks - Patrick

Also to Scott: Here's "second" to the question about "any update on a solution for security certificates?"

Cheers, Allen.

“To see this, select Edit Site Pages. Now pick a page and Click Preview. Notice that the upper link in browser is now Secure. Exact same page.

IOW, if you can see your pages in Preview, your site is good to go.”

Jack, in Preview, everything on our website is Secure in Preview, Does this mean our site is Secure? Or does this mean CC should have an easy fix?
Thank you, Jack, for taking time to educate us!

Thanks. I also got educated in reviewing the details. Especially with the script that worked perfectly, except that I did not realize I had two cookies (one for the Domain and one for classcreator https) active. With the newer restrictions coming, this issue is becoming urgent vs just something that will not affect our sites.

CC should have a relatively "easy fix". Right now when you use your Domain name to login, CC changes to the secure CC URL and then after you finish, it changes back to your Domain name. Which of course is not secure.

Sites that do NOT have a domain name get the default raw CC URL which is easily made https, even without CC doing anything, by the little script I wrote. If I started today, I would never get a Domain name There are other ways but involved shelling out a few $$$ with another ISP.

The edit "Preview" is just to show that all your pages show as "secure".

What is interesting is that most pages that are not content related are now https. So that was a step towards security. They did forget a few The login one being the most serious forgotten one.

“With the newer restrictions coming, this issue is becoming urgent vs just something that will not affect our sites.”

CC- Because this is urgent, CC plesse advise your solution to make my class website Secure. As an administrator, my clsssmates depend on me to provide them with an easy to access website.
Is anyone from tech support reading these comments?

This has become a big issue for me with classmates. When can we expect it to be resolved. I worked so hard to get classmates to use our site. I don't want to lose them now. I think it would be reasonable to expect a response from CC as to the target date for fix. Thanks.

“The changes will take effect on March 31, 2020, and they won’t impact the way you use Google services.”

Unfortunately. there are two threads discussing the same topic.

I agree with Camille.
The google deadline to be security compliant is March 31. 2020 — that’s in 24 days. Jessica stated “We will be sending out a notice regarding the beta soon.”
My questions are: will CC install and what’s the date?
Thank you.

CC if you are monitoring. Silence is unnerving.

I just signed on to my site and did NOT see the "not secure" designation. Does that mean it is fixed?

Our website still shows insecure

No change. Could be Safari doesn't show that yet?

OK Thanks.

Something appears to have changed. The logon page is now showing as "Not Secure" in Chrome. Haven't tried with any other browser.

Been that way for some time. You must not have updated browser lately..

Are you talking about the "head" login option? That's a BUG by CC and has also been reported starting in Nov 2019 here

Jack Vermeulen wrote:

No, I'm not. And the unusual thing is that other CC sites I access that do not use the Responsive Design still show the logon page as being secure. All in Chrome.

Weird. Yes your site is screwed up (no offense) even with FF. No change for my site (RD). Except for the 'head' bug it's all https for login protected pages. [Edit see next post, think I discovered the reason.]

Checked a few other RD sites and they also are https for login. Like this one http://www.fairborn71.com/

FWIW, sites like yours without a domain can be https with the script I made. That's what this SITE is using that script

Edit: However, you still need to make sure all images used are HTTPS to avoid the not-secure flag.

OK, think I figured it out. The problem is that IMAGES are not HTTPS and Chrome/FF started complaining about pages without secure IMAGES. I kid you not. That is what I noted about a month ago. These ongoing changes are going to cause all sorts of issues.

The only way you can fix that ATM is to make your images fully qualified as

https://www.classcreator.com/Springfield-VT-1958/... rest of link

Forgot to mention: It comprises the BOTTOM images there which I do not think you can touch since CC made it fully qualified - CC needs to FIX that.

This is just one of them
http://www.classcreator.com/000/template_media/4F6B0DB5-ECF4-BBD7-B960C6FC938F04DF.jpg

It's got to be something else. I've taken all content except for some CC stuff off the home page and it's still Not Secure.

I talking about the images on the BOTTOM. Those are still there. Copy and paste the link I gave an you can see what I'm referring to.

This is just ONE of all of those http://www.classcreator.com/000/template_media/4F6B0DB5-ECF4-BBD7-B960C6FC938F04DF.jpg

However, even if that is fixed (I manually played with it), pretty sure there's a link in there that is http that Chrome and FF are complaining about. You can't touch all of the code there.

Since other sites that are working normally, it has to be some http resource that is triggering "not secure". CSS references will also trigger that warning now.

If you go to the Scripts site you can see that it works (except I also have some http images on one page that I still need to fix myself).

Jack Vermeulen wrote:

Nope, got the attached when I clicked on the link.

It's just a screenshot of the BOTTOM of your page showing you the images there that are HTTP. Just copy and past the link I gave so you can see one of them. It was to show you the images I'm referring to.

Your browser probably has to be configured to download PNG. I had to make mine use FF. Wish CC let you just paste an image here - that's never going to happen

I re-read response 32 went to the link and saw the pictures to which you're referring. Have restored home page content and going to sign off for now. Thanks for all your input.

Thank you.
Our website today now appears to be Secure if using Chrome. If using Safari our site still says Insecure. I have not received any of the new updated comments. I logged on to see what’s going on.
Question: is our website Insecure or Secure?

Vicky's site, she started this thread, experiences the same issue as mine, i.e. Not Secure logon page.

Vicky's site has this image that is not secure on the bottom of the page for Sign In, the FB one. It's another one CC has to fix by removing the fully qualified "http".

http://www.classcreator.com/000/template_media/75AFF271-ECF4-BBD7-B960E5A1B1A07EEB.jpg

ANY image that is fully qualified that does not have https will flag a page as not secure.

FYI Vicky's other site is fine with the login. Also an RD site.

http://www.classcreator.com/chsaa/

So to emphasize, if there are ANY images that are not https, the signin will show not secure. Some of them you can fix, like the FB image. Other images that are not set by you, you need to remove for a bit - if it bothers you. IMO, that someone would use an insecure image on one of our sites is pretty remote. Unless you are some sort of James Bond character

Thank you!
Will look into it late tonight. We don’t use FB. How to know if an image is HTTPS?
We have hundreds of photos - if I don’t remove certain photos by March 31, can our website function as usual?

Jack Vermeulen wrote:

So to emphasize, if there are ANY images that are not https, the signin will show not secure. Some of them you can fix, like the FB image. Other images that are not set by you, you need to remove for a bit - if it bothers you. IMO, that someone would use an insecure image on one of our sites is pretty remote. Unless you are some sort of James Bond character

Not concerned at all. Was just pointing out what seemed to me a change in how the logon page was being treated. I'm sure that when CC initially made the change that it showed as secure and now it doesn't. Per your explanation it would appear that the cause is browsers treating images differently now than they did a while ago.

Sites will still work, it's just that the sign-in will show "not secure" if there's an image there that is http.

The idea is that when CC eventually gets around to giving all sites https ability (one is extremely easy to do - the one I proposed), your site will be all ready for that. Most images will automatically be good if one just used the Editor to create the images. One manually entered using http (or the ones that CC did not create properly) need to be fixed.

The simple way to see if you have any images that are not https it to go to Edit Site pages and click Preview. If it shows the "lock" everything is fine. If not, then something on the page needs to be fixed. That is not always an image. Scripts and CSS stuff may also need to be fixed .. pretty rare too, except that History has that problem .

F C Bock wrote:

Yes. Chrome announced that change a few months ago. I suspect though that eventually they will BLOCK mixed resources. That is already being done for CC History pages by Chrome, Firefox and Opera. The videos in History do NOT show. [If you make the page https in Chrome it works but not for FF or Opera ]

IOW, this is being done in steps to give sites the chance to adjust. The same way that Flash got disabled. Some CC Flash based features no longer work.

Can anyone reassure if I do nothing, our website remains as it is today.

Hoping all remain safe & healthy

You won't have to do anything more. We will have options soon for those who want to secure using their own domain as well.

In the meantime the March 31st deadline item related to securing downloads has been addressed. We have secured all document downloads across the entire network of sites using our secure ID. That was the item Jack posted originally and it is done so nothing new will be affected as of that date.

Thank you Jessica. Prefer to keep our domain.
Will await options.

Jessica,
We’re keeping our domain - how do I proceed with Security
Certificates? Or will CC take care of this since we bought our domain name thru CC?
Elena

I am wondering too when the the site will be listed as secure. Even this thread comes up as Non secure. Also, postings to my site still are continually duplicated so I have to go in and delete each time a classmate posts anything.

Class Creator (CC) has mentioned in previous threads that the options for securing our sites, both paid and free, will be available once the post-migration items are resolved. I think we just have to wait until the duplicate/truncated posts issue, and any other issues are resolved, and then CC will present the options.

Secure stuff should have nothing at all to do with the dup posts. Either there was a mistake made in the original code OR there's a mistake in the updated Cold Fusion regards "dup" issue. Or there's a timing issue with a "faster" host that is triggering the problem at odd times (meaning the "bug" was always there). Not the first time I've seen that sort of problem.

CC needs to get pro-active and EXPLAIN what is going on.

Turn on the "secure" option and at least give users something to be happy about out of this move (90 days ago) to a new host that so far is not so great.

[BUMP]
It's now mid-December 2020 and our classmates are still seeing "Not Secure" in their browsers for our reunion website.

Is the certificate problem *still* on hold pending resolution of other post-migration issues???