alexD
Well-known member
No such thing as that would affect the SEO (the login form is normally present in all public facing pages - so that solution wouldn't help), please stand by.
This Pressure to go to SSL is intense!
- Thread starter DieselMinded
- Start date
rainmotorsports
Well-known member
The amount paid often reflects what kind of guarantee it comes with. Just getting TLS encryption at this point should be free or near free. If you are required to obtain a certificate that has verification then it will cost more. If you want liability insurance when you are breached then it's going to cost a fortune.
Jake B.
Well-known member
An add-on to "fix" the issue would only hide or mask the issue, at most. Does your host allow you to install SSL certificates yourself through cPanel? If so just grab one for $10/yr from somewhere like ssls.com and install it yourself, only takes a few minutes to do
Chrome is likely to catch things like opening the registration form in a modal, and even if you disable the dropdown login that XenForo has by default and only use the login/register form you'll still get the big ugly "Not Secure" notice when you go to the login/register form pages:
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Even that will still hide the issue instead of fix it, the traffic would be encrypted between the client and CloudFlare, but not CloudFlare and your server. They may have an option to use a self signed cert between CloudFlare and your server, not sure
Chrome is likely to catch things like opening the registration form in a modal, and even if you disable the dropdown login that XenForo has by default and only use the login/register form you'll still get the big ugly "Not Secure" notice when you go to the login/register form pages:
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Even that will still hide the issue instead of fix it, the traffic would be encrypted between the client and CloudFlare, but not CloudFlare and your server. They may have an option to use a self signed cert between CloudFlare and your server, not sure
Last edited:
EQnoble
Well-known member
I use one comodo certificate which I can re-issue for up to 100 domains and their corresponding wildcards but only warrantied/insured for 10K.
They do in fact have an option:
You can use full with a self signed cert on your server and all should work fine. To use full(strict) you need a cert signed by a CA.
They do in fact have an option:
You can use full with a self signed cert on your server and all should work fine. To use full(strict) you need a cert signed by a CA.
Jake B.
Well-known member
Looks like the feature has made its way into Canary (Chrome's dev build with all the new doodads and such). The system seems fairly intelligent. For example, on XenForo's default style it won't show the notice until you actually open the login form (even though the contents of the login form are on the page, just not rendered)
It will also catch a password field in a modal that is loaded from a separate page and rendered, or a password field that is added to the document via javascript
It will also catch a password field in a modal that is loaded from a separate page and rendered, or a password field that is added to the document via javascript
Last edited:
CarpCharacin
Well-known member
Chrome 56 was released today.
eva2000
Well-known member
Robru
Well-known member
Jake B.
Well-known member
Same way Chrome always has, it shows the "i" icon that tells you there is mixed content when you expand it, there isn't a "Not Secure" banner, though
JamesJ
Member
If your host doesn't support you uploading your own certificates, it's time to find a new host - even if they provide certificates for you.
I would personally recommend you go down the route of setting up a VPS, and host it yourself. (If you want some help, I'm happy to assist
)
Then you can slap a Lets Encrypt certificate on it, or go for the one bang and use both Lets Encrypt and Cloudflare and get the performance optimizations too
I would personally recommend you go down the route of setting up a VPS, and host it yourself. (If you want some help, I'm happy to assist
)Then you can slap a Lets Encrypt certificate on it, or go for the one bang and use both Lets Encrypt and Cloudflare and get the performance optimizations too
Wildcat Media
Well-known member
^^ This ^^
Big prices on certificates are about the protection the company offers behind that certificate, not just the certificate itself. Calling them a "ripoff"....um, no. We paid a bit more on a certificate for a client of mine who is running Magento and accepting credit cards. Makes total sense. For a forum collecting only a username and password? The less expensive or free certificates will work well enough.
The cost of an SSL certificate really depends on the type of SSL cert you need / want. In most cases though a ~$10/year certificate should be enough but we're moving towards free basic SSL certificates.
If your provider doesn't allow you to install an SSL acquired from a 3rd party I'd honestly find a new provider. And if you do, find one that supports LetsEncrypt.
Robru
Well-known member
Firefox 52 is out now, and with a new release comes a new warning about HTTP.
There is a pattern here: browsers are incrementally adding warnings for HTTP, raising their expectations each month as the web moves further towards a fully-encrypted future.
This time the warnings are targeting login forms on insecure HTTP pages.
On any HTTP page, a new insecure password warning will appear directly below login fields when they become active (when a user clicks on/tabs to them). The warning makes sure any users will see the dangers of submitting data over HTTP.
There is a pattern here: browsers are incrementally adding warnings for HTTP, raising their expectations each month as the web moves further towards a fully-encrypted future.
This time the warnings are targeting login forms on insecure HTTP pages.
On any HTTP page, a new insecure password warning will appear directly below login fields when they become active (when a user clicks on/tabs to them). The warning makes sure any users will see the dangers of submitting data over HTTP.
Last edited:
rainmotorsports
Well-known member
https://arstechnica.com/security/20...for-labeling-unencrypted-login-page-insecure/
HAHAHAHA First off, NEVER assume you have never been breached. Second their 2001 web design hints to me they might not pay attention to web standard news, that they probably don't even have any real security team.
HAHAHAHA First off, NEVER assume you have never been breached. Second their 2001 web design hints to me they might not pay attention to web standard news, that they probably don't even have any real security team.
TPerry
Well-known member
Some people are natural bozo's... and others are just pure natural ID10T's.