This Pressure to go to SSL is intense!

What a ridiculous amount! I pay at Comodo € 12.50 for 3 years ;)


The amount paid often reflects what kind of guarantee it comes with. Just getting TLS encryption at this point should be free or near free. If you are required to obtain a certificate that has verification then it will cost more. If you want liability insurance when you are breached then it's going to cost a fortune.
 
NameCheap offers domain validation certificates for $1.99 when you register ANY new domain (even their less than $1 domains) - it's not tied to that domain either.
 
An add-on to "fix" the issue would only hide or mask the issue, at most. Does your host allow you to install SSL certificates yourself through cPanel? If so, just grab one for $10/yr from somewhere like ssls.com and install it yourself; it only takes a few minutes to do.

Chrome is likely to catch things like opening the registration form in a modal, and even if you disable the dropdown login that XenForo has by default and only use the login/register form you'll still get the big ugly "Not Secure" notice when you go to the login/register form pages:


https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

I believe Cloudflare's free SSL suffices for this, no?

Even that will still hide the issue instead of fix it, the traffic would be encrypted between the client and CloudFlare, but not CloudFlare and your server. They may have an option to use a self signed cert between CloudFlare and your server, not sure
 
I use one comodo certificate which I can re-issue for up to 100 domains and their corresponding wildcards but only warrantied/insured for 10K.

Even that will still hide the issue instead of fix it, the traffic would be encrypted between the client and CloudFlare, but not CloudFlare and your server. They may have an option to use a self signed cert between CloudFlare and your server, not sure

They do in fact have an option:
You can use full with a self signed cert on your server and all should work fine. To use full(strict) you need a cert signed by a CA.
 
January 31, 2017 will be when Chrome 56 is released. We plan to move to SSL the day before on our last site.
 
Looks like the feature has made its way into Canary (Chrome's dev build with all the new doodads and such). The system seems fairly intelligent. For example, on XenForo's default style it won't show the notice until you actually open the login form (even though the contents of the login form are on the page, just not rendered)


It will also catch a password field in a modal that is loaded from a separate page and rendered, or a password field that is added to the document via javascript
 
I'm not using Chrome 56, how does it show sites that are https but with mixed media content on login pages?
 
I'm not using Chrome 56, how does it show sites that are https but with mixed media content on login pages?

Same way Chrome always has, it shows the "i" icon that tells you there is mixed content when you expand it, there isn't a "Not Secure" banner, though
 
If your host doesn't support you uploading your own certificates, it's time to find a new host - even if they provide certificates for you.

I would personally recommend you go down the route of setting up a VPS, and host it yourself. (If you want some help, I'm happy to assist :))
Then you can slap a Let's Encrypt certificate on it, or go for the one bang and use both Let's Encrypt and Cloudflare and get the performance optimizations too :P
 
The amount paid often reflects what kind of guarantee it comes with. Just getting TLS encryption at this point should be free or near free. If you are required to obtain a certificate that has verification then it will cost more. If you want liability insurance when you are breached then it's going to cost a fortune.
^^ This ^^

Big prices on certificates are about the protection the company offers behind that certificate, not just the certificate itself. Calling them a "ripoff"....um, no. We paid a bit more on a certificate for a client of mine who is running Magento and accepting credit cards. Makes total sense. For a forum collecting only a username and password? The less expensive or free certificates will work well enough.
 
They don't support Let's Encrypt, I asked.

The cost of an SSL certificate really depends on the type of SSL cert you need / want. In most cases though a ~$10/year certificate should be enough but we're moving towards free basic SSL certificates.

If your provider doesn't allow you to install an SSL certificate acquired from a 3rd party, I'd honestly find a new provider. And if you do, find one that supports Let's Encrypt.
 
Firefox 52 is out now, and with a new release comes a new warning about HTTP.
There is a pattern here: browsers are incrementally adding warnings for HTTP, raising their expectations each month as the web moves further towards a fully-encrypted future.

This time the warnings are targeting login forms on insecure HTTP pages.
On any HTTP page, a new insecure password warning will appear directly below login fields when they become active (when a user clicks on/tabs to them). The warning makes sure any users will see the dangers of submitting data over HTTP.

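Both the Chrome 56 and Firefox 52 behaviour discussed in this thread come down to the same rule: a password field on a page that is not served over HTTPS (or a form that submits to plain HTTP) gets flagged. The script below is an added example, not code from the thread or from either browser, that applies that rule statically to a page's HTML so a site admin can find such forms before users see the warning; the sample HTML and hostnames are constructed, and, as noted above, a static scan cannot see password fields that JavaScript adds later, which the browsers do catch.

```python
"""Find password fields that a browser would flag as insecure because the page
or the form's submit target is plain HTTP. Added example; sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Records each password input together with the action of its enclosing form."""

    def __init__(self):
        super().__init__()
        self.current_form = None  # action attribute of the open <form>, or None
        self.findings = []        # (field name, form action or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append((a.get("name") or "<unnamed>", self.current_form))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def audit_login_forms(page_url, html):
    """Return (field, submit_url, reason) for every password field that would be
    flagged: the page itself is not https, or the form posts to a non-https URL."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_insecure = urlsplit(page_url).scheme != "https"
    results = []
    for field, action in scanner.findings:
        submit_url = urljoin(page_url, action or "")  # empty action posts to the page
        if page_insecure:
            results.append((field, submit_url, "page served over http"))
        elif urlsplit(submit_url).scheme != "https":
            results.append((field, submit_url, "form submits over http"))
    return results


# Constructed sample: a forum login form plus a legacy form posting to plain HTTP.
SAMPLE_HTML = """
<form action="/login/login" method="post">
  <input type="text" name="login"><input type="password" name="password">
</form>
<form action="http://legacy.example.invalid/auth" method="post">
  <input type="password" name="pw">
</form>"""

if __name__ == "__main__":
    for finding in audit_login_forms("http://forum.example.invalid/login", SAMPLE_HTML):
        print(finding)
```

Running it against an HTTPS page URL still reports the second form, which is the mixed-content case a "Full" Cloudflare setup or a site-wide redirect to HTTPS does not cure on its own.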
 
https://arstechnica.com/security/20...for-labeling-unencrypted-login-page-insecure/
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here. "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

HAHAHAHA First off, NEVER assume you have never been breached. Second, their 2001 web design hints to me that they might not pay attention to web standards news, and that they probably don't even have any real security team.
 