website not secure

Joined
Nov 1, 2007
Messages
1,251
Reaction score
80
Points
48
Location
Swansea - South Wales
Your Mac's Specs
21 M1 Pro 14" MBP, 23 M2 Pro Mac Mini (MacOS 14), iPhone 15 Pro Max (iOS 17), iPad 6 (iPadOS 17)
Just logged into Mac forums and the message "website not secure" appeared in the url bar?

Are there any problems with the site? Never seen this before.
 

pigoo3

Well-known member
Staff member
Admin
Joined
May 20, 2008
Messages
44,213
Reaction score
1,424
Points
113
Location
U.S.
Your Mac's Specs
2017 15" MBP, 16gig ram, 1TB SSD, OS 10.15
Nope no problems. New browser versions are simply calling that sort of thing out more. As far as site security...no issues.:)

- Nick
 
OP
nickyr
thanks Nick, phew!
 

pigoo3

I think the intention of that message is good.:) Problem is that message pops up pretty much on any site without an https certificate.:(

Mac-Forums is not an ecommerce site (buying and selling of goods and services, or the transmitting of funds or data, over an electronic network)...thus no one is entering a lot of personal information that could be at risk (phone numbers, home addresses, credit card numbers, etc.). Thus no issue.:)

- Nick
 
Joined
Oct 16, 2010
Messages
17,542
Reaction score
1,576
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
Just logged into Mac forums and the message "website not secure" appeared in the url bar?

Are there any problems with the site? Never seen this before.


Just out of curiosity, what macOS version and browser and its version were you using?

Some of this security stuff is getting to be a bit too much in the overkill department.




- Patrick
======
 
Joined
May 21, 2012
Messages
10,747
Reaction score
1,196
Points
113
Location
Rhode Island
Your Mac's Specs
M1 Mac Studio, 11" iPad Pro 3rd Gen, iPhone 13 Pro Max, Watch Series 7, AirPods Pro
I think the intention of that message is good.:) Problem is that message pops up pretty much on any site without an https certificate.:(

Mac-Forums is not an ecommerce site (buying and selling of goods and services, or the transmitting of funds or data, over an electronic network)...thus no one is entering a lot of personal information that could be at risk (phone numbers, home addresses, credit card numbers, etc.). Thus no issue.:)

- Nick
It doesn't pop up on any sites that I frequent. This is the only one I have it pop up with. Where have you seen it come up? Maybe every site I visit is https?
 

pigoo3

Where have you seen it come up? Maybe every site I visit is https?

I believe I've seen it pop up in some of these conditions:

1. Sites that are not https.
2. When I've done a fresh install of the macOS on a computer (that hasn't yet established cookies or preference file settings by the user).
3. Maybe after an OS update.
4. Maybe after a Safari browser update.

This is probably more likely to happen on newer browser versions. Older browser versions (like maybe what I have installed on a 13" 2011 MBP with El Capitan I have)...may not do this.

- Nick
 
OP
nickyr
Just out of curiosity, what macOS version and browser and its version were you using?

Some of this security stuff is getting to be a bit too much in the overkill department.



- Patrick
======

bang up to date with 10.13.6 and Safari 11.1.2

I've never seen this message while logging onto this site before so was a little surprised.
 
Joined
Oct 16, 2010
Messages
17,542
Reaction score
1,576
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
bang up to date with 10.13.6 and Safari 11.1.2

I've never seen this message while logging onto this site before so was a little surprised.


Thanks,
We Mavericks users escape most of that stuff. :Smirk:

I'd guess that one of these may have started your notices. These were just recently released 09 Jul 2018:

Apple security updates

| Name and information link | Available for | Release date |
| --- | --- | --- |
| iTunes 12.8 for Windows | Windows 7 and later | 09 Jul 2018 |
| iCloud for Windows 7.6 | Windows 7 and later | 09 Jul 2018 |
| Safari 11.1.2 | OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.6 | 09 Jul 2018 |
| macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan | OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.5 | 09 Jul 2018 |

https://support.apple.com/en-ca/HT201222

I guess I should check my sometimes used MBPro and its El Capitan.






- Patrick
======
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
I think the intention of that message is good.:) Problem is that message pops up pretty much on any site without an https certificate.:(

Just browsing sites with HTTP will not activate this warning. The popup is displayed if and when you try to log in to the site via an HTTP instead of HTTPS link. In my view, it is a useful warning, especially for sites that normally do have HTTPS-based login pages, but hackers redirected the site to an HTTP site for harvesting authentication credentials...

Safari 10.1.2 on my mac does not display this warning, but does offer saving the login credentials.

Opera displays the security warning for this site:

op.jpg

And so does Firefox:

ff.jpg

Mac-Forums is not an ecommerce site (buying and selling of goods and services, or the transmitting of funds or data, over an electronic network)...thus no one is entering a lot of personal information that could be at risk (phone numbers, home addresses, credit card numbers, etc.). Thus no issue.:)

- Nick

You are correct, the Mac-Forum is not an ecommerce site, but...

The login credentials are easy to intercept, when they are in plain text in transit, and steal whatever information is available within the profile. It's sort of interesting that this forum requires a complex password; however, it does not secure it in transit. Sort of defeats the purpose it seems...

While I don't doubt that the Mac-Forum is reasonably secure, maybe more so than other forums, it would not hurt implementing HTTPS for all the connections to the forum, including authentication. The chances are that the forum's hosting company supports Let's Encrypt, in which case it's relatively easy to add HTTPS. And it's also free...
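
The condition described in the post above (a password field served or submitted over plain HTTP) can be checked by a site owner with a short script. This is an added example, not part of the original post; the function names, the finding labels and the `forum.example` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Record every <form> with its action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}, ...]
        self._open = None      # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open is None:
                # Password field outside any <form>: assume it is sent to the page itself.
                self.forms.append({"action": "", "has_password": True})
            else:
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_page(page_url, html):
    """Return (finding, submit_url) pairs for password forms exposed to plain HTTP."""
    scanner = FormScanner()
    scanner.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if not page_is_https:
            # An HTTP page can be altered in transit, so even an https action is not trustworthy.
            findings.append(("page-not-https", target))
        elif urlsplit(target).scheme != "https":
            findings.append(("submits-to-http", target))
    return findings


# Constructed sample markup (hypothetical); forum.example is a placeholder host.
SAMPLE = """<form action="/search.php"><input type="text" name="q"></form>
<form action="login.php" method="post"><input name="user"><input type="PASSWORD" name="pass"></form>"""
```

Calling `audit_login_page("http://forum.example/index.php", SAMPLE)` flags only the login form; the search form has no password field and is ignored.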
 

IWT


Joined
Jan 23, 2009
Messages
10,292
Reaction score
2,231
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sonoma 14.4.1 Apple 5K Retina Studio Monitor
I've no doubt that our Admins and Moderators are in control of the situation; but for those who might be interested in the advantages of HTTPS and how easy it is (apparently) to convert a website to HTTPS, have a look at this site:

https://httpsiseasy.com

Ian
 

pigoo3

The login credentials are easy to intercept, when they are in plain text in transit, and steal whatever information is available within the profile. It's sort of interesting that this forum requires a complex password; however, it does not secure it in transit. Sort of defeats the purpose it seems...

No sensitive personal information is stored in anyone's Mac-Forums profile. We always encourage members to use unique userids & passwords for their Mac-Forums account information. I wouldn't use the same exact login credentials for Mac-forums as I use for my online banking or online investment accounts.

While I don't doubt that the Mac-Forum is reasonably secure, maybe more so than other forums, it would not hurt implementing HTTPS for all the connections to the forum, including authentication. The chances are that the forum's hosting company supports Let's Encrypt, in which case it's relatively easy to add HTTPS. And it's also free...

Incorporating an SSL certificate (https) into the website is planned. Some migration issues need to be worked out before the SSL cert. will function (thus not as easy to add as someone may think)...otherwise it would already be in place.:)

But again...there's no personal information at risk in each members profile:

- no phone numbers
- no home addresses
- no credit card info
- no real names
- no personal ID numbers
- no SSN info
- etc.

Mac-Forums just isn't that sort of site that needs or stores this sort of info. As soon as possible...we will get an SSL cert. in place (https). Not necessarily because we need one...but because that's the way many websites are moving towards.

Thanks for the feedback.:)
 
Joined
Oct 16, 2010
Messages
17,542
Reaction score
1,576
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
But again…there's no personal information at risk in each members profile:


Exactly!! And I also fail to see or understand how any normal user's data could be intercepted, at least if they were operating from home, and add the protection advantage of using an Ethernet connection rather than wi-fi.

And even if they did intercept and harvest my password to login here and actually post something, I could just post myself and let harry know it wasn't even me that was posting. ;D




- Patrick
======
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
No sensitive personal information is stored in anyone's Mac-Forums profile. We always encourage members to use unique userids & passwords for their Mac-Forums account information. I wouldn't use the same exact login credentials for Mac-forums as I use for my online banking or online investment accounts.



Incorporating an SSL certificate (https) into the website is planned. Some migration issues need to be worked out before the SSL cert. will function (thus not as easy to add as someone may think)...otherwise it would already be in place.:)

But again...there's no personal information at risk in each members profile:

- no phone numbers
- no home addresses
- no credit card info
- no real names
- no personal ID numbers
- no SSN info
- etc.

Mac-Forums just isn't that sort of site that needs or stores this sort of info. As soon as possible...we will get an SSL cert. in place (https). Not necessarily because we need one...but because that's the way many websites are moving towards.

Thanks for the feedback.:)

Getting and installing the SSL cert certainly is not as easy, especially, if the hosting provider does not support it and the site is on a shared server. The free ones always require more legwork, than the purchased one, no question about that.

Certainly, the minimal information stored in the profile at this forum, at least in my case, isn't worth worrying about it. Even, if the "required information" asked for more...

I wish I could help you, but have not worked with SSL certs for 8-10 years...
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
Exactly!! And I also fail to see or understand how any normal user's data could be intercepted, at least if they were operating from home, and add the protection advantage of using an Ethernet connection rather than wi-fi.

I'll be just the Devil's advocate...

Both your ISP and/or VPN provider and the hosting company can harvest your UID/PWD for this site. WiFi possibly adds an additional venue for doing the same. While the chances are that not many people would be interested in members' UID/PWD here, the chances are that there are some who'd like to try your password somewhere more important than a forum access. It would not be the first time that UID/PWD in plain text floating around has been harvested....

And even if they did intercept and harvest my password to login here and actually post something, I could just post myself and let harry know it wasn't even me that was posting. ;D

- Patrick
======

Do you think Harry would believe me as well in that case? Probably not, even if the posting in question does not display my usual grammar errors...:D
 
Joined
Jul 12, 2018
Messages
38
Reaction score
0
Points
6
Location
London
Your Mac's Specs
2016 Apple Macbook Air
I think the reason for this matter is that Google is having an update against pop-ups and blocking system. Most websites with an HTTP address are prone to "Not Secure" pop-ups, but this also appears on pages that contain sensitive input fields. That’s why they have made it a priority to mark non-secure sites containing password and credit card input fields as "Not Secure" in the URL bar.
 
Joined
Mar 15, 2006
Messages
1,237
Reaction score
27
Points
48
Your Mac's Specs
2015 Retina 4K iMac. Monterey. 8GB RAM. Crucial 500GB external SSD
Mine says "logins entered on this page could be compromised"... which is true for any website that is not using SSL (https). The only thing a bad hacker could get here is your email and password. Make sure that the password you use here is not being used on any other site.
 
Joined
May 21, 2012
Messages
10,747
Reaction score
1,196
Points
113
Location
Rhode Island
Your Mac's Specs
M1 Mac Studio, 11" iPad Pro 3rd Gen, iPhone 13 Pro Max, Watch Series 7, AirPods Pro
I just want to add, I don't remember the last time I was forced to change my forum password? I know I haven't changed it since I found out the site is still operating, after we thought we would be moving to the new site. I'm just saying that I have not been forced/asked to change my password, like the forum is supposed to make us? Maybe this is a reason I am unable to add an avatar or profile image?
 

dtravis7


Retired Staff
Joined
Jan 4, 2005
Messages
30,133
Reaction score
703
Points
113
Location
Modesto, Ca.
Your Mac's Specs
MacMini M-1 MacOS Monterey, iMac 2010 27"Quad I7 , MBPLate2011, iPad Pro10.5", iPhoneSE
I do not know about how things are working since the Migration, but I have been asked every few months to change my password which I have done.
 

pigoo3

I was asked to change my password rather recently as well...think it was a couple weeks ago. Currently the setting is every 3 months.

- Nick
 
