Classicamiga Forum Retro Edition
Thread: Site Not Secure
Kin Hell 13:44 2nd September 2018
What gives Harrison?

Not Secure.jpg
Stephen Coates 18:50 2nd September 2018
I assume it's because the site uses HTTP, and some browsers highlight this by displaying 'Not Secure'.

I notice in the screenshot that your browser omits the actual protocol from the URL. I have the privilege of seeing the whole thing:

I have wondered if we might get changed to HTTPS at some point, but it's not something I'd be in a hurry to do.
Harrison 20:36 2nd September 2018
What browser are you using Kin?

Google have recently locked down their systems, so using Chrome and it will complain if you are not using shttp now, sometimes even throwing up a warning page and blocking access and making you agree to continue. Firefox and some others are also locking things down a bit more now too.

Same is also happening with Gmail and domain authentication when it receives an email. It now checks for a domain's SPF record settings. If it's not set at all it will block the email and instead show a neutral security warning, or if not set to hard settings (i.e. only emails sent directly from the domain) Gmail automatically rejects the email or sends it straight to spam. I really don't agree with this level of email handling and domain authentication as so many domains don't need shttp security token settings or even have an SPF record set up for emails, and many domain owners will never have even heard of it.
Tiago 10:51 3rd September 2018
As far as I know, the HTTPS should be the new "standard". Google engine puts a website https in better search position than http.
And http will be a non secure website.
But you have to pay extra for https. If it is a new standard, why do we have to pay?
Stephen Coates 14:53 3rd September 2018
This subject has been a massive debate on a few forums that I visit.

I agree with the principle of encrypting everything, but it isn't always necessary. For example, my private telephone calls aren't encrypted, and I sometimes discuss matters of a personal nature in places where they can be overheard.

On one forum, the admin is quite modern (despite it being a forum about vintage computers) and insisted that the site will be HTTPS only, with no option to fall back to HTTP. This annoyed quite a few users who wanted to access the site from browsers which had poor support for HTTPS.

Another forum I am on is HTTP by default, but HTTPS can be used optionally. Some people really didn't give a toss, as they are using the site to make public posts, so there is no issue if it is intercepted. Others were concerned about ISP snooping, advert injection etc.

I'm not too fussed personally, but I'd suggest using HTTPS by default if possible, and offering a fall back to HTTP. Of course if HTTPS isn't practical, I've no objection to HTTP on its own.
Kin Hell 12:14 4th September 2018
Aye, using Chrome on Win 10 Pro....

Didn't mean to open a Pandora-like box either Harrison, but I also thought "HTTPS" was the new Standard!
J T 23:21 5th September 2018
I remember when I used to use a sandboxed browser for dodgy/questionable things.

Now I just use someone else's device
Harrison 09:29 6th September 2018
@JT. Lol.

From a web development point of view you only need encrypted webpages and/or secure shttp if handling sensitive data such as sales, transactions or business dealings. On forum software which is social media it really hasn't ever been a standard consideration other than maybe protecting membership profile information.

If I get time over the coming month I will look into how easy it might be to implement on here. Amibay would be another good candidate for using shttp, as it is a sales platform after all.