
Concertina.net Site Security


15 replies to this topic

#1 Don Taylor


Posted 15 March 2017 - 07:35 PM

I have just noticed that the connection used for logins by concertina.net is not encrypted:

 

"Not secure | www.concertina.net/forums/"

 

This is from the Chrome browser, Firefox is more explicit - it warns me not to go to the site.

 

Is the forum software being used fully up to date with all security patches?

 

The takeaway for everyone right now is to be sure to use a unique password for this site alone so that if it is compromised then it will only be your concertina.net account and not your bank or PayPal account.

 

Don.



#2 Nighthawk


Posted 16 March 2017 - 02:46 AM

It's not the forum software itself.  The web server that the forum software is running on has to be configured to use SSL.  This requires a certificate from a certificate authority, which costs money every year.

The result is that data being transmitted from your computer to this website is not end-to-end encrypted.  So someone snooping the line or the wi-fi might be able to see everything you type, including your password.  It's also easy for someone to spoof the site and pretend to be concertina.net.   

As Don said, use a unique password for this site.  



#3 John Wild


Posted 16 March 2017 - 09:52 AM

I started getting this message after the latest Firefox upgrade. The way I read it, it treats the site as not secure when the site address does NOT include "https".



#4 Don Taylor


Posted 16 March 2017 - 10:42 AM

> I started getting this message after the latest Firefox upgrade. The way I read it, it treats the site as not secure when the site address does NOT include "https".


That's right. Not using an HTTPS link means that passwords are transmitted in plain text and can easily be hoovered up when using a wifi connection.

#5 alex_holden


Posted 16 March 2017 - 12:30 PM

> It's not the forum software itself. The web server that the forum software is running on has to be configured to use SSL. This requires a certificate from a certificate authority, which costs money every year.


It's no longer the case that you need to pay money to get an SSL cert for your site:
https://letsencrypt.org/

#6 maccannic


Posted 17 March 2017 - 06:05 AM

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual?



#7 alex_holden


Posted 17 March 2017 - 06:51 AM

> I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual?


No, everybody who uses the site is potentially at risk, because the server doesn't support encryption. This isn't a new risk by any means; it's just that awareness of it is increasing, and many websites are now switching over to using encryption by default.

#8 Don Taylor


Posted 17 March 2017 - 09:13 AM

> I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual?


Have you updated Firefox recently? If not then you may be running an old version that does not display a warning but, as Alex says, the risk is still there.

Mozilla (Firefox) and Google (Chrome) are trying to raise awareness of this issue in the hope that site owners will start using encrypted connections if site users complain enough...

#9 lachenal74693


Posted 17 March 2017 - 01:35 PM

> Have you updated Firefox recently? If not then you may be running an old version that does not display a warning but, as Alex says, the risk is still there.

Don, thank you for alerting the community to this problem.

I use the version of Firefox supplied by portableapps.com. This is updated fairly frequently, and I always download the updated version pretty promptly, but I too have not seen warnings of the type described in this thread. Is there some other wrinkle I/we should know about to make these warnings visible? Clearly this has relevance in respect of many other sites...

Thank you.

Roger

PS: FWIW, melodeon.net does have a https 'handle' to its URL.



#10 Don Taylor


Posted 17 March 2017 - 03:22 PM

Are you being logged in automatically?

If so, try logging out and logging back in again manually.

(I also use the Portable apps version of Firefox and I see the warning. I think it started showing up in version 51).

Edited by Don Taylor, 17 March 2017 - 03:24 PM.


#11 David Barnert


Posted 18 March 2017 - 01:18 AM

:-/ Hmmm...

 

I generally use Safari here (currently v10.0.3 for Mac), which shows no warning of any kind. But I’ve got Firefox v52 on my Mac as well, so I just tried it and while it shows a padlock icon with an orange slash through it in the address bar, I see no other warning.

 

[Edited, after seeing Roger’s post, to add:]

 

Aha! Found it. I hadn’t tried to log in, but there’s the warning as soon as I clicked the “Sign In” link.

 

[Edited, again]

 

So now I logged out and back in again on Safari. No warning.

 

For years, I’ve been using a password management app that maintains a different password for each site.


Edited by David Barnert, 18 March 2017 - 01:32 AM.


#12 lachenal74693


Posted 18 March 2017 - 01:19 AM

> Are you being logged in automatically?
>
> If so, try logging out and logging back in again manually.
>
> (I also use the Portable apps version of Firefox and I see the warning. I think it started showing up in version 51).

I usually leave myself logged in - however, I logged out and then logged in - I see a padlock icon with a red bar through, but no text message. That is sufficient warning for me. My Portableapps version of Firefox is 51. The absence of a message is a little puzzling but it's not really a problem as I have changed my password as Don suggested.

Thanks.

Roger

[Edited after DB's edit if you see what I mean...] To be quite specific, I only get the padlock-with-red-bar icon when I connect. Once I login, that icon goes away, so folks who stay logged in (like me) may not have seen the warning icon. Still no text message though. Ho hum...]


Edited by lachenal74693, 18 March 2017 - 01:39 AM.
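
Added example, not part of any post in this thread: posts #11 and #12 report the warning only around the sign-in page, which is what a check keyed on password fields would produce. The Python sketch below approximates such a rule (an assumption about the browsers' logic, not their code) and runs it over constructed pages on a hypothetical `forum.example` host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFormScanner(HTMLParser):
    """Records the action of every <form> holding an <input type=password>."""
    def __init__(self):
        super().__init__()
        self.actions = []         # raw action attributes of password forms
        self.loose_field = False  # password input found outside any <form>
        self._open = None         # action of the form being parsed, else None
        self._has_pw = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open, self._has_pw = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open is None:
                self.loose_field = True
            else:
                self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            if self._has_pw:
                self.actions.append(self._open)
            self._open = None

def insecure_login_findings(page_url, html):
    """Return reasons a browser-style check would flag this page's login."""
    s = PasswordFormScanner()
    s.feed(html)
    s.handle_endtag("form")       # flush a form left unclosed at end of input
    findings = []
    if urlsplit(page_url).scheme != "https" and (s.actions or s.loose_field):
        findings.append("password field on a page not loaded over https")
    for action in s.actions:
        target = urljoin(page_url, action)  # empty action posts to the page itself
        if urlsplit(target).scheme != "https":
            findings.append("credentials submitted in clear text to " + target)
    return findings

# Constructed sample pages (hypothetical host and paths, not the real forum's markup).
LOGIN = '<form action="index.php?do=process" method="post">' \
        '<input name="user"><input type="password" name="pw"></form>'
TOPIC = '<form action="search.php"><input type="text" name="q"></form>'

if __name__ == "__main__":
    for url, page in [("http://forum.example/forums/index.php?app=login", LOGIN),
                      ("http://forum.example/forums/topic/1", TOPIC),
                      ("https://forum.example/forums/login", LOGIN)]:
        print(url, insecure_login_findings(url, page) or "no finding")
```

The topic page produces no finding even though it is served over http, because nothing on it asks for a password; the risk to the session and page content described earlier in the thread is still there.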


#13 JimR


Posted 18 March 2017 - 05:17 PM

Roger, I don't think your version of Firefox is being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then choose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.



#14 Don Taylor


Posted 18 March 2017 - 05:42 PM

> Roger, I don't think your version of Firefox is being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then choose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.


This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

#15 lachenal74693


Posted 19 March 2017 - 01:59 AM

 

> This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

Exactement, mon general! This is how I update all PortableApps programs, so an incorrectly updated version is not (or shouldn't be) the problem...

No matter, it's only a minor puzzle, I might try an un-install followed by a complete re-install when I get time...

Roger.


Edited by lachenal74693, 19 March 2017 - 02:21 AM.


#16 JimR


Posted 19 March 2017 - 02:48 AM

 

> > Roger, I don't think your version of Firefox is being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then choose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.
>
> This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

 

I do use the PortableApps version of Firefox. On multiple PCs. With the Update Option set as above I always receive notice of new versions.





