Jump to content
Sign in to follow this  
Don Taylor

Concertina.net Site Security

Recommended Posts

I have just noticed that the connection used for logins by concertina.net is not encrypted:

 

"Not secure | www.concertina.net/forums/"

 

This is from the Chrome browser, Firefox is more explicit - it warns me not to go to the site.

 

Is the forum software being used fully up to date with all security patches?

 

The takeaway for everyone right now is to be sure to use a unique password for this site alone so that if it is compromised then it will only be your concertina.net account and not your bank or PayPal account.

 

Don.

Share this post


Link to post
Share on other sites

It's not the forum software itself. The web server that the forum software is running on has to be configured to use SSL. This requires a certificate from a certificate authority, which costs money every year.

The result is that data being transmitted from your computer to this website is not end-to-end encrypted. So someone snooping the line or the wi-fi might be able to see everything you type, including your password. It's also easy for someone to spoof the site and pretend to be concertina.net.

As Don said, use a unique password for this site.

Share this post


Link to post
Share on other sites

I started getting this message after the latest firefox upgrade. the way I read it, it treats the site as not secure when the site address does NOT include "https"

Share this post


Link to post
Share on other sites

I started getting this message after the latest firefox upgrade. the way I read it, it treats the site as not secure when the site address does NOT include "https"

That's right. Not using an HTTPS link means that passwords are transmitted in plain text and can easily be hoovered up when using a wifi connection.

Share this post


Link to post
Share on other sites

It's not the forum software itself. The web server that the forum software is running on has to be configured to use SSL. This requires a certificate from a certificate authority, which costs money every year.

It's no longer the case that you need to pay money to get an SSL cert for your site:

https://letsencrypt.org/

Share this post


Link to post
Share on other sites

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual.

Share this post


Link to post
Share on other sites

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual.

No, everybody who uses the site is potentially at risk, because the server doesn't support encryption. This isn't a new risk by any means; it's just that awareness of it is increasing, and many websites are now switching over to using encryption by default.

Share this post


Link to post
Share on other sites

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual.

Have you updated Firefox recently? If not then you may be running an old version that does not display a warning but, as Alex says, the risk is still there.

 

Mozilla (Firefox) and Google (Chrome) are trying to raise awareness of this issue in the hope that site owners will start using encrypted connections if site users complain enough...

Share this post


Link to post
Share on other sites

Have you updated Firefox recently? If not then you may be running an old version that does

not display a warning but, as Alex says, the risk is still there.

 

Don, thank you for alerting the community to this problem.

 

I use the version of Firefox supplied by portableapps.com. This is updated fairly

frequently, and I always download the updated version pretty promptly, but I too

have not seen warnings of the type described in this thread. Is there some other

wrinkle I/we should know about to make these warnings visible? Clearly this has

relevance in respect of many other sites...

 

Thank you.

 

Roger

 

PS: FWIW, melodeon.net does have a https 'handle' to its URL.

Share this post


Link to post
Share on other sites

Are you being logged in automatically?

 

If so, try logging out and logging back in again manually.

 

(I also use the Portable apps version of Firefox and I see the warning. I think it started showing up in version 51).

Edited by Don Taylor

Share this post


Link to post
Share on other sites

:-/ Hmmm...

 

I generally use Safari here (currently v10.0.3 for Mac), which shows no warning of any kind. But I’ve got Firefox v52 on my Mac as well, so I just tried it and while it shows a padlock icon with an orange slash through it in the address bar, I see no other warning.

 

[Edited, after seeing Roger’s post, to add:]

 

Aha! Found it. I hadn’t tried to log in, but there’s the warning as soon as I clicked the “Sign In” link.

 

[Edited, again]

 

So now I logged out and back in again on Safari. No warning.

 

For years, I’ve been using a password management app that maintains a different password for each site.

Edited by David Barnert

Share this post


Link to post
Share on other sites

Are you being logged in automatically?

 

If so, try logging out and logging back in again manually.

 

(I also use the Portable apps version of Firefox and I see the warning. I think it started showing up in version 51).

 

I usually leave myself logged in - however, I logged out and then logged in - I see a padlock icon with a red

bar through, but no text message. That is sufficient warning for me. My Portableapps version of Firefox is 51.

The absence of a message is a little puzzling but it's not really a problem as I have changed my password as

Don suggested.

 

Thanks.

 

Roger

 

[Edited after DB's edit if you see what I mean...] To be quite specific, I only get the padlock-with-red-bar icon

when I connect. Once I login, that icon goes away, so folks who stay logged in (like me) may not have seen the

warning icon. Still no text message though. Ho hum...]

Edited by lachenal74693

Share this post


Link to post
Share on other sites

Roger, I think don't your version of Firefox being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then chose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.

Share this post


Link to post
Share on other sites

Roger, I think don't your version of Firefox being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then chose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.

This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

Share this post


Link to post
Share on other sites

 

This is correct for a normal install, but if you are using the PortableApps version

of Firefox then you should update using the PortableApps launcher.

 

 

Exactement, mon general! This is how I update all PortableApps programs,

so an incorrectly updated version is not (or shouldn't be) the problem...

 

No matter, it's only a minor puzzle, I might try an un-install followed by a

complete re-install when I get time...

 

Roger.

Edited by lachenal74693

Share this post


Link to post
Share on other sites

 

Roger, I think don't your version of Firefox being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then chose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.

This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

 

I do use the PortableApps version of Firefox. On multiple PCs. With the Update Option set as above I always receive notice of new versions.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×