Concertina.net Site Security

[Don Taylor]

I have just noticed that the connection used for logins by concertina.net is not encrypted:

 

"Not secure | www.concertina.net/forums/"

 

This is from the Chrome browser, Firefox is more explicit - it warns me not to go to the site.

 

Is the forum software being used fully up to date with all security patches?

 

The takeaway for everyone right now is to be sure to use a unique password for this site alone so that if it is compromised then it will only be your concertina.net account and not your bank or PayPal account.

 

Don.

[Nighthawk]

It's not the forum software itself. The web server that the forum software is running on has to be configured to use SSL. This requires a certificate from a certificate authority, which costs money every year.

The result is that data being transmitted from your computer to this website is not end-to-end encrypted. So someone snooping the line or the wi-fi might be able to see everything you type, including your password. It's also easy for someone to spoof the site and pretend to be concertina.net.

As Don said, use a unique password for this site.

[John Wild]

I started getting this message after the latest firefox upgrade. the way I read it, it treats the site as not secure when the site address does NOT include "https"

[Don Taylor]

I started getting this message after the latest firefox upgrade. the way I read it, it treats the site as not secure when the site address does NOT include "https"

That's right. Not using an HTTPS link means that passwords are transmitted in plain text and can easily be hoovered up when using a wifi connection.

[alex_holden]

It's not the forum software itself. The web server that the forum software is running on has to be configured to use SSL. This requires a certificate from a certificate authority, which costs money every year.

It's no longer the case that you need to pay money to get an SSL cert for your site:

https://letsencrypt.org/

[maccannic]

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual.

[alex_holden]

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual.

No, everybody who uses the site is potentially at risk, because the server doesn't support encryption. This isn't a new risk by any means; it's just that awareness of it is increasing, and many websites are now switching over to using encryption by default.

[Don Taylor]

I'm on Firefox, but I don't get a warning. Does that mean I'm OK, or just thick as usual.

Have you updated Firefox recently? If not then you may be running an old version that does not display a warning but, as Alex says, the risk is still there.

 

Mozilla (Firefox) and Google (Chrome) are trying to raise awareness of this issue in the hope that site owners will start using encrypted connections if site users complain enough...

[lachenal74693]

Have you updated Firefox recently? If not then you may be running an old version that does

not display a warning but, as Alex says, the risk is still there.

 

Don, thank you for alerting the community to this problem.

 

I use the version of Firefox supplied by portableapps.com. This is updated fairly

frequently, and I always download the updated version pretty promptly, but I too

have not seen warnings of the type described in this thread. Is there some other

wrinkle I/we should know about to make these warnings visible? Clearly this has

relevance in respect of many other sites...

 

Thank you.

 

Roger

 

PS: FWIW, melodeon.net does have a https 'handle' to its URL.

[Don Taylor]

Are you being logged in automatically?

 

If so, try logging out and logging back in again manually.

 

(I also use the Portable apps version of Firefox and I see the warning. I think it started showing up in version 51).

Edited March 17, 2017 by Don Taylor

[David Barnert]

:-/ Hmmm...

 

I generally use Safari here (currently v10.0.3 for Mac), which shows no warning of any kind. But I’ve got Firefox v52 on my Mac as well, so I just tried it and while it shows a padlock icon with an orange slash through it in the address bar, I see no other warning.

 

[Edited, after seeing Roger’s post, to add:]

 

Aha! Found it. I hadn’t tried to log in, but there’s the warning as soon as I clicked the “Sign In” link.

 

[Edited, again]

 

So now I logged out and back in again on Safari. No warning.

 

For years, I’ve been using a password management app that maintains a different password for each site.

Edited March 18, 2017 by David Barnert

[lachenal74693]

Are you being logged in automatically?

 

If so, try logging out and logging back in again manually.

 

(I also use the Portable apps version of Firefox and I see the warning. I think it started showing up in version 51).

 

I usually leave myself logged in - however, I logged out and then logged in - I see a padlock icon with a red

bar through, but no text message. That is sufficient warning for me. My Portableapps version of Firefox is 51.

The absence of a message is a little puzzling but it's not really a problem as I have changed my password as

Don suggested.

 

Thanks.

 

Roger

 

[Edited after DB's edit if you see what I mean...] To be quite specific, I only get the padlock-with-red-bar icon

when I connect. Once I login, that icon goes away, so folks who stay logged in (like me) may not have seen the

warning icon. Still no text message though. Ho hum...]

Edited March 18, 2017 by lachenal74693

[JimR]

Roger, I think don't your version of Firefox being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then chose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.

[Don Taylor]

Roger, I think don't your version of Firefox being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then chose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.

This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

[lachenal74693]

 

This is correct for a normal install, but if you are using the PortableApps version

of Firefox then you should update using the PortableApps launcher.

 

 

Exactement, mon general! This is how I update all PortableApps programs,

so an incorrectly updated version is not (or shouldn't be) the problem...

 

No matter, it's only a minor puzzle, I might try an un-install followed by a

complete re-install when I get time...

 

Roger.

Edited March 19, 2017 by lachenal74693

[JimR]

 

Roger, I think don't your version of Firefox being updated. You can get auto updates in the Advanced section of Options. Use the three-bar button in the upper right corner of the browser window, then chose Options, and Advanced. You can either select "Automatically install updates" or "Check for updates, but let me choose". That should get your copy upgraded pretty quickly.

This is correct for a normal install, but if you are using the PortableApps version of Firefox then you should update using the PortableApps launcher.

 

I do use the PortableApps version of Firefox. On multiple PCs. With the Update Option set as above I always receive notice of new versions.