Website not secure

[jhockin]

Just got a “ website not secure “ warning, about this website, from my browser.
Any thing to be concerned about?

[Steve Ashton]

No, nothing to be concerned about. This is a new thing that is popping up.

It has to do with a certificate that e-commerce sites are converting to.

As X Marks is not an e-commerce site we have not felt a need to convert over to this type of site.

For now, just ignore the message. We may convert at some later date and we will make an announcement before we do.

[Baeau]

Steve............A few minutes ago, while trying to post a comment, I hit the the Preview Post button. For a split second (literally), I saw a white screen, with WARNING followed by other words. Is this part of the same "Nothing to be concerned about"? .

Cheers,
Steve

[Steve Ashton]

As I said before this is a fairly recent addition to browsers like Chrome and Firefox. It is your browser, not X Marks, that is displaying the "not secure" message.

This message does not mean that there is anything wrong with X Marks.

The new addition on browsers looks for the difference between sites that use the http protocol v.s. those that use the https protocol. Any page with a website address starting with "http:// v.s. "https:// will cause the browser to display the “Not Secure” warning.

The additional 's' in https stands for 'secure' and denotes that the site has purchased an SSL certificate. An SSL (Secure Sockets Layer) certificate then installs a code on the website which activates an encryption 'padlock' between the site and a customer. This padlock adds an additional level of security for those sites which transmit sensitive data such as credit card numbers, payments and payment information between a site and a customer. Sort of like a secure or encrypted telephone, like those used in the Pentagon, v.s. a regular phone in your home.

Amazon is an https site.

I have spoken to kiltedcodewarrior about this and he advises, that while we could purchase an SSL certificate, it does not really give us any added features or security for an on-line forum where no credit card information or payments are transmitted between X Marks and our members.

But yes, I will probably be forced to purchase an SSL certificate, in the near future, just to end the "not secure" being displayed and our members becoming concerned.

[Steve Ashton]

Steve............A few minutes ago, while trying to post a comment, I hit the the Preview Post button. For a split second (literally), I saw a white screen, with WARNING followed by other words. Is this part of the same "Nothing to be concerned about"? .

Cheers,
Steve

No, I do not believe your white screen is part of the same thing. I am not sure what you saw.

[Baeau]

That's two of us, that aren't sure what I saw. This moment, I hit Preview Post. No white screen. All is normal. The sky isn't falling. Thanks for the SSL Certificate explaination.

[TheGratefulNed]

I have spoken to kiltedcodewarrior about this and he advises, that while we could purchase an SSL certificate, it does not really give us any added features or security for an on-line forum where no credit card information or payments are transmitted between X Marks and our members.

But yes, I will probably be forced to purchase an SSL certificate, in the near future, just to end the "not secure" being displayed and our members becoming concerned.

Beyond the minor annoyance of newer browsers displaying warnings, the other reason you might consider installing a security certificate is to fully encrypt our login credentials. A lot of people will use the same password or two across many different platforms and non-encrypted traffic is fairly trivial to sniff and parse, which means cracking a password on one site can lead to a malicious actor being able to access many, if not all, other sites/services that person uses.

Looking at the website's code, it is apparently doing an MD5 hash (encryption) of the password when you click the "Log in" button, which means the passwords at least aren't being sent as plain-text. However, while MD5 is not a directly reversible algorithm, its long history and known limitations/problems make it relatively easy to crack MD5-encrypted strings, especially on modern hardware which can calculate 10s-100s of millions of MD5 hashes per second.

[EdinSteve]

I seem to remember this coming up a while ago and it is a salutary lesson for everyone not to use the same password across websites.

[Steve Ashton]

I'm sorry EdinSteve but this has nothing to do with passwords.

[EdinSteve]

I'm sorry EdinSteve but this has nothing to do with passwords.

I see that I get the "Not Secure" message. I take it then that there is no possibility of the site being hacked and passwords stolen so that is reassuring. Thanks Steve.