Bad update yesterday? - Page 2

Larry-NC · 06-24-2019, 07:15 PM

Quote:

Originally Posted by NMWildcat

If you are a little too thin skinned for a little gratuitous advice, you are going to have a lot of fun on forums

I wouldn't have 1466 posts if I were thin-skinned.

I am a bit considerate of those who subscribed out of interest in the posting problem, like lschwartz. They didn't need to be subjected to off-topic "advice" they didn't want/need.

Larry

NMWildcat · 06-24-2019, 07:31 PM

Alrighty then

Larry-NC · 06-30-2019, 01:53 PM

Making progress!

I have reproduced this problem on a second computer, configured the same as the first, except for hardware. Different processor and video adapter, so it's not a driver issue. And LSwartz has reproduced it.

But here's the biggie: I've also reproduced it on other websites--and what they have in common with FRF is that they also use insecure HTTP instead of HTTPS with TLS.

It doesn't surprise me that Chrome is treating the HTTP sites differently. Their rationale might be that since the sites are "dangerous" they are making it hard to enter what might be personal information. I've written them to ask and will report back.

Meanwhile, this question comes to mind: "Why in this day and age would a website not use HTTPS?" There's no excuse for it. The formerly expensive ($200 for two years) certificates may now be had for free from Let's Encrypt. It's a simple matter of requesting and receiving a certificate and configuring the web server to use it.

I am webmaster for four or five rinky-dink websites (URLs available on request); high school class reunion, family reunion, two non-profits doing disaster recovery. Every single one of these has HTTPS. Before I got HTTPS onto the high-school reunion website, I actually had classmates emailing me that they were afraid to visit the website until it was updated. FRF could be losing contributors for the same reason.

Larry

**wmtire** · 06-30-2019, 04:34 PM

Quote:

Originally Posted by Larry-NC

Meanwhile, this question comes to mind: "Why in this day and age would a website not use HTTPS?" There's no excuse for it. The formerly expensive ($200 for two years) certificates may now be had for free from Let's Encrypt. It's a simple matter of requesting and receiving a certificate and configuring the web server to use it.

Larry

This question was brought up last year, and this was the answer:

The reason is a little convoluted but here goes:

Last year google began to push websites to use https instead of http as a security update. A few months ago they began to actually began to display that little red triangle;"not secure" on browser address lines.

The forum software is built on an http platform and so this is difficult. We hand coded an update to make the LOGIN page https. This is the page where user credentials are passed and the only sensitive data we store. Once a member has logged in the site reverts to http (and the alert begins to display in browsers). Using https on all pages actually breaks the forum. Offsite links and hosted images no longer work, ads don't display, photos, etc.

So... as you login the page is secure (https) but once you have logged in the regular site is http. Since no login/pass info is being sent on these pages we believe this is safe and reasonable. There's little we can do to change this until we move to a new forum software platform which eventually we will have to do.

You can read more about the google alerts here: https://www.wired.com/story/google-c...-secure-label/

Larry-NC · 06-30-2019, 04:55 PM

Quote:

Originally Posted by wmtire

Last year google began to push websites to use https instead of http as a security update. A few months ago they began to actually began to display that little red triangle;"not secure" on browser address lines.

Exactly. Google was/is trying to force the whole world onto Transport Layer Security (TLS, shows as HTTPS in the browser). That's why I was/am suspicious that messing with popups is now part of Google's campaign. I became especially skeptical when the other site started doing so, because the disabled popups were autocomplete choices. I inferred that Google might be trying to "protect" me by not allowing my Personally Identifiable Information (PII) to be easily or automatically disclosed.

Quote:

Originally Posted by wmtire

The forum software is built on an http platform and so this [conversion of the site to https] is difficult.

I am dubious. I prefer to design my web pages directly in HTML, using Notepad as my HTML editor. One site is completely developed that way. The other three are run by Content Management Systems (CMS, = Drupal or WordPress), but 100% of the content I provide is still done in raw HTML. If you study your pages for a bit and do a search for all uses of HTTP in the code, it becomes feasible to write scripts to change all the files and code which creates content.

It's already been done. FRF is using vBulletin 3.8.8 Beta 1. Here are the instructions to convert a forum to HTTPS. https://forum.vbulletin.com/articles...forum-to-https. Sorry that I cannot insert this as a nice link for you, but that's one of the things that's broken.

Quote:

Originally Posted by wmtire

You can read more about the google alerts here: https://www.wired.com/story/google-c...-secure-label/

Dead link.

Larry

**wmtire** · 06-30-2019, 05:05 PM

Quote:

Originally Posted by Larry-NC

It's already been done. FRF is using vBulletin 3.8.8 Beta 1. Here are the instructions to convert a forum to HTTPS. https://forum.vbulletin.com/articles...forum-to-https. Sorry that I cannot insert this as a nice link for you, but that's one of the things that's broken.

Larry

As per your link above, and affirms what was stated in my previous response, the links to off-site images will be broken, and as many as we have, this is just not viable right now.

THAT'S IT!You shouldn't encounter any difficulties and your site should be showing a green padlock in most browsers.
You may run into issues with 'embedded images', where people have embedded external images or videos from third party sites into your posts, where those sites are or were not using https. These will trigger what is called a 'Mixed Content Warning' in the padlock area of the browser. In practice, what this means is that such embedded images or videos will not show and users may just see a blank space. You should aim to convert these images to attachments, subject to copyright, though this will be a manual task and can be fairly arduous if there are lots of them. Alternatively you can manually edit the embedded URL to change it to https. This will work for major sites like YouTube, but on some sites it may not work if https is not available. There are some third party add-ons that can help with this problem such as THIS ONE, however vBulletin cannot provide official support for third party code.

It is what it is, whether you are dubious or not (your words). We have other forums that may interest you, and are located at the bottom of every page when using the full site. There are a couple of the IT and computer types.

Larry-NC · 06-30-2019, 05:23 PM

Quote:

Originally Posted by wmtire

As per your link above, and was stated in my previous response, the links to off-site images will be broken, and as many as we have, this is just not viable right now.

THAT'S IT!You shouldn't encounter any difficulties and your site should be showing a green padlock in most browsers.
You may run into issues with 'embedded images', where people have embedded external images or videos from third party sites into your posts, where those sites are or were not using https. These will trigger what is called a 'Mixed Content Warning' in the padlock area of the browser. In practice, what this means is that such embedded images or videos will not show and users may just see a blank space. You should aim to convert these images to attachments, subject to copyright, though this will be a manual task and can be fairly arduous if there are lots of them. Alternatively you can manually edit the embedded URL to change it to https. This will work for major sites like YouTube, but on some sites it may not work if https is not available. There are some third party add-ons that can help with this problem such as THIS ONE, however vBulletin cannot provide official support for third party code.

It is what it is, whether you are dubious or not (your words). We have other forums that may interest you, and are located at the bottom of every page when using the full site. There are a couple of the IT and computer types.

Ahh, so user-provided embedded links are the issue. The site I completely do myself has no user-posted content. I looked at one of the other sites, and (as you stated), they convert http requests to https requests.

I definitely understand the issue now. That said, so many links are to Amazon, eBay, Flixxy, Flickr, etc. that it would be interesting to scan the entire forum database, sort target domains by count, and see how far you get down the list before you hit ones that don't support TLS.

Use the standard tools to
--Find all the URLs in user-posted content
--Discard all the ones that already start with https
--For each URL, look for the first "/" beyond position 8. Discard it and everything beyond it. This gives you a list of all the domains.
--Count the number of occurrences of each domain and sort the list by counts descending.

Larry

lswartz · 06-30-2019, 07:38 PM

Interesting thread, thank you very much.

I think this also explains why I get ‘Not Secure - forestriverforums.com’ in Safari on my iPad. I can add a link https://www.google.com so I might not fully understand.

Larry-NC · 09-04-2019, 07:25 PM

Just to follow up on this one, about four days ago I received an update to the Chrome browser and all the problems have gone away. It wasn't my imagination.

**Mr. Dan** · 09-10-2019, 08:06 AM

Quote:

Originally Posted by Larry-NC

Just to follow up on this one, about four days ago I received an update to the Chrome browser and all the problems have gone away. It wasn't my imagination.

... nor was it this site, right?

Larry-NC · 09-10-2019, 08:31 AM

Quote:

Originally Posted by Mr. Dan

... nor was it this site, right?

Hard to say, Dan. There are still a couple of things that aren't quite right. And no other site I visit performs the same functions in the same way.

I visit a couple of sites that have embedded rich text editors similar to this one but not exactly the same. I used to be able to enter a list in either of two ways:

1) Create the list items in flat text, separated by newlines. Then highlight the entire list and click the list icon, which inserts the markup.
2) Click the list icon with nothing highlighted. A dialog box pops up with instructions something like "Enter list items separated by newlines. Enter a newline on blank item to complete.

Method 2 still fails, but slightly differently. No other embedded editor I use works exactly this way so I cannot tell whether it's Chrome or the site editor.

**Mr. Dan** · 09-10-2019, 08:37 AM

Quote:

Originally Posted by Larry-NC

Hard to say, Dan. There are still a couple of things that aren't quite right. And no other site I visit performs the same functions in the same way.

I visit a couple of sites that have embedded rich text editors similar to this one but not exactly the same. I used to be able to enter a list in either of two ways:

1) Create the list items in flat text, separated by newlines. Then highlight the entire list and click the list icon, which inserts the markup.
2) Click the list icon with nothing highlighted. A dialog box pops up with instructions something like "Enter list items separated by newlines. Enter a newline on blank item to complete.

Method 2 still fails, but slightly differently. No other embedded editor I use works exactly this way so I cannot tell whether it's Chrome or the site editor.

I don’t know about all this. I was just going by your comment that “I received an update to the Chrome browser and all the problems have gone away.” I’m moving on. Thx.

You may also like: