Bitcoin Forum

Other => Meta => Topic started by: check_status on March 20, 2012, 03:12:53 AM



Title: Bitcointalk https is not staying secure
Post by: check_status on March 20, 2012, 03:12:53 AM
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.

Is this a site issue, a certificate issue, or a browser issue?


Title: Re: Bitcointalk https is not staying secure
Post by: Kluge on March 20, 2012, 03:14:48 AM
Experiencing something similar. "Some resources" are not secure when in a topic. I'm guessing it's an irrelevant alert, but would be nice to know.


Title: Re: Bitcointalk https is not staying secure
Post by: rjk on March 20, 2012, 03:17:35 AM
Quote from: check_status
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.

Is this a site issue, a certificate issue, or a browser issue?

I am assuming that you mean you lose the padlock icon, or the blue bar? That could be caused by loading external images from non-secure sites. Or do you mean it actually switches between https:// and http:// ? I haven't seen that happening.


Title: Re: Bitcointalk https is not staying secure
Post by: Kluge on March 20, 2012, 03:18:55 AM
Could it be avatars? It appears the forum software does not host them locally (unless it was uploaded from PC, not URL), but simply redirects to the original site hosting the image.


Title: Re: Bitcointalk https is not staying secure
Post by: rjk on March 20, 2012, 03:19:54 AM
Quote from: Kluge
Could it be avatars? It appears the forum software does not host them locally, but simply redirects to the original site hosting the image.

That would be it. There is an option for local storage, but no one seems to use it.


Title: Re: Bitcointalk https is not staying secure
Post by: DILLIGAF on March 20, 2012, 03:21:02 AM
Quote from: check_status
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.

Is this a site issue, a certificate issue, or a browser issue?


This is what Chrome tells me when I check the certificate, and I see the same lock; it has a yellow triangle for a warning on it no matter the page.

Quote
Your connection to bitcointalk.org is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

The connection uses TLS 1.0.

The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

The connection is compressed with DEFLATE.


Title: Re: Bitcointalk https is not staying secure
Post by: Phinnaeus Gage on March 20, 2012, 03:25:44 AM
I, too, have been getting that red line through the https:// part of the URL.

~Bruno~


Title: Re: Bitcointalk https is not staying secure
Post by: check_status on March 20, 2012, 03:30:55 AM
Avatars sounds like one good reason.
In Opera, if I open a new site, banking.bs, the degraded security persists. Chrome is not quite the same, https returns, maybe because of process separation.


Title: Re: Bitcointalk https is not staying secure
Post by: theymos on March 20, 2012, 04:04:07 AM
Yeah, it's avatars and stuff. Nothing to be worried about.


Title: Re: Bitcointalk https is not staying secure
Post by: mowat on March 20, 2012, 08:29:12 PM
The most important thing that you want SSL to protect is your password and cookie. An attacker who MITMs you (for example, at a public wifi AP) could take control of your account otherwise. The way SSL currently works on the site, those should be secure. I have avatars turned off and only lose the padlock when external images are included in a post, so this is most likely the cause.

To an extent, that's a privacy issue, since an attacker could get some idea of the content you are reading from the images. On the other hand, they can read the forum for themselves. They could also look at who posts every time you are connecting to the site. With enough data points, they could narrow it down to your username. The only effective defense against someone in that position would be to publish posts at random time intervals after submitting them.


Title: Re: Bitcointalk https is not staying secure
Post by: grue on March 21, 2012, 12:28:47 AM
even only sending the html via https is still better than everything via http :P
Quote from: YOUR BROWSER
However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
was it that hard to find?


Title: Re: Bitcointalk https is not staying secure
Post by: jjjrmy on March 21, 2012, 03:21:10 AM
I think if any page links to anything other than http:// then it isn't considered secure. All links must be https:// for the green lock.


Title: Re: Bitcointalk https is not staying secure
Post by: grue on March 21, 2012, 03:54:22 PM
Quote from: jjjrmy
I think if any page links to anything other than http:// then it isn't considered secure. All links must be https:// for the green lock.
insecure links are ok, insecure content (scripts, images, style sheets) are not.
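

The distinction the thread arrives at (plain links to http:// pages do not affect the padlock, embedded http:// resources such as remote avatars do), shown as an added example that is not part of the original thread. It audits a page's HTML for subresources that would load over http; the host names, file paths and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# Active content can rewrite the page; passive content (images) is the
# remote-avatar case the thread describes.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a subresource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for kind, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for t, a in kind:
                if t == tag and attrs.get(a):
                    # Resolve relative and scheme-relative (//host/x) URLs
                    # against the page, as a browser would.
                    url = urljoin(self.page_url, attrs[a])
                    if urlsplit(url).scheme == "http":
                        self.findings.append((severity, tag, url))


def audit(page_url, html):
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a forum topic page with one remote avatar.
SAMPLE = """
<link rel="stylesheet" href="/Themes/default/style.css">
<a href="http://example.com/some-article">external link</a>
<img class="avatar" src="http://images.example.net/avatar.png">
<img src="https://forum.example.org/smileys/smile.gif">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/tracker.js"></script>
"""

if __name__ == "__main__":
    for finding in audit("https://forum.example.org/index.php?topic=1", SAMPLE):
        print(*finding)
```

The `<a href="http://...">` link is never reported, while the avatar image is flagged as passive mixed content and the http script as active mixed content.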