check_status (OP)
Full Member
Offline
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
March 20, 2012, 03:12:53 AM
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.
Is this a site issue, a certificate issue, or a browser issue?
For Bitcoin to be a true global currency the value of BTC needs always to rise. If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76. P2Pool Server List | How To's and Guides Mega List | 1 EndfedSryGUZK9sPrdvxHntYzv2EBexGA
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
March 20, 2012, 03:14:48 AM
Experiencing something similar. "Some resources" are not secure when in a topic. I'm guessing it's an irrelevant alert, but would be nice to know.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
March 20, 2012, 03:17:35 AM
> When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.
> Is this a site issue, a certificate issue, or a browser issue?
I am assuming that you mean you lose the padlock icon, or the blue bar? That could be caused by loading external images from non-secure sites. Or do you mean it actually switches between https:// and http:// ? I haven't seen that happening.
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
March 20, 2012, 03:18:55 AM
Could it be avatars? It appears the forum software does not host them locally (unless it was uploaded from PC, not URL), but simply redirects to the original site hosting the image.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
March 20, 2012, 03:19:54 AM
> Could it be avatars? It appears the forum software does not host them locally, but simply redirects to the original site hosting the image.
That would be it. There is an option for local storage, but no one seems to use it.
DILLIGAF
March 20, 2012, 03:21:02 AM
> When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.
> Is this a site issue, a certificate issue, or a browser issue?
This is what Chrome tells me when I check the certificate, and I see the same lock; it has a yellow triangle for a warning on it no matter the page.
Your connection to bitcointalk.org is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
The connection uses TLS 1.0.
The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
The connection is compressed with DEFLATE.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 20, 2012, 03:25:44 AM
I, too, have been getting that red line through the https:// part of the URL.
~Bruno~
check_status (OP)
Full Member
Offline
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
March 20, 2012, 03:30:55 AM
Avatars sounds like one good reason. In Opera, if I open a new site, banking.bs, the degraded security persists. Chrome is not quite the same, https returns, maybe because of process separation.
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13407
March 20, 2012, 04:04:07 AM
Yeah, it's avatars and stuff. Nothing to be worried about.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
mowat
Newbie
Offline
Activity: 4
Merit: 0
March 20, 2012, 08:29:12 PM
The most important thing that you want SSL to protect is your password and cookie. An attacker who MITMs you (for example, at a public wifi AP) could take control of your account otherwise. The way SSL currently works on the site, those should be secure. I have avatars turned off and only lose the padlock when external images are included in a post, so this is most likely the cause.
To an extent, that's a privacy issue, since an attacker could get some idea of the content you are reading from the images. On the other hand, they can read the forum for themselves. They could also look at who posts every time you are connecting to the site. With enough data points, they could narrow it down to your username. The only effective defense against someone in that position would be to publish posts at random time intervals after submitting them.
grue
Legendary
Offline
Activity: 2058
Merit: 1452
March 21, 2012, 12:28:47 AM
even only sending the html via https is still better than everything via http
"However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page."
was it that hard to find?
jjjrmy
Member
Offline
Activity: 221
Merit: 10
March 21, 2012, 03:21:10 AM
I think if any page links to anything other than http:// then it isn't considered secure. All links must be https:// for the green lock.
grue
Legendary
Offline
Activity: 2058
Merit: 1452
March 21, 2012, 03:54:22 PM
> I think if any page links to anything other than http:// then it isn't considered secure. All links must be https:// for the green lock.
insecure links are ok, insecure content (scripts, images, style sheets) are not.
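
The distinction the thread arrives at (externally hosted avatars and post images cost the padlock, plain links do not), as an added example that is not part of the original posts: a small Python scanner that lists the http:// subresources an HTTPS page would load. The URLs and sample markup are constructed, and the "passive"/"active" labels are common browser terminology rather than the thread's.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs the browser fetches as part of rendering the page.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}

# Constructed sample of a topic page; hosts and paths are placeholders.
SAMPLE_TOPIC = """
<link rel="stylesheet" href="/Themes/default.css">
<img class="avatar" src="http://images.example.net/alice.png">
<img class="avatar" src="/avatars/bob.png">
<img src="//cdn.example.org/chart.png">
<a href="http://example.com/article">read more</a>
<script src="http://widgets.example.net/w.js"></script>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheets are loaded; other rel values are not
            if "stylesheet" in (attrs.get("rel") or "").lower().split():
                self._check("active", tag, attrs.get("href"))
            return
        for attr, value in attrs.items():
            if (tag, attr) in ACTIVE:
                self._check("active", tag, value)
            elif (tag, attr) in PASSIVE:
                self._check("passive", tag, value)
        # <a href> is ignored on purpose: a link is navigation, not page content.

    def _check(self, kind, tag, url):
        # Resolve relative and protocol-relative URLs against the page first.
        absolute = urljoin(self.page_url, (url or "").strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return the insecure subresources of an HTTPS page as (kind, tag, url)."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run against the sample with `scan("https://forum.example/index.php?topic=1", SAMPLE_TOPIC)`, only the remote avatar and the remote script are reported; the locally hosted avatar, the protocol-relative image and the plain link are not.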