Just checking in to ensure that the blog and comments are still working for everybody after some fixes this morning.
I got an email from Freedom Feen MWD, warning me that, on the Chrome browser at least, all HTTP sites will soon be labeled “insecure” — which, he notes, is a good development. But which will also discourage people from visiting those sites.
I thought both the blog and ClairesCabal.com were set up for HTTPS. But while the Cabal was properly showing that “s” in its address line, not so with the blog.
Turned out we had a twofold problem. Bear Bussjaeger checked and discovered that the SSL certificate for the blog site was present but had somehow ended up uninstalled. And MWD found a WordPress issue and guided me through a fix for that.
So, thanks to Bear and MWD … when you come to this blog, you should now see HTTPS in the address line AND you should not get any “insecure” messages if you attempt to log in.
It’s working that way for me. But we’ve had certificate issues before. Now, is all well and good for you guys?
Looks good from here.
It’s working for me, Claire, and I’m using Chrome.
My web forum uses a self-signed certificate and that makes Chrome throw the “Unsecured site” error, even though it is https, but all of my regulars know of this and all you have to do is click the “Advanced” link and click that it’s OK to go there and login.
The -s has been missing for some time, but as you had said the blog and cabal were handled differently (the blog being open to all), I assumed the -s didn’t exist on the blog. It is now present.
Thanks for the input, guys. I’m glad to know the new fixes didn’t break anything.
Pat’s right that for blog reading alone, the “s” isn’t vital. However, it should have been there for logging in and for general site security (e.g. making sure that nobody could hack the site and change my donation address to theirs!).
I’m still puzzling over how the SSL certificate — which I know we had — came uninstalled. That’s not a happy thing and will require watchfulness in the future. But for now it’s good to know we’re good.
I suppose I’m among the rare contrarians who isn’t joyful about Google’s heavy-handed flogging of “insecure” sites. Neither of the two sites I manage has any personal info, certainly no CC or other sensitive data. On top of that, the admin interfaces run over HTTPS through the hosting companies’ domains. So I’m hoping I don’t get any squawking about it.
Firefox shows the ‘s’ ,also says parts of this page are not secure(such as images).I have no idea what that means,but HP,Linux and fred are here. 🙂
It seems good in Google
I never was aware of any problem using Firefox on Apple products.
Contrarian jed — Is anybody joyful about it? It’s being done by Google, after all. It’s a heavy-handed way to deal with a problem. Although they’re correct to flag http sites as “insecure,” most people surfing the web probably have no idea what that implies and will just think it means “run like hell.”
It will thus give Google even more control than it already has over what sites people see. MWD, who sent me the original link, foresees this as a way to push freedomista sites farther from view than they already are. The move obviously benefits larger sites with more tech-savvy ownership over small, independent sites.
Then there’s the fact that while http does imply “insecure,” https doesn’t absolutely guarantee “secure,” but may give a false sense of confidence.
Joyful? I don’t think so.
Checked both here and the Cabal. Everything looks good. Glad you said something. I was worried when I couldn’t load the site this morning.
Chromium says that while the page itself is being served up via HTTPS, it’s still pulling in two images via HTTP that are keeping it from showing up as secure:
They’re probably pulled in by a template somewhere…change those references to HTTPS and you should be good to go.
No problems here with firefox. 🙂
Same here, works fine.
I guess that means I’ll have to get into certificates and such for my site, even though it’s straight HTML.
Scott — Thank you for spotting that. Sounds like a fairly easy fix for me — but also as if it could get tricky for a lot of small sites to fix their (truly insignificant or nonexistent) security issues.
And thank you all for the continuing feedback.
The general vibe I get reading various places around the web is that many are quite enthusiastic about it. As you note, MWD calls it “a good development”. But I disagree. A blanket labeling of all sites not using https as “insecure” is overkill and even misleading. Perhaps there’s something I’m missing. Particularly for sites which are only pushing information out, I have to ask what attack vectors are available via http which would be closed via https. I’m all in favor of https for Amazon, my bank, etc., particularly now with people using their phones and connecting over whatever WiFi happens to be available. But as you note, this benefits larger sites over smaller ones, and enhances Google’s position as a gatekeeper. (However, I’m sure that Firefox will follow suit.)
I suppose there’s an element here of my just being a little cranky at the thought of possibly being forced into spending time implementing a site certificate, etc., for the sites I manage, with zero real risk mitigation. I haven’t even looked around at wordpress.com for whether they make it easy.
The images served over http are a red herring, but I guess worth fixing since it’ll stop browswers from throwing up irrelevant warnings.
“a good development”
I should clarify that that was my paraphrase, not his exact words. In fact, he’s concerned about some of the same things you and I are and it was he who raised the idea that this move by Google might push small freedom sites farther out of sight.
I think he meant something more like, “it’s accurate to label http sites as insecure.” “Good” was probably a leap.