Melodeon.net Forums

Forum and website admin => Support => Topic started by: Tone Dumb Greg on May 09, 2019, 02:15:55 PM

Title: Security warning
Post by: Tone Dumb Greg on May 09, 2019, 02:15:55 PM
A couple of days ago I logged into melnet and found the site blocked. I got this message:

"Warning: Potential Security Risk Ahead
Firefox detected an issue and did not continue to forum.melodeon.net. The website is either misconfigured or your computer clock is set to the wrong time.
It’s likely the website’s certificate is expired, which prevents Firefox from connecting securely. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details."

By coincidence, my router went down shortly after. A replacement router turned up this morning. The warning was still there when I logged in, so I did a new search for melodeon.net and logged into the site that led me to, which looks right. However, I noticed that the connection is just prefixed www. I thought a secure connection needed something like https:// . If I add this prefix I still get the error message. Wondering what's going on. Anyone savvy to this?
Title: Re: Security warning
Post by: Theo on May 09, 2019, 02:31:48 PM
We don’t have a security certificate hence the warning.  We don’t expect anyone to enter sensitive data, e.g. credit card details, so no need to worry.  Browsers are just getting more paranoid!

Similar topic here http://forum.melodeon.net/index.php/topic,23813.0.html
Title: Re: Security warning
Post by: Tone Dumb Greg on May 09, 2019, 05:30:51 PM
Thanks Theo
Title: Re: Security warning
Post by: Anahata on May 09, 2019, 11:32:07 PM
We do enter passwords sometimes, though.

And you can get a free security certificate from Letsencrypt (https://letsencrypt.org/), but your web hosting setup needs to be able to support it by fetching a new certificate automatically every two months.
Title: Re: Security warning
Post by: Theo on May 10, 2019, 08:33:41 AM
Thanks for that suggestion.  I think our web host offers a free security certificate.  I’ll talk to Clive about that.
Title: Re: Security warning
Post by: Alan Morley on May 10, 2019, 10:24:57 AM
Some browsers will not display a web page that has not got the prefix https://

If you get to the hosting service, there is usually a free security certificate available called Lets Encrypt.
Here's a very long link to it...

https://getflywheel.com/why-flywheel/simple-ssl/?utm_term=what%20is%20a%20ssl%20certificate&utm_campaign=Simple+SSL&utm_source=adwords&utm_medium=ppc&hsa_tgt=kwd-1514133189&hsa_grp=40763490464&hsa_src=g&hsa_net=adwords&hsa_mt=b&hsa_ver=3&hsa_ad=142256245822&hsa_acc=6858520773&hsa_kw=what%20is%20a%20ssl%20certificate&hsa_cam=668933914&gclid=EAIaIQobChMIyuyLg9KQ4gIV6b_tCh3bWwk7EAAYASAAEgJQvPD_BwE

Once installed, you have to get into the hosting's cPanel area and configure a redirect from http to https for it to work.
Title: Re: Security warning
Post by: Clive Williams on May 11, 2019, 11:46:47 AM
Ah, certificates. Bane of me life. Theo, I think you'll probably need to chat to the hoster's support desk on this.

We've never had a certificate on melodeon.net, mostly because we don't really need it - we don't take payments, and they're a lot of hassle to setup and maintain.

There is regrettably nothing in the cpanel interface to let you autogenerate a certificate; I expect it's done in your hoster account area, then you copy the generated certificate into cpanel.

To do let's encrypt stuff, you either need direct access to the desktop/shell, or to do a really tiresome process every month, forever. Or you use what the hoster provides, which is usually a wrapper around Letsencrypt.

Firefox is working for me by the way; it gives the security warning which I would expect, but other than that lets me login fine.

Theo - by the way; the Cpanel SSL area is muttering about out of date certificates (internal use ones I expect) which expired on 6/5/19; I don't know what they are, but they may be related. It may be we had SSL enabled by default when the host switched, but didn't know about it.

If we do need to/want to implement it, we need to cover 2 domains - www.melodeon.net and forum.melodeon.net. Sorry about that; a knockon effect from when we took over from the old Aimoo site a *long* time ago.
Title: Re: Security warning
Post by: baz parkes on May 11, 2019, 11:59:09 AM
Ah, certificates. Bane of me life. Theo, I think you'll probably need to chat to the hoster's support desk on this.

 they're a lot of hassle to setup and maintain.

Theo - by the way; the Cpanel SSL area is muttering about out of date certificates (internal use ones I expect) which expired on 6/5/19; I don't know what they are, but they may be related. It may be we had SSL enabled by default when the host switched, but didn't know about it.

If we do need to/want to implement it, we need to cover 2 domains - www.melodeon.net and forum.melodeon.net. Sorry about that; a knockon effect from when we took over from the old Aimoo site a *long* time ago.

And all of that serves as a handy reminder of the work the pair of you do to allow us to indulge ourselves in nice speculations of melodeon based philosophy for which we should be ever grateful...chapeau... :|glug
Title: Re: Security warning
Post by: Theo on May 11, 2019, 12:38:11 PM
Thanks for the details Clive.

Our previous host provided a free Letsencrypt certificate which I implemented on my website, which is a separate part of the same reseller hosting package.  With the new host it’s a paid add-on.  I’ll ask if it can be applied to the forum domains.
Title: Re: Security warning
Post by: Anahata on May 11, 2019, 04:55:45 PM
You can ask letsencrypt for a certificate that covers specific subdomains, so that's not a problem. Whether your hosting has support for automatic renewal is another matter. And manual renewal every 2 months - forget it!

(I'm currently moving all mine to new provider and running it with Virtualmin, which lets you give a list of subdomains you want for a letsencrypt certificate, for each domain.)
Title: Re: Security warning
Post by: Chris Ryall on May 12, 2019, 11:56:53 AM
You can ask letsencrypt for a certificate that covers specific subdomains, so that's not a problem. Whether your hosting has support for automatic renewal is another matter. And manual renewal every 2 months - forget it!

(I'm currently moving all mine to new provider and running it with Virtualmin, which lets you give a list of subdomains you want for a letsencrypt certificate, for each domain.)

As a client (Anahata's a reliable and gracious host) (:) I await instructions …  :|glug
Title: Re: Security warning
Post by: Peter Savage on May 22, 2019, 05:50:47 PM
Is there any way to turn off this security warning in my Chrome browser (mac)?  For a few weeks now I have found melnet unusable since I have to click 3 times each time I change page.  Any ideas?
Title: Re: Security warning
Post by: Theo on May 22, 2019, 05:56:44 PM
I don’t use Chrome but this might help

https://support.google.com/chrome/answer/99020?co=GENIE.Platform%3DDesktop&hl=en
Title: Re: Security warning
Post by: Tone Dumb Greg on May 22, 2019, 05:57:26 PM
Is there any way to turn off this security warning in my Chrome browser (mac)?  For a few weeks now I have found melnet unusable since I have to click 3 times each time I change page.  Any ideas?

I removed the https://
Worked fine then
Title: Re: Security warning
Post by: Broadland Boy on May 22, 2019, 08:01:31 PM
Brilliant Greg - I edited the shortcut / bookmark I use to melnet removing the 's' from https and saved it, which got me straight in, it then seems to navigate between pages as previously, presumably not expecting sub pages to be secure either.

The non melodeon related brain power among forum members is impressive  ;D
Title: Re: Security warning
Post by: Tone Dumb Greg on May 22, 2019, 11:20:35 PM
Brilliant Greg - I edited the shortcut / bookmark I use to melnet removing the 's' from https and saved it, which got me straight in, it then seems to navigate between pages as previously, presumably not expecting sub pages to be secure either.

The non melodeon related brain power among forum members is impressive  ;D

 :D
For me, the slightly odd thing is that I only started using the secured https:// address because my browser objected if I didn't. Suppose that's progress.
Title: Re: Security warning
Post by: Anahata on May 22, 2019, 11:44:46 PM
For me, the slightly odd thing is that I only started using the secured https:// address because my browser objected if I didn't.

You should use https: if the site supports it, but if (like melnet currently) it doesn't, you HAVE to use http: or you'll get severe warnings.

If the site supports https: it's also quite easy to configure the server to redirect from http: to https:, which enforces the first part of the above rule.
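
Added example (not part of any post in this thread): a small Python check for the two conditions discussed above, an expired certificate and a certificate that must cover both www.melodeon.net and forum.melodeon.net. The certificate dictionaries are constructed sample data in the shape returned by `ssl.SSLSocket.getpeercert()`; their names and dates are assumptions for illustration, not the site's real certificates.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Match a certificate DNS name against a hostname.
    A '*' is honoured only as the whole leftmost label and covers one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def audit(cert, hostnames, now):
    """Return {hostname: [problems]} for a getpeercert()-style dict."""
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    report = {}
    for host in hostnames:
        problems = []
        if now > expiry:
            problems.append("expired")
        if not any(name_matches(n, host) for n in dns_names):
            problems.append("name not covered")
        report[host] = problems
    return report

# The two hostnames named in the thread.
SITE_HOSTS = ["www.melodeon.net", "forum.melodeon.net"]

# Constructed sample: an expired certificate that lists only one hostname.
EXPIRED_SINGLE_NAME = {
    "notAfter": "May  6 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "www.melodeon.net"),),
}
# Constructed sample: a current certificate listing both hostnames.
VALID_BOTH_NAMES = {
    "notAfter": "Aug  9 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "www.melodeon.net"),
                       ("DNS", "forum.melodeon.net")),
}

if __name__ == "__main__":
    when = datetime(2019, 5, 9, tzinfo=timezone.utc)
    for label, cert in (("expired/single", EXPIRED_SINGLE_NAME),
                        ("valid/both", VALID_BOTH_NAMES)):
        print(label, audit(cert, SITE_HOSTS, when))
```

An empty problem list for every hostname is the state in which a browser would accept https:// on both addresses and an http-to-https redirect becomes safe to enable.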