Unsecure Website Notice appearing over my Login Box to my Forum

  • Just within the last hour I have had the most unpleasant experience of getting a "Insecure Website - This Connection is not secure" message -

    which appears over my Log In Box for my Forum when logging in. Please see 4 Screen Snapshots of which I have attached with this posting.


    I have been using Firefox Mozilla as my Browser.

    I tried switching to Microsoft Edge Browser for logging into my Forum (http:ttttforum.com) but when I put in my Admin User Name and Password

    a message shows saying that my "session has expired, try again" (not sure of the EXACT words, but that is close to what it says).


    My concern of this development - ("Insecure Website"message over my Log In Box to my Forum) - is not so much for myself as it is for potential Visitors -

    Visitors who would hopefully become Registered Members of my Forum!

    It is difficult enough to get people to join under the BEST of circumstances - now with this latest issue it only makes attracting potential Memberships

    much more difficult, as many people when logging onto a website/forum might easily be "turned off" when seeing such a message!


    Can anyone suggest what I should do?

    ADDED NOTE: I was unable to take a Screen Shot of the Insecure Website Notice that appears OVER my Login In Box - so Screen Snap Shot #1 I have uploaded here shows the message I have referred to above.


    DJ

  • Can anyone suggest what I should do?


    Secure your website(s) with SSL. This has nothing to do with the software. It's a problem with your environment and the fact, that Mozilla has just enabled this "feature" in Firefox.

    Signatur:

    CSS
    img:not([alt]) {
    border: 5px solid red;
    filter: blur(5px);
    }
  • Secure your website(s) with SSL. This has nothing to do with the software. It's a problem with your environment and the fact, that Mozilla has just enabled this "feature" in Firefox.

    Yes, I understand that it has nothing to do with the Woltlab Forum Software - I am sorry if you thought I was inferring that it had.

    But I have a question for you:

    So I go to my Hosting Server and get an SSL Certificate. Is there anything I need to do in the ACP of my Woltlab Forum

    to make sure it is installed and working properly?


    The reason why I ask this is mainly because my Hosting Provider will not do any work for me on my Forum Software

    Installation regarding the current installation of the Forum Software on their server equipment - including the SSL Certificate I assume.

    So if there is anything that needs to be modified OR adjustments OR changes needed in my ACP - other than purchasing the SSL Certificate?

    Unless I am wrong in assuming this, I would imagine it falls on my responsibility to do so - (and paying extra for the installation "work" if necessary). Correct?


    Please advise, thank you.

  • Is there anything I need to do in the ACP of my Woltlab Forum


    to make sure it is installed and working properly?


    No. As i said: It has nothing to do with the forum software. Set-up SSL for your domain, enforce connections via HTTPs and that's it.

    Signatur:

    CSS
    img:not([alt]) {
    border: 5px solid red;
    filter: blur(5px);
    }
  • I see that there are a few on Woltlab Forum who have viewed this posting - and perhaps there will be others.

    Because of this, I decided to share some additional information with everyone who may be interested in how all this works out.


    UPDATE:

    I put in a Support Ticket with my Hosting Provider regarding the Purchase of an SSL Certificate - and now waiting for the Billing

    Dept. to respond (which will be during regular business hours tomorrow).


    As for not being able to sign in (earlier tonight) as Administrator to my Forum using Microsoft Edge Browser, I solved that problem

    by re-setting ALL the settings having to do with Cookies (from restricted to allow ALL).


    I can't speak for anyone but myself, however the policy that Firefox Mozilla has now engaged in - to wit: forcing everyone who uses

    their Browser to either connect with every Website and Forum using HTTPS rather than HTTP - and if not using HTTPS, then faced with

    having the extremely annoying Insecure Connection message plastered all over their Sign In OR Log In Boxes on any website

    OR Forum that uses a Sign In Form, is not only frustrating and annoying but is also a real turn-off for anyone considering becoming

    a Member of one's Forum !


    Sure, not everyone uses Firefox Mozilla Browser, but what about those people who do use Firefox Browser; does any serious person

    who has invested in Woltlab Forum Software and who has in addition spent many hours creating and designing their Forum

    really want to loose potential Visitors and Members to their Forum because of Firefox's policy?

    I certainly do not!


    Yes, I will invest in an SSL Certificate for my Forum because I want those who discover my Forum to feel secure in Registering as a Member!

    But as for using Firefox Mozilla Browser, NO, I will be using either Microsoft Edge or some other Browser.


    DJ

  • For clarification: This is a restriction raised by the browser itself and simply triggers whenever a form requests an username and password. This has nothing to do with our software and any we are unable to influence this behavior in any possible way. By the way, it does also trigger on Chrome, all though in a more subtle way of adding a notice in the address bar.


    You should check if your hosting company offers an integration for Let's Encrypt certificates, these are for free and trusted by all browsers.

  • I use SSL and LetsEncrypt, with the virtualmin control panel its a 1 click setup, just need to renew every 3 months or so, but its free and works like a charm for basic SSL. Even, though, if your using SSL you must make sure there is no mixed content, any insecure links on your website, even an image or font not hosted on a https site will break the cert and make a browser throw up an error page and can put punters right off.

  • For clarification: This is a restriction raised by the browser itself and simply triggers whenever a form requests an username and password. This has nothing to do with our software and any we are unable to influence this behavior in any possible way. By the way, it does also trigger on Chrome, all though in a more subtle way of adding a notice in the address bar.


    You should check if your hosting company offers an integration for Let's Encrypt certificates, these are for free and trusted by all browsers.

    Thank you for your comments.

    As I mentioned in my reply to SoftCreatR it was not my intention to lay any blame on Woltlab with regard to the issue of "Insecure Connection"

    Firefox Mozilla is so eager to get everyone to use HTTPS instead of HTTP.


    I primarily made my post on this issue because I wanted "input" from Woltlab Staff, and Woltlab Forum Members and Visitors.

    Furthermore, I hold the opinion that this is an issue which anyone who has a Forum/Website - whether using Woltlab Software or not -

    should be concerned about.


    Firefox did not have to use so blazingly in-your-face type behavior with their Insecure Connection Message - as they have designed it, the message

    covers up 90 percent of the Log In Box where one puts in his or her User Name and Password credentials. Very rude and really quite beyond

    professional "courtesy" to say the least.


    As for checking with my Hosting Company, about three hours ago I proceeded with purchasing an SSL Certificate. The particular Hosting Company

    I use provides the purchase and instillation of the SSL Certificate with their 2nd Tier VPS Hosting Package - of which I upgraded to today.


    DJ

  • As for checking with my Hosting Company, about three hours ago I proceeded with purchasing an SSL Certificate. The particular Hosting Company

    I use provides the purchase and instillation of the SSL Certificate with their 2nd Tier VPS Hosting Package - of which I upgraded to today.

    Alexander only pointed out that it would have been possible (if avaialble) to use LetsEncrypt as a free of charge SSL certificate.


    Since you already upgrade and purchased yours, is it working now?

  • I use SSL and LetsEncrypt, with the virtualmin control panel its a 1 click setup, just need to renew every 3 months or so, but its free and works like a charm for basic SSL. Even, though, if your using SSL you must make sure there is no mixed content, any insecure links on your website, even an image or font not hosted on a https site will break the cert and make a browser throw up an error page and can put punters right off.

    Thank you for your input!

    Yes, I am aware of Let'sEncrypt - as Firefox Mozilla is pushing that in one of their "explanation pages" regarding the

    Insecure Connection message issue.


    However, I went with the SSL Certificate with the Hosting provider I use because I want everything I do concerning my 4T Forum/Websites

    to be in one place. Besides, they have been really helpful to me on several issues that have come up - regarding my other websites, sub-domains,

    etc. They even waived charges on technical help with one issue I had. Very professional tech Staff - and the Sales Dept. and Billing Dept. is very

    efficient and polite - something which is fast disappearing from businesses located in the "western world".


    As for your statements about "no mixed content", and "image or font", I never experienced issues like that with another website I had an SSL

    Certificate on. Well, I guess I will just have to "deal with it" if and when it happens.


    DJ

  • Alexander only pointed out that it would have been possible (if avaialble) to use LetsEncrypt as a free of charge SSL certificate.


    Since you already upgrade and purchased yours, is it working now?

    Hello Throwholics,


    My Hosting Provider said in their last communique with me about two - three hours ago that I should expect up to 24 hours to have it working.

    But in the past they have always taken much less time with anything I have requested. So I will probably know by this evening.


    DJ

  • Got my SSL today and I'm no longer getting the warning on login anymore. Every page so far is showing the green lock symbol except the dashboard page where I'm still getting the mixed content icon. If I log out of my account the dashboard shows secure. If I log into the site with a test account the dashboard still shows secure. If I give the test account moderator privileges, the dashboard shows the mixed content icon again. Only getting this on the site's main dashboard page and only if singed on as an administrator or moderator. Any thoughts on this?

  • Got my SSL today and I'm no longer getting the warning on login anymore. Every page so far is showing the green lock symbol except the dashboard page where I'm still getting the mixed content icon. If I log out of my account the dashboard shows secure. If I log into the site with a test account the dashboard still shows secure. If I give the test account moderator privileges, the dashboard shows the mixed content icon again. Only getting this on the site's main dashboard page and only if singed on as an administrator or moderator. Any thoughts on this?

    Thanks for joining the discussion evmiller!

    I am still waiting for my Hosting Provider to let me know they have completed the SSL Installation for me.


    However, I find your comments and questions interesting and would like to go over them here.

    You mentioned that your Dashboard Page shows you are still getting the mixed content icon.

    QUESTION: Is the Dashboard your landing page? Or some other page?


    You mentioned in "test account" the Dashboard shows secure. By "test account", I am assuming that is a Login which represents a Visitor

    to your Forum who would have become a Registered Member OR User of your Forum - is this correct?

    Do you have a Register or Login Box on your Dashboard Page?

    Or is it on another Page?


    I'm asking these question of you because I want to compare your experiences with what I will experience when my SSL is installed.


    DJ

  • Got my SSL today and I'm no longer getting the warning on login anymore. Every page so far is showing the green lock symbol except the dashboard page where I'm still getting the mixed content icon. If I log out of my account the dashboard shows secure. If I log into the site with a test account the dashboard still shows secure. If I give the test account moderator privileges, the dashboard shows the mixed content icon again. Only getting this on the site's main dashboard page and only if singed on as an administrator or moderator. Any thoughts on this?

    Check with your browser console (F12). It will show you which source couldn't be loaded over ssl. Then you know the source of the problem and can fix it.

  • Yes, my dashboard is my landing page and I have a couple test accounts with normal user privileges that I use to make sure I'm setting my permissions properly. The reason why the mixed media icon was only showing up for admins and moderators was that there was a single article in the "recent activity" list that regular users can't see. I didn't notice it disappearing and reappearing again as I was switching accounts because it was at the bottom of the list. I discovered you can click on that mixed media icon in firefox and there is a drop down box that lists the media items that are on that page and their filenames and urls. from there It was easy to track down the problem. The list showed two versions of one of the thumbnail images, an http:// and an https:// version pointing to the same file. All the other media files on the list showed only the https:// version. Even after deleting the file from the site and clearing my internet cache and history, firefox still reported it was there. Even right-clicking on the page and viewing the html code it appeared to still be there even though I had replaced the file with one with a different filename. I had to completely delete the blog and re-post it to get fixed. Happy to report that all pages are now showing the green padlock symbol. I imagine a lot off SSL certs have been sold in the last day or so because of Mozilla, lol.

  • Yes, my dashboard is my landing page and I have a couple test accounts with normal user privileges that I use to make sure I'm setting my permissions properly. The reason why the mixed media icon was only showing up for admins and moderators was that there was a single article in the "recent activity" list that regular users can't see. I didn't notice it disappearing and reappearing again as I was switching accounts because it was at the bottom of the list. I discovered you can click on that mixed media icon in firefox and there is a drop down box that lists the media items that are on that page and their filenames and urls. from there It was easy to track down the problem. The list showed two versions of one of the thumbnail images, an http:// and an https:// version pointing to the same file. All the other media files on the list showed only the https:// version. Even after deleting the file from the site and clearing my internet cache and history, firefox still reported it was there. Even right-clicking on the page and viewing the html code it appeared to still be there even though I had replaced the file with one with a different filename. I had to completely delete the blog and re-post it to get fixed. Happy to report that all pages are now showing the green padlock symbol. I imagine a lot off SSL certs have been sold in the last day or so because of Mozilla, lol.

    Thanks for your reply! Happy to hear that everything is working OK for you!


    My Hosting provider has completed their install of the SSL Cert.

    I have logged onto my forum and have clicked on nearly every link or posting so far established on my forum.

    I also clicked on "Login or register". I even logged onto the Admin/ACP - everything ok.

    The only thing I have not tried is to establish yet another "test" registration member. Will do that next.

    Happy to report that EVERYTHING shows the Green Lock Symbol.


    Yes, I suspect you are correct that in the last day or so a lot of SSL Certificates have been purchased.

    In retrospect, I am glad all this happened because now my Visitors (and hopefully potential Registered Members) who arrive

    at my Website/Forum will feel a bit more "secure" - even though I have NO intention of ever charging for Registered Memberships.

    But it has been my experience that many individuals who visit websites and forums are reluctant to "join" because they have this

    phobia about their data getting breached. Now that I have the SSL Certificate, I am going to make a point of telling Visitors to my

    site that I have done one more thing to ensure "their" security!


    DJ

  • Alright sounds good ;)

    Just a quick note here to let you know my Hosting provider installed the SSL Cert.

    Everything that I have checked so far shows the Green Lock Symbol Firefox uses to show a secure site.

    Everything is working OK on ALL pages of my forum regarding this lock symbol (e.g., secure site).

    I gave a more detailed reply to all this in post #18 if your are interested in reading it.


    I am still trying to work out/find the place where I can change the lower case "r" to upper case "R" in the text that appears at the TOP Right

    of the uppermost info bar of the forum - "Login or register" - next to the Search Symbol. Will try once again to access the area where this is

    supposed to be.


    DJ