Tiltforums.com comes up as not secure


#1

Thought this was odd. Never noticed before today.

Using Chrome version:
68.0.3440.84 (Official Build) (64-bit)


#2

Tiltforums doesn’t use https so that message is normal.


#3

Chrome is (intentionally) becoming more aggressive about calling out sites that don’t use HTTPS. I believe Google also plans to demote non-HTTPS sites in search rankings, if they’re not already doing so.


#4

#5

From iOS, it is no longer possible to sign into the forum because Safari (rightly) refuses to send a password over an insecure connection.

It would be really nice to get https enabled for the site.


#6

I sign in just fine via Safari on my iPad. Don’t even get a warning. Might want to check your settings.


#7

Weird. I just tried again from my iPhone, and it works now. There is a big fat red warning at the top though “Insecure site”.


#8

I vaguely remember seeing a similar issue caused by my password manager refusing to fill a non-https site.


#9

Just want to point out I’m seeing it on Firefox too. I get a warning each time I log in.


#10

On Chrome, but browser needs updating.


#11

The site uses HTTP for now. Whether you’re getting a warning or not makes no difference. Nothing has changed here. Your browser is now telling you.

If you’re practicing good browsing habits the use of HTTP here should be of little concern.
The IFPA site is slightly more risky if you’re a TD. But they have a different issue; I think Firefox doesn’t like something about the certificate they’re using.


#12

Arguably a lot has changed in recent years. Plaintext HTTP MITM attacks have never been easier for anyone from the curious kid down the hall to your ISP or even organized crime. It isn’t difficult to find ready-to-go images for cheap devices like an RPi that will do most of the heavy lifting, and enable delivery of things like relatively benign advertisements, slightly less benign crypto-currency mining JavaScript, or other outright malicious code.

Pervasive use of HTTPS (and additionally of the HSTS header to prevent browsers from ever using plain old HTTP to begin with) goes a long way to stopping these attacks.

As for the IFPA site, they’ve only obtained a cert for www.ifpapinball.com and haven’t requested ifpapinball.com as an alternate domain in whatever they’re using as a Let’s Encrypt client. If you always use www when browsing, it should work fine.
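
Added example, not part of the original thread: a small Python audit of the two things post #12 describes, whether a certificate's subjectAltName list covers both the bare domain and the `www` name, and whether a response carries a usable HSTS header. The `example.org` names, the certificate dicts (shaped like the output of `ssl.SSLSocket.getpeercert()`) and the header values are constructed sample data.

```python
import re

def san_dns_names(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Label-wise match; '*' is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # so '*.example.org' never covers 'example.org'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert, hosts):
    """Hostnames a browser would reject for this certificate."""
    names = san_dns_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        part = part.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part, re.I)
        if m:
            policy["max_age"] = int(m.group(1))
        elif part.lower() == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def hsts_effective(headers):
    """True if the headers carry HSTS with a non-zero max-age.
    Browsers only honour this header when it arrives over HTTPS."""
    for key, value in headers.items():
        if key.lower() == "strict-transport-security":
            return (parse_hsts(value)["max_age"] or 0) > 0
    return False

# Constructed sample data (not captured from any real site).
HOSTS = ["example.org", "www.example.org"]
CERT_WWW_ONLY = {"subjectAltName": (("DNS", "www.example.org"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.org"),)}
CERT_BOTH = {"subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org"))}

if __name__ == "__main__":
    for label, cert in [("www only", CERT_WWW_ONLY), ("wildcard", CERT_WILDCARD), ("both", CERT_BOTH)]:
        print(label, "-> uncovered:", uncovered_hosts(cert, HOSTS))
```

Note that the wildcard certificate leaves the bare domain uncovered just as the `www`-only one does; only a certificate listing both names passes for both.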


#13

ifpapinball.com has been serving random ad pages intermittently for the past few days. I’ve seen it twice, and several mates of mine also report getting ad pages every now and then.


#14

My junk email folder was blank for a few months; now I’m getting 5-12 junk emails a day. Wonder if this is related.


#15

It is not.