Tiltforums.com comes up as not secure

Tiltforums doesn’t use HTTPS so that message is normal.

Chrome is (intentionally) becoming more aggressive about calling out sites that don’t use HTTPS. I believe Google also plans to demote non-HTTPS sites in search rankings, if they’re not already doing so.

1 Like
1 Like

From iOS, it is no longer possible to sign into the forum because Safari (rightly) refuses to send a password over an insecure connection.

It would be really nice to get HTTPS enabled for the site.

5 Likes

I sign in just fine via Safari on my iPad. Don’t even get a warning. Might want to check your settings.

2 Likes

Weird. I just tried again from my iPhone, and it works now. There is a big fat red warning at the top though “Insecure site”.

I vaguely remember seeing a similar issue caused by my password manager refusing to fill a non-HTTPS site.

Just want to point out I’m seeing it on Firefox too. I get a warning each time I log in.


On Chrome, but browser needs updating.

The site uses HTTP for now. Whether you’re getting a warning or not makes no difference. Nothing has changed here. Your browser is now telling you.

If you’re practicing good browsing habits the use of HTTP here should be of little concern.
The IFPA site is slightly more risky if you’re a TD. But they have a different issue; I think Firefox doesn’t like something about the certificate they’re using.

Arguably a lot has changed in recent years. Plaintext HTTP MITM attacks have never been easier for anyone from the curious kid down the hall to your ISP or even organized crime. It isn’t difficult to find ready-to-go images for cheap devices like an RPi that will do most of the heavy lifting, and enable delivery of things like relatively benign advertisements, slightly less benign crypto-currency mining JavaScript, or other outright malicious code.

Pervasive use of HTTPS (and additionally of the HSTS header to prevent browsers from ever using plain old HTTP to begin with) goes a long way to stopping these attacks.

As for the IFPA site, they’ve only obtained a cert for www.ifpapinball.com and haven’t requested ifpapinball.com as an alternate domain in whatever they’re using as a Let’s Encrypt client. If you always use www when browsing, it should work fine.

4 Likes
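The two checks the post above describes (a certificate whose names cover `www` but not the bare domain, and the HSTS response header), as an added example that is not part of the thread. The domain, certificate dictionaries and header strings are constructed placeholders; the certificate dict follows the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import re

def san_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Hostname match; '*' may only stand for the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.example.org' never covers bare 'example.org'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert, hosts):
    """Hosts the site is reachable under that no SAN entry covers."""
    sans = san_dns_names(cert)
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means no effective policy."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"[0-9]+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] else None   # max-age=0 clears the policy

# Constructed sample data (placeholder domain, not taken from any real site).
WWW_ONLY_CERT = {"subjectAltName": (("DNS", "www.example.org"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}
SITE_HOSTS = ["example.org", "www.example.org"]

if __name__ == "__main__":
    for label, cert in (("www-only", WWW_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, "cert leaves uncovered:", uncovered_hosts(cert, SITE_HOSTS))
    print(parse_hsts("max-age=31536000; includeSubDomains"))
    print(parse_hsts("max-age=0"))
```

Both sample certificates leave the bare domain uncovered, which is why the certificate request has to list it as its own name.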

ifpapinball.com has been serving random ad pages intermittently for the past few days. I’ve seen it twice, and several mates of mine also report getting ad pages every now and then.

1 Like

My junk email folder was blank for a few months; now I’m getting 5-12 junk emails a day. Wonder if this is related.

It is not

10 Likes

Of course TLS makes it all the more secure! :joy:

I freely admit I have been super lazy about getting this set up. It’s going to take a bit of work on my part but I’ll try and get to it soon.

2 Likes

Unsure if it’s related but I’ve been noticing lately that I occasionally will need to log in twice.

Now I get this multiple times before the site loads. image

Just bumping this. Can’t hurt to do that once a year.

3 Likes

Earlier today I noticed a brief “loading…” splash while using a cafe’s Wi-Fi and immediately thought they (or someone else on the network) were doing man-in-the-middle shenanigans like hotels used to do. Saw the splash again when I got home, so I assume it’s a legit update to the site instead.

It sure would be nice if that concern were mitigated by TLS though…