'Not Secure' warning

My client just noticed a 'Not Secure' message while logging on. (See attached image.)

Is this new? Something I need to worry about? Can it be fixed?

John


JohnPDX
 
hutman replied:
That is Chrome indicating to your customer that they are logging into a site without an SSL. This doesn't have anything to do with Concrete5.

The only way to get rid of the message would be to add an SSL to the site.
JohnPDX replied:
Thanks. Thought that was the case.

Am I safe in assuming C5 hashes the PW so there is little danger of the site being hacked?
Gondwana replied:
I think the issue is that the password will be transmitted unencrypted from client to server, so it could be intercepted before c5 gets a chance to do anything with it.
gavthompson replied:
I think the issue is that the password will be transmitted unencrypted from client to server, so it could be intercepted before c5 gets a chance to do anything with it.


This is one of the reasons why I went to a new host that offers the http://letsencrypt.org/ certs.
frz replied:
yup.
JohnPDX replied:
Just so I understand, if I add the free cert recommended above, the login will become 'https' and the PW will be secure. Is that right?

Will this affect the rest of the site? Will all URLs become 'https' -- even previously bookmarked links?

Sorry if these are stupid questions, but I am clueless when it comes to certificates.
gavthompson replied (Best Answer):
Have a look on here for your host: https://community.letsencrypt.org/t/web-hosting-who-support-lets-enc...

That isn't an absolute list, so if you can't find your host you would have to ask them if they support the Let's Encrypt certs.

I know 1and1 just will not as they want you to buy their certs for instance.

When I did it on my host krystal.co.uk, which is a supporter, I logged into cPanel, clicked on the Let's Encrypt link and issued a certificate to whatever domain I wanted.

Then to force traffic to the https site I put this at the top of my .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
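
A check for the redirect rule above, added here as an example and not part of the original thread: it audits the responses a site returns to plain-http requests and confirms that each one is a permanent redirect to the same host and path over https, which is what keeps old bookmarks working. The host example.com, the sample responses and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample responses (hypothetical host example.com), in the form
# (requested URL, status code, response headers), e.g. as read from `curl -sI`.
SAMPLES = [
    ("http://example.com/index.php/login", 301,
     {"Location": "https://example.com/index.php/login"}),
    ("http://example.com/blog/old-bookmark?page=2", 302,
     {"Location": "https://example.com/"}),
    ("http://example.com/about", 200, {}),
]

def audit_redirect(url, status, headers):
    """Return a list of problems with the response to a plain-http request."""
    problems = []
    # Header names are case-insensitive, so normalise before the lookup.
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect")
    if not location:
        problems.append("no Location header: page is served over http")
        return problems
    src, dst = urlsplit(url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"redirect target uses {dst.scheme or 'no'} scheme")
    if dst.hostname != src.hostname:
        problems.append(f"host changes from {src.hostname} to {dst.hostname}")
    # The rule appends %{REQUEST_URI}, so path and query should survive intact.
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query not preserved: bookmarks land elsewhere")
    return problems

def audit_all(samples=SAMPLES):
    """Audit every sample and map each requested URL to its problem list."""
    return {url: audit_redirect(url, status, headers)
            for url, status, headers in samples}

if __name__ == "__main__":
    for url, problems in audit_all().items():
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

The redirect only applies once a request has already arrived over http, so a password posted to an http:// URL has crossed the network unencrypted before the 301 is returned; the login page itself needs to be loaded over https.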
mlocati replied:
Just a side note: I developed a concrete5 package that uses the Let's Encrypt services to create https certificates ;)