
WNC-10026400 Nonsecure collection of passwords


EricT


Hi,

I received an email from Google about "Nonsecure collection of passwords".
The email identifier: WNC-10026400

Here is a topic about it on the Google forum: https://productforums.google.com/forum/#!topic/webmasters/kxql8Qkb-og

There are two solutions:

- Migrate to https

or

- Remove the login/password code area from templates

What do you think about it?
Did anyone else receive this email too?


It’s nothing new. Google’s road map for this has been known for a long time. Eventually all sites should be served over SSL someday.

IPS could offer an option to remove the login dropdown, but that would only help those (few?) who have login over SSL enabled, but serve the rest of the site over https. 

I’m still waiting for IPS to offer a functionality to convert external post content to SSL after the switch to SSL and for my host to support free external certificates. 


Google is pushing SSL a lot now and I've started receiving messages about my sites being insecure and Chrome users from them, Firefox is marking non-http sites as insecure, so I've just got one of my sites (on a VPS) working on Let's Encrypt's free SSL facility using the AutoSSL feature in WHM.

https://documentation.cpanel.net/display/ALD/Manage+AutoSSL#ManageAutoSSL-SelectanAutoSSLprovider

https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

I asked my web host to run the installer from SSH as I don't currently want root access and they bizarrely still don't have the Let's Encrypt plug-in installed (because many say it means a drop in webhost revenue for installation fees and they're not getting the whole privacy movement new paradigm thing yet), but I have to say AutoSSL worked great. It installed fine and I could then choose Let's Encrypt as the certificate supplier in the AutoSSL settings.

A poorly written line in my .htaccess file prevented it from running properly the first time, but once I figured out the cause, the AutoSSL feature discovered my main domain and my 4 add-on domains, then installed the SSL certificate for each very quickly.

I then edited the boardurl in the global config file, used the option to locally host images in AdminCP, then recached the community using the Support Tool. 

One thing I noticed, no longer having the Forums but Gallery only on this first site, was that although AdminCP and some of my other pages like Activity Streams were showing as fully secure, the index page showed the padlock for only a few seconds before it disappeared as the page loaded. I used the handy tool at https://www.whynopadlock.com to list insecure mixed content and it was mostly Gallery images and some Profile images of the poster who uploaded them that were hard-coded with http URLs. I fixed them by running some search-and-replace style queries on about 6 fields on 2 tables using phpMyAdmin.

I also corrected some non-https links for Twitter embed blocks and every page seems to be loading fine showing the padlock now.

Looking at the source code for the board index, with a quick Find search for http:// I can see some non-https links relating to third-party breadcrumbs and microformats that, if available in https format URLs, IPS could possibly update and fix in their templates for robustness' sake.

When I do one of my sites with Forums installed, I imagine there will be more old posts to fix. It would be good to have a built-in tool in the Support section that could run as a background task to fix non-SSL links in older content.

On 22 January 2017 at 5:49 PM, Dll said:

Google isn't expecting you to secure every single item on the page.

I think the wider issue is more that the SSL connection will break (and browsers will say your site is insecure to visitors, you will miss out on some new and forthcoming technologies and apparently according to Google risk more chance for ad and website manipulation such as ISPs, Wifi hotspots, hotels etc injecting ad content into your webpages) which isn't ideal if every item that needs to be served via SSL isn't.

A bit slow but found this video interesting...

 


Archived

This topic is now archived and is closed to further replies.
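The two checks discussed in this thread (a password field on a page served over http, and http-only subresources that drop the padlock on an https page) can be run offline against saved page source. The following is an added example, not code from any poster or from IPS; the function names, finding labels and example.com hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (plain <a href> links do not).
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
                     "audio": "src", "video": "src", "source": "src", "object": "data"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []

    def _is_http(self, value):
        # Resolve relative and protocol-relative URLs against the page first.
        return urlsplit(urljoin(self.page_url, value)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            if not self.page_is_https:
                self.findings.append(("password-on-http-page", self.page_url))
        elif tag == "form" and a.get("action") and self._is_http(a["action"]):
            self.findings.append(("form-posts-to-http", a["action"]))
        elif self.page_is_https:
            attr = SUBRESOURCE_ATTRS.get(tag)
            if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
                attr = "href"
            if attr and a.get(attr) and self._is_http(a[attr]):
                self.findings.append(("mixed-content", a[attr]))

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; the example.com hosts are placeholders.
SAMPLE = """
<form action="/login"><input type="password" name="pw"></form>
<img src="http://forum.example.com/uploads/gallery/1.jpg">
<img src="//cdn.example.com/avatar.png">
<script src="/js/app.js"></script>
<a href="http://other.example.com/">plain link</a>
"""

if __name__ == "__main__":
    print(audit("https://forum.example.com/", SAMPLE))
```

Run against the same markup with an http:// page URL, the audit reports the password form instead of the image, which is the condition the Google notice describes.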
