EricT, Posted January 22, 2017

Hi,

I received an email from Google about "Nonsecure collection of passwords".
The email identifier: WNC-10026400

Here is a topic about it on the Google forum: https://productforums.google.com/forum/#!topic/webmasters/kxql8Qkb-og

There are two solutions:
- Migrate to https
or
- Remove the login/password code area from templates

What do you think about it? Did anyone else receive this email too?
opentype, Posted January 22, 2017

It’s nothing new. Google’s road map for this has been known for a long time. Eventually all sites should be served over SSL someday. IPS could offer an option to remove the login dropdown, but that would only help those (few?) who have login over SSL enabled, but serve the rest of the site over https.

I’m still waiting for IPS to offer a functionality to convert external post content to SSL after the switch to SSL and for my host to support free external certificates.
EricT (Author), Posted January 22, 2017

3 minutes ago, opentype said:
"IPS to offer a functionality to convert external post content to SSL"

What are you calling external post content? Images that are stored on an external host with no https, for example?
opentype, Posted January 22, 2017

Yes. If you switch over to SSL, the existing post content stays untouched, so you will likely have thousands of unsecure pages which browsers will block.
EricT (Author), Posted January 22, 2017

But which solutions could be possible? Download all external content to store it locally? What could IPS do for that?
opentype, Posted January 22, 2017

The functionality to cache the external images locally is already there. It just needs a background task that goes through all old posts as well.
Simon Woods, Posted January 22, 2017

3 hours ago, opentype said:
"The functionality to cache the external images locally is already there. It just needs a background task that goes through all old posts as well."

I hope IPS consider this a priority. It's not exactly good for their reputation otherwise.
EricT (Author), Posted January 22, 2017

I hope there will be improvements about this and SEO on IPS 4.2
Dll, Posted January 22, 2017

Insecure images on a page don't make a difference to a login. As long as the form is served through https then that's enough. Google isn't expecting you to secure every single item on the page.
The Old Man, Posted January 25, 2017

Google is pushing SSL a lot now and I've started receiving messages about my sites being insecure and Chrome users from them, Firefox is marking non-http sites as insecure, so I've just got one of my sites (on a VPS) working on Let's Encrypt's free SSL facility using the AutoSSL feature in WHM.

https://documentation.cpanel.net/display/ALD/Manage+AutoSSL#ManageAutoSSL-SelectanAutoSSLprovider
https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

I asked my web-host to run the installer from SSH as I don't currently want root access and they bizarrely still don't have the Let's Encrypt plug-in installed (because many say it means a drop in webhost revenue for installation fees and they're not getting the whole privacy movement new paradigm thing yet), but I have to say AutoSSL worked great. It installed fine and I could then choose Let's Encrypt as the certificate supplier in the AutoSSL settings. A poorly written line in my .htaccess file prevented it from running properly first time but once I figured out the cause, the AutoSSL feature discovered my main domain and my 4 add-on domains, then installed the SSL certificate for each very quickly.

I then edited the boardurl in the global config file, used the option to locally host images in AdminCP, then recached the community using the Support Tool.

One thing I noticed, no longer having the Forums but Gallery only on this first site, was that although AdminCP and some of my other pages like Activity Streams were showing as fully secure, the index page showed the padlock for only a few seconds before it disappeared as the page loaded. I used the handy tool at https://www.whynopadlock.com to list insecure mixed content and it was mostly Gallery images and some Profile images of the poster who uploaded them that were hard coded with http URLs.
I fixed them by running some search and replace style queries on about 6 fields on 2 tables using phpMyAdmin. I also corrected some non-https links for Twitter embed blocks and every page seems to be loading fine showing the padlock now.

Looking at the source code for the board index, with a quick Find search for http:// I can see some non-https links relating to third party breadcrumbs and microformats that, if available in https format URLs, IPS could possibly update and fix in their templates for robustness' sake.

When I do one of my sites with Forums installed, I imagine there will be more old posts to fix. It would be good to have a built-in tool in the Support section that could run as a background task to fix non-SSL links in older content.

On 22 January 2017 at 5:49 PM, Dll said:
"Google isn't expecting you to secure every single item on the page."

I think the wider issue is more that the SSL connection will break (and browsers will say your site is insecure to visitors, you will miss out on some new and forthcoming technologies and apparently according to Google risk more chance for ad and website manipulation such as ISPs, Wifi hotspots, hotels etc injecting ad content into your webpages) which isn't ideal if every item that needs to be served via SSL isn't.

A bit slow but found this video interesting...
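
As an added example (not part of the thread and not IPS code), here is the kind of check the post above does by hand with a source search: a small Python audit that lists http:// subresources on a page and flags password forms that are served or submitted over plain HTTP. The class and function names and the example.* hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src makes the browser fetch a subresource. Plain <a href> links
# are not fetched with the page, so they do not count as mixed content.
FETCH_TAGS = {"img", "script", "iframe", "source", "video", "audio", "embed"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_resources = []       # (tag, absolute http:// URL)
        self.insecure_password_forms = []  # submit URLs of exposed login forms
        self._action = None                # action of the form being parsed

    def _is_http(self, url):
        # Resolve relative and protocol-relative (//host/x) URLs first.
        return urlsplit(urljoin(self.page_url, url or "")).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self._action or self.page_url
            # Exposed if the page itself or the submit target is plain HTTP.
            if self._is_http(self.page_url) or self._is_http(target):
                self.insecure_password_forms.append(target)
        elif tag in FETCH_TAGS and a.get("src") and self._is_http(a["src"]):
            self.insecure_resources.append((tag, urljoin(self.page_url, a["src"])))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

# Constructed sample markup (hypothetical hosts), not taken from a real site.
SAMPLE = """<form action="/login/" method="post">
<input type="text" name="auth"><input type="password" name="password"></form>
<img src="http://img.example.net/avatar.png">
<img src="//cdn.example.net/logo.png">
<script src="https://cdn.example.net/app.js"></script>
<a href="http://example.org/">old link</a>"""

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure_resources, parser.insecure_password_forms
```

Calling `audit("https://forum.example.com/", SAMPLE)` reports only the hard-coded http:// avatar image; the same markup served from an http:// address also reports the login form.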
Archived
This topic is now archived and is closed to further replies.