Web page "not secure"

[Clariman]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think. The site does not have any data input, other than via a contact page so it shouldn't be a real problem. That said, it doesn't look great. So how do I get an SSL cert, how much does it costs and who do I get it from ... from my domain name registrar or from the hosting service? And if I have multiple domains which are effectively aliases (or route to the same pages) do I need multiple SSL certs or just one?

Many thanks
Clariman

[Breelander]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think.

These days any site using http: is deemed 'not secure'. Of course, to go to https: you'll need an SSL certificate. Usually this can be provided by your hosting service (for a price). This is some general guidance...

http://www.howto-expert.com/how-to-get- ... r-website/

[mc2fool]

The very first thing to check is if you already have one. Some hosting providers set them up automatically and for free. Simply go to https://www.yoursite.whatever and see if it works.

If not then the next step is to ask your hosting provider.

[UncleEbenezer]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think. The site does not have any data input, other than via a contact page so it shouldn't be a real problem.

In that case, I would urge you to keep it as it is and ignore Chrome being evil.

Switching from http to https is not free: it imposes high costs on the net infrastructure by buggering up cacheing. For a pretty close analogy, consider the pressure on roads and parking if all those commuter trains were deprecated and each commuter travelled by car instead. Stick to http unless there's a real reason to use https!

[Clariman]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think. The site does not have any data input, other than via a contact page so it shouldn't be a real problem.

In that case, I would urge you to keep it as it is and ignore Chrome being evil.

Switching from http to https is not free: it imposes high costs on the net infrastructure by buggering up cacheing. For a pretty close analogy, consider the pressure on roads and parking if all those commuter trains were deprecated and each commuter travelled by car instead. Stick to http unless there's a real reason to use https!

Can I get Chrome not to mark it as insecure any other way?

[Breelander]

Can I get Chrome not to mark it as insecure any other way?

I'm afraid not. This is a deliberate design policy on Google's part and has been signposted for a long time.

Security has been one of Chrome’s core principles since the beginning—we’re constantly working to keep you safe as you browse the web. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”...

...Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages

https://www.blog.google/products/chrome ... ot-secure/

[Lanark]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think. The site does not have any data input, other than via a contact page so it shouldn't be a real problem.

In that case, I would urge you to keep it as it is and ignore Chrome being evil.

Switching from http to https is not free: it imposes high costs on the net infrastructure by buggering up cacheing. For a pretty close analogy, consider the pressure on roads and parking if all those commuter trains were deprecated and each commuter travelled by car instead. Stick to http unless there's a real reason to use https!

This is completely wrong, sites loaded over https run much faster, because it is a more modern transport with fewer trips back and forth across the internet.

Sites still using http will be downgraded by Google, and if you arent rated in google results the website may as well not exist for most purposes.

Your hosting provider can be a good place to start, but you may find you can buy the same certificate cheaper by going direct either installing the certificate yourself or more likely getting your host to do it - this is when you will find out if your hosts support is really any good!

[mc2fool]

This is completely wrong, sites loaded over https run much faster, because it is a more modern transport with fewer trips back and forth across the internet.

Nope. It's HTTP/2 that is the more modern transport and is faster than HTTP/1.1, and all major browsers only support the use of HTTP/2 with HTTPS.

But that doesn't mean that HTTPS is only used with HTTP/2. Sites that use HTTPS over HTTP/1.1 -- like this site -- will be slower than those that use HTTP.

https://www.f5.com/company/blog/stop-just-stop-https-is-not-faster-than-http
https://samrueby.com/2015/01/26/why-is-https-faster-than-http/
https://en.wikipedia.org/wiki/HTTP/2#Criticisms

[Slarti]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think. The site does not have any data input, other than via a contact page so it shouldn't be a real problem.

In that case, I would urge you to keep it as it is and ignore Chrome being evil.

Switching from http to https is not free: it imposes high costs on the net infrastructure by buggering up cacheing. For a pretty close analogy, consider the pressure on roads and parking if all those commuter trains were deprecated and each commuter travelled by car instead. Stick to http unless there's a real reason to use https!

Mozilla is, apparently, also going to be identifying sites as not secure and I've had at least one popup from Defender about an insecure site.

In time, all sites will have to be HTTPS to actually function. Or so I've read.

Slarti

[bungeejumper]

I'm getting dozens (nay, hundreds) of these damned pop-up warnings about certificates from Kaspersky internet Security, which has now declared the BBC News, the Financial Times and my own website to be dodgy certificate holders, and which it sometimes declines to show me even if I say that I'll take the risk.

The stupid thing then is that all I have to do after a refusal is to re-type the URL, and then it goes in first time and shows the page. If this carries on, I might very well need to think about whether Kaspersky is still the right antivirus for me to be using? But if it's a wider issue that's going to happen with other providers, then I'd like to know that as well.

BJ

(Yes, I know I can bypass the checks by declaring certain sites to be safe zones, but I'm damned if I can figure out how. My Kaspersky is the 2018 version, if it helps?)

[Itsallaguess]

I'm getting dozens (nay, hundreds) of these damned pop-up warnings about certificates from Kaspersky internet Security, which has now declared the BBC News, the Financial Times and my own website to be dodgy certificate holders, and which it sometimes declines to show me even if I say that I'll take the risk.

Check your date, time, and time-zone settings.

That many certificate errors can be a sign that something is set incorrectly in one of those areas. Is your PC keeping time correctly when it's off - does the BIOS battery need replacing?

Cheers,

Itsallaguess

[bungeejumper]

Check your date, time, and time-zone settings.

That many certificate errors can be a sign that something is set incorrectly in one of those areas. Is your PC keeping time correctly when it's off - does the BIOS battery need replacing?

Cheers, IAAG, I've just done a check and have found that, although my time/date is correct and the time zone was/is correctly set as UTC/London/Dublin, my computer hadn't been set up to adjust the time zone settings automatically. I have changed that, and we'll see what happens now. The computer is only 18 months old, so I'd guess that the bios battery is OK.

Oddly, this problem has only been happening since mid-September. Hmmm, I wonder whether a Windows update might have been responsible? I've had so many negative experiences with Windoze resetting my network adapters to their defaults that nothing would surprise me any more. Mind you, as mentioned elsewhere, I've also had 100% disk usage messages that may suggest that my HD is on the way out. (I have chkdsked the disk with f and r a couple of times now.)

Who knows? Time will tell. So to speak.

BJ

[supremetwo]

I have a website (not this one!) where Chrome identifies it as being "not secure" because I don't have an SSL certificate I think. The site does not have any data input, other than via a contact page so it shouldn't be a real problem.

In that case, I would urge you to keep it as it is and ignore Chrome being evil.

Switching from http to https is not free: it imposes high costs on the net infrastructure by buggering up cacheing. For a pretty close analogy, consider the pressure on roads and parking if all those commuter trains were deprecated and each commuter travelled by car instead. Stick to http unless there's a real reason to use https!

This is completely wrong, sites loaded over https run much faster, because it is a more modern transport with fewer trips back and forth across the internet.

Sites still using http will be downgraded by Google, and if you arent rated in google results the website may as well not exist for most purposes.

Your hosting provider can be a good place to start, but you may find you can buy the same certificate cheaper by going direct either installing the certificate yourself or more likely getting your host to do it - this is when you will find out if your hosts support is really any good!

Both my hosts have provided free certification.
One comes via
https://www.comodo.com/about/comodo-agreements.php
and the other via
https://letsencrypt.org/documents/isrg-cps-v2.4/

[production100]

My understanding is that if you change from http... to https... you lose your current site ranking. For sites that have spent years getting good ranking based on back links, interesting content etc that can be a major problem.

Is there a reason why a site that does not collect any data or handle payments other than through a secure system should use https, and it there is not then what is the logic of saying it is not secure and downrating it on search engines?

[Slarti]

My understanding is that if you change from http... to https... you lose your current site ranking. For sites that have spent years getting good ranking based on back links, interesting content etc that can be a major problem.

Is there a reason why a site that does not collect any data or handle payments other than through a secure system should use https, and it there is not then what is the logic of saying it is not secure and downrating it on search engines?

Don't know about rankings, but how would software know if a site collects data or not?
And most do, even if they don't look as if they do.
Sometimes even if their owners don't know that they do.

Slarti

[supremetwo]

My understanding is that if you change from http... to https... you lose your current site ranking. For sites that have spent years getting good ranking based on back links, interesting content etc that can be a major problem.

Is there a reason why a site that does not collect any data or handle payments other than through a secure system should use https, and it there is not then what is the logic of saying it is not secure and downrating it on search engines?

You can edit the .HTACCESS file and resubmit the https to the search engines:-

# HTTPS redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

[stewamax]

Talk to your web-hosting company.
1-year TLS (nee SSL) certificates are £5 - £50 per domain.
You can also get free ones which last 90 days from Lets Encrypt. If your hosting company offers Lets Encrypt they will also have a process for automatic renewal.

[UncleEbenezer]

Aaargh!

You can edit the .HTACCESS file

Already looks like 1998 advice. There are a lot of assumptions in there: .htaccess is only relevant if all the following apply:
(a) he's using Apache on shared hosting, and
(b) his server administrator has enabled him to use .htaccess, and
(c) he had no better way to configure it.

# HTTPS redirect
<IfModule mod_rewrite.c>

<IfModule> is for packaging, and applications like control panels. For an individual to use it is simply wrong: it accomplishes nothing except potentially to hide errors and make diagnostics and maintenance harder.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

mod_rewrite was fantastic twenty years ago, when configuration options in general were pretty limited. Nowadays it mainly serves to provide complicated legacy solutions to simple problems. What would be his best solution depends on problem details that would be off-topic here, but the clean approach - and one that would also have been the clean approach in 1998 - would be to configure the http and https <virtualhost>s each to the behaviour you desire of them.

[Clariman]

Thanks everyone. To get back to the basics of the question.

I have tried using the https: and domain to see if it is there for free. It is not.

Some people have said that my next step should be to contact my hosting provider. Is that correct? My website is hosted (and created) by Weebly but my domain names are mostly registered with 123-reg. IIRC I created my website in Weebly using their default weebly.myname.com (or whatever it is) and then published that to mydomain1.com I also have mydomain1.co.uk which directs to the same place.

So does Weebly or 123.reg provide an SSL cert and do I need one for each domain name or just for the hosted service?

[Clariman]

I've just called 123-Reg who were very helpful. My understanding now is that I just need 1 x SSL certificate for the domain to which the website is published. The other domains which forward to it will, in effect, inherit the SSL. However, the certificate needs to be implemented by (or at) the hosting provider via a CSR (Certificate Signing Request).

Agreed?