UKC Chrome Warning

aricooperdavis

Moderator
Recently my Chrome browser has started giving me a warning symbol in the URL bar when I visit UK Caving. Apparently this is because it loads resources from unsecured sites (image attached).

Personally I don't consider this a significant risk, but it might be "one of those things" that is worth addressing solely because it improves the user experience.
 

Attachment: Screenshot_20200827-182301.jpg

langcliffe

Well-known member
I suspect that the only way to prevent this is by not allowing users to embed resources (e.g. videos and photographs) which are hosted on third party sites.
 

Badlad

Administrator
Staff member
Correct. We've looked into this several times recently. The site itself is secure but it gets flagged up because some photos and videos are hosted on third party sites. We are advised that it is not a problem and we should carry on allowing this. If it does become a problem for users we will have to reconsider.

What do users think?
 

aricooperdavis

Moderator
I think you're right langcliffe. Chrome's dev-tools expands:

Mixed content: load all resources via HTTPS to improve the security of your site
Even though the initial HTML page is loaded over a secure HTTPS connection, some resources like images, stylesheets or scripts are being accessed over an insecure HTTP connection. Usage of insecure resources is restricted to strengthen the security of your entire site.

To resolve this issue load all resources over a secure HTTPS connection.

And links to this page on how to deal with mixed content.

Interestingly, when I use the dev tools to dig a bit further, I notice that the issue on all of the pages that I've looked at so far seems to be Mrs Trellis's "Click here to see me naked!" profile picture! :LOL:

In fact, this specific case could be fixed using the upgrade-insecure-requests CSP directive as that particular gif can be served over https if requested.
 

wellyjen

Well-known member
royfellows said:
Same here. Could the Win version make some difference? I use Win 7.
I get occasional similar warnings on Firefox and Win10, so different browser and operating system.
 

aricooperdavis

Moderator
Badlad said:
We are advised that it is not a problem and we should carry on allowing this.

With the current set-up a man-in-the-middle could replace any such images with an image that they choose, such as advertising or pr0nography, and simultaneously track users' movements on the site. Because of this Google will start to block such images in a future release, thereby breaking those images. The fix isn't too tricky: the server should include a directive in its response that tells the user's browser that it should try to automatically upgrade insecure resources.

pwhole said:
I'm using Chrome but don't get any of these warnings?

Try visiting the very silly pics thread and click on the icon in the top bar. If it still doesn't show an issue open the developer console with shift-ctrl-j and you should see the mixed content warnings at the top.

P.S. I'm not trying to nit-pick or complain; as I mentioned in my original post I personally don't consider it to be much of an issue. This was supposed to be more of a heads up in case it hadn't been noticed :)
 

pwhole

Well-known member
Ah - I get the warning on that page. The cert is legit, but it does point out that third-party content can be hacked.
 

Tseralo

Active member
It's the banner adverts: the images are loaded via HTTP rather than HTTPS. Chrome on the desktop now just blocks them outright so Chrome users will not see them anymore. I'm sure your advertisers will have an opinion on this.

This explains why it's bad https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed_content_weakens_https but take it from a senior software engineer: you should fix it. It's also likely that at some point Chrome and other browsers will give "block" pages containing unsecure content as they do for self signed certs at present.

 

GarDouth

Administrator
The main issue seems to be people posting external images from unsecure sites. The solution may have to be to prevent this.

The lack of SSL only appears for me on pages that have such posts (silly pics for example).

Tseralo said:
It's the banner adverts: the images are loaded via HTTP rather than HTTPS. Chrome on the desktop now just blocks them outright so Chrome users will not see them anymore. I'm sure your advertisers will have an opinion on this.

This explains why it's bad https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed_content_weakens_https but take it from a senior software engineer: you should fix it. It's also likely that at some point Chrome and other browsers will give "block" pages containing unsecure content as they do for self signed certs at present.

This doesn't seem to be the case, all the advert images are either from HTTPS URLs or locally stored images. Could you give me an example you have seen?
 

langcliffe

Well-known member
GarDouth said:
This doesn't seem to be the case, all the advert images are either from HTTPS URLs or locally stored images. Could you give me an example you have seen?

I suspect that the links have since been updated.
 

aricooperdavis

Moderator
GarDouth said:
The main issue seems to be people posting external images from unsecure sites. The solution may have to be to prevent this.

Could you implement a filter on posts that upgrades http to https in embedded content, like the existing filter that turns p?rn?graphy into pornography?

This would break some embeds, but many browsers will too soon. It won't fix the profile picture images problem.
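An added example, not code from this thread or from the forum's own software, showing the two fixes discussed above in Python: a scanner that lists the http:// sub-resources in a post (the same thing Chrome's dev-tools console reports as mixed content), the http-to-https upgrade filter for embedded content suggested here, and the response headers carrying the upgrade-insecure-requests CSP directive from the earlier post. The sample post HTML, the example.com hostnames and the function names are all my own constructions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource. A plain <a href> is
# navigation, not a sub-resource, so it is not mixed content and is left alone.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "link": ("href",),
}


class MixedContentScanner(HTMLParser):
    """Collects every sub-resource URL that uses the plain http scheme."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are fetched as sub-resources here
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            # Scheme-relative URLs (//host/x) inherit https and are not flagged.
            if value and urlsplit(value).scheme.lower() == "http":
                self.insecure.append((tag, value))


def find_mixed_content(html):
    """Return [(tag, url), ...] for each insecure embed, in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


# Post filter: rewrite http:// to https:// only inside embed tags. Attribute
# values containing a literal '>' are not handled by this simple pattern.
_EMBED_TAG = re.compile(r"<(img|script|iframe|video|audio|source|link)\b[^>]*>", re.I)
_INSECURE_ATTR = re.compile(r"""\b(src|poster|href)=(["'])http://""", re.I)


def upgrade_embeds(html):
    """Upgrade embedded resource URLs from http to https; links are untouched."""
    def fix_tag(m):
        return _INSECURE_ATTR.sub(lambda a: f"{a.group(1)}={a.group(2)}https://", m.group(0))
    return _EMBED_TAG.sub(fix_tag, html)


def security_headers(existing=None):
    """Add upgrade-insecure-requests to the Content-Security-Policy header.

    With this directive the browser fetches every http:// sub-resource on the
    page over https instead, which also covers profile pictures that a post
    filter never sees.
    """
    headers = dict(existing or {})
    csp = headers.get("Content-Security-Policy", "")
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    if "upgrade-insecure-requests" not in directives:
        directives.append("upgrade-insecure-requests")
    headers["Content-Security-Policy"] = "; ".join(directives)
    return headers


# Constructed sample post: two insecure embeds, one plain link, one secure image.
SAMPLE_POST = (
    '<p>Trip report</p>'
    '<img src="http://example.com/avatar.gif" alt="avatar">'
    '<a href="http://example.com/thread">a plain link, not a sub-resource</a>'
    '<iframe src="http://example.org/embed/123"></iframe>'
    '<img src="https://cdn.example.net/photo.jpg">'
)

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_POST):
        print(f"mixed content: <{tag}> {url}")
    print(upgrade_embeds(SAMPLE_POST))
    print(security_headers({"Content-Security-Policy": "default-src 'self'"}))
```

The filter only helps where the third party host actually serves the resource over https (as the gif mentioned earlier does); otherwise the upgraded embed fails to load, which is the breakage this post anticipates and which browsers will soon cause anyway by blocking the http version. The header directive and the filter complement each other: the filter cleans what is stored, the directive fixes everything the page renders, profile pictures included.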
 

Tangent_tracker

Active member
Big fan of scriptblock et al. Find it is the first and best defense against dodgy sources.... Until you try to pay for something o_O
 