Author Topic: UKC Chrome Warning  (Read 1317 times)

Offline aricooperdavis

  • obsessive maniac
  • ***
  • Posts: 479
  • Cornwall to Cumbria
    • Cooper-Davis.net
UKC Chrome Warning
« on: August 27, 2020, 06:27:50 pm »
Recently my Chrome browser has started giving me a warning symbol in the URL bar when I visit UK Caving. Apparently this is because it loads resources from unsecured sites (image attached).

Personally I don't consider this a significant risk, but it might be "one of those things" that is worth addressing solely because it improves the user experience.

Offline langcliffe

  • forum hero
  • *****
  • Posts: 2545
    • Caving Routes in the Northern Dales
Re: UKC Chrome Warning
« Reply #1 on: August 27, 2020, 07:42:52 pm »
I suspect that the only way to prevent this is by not allowing users to embed resources (e.g. videos and photographs) which are hosted on third party sites.

Offline Badlad

  • Administrator
  • forum hero
  • *****
  • Posts: 1916
Re: UKC Chrome Warning
« Reply #2 on: August 27, 2020, 09:20:39 pm »
Correct.  We've looked into this several times recently.  The site itself is secure but it gets flagged up because some photos and videos are hosted on third party sites.  We are advised that it is not a problem and we should carry on allowing this.  If it does become a problem for users we will have to reconsider. 

What do users think?

Offline aricooperdavis

  • obsessive maniac
  • ***
  • Posts: 479
  • Cornwall to Cumbria
    • Cooper-Davis.net
Re: UKC Chrome Warning
« Reply #3 on: August 27, 2020, 09:21:12 pm »
I think you're right, langcliffe. Chrome's dev-tools expands:

Quote
Mixed content: load all resources via HTTPS to improve the security of your site
Even though the initial HTML page is loaded over a secure HTTPS connection, some resources like images, stylesheets or scripts are being accessed over an insecure HTTP connection. Usage of insecure resources is restricted to strengthen the security of your entire site.

To resolve this issue load all resources over a secure HTTPS connection.

And links to this page on how to deal with mixed content.

Interestingly, when I use the dev tools to dig a bit further, I notice that the issue on all of the pages that I've looked at so far seems to be Mrs Trellis's "Click here to see me naked!" profile picture! :lol:

In fact, this specific case could be fixed using the upgrade-insecure-requests CSP directive as that particular gif can be served over https if requested.
« Last Edit: August 27, 2020, 09:30:21 pm by aricooperdavis »

Online pwhole

  • forum hero
  • *****
  • Posts: 2083
  • TSG, DCA, PDMHS
    • Phil Wolstenholme website
Re: UKC Chrome Warning
« Reply #4 on: August 27, 2020, 09:59:03 pm »
I'm using Chrome but don't get any of these warnings?

Offline SamT

  • Global Moderator
  • forum hero
  • *****
  • Posts: 6301
    • The Eldon Pothole Club
Re: UKC Chrome Warning
« Reply #5 on: August 28, 2020, 08:26:34 am »
Quote
I'm using Chrome but don't get any of these warnings?

ditto

Offline royfellows

  • forum hero
  • *****
  • Posts: 1278
    • mineexplorer.com
Re: UKC Chrome Warning
« Reply #6 on: August 28, 2020, 08:42:13 am »
Same here. Could the Win version make some difference? I use Win 7.
My avatar is a poor likeness.

Offline wellyjen

  • regular
  • *
  • Posts: 42
Re: UKC Chrome Warning
« Reply #7 on: August 28, 2020, 09:29:34 am »
Quote
Same here. Could the Win version make some difference? I use Win 7.
I get occasional similar warnings on Firefox and Win10, so different browser and operating system.
Can't sleep. Clowns will eat me.
CCPC

Offline aricooperdavis

  • obsessive maniac
  • ***
  • Posts: 479
  • Cornwall to Cumbria
    • Cooper-Davis.net
Re: UKC Chrome Warning
« Reply #8 on: August 28, 2020, 10:29:05 am »
Quote
We are advised that it is not a problem and we should carry on allowing this.

With the current set-up a man-in-the-middle could replace any such images with an image that they choose, such as advertising or pr0nography, and simultaneously track users' movements on the site. Because of this, Google will start to block such images in a future release, thereby breaking those images. The fix isn't too tricky: the server should include a directive in its response that tells the user's browser that it should try to automatically upgrade insecure resources.

Quote
I'm using Chrome but don't get any of these warnings?

Try visiting the very silly pics thread and click on the icon in the top bar. If it still doesn't show an issue open the developer console with shift-ctrl-j and you should see the mixed content warnings at the top.

P.S. I'm not trying to nit-pick or complain; as I mentioned in my original post, I personally don't consider it to be much of an issue. This was supposed to be more of a heads-up in case it hadn't been noticed :)
« Last Edit: August 28, 2020, 10:38:52 am by aricooperdavis »

Online pwhole

  • forum hero
  • *****
  • Posts: 2083
  • TSG, DCA, PDMHS
    • Phil Wolstenholme website
Re: UKC Chrome Warning
« Reply #9 on: August 28, 2020, 03:27:58 pm »
Ah - I get the warning on that page. The cert is legit, but it does point out that third-party content can be hacked.

Offline ogofmole

  • menacing presence
  • **
  • Posts: 222
Re: UKC Chrome Warning
« Reply #10 on: August 28, 2020, 08:27:33 pm »
No problem here using Win10 and Chromebook.

Offline Tseralo

  • addict
  • **
  • Posts: 139
  • TSG
    • louisemcmahon.co.uk
Re: UKC Chrome Warning
« Reply #11 on: August 31, 2020, 01:59:28 am »
It's the banner adverts: the images are loaded via HTTP rather than HTTPS. Chrome on the desktop now just blocks them outright, so Chrome users will not see them anymore. I'm sure your advertisers will have an opinion on this.

This explains why it's bad: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed_content_weakens_https but take it from a senior software engineer, you should fix it. It's also likely that at some point Chrome and other browsers will give "block" pages containing insecure content, as they do for self-signed certs at present.

Offline GarDouth

  • Gary Douthwaite
  • Administrator
  • menacing presence
  • *****
  • Posts: 186
  • YCC & NPC
    • York Caving Club
Re: UKC Chrome Warning
« Reply #12 on: September 04, 2020, 03:36:47 pm »
The main issue seems to be people posting external images from insecure sites. The solution may have to be to prevent this.

The lack of SSL only appears for me on pages that have such posts (silly pics for example).

Quote
It's the banner adverts: the images are loaded via HTTP rather than HTTPS. Chrome on the desktop now just blocks them outright, so Chrome users will not see them anymore. I'm sure your advertisers will have an opinion on this.

This explains why it's bad: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed_content_weakens_https but take it from a senior software engineer, you should fix it. It's also likely that at some point Chrome and other browsers will give "block" pages containing insecure content, as they do for self-signed certs at present.

This doesn't seem to be the case; all the advert images are either from HTTPS URLs or locally stored images. Could you give me an example you have seen?
CNCC webmaster
Hidden Earth lecture secretary & webmaster
York Caving Club secretary

Offline langcliffe

  • forum hero
  • *****
  • Posts: 2545
    • Caving Routes in the Northern Dales
Re: UKC Chrome Warning
« Reply #13 on: September 04, 2020, 04:39:16 pm »
Quote
This doesn't seem to be the case; all the advert images are either from HTTPS URLs or locally stored images. Could you give me an example you have seen?

I suspect that the links have since been updated.

Offline aricooperdavis

  • obsessive maniac
  • ***
  • Posts: 479
  • Cornwall to Cumbria
    • Cooper-Davis.net
Re: UKC Chrome Warning
« Reply #14 on: September 04, 2020, 04:56:30 pm »
Quote
The main issue seems to be people posting external images from insecure sites. The solution may have to be to prevent this.

Could you implement a filter on posts that upgrades http to https in embedded content, like the existing filter that turns pоrnоgraphy into pr0nography?

This would break some embeds, but many browsers soon will too. It won't fix the profile picture images problem.
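As an added example (not code from the thread or from the forum's software), here is the check aricooperdavis describes doing in dev-tools, written as a small Python scanner that lists the http:// subresources of an HTTPS page, together with the http-to-https post filter suggested in Reply #14. The forum domain, the BBCode `[img]` syntax and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch subresources; an http:// value in any of them
# on an https:// page is what Chrome's "Mixed content" issue reports.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"),
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every absolute http:// subresource."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or attr not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset holds comma-separated "url descriptor" candidates; relative
            # and protocol-relative URLs resolve to https and are not flagged.
            candidates = [c.split()[0] for c in value.split(",") if c.split()]
            for url in (urljoin(self.page_url, c) for c in candidates):
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, attr, url))

def find_mixed_content(page_url, html):
    """Mixed content only exists relative to an HTTPS page, so HTTP pages yield []."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# SMF-style BBCode image embed: [img]http://...[/img] or [img width=200]http://...
IMG_EMBED = re.compile(r"(\[img[^\]]*\])http://", re.IGNORECASE)

def upgrade_post_embeds(post_bbcode):
    """The post filter suggested in Reply #14: rewrite http:// image embeds to https://."""
    return IMG_EMBED.sub(r"\1https://", post_bbcode)

# Constructed sample page: the avatar and the video embed are mixed content;
# the relative and protocol-relative resources are not.
SAMPLE_HTML = """<html><body>
<script src="//cdn.example/forum.js"></script>
<img src="/attachments/1.jpg" alt="attachment">
<img src="http://avatars.example/trellis.gif" alt="profile picture">
<iframe src="http://video.example/embed/7"></iframe>
</body></html>"""
```

The scanner reports the profile-picture case that the post filter cannot reach, which is why the thread pairs the filter with a server-side `upgrade-insecure-requests` directive.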

Offline Tangent_tracker

  • DCC
  • addict
  • **
  • Posts: 120
Re: UKC Chrome Warning
« Reply #15 on: September 06, 2020, 02:19:45 pm »
Big fan of scriptblock et al. Find it is the first and best defence against dodgy sources... until you try to pay for something  :wall:
Olly.
