Wednesday, 01 February 2017 12:41

Possible Solutions: Nonsecure Collection of Passwords will trigger warnings in Chrome and Firefox


Starting in January 2017, any website with a "login" form visible (e.g. client logins, shopping carts, etc.) will show an "insecure" message in the browser's address bar if the site does not have an SSL certificate properly installed and configured.

Particularly for my clients that are security-minded, it's important to consider how to proceed with this information.  Some of my clients already have SSL certificates running on their sites, even ones that don't process credit cards.  For clients who already process credit cards, their sites already have the necessary SSL encryption certificate (https), so this is a non-issue. 

This "insecure" message will also pop up when you are trying to access your CMS login panel, like:

  • /wp-login.php for your WordPress,
  • /administrator for Joomla, and
  • /user for Drupal sites.

[Screenshot: c2-insecure]

Possible Solutions:

  1. Purchase an SSL Certificate for your entire site.  This is probably ideal, as Google is indicating that they want EVERY website to eventually run under "https" instead of "http" - regardless of whether or not any sensitive information passes through your site. 
  2. Reconfigure your site so that the Login module / block / widget is only published on one page, rather than all pages.  This means that, instead of having your Client Login form at the bottom of every page, or in a sidebar... you'd remove it in favor of a separate, single page (URL) with the Client Login form.  That way, you only have the "insecure" browser message on that one page, not all of them. 
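As an added example (not code from the original post), a small Python scan that shows which pages of a site would get the warning: a page is flagged when it is served over plain http and contains a password input. It assumes you have already fetched each page's HTML; the constructed sample contrasts the sidebar-login layout with the single-login-page layout from option 2.

```python
# Flags pages that will trigger the browser password warning: served over
# plain http and containing an <input type="password">. Runs offline on
# already-fetched HTML (URL -> body), so it never contacts a server itself.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PasswordFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = False  # set once a password input is seen

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            attr = {k.lower(): (v or "") for k, v in attrs}
            if attr.get("type", "").strip().lower() == "password":
                self.found = True


def has_password_field(html):
    parser = _PasswordFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.found


def insecure_password_pages(pages):
    """pages maps each fetched URL to its HTML; returns sorted http URLs with a password field."""
    return sorted(url for url, html in pages.items()
                  if urlsplit(url).scheme.lower() == "http" and has_password_field(html))


# Constructed sample site (not a real fetch): login widget in the sidebar of
# every page (BEFORE) versus a single dedicated login page (AFTER).
LOGIN = '<form action="/login"><input name="u"><input type="PASSWORD" name="p"></form>'
BEFORE = {
    "http://example.com/": "<h1>Home</h1>" + LOGIN,
    "http://example.com/about": "<h1>About</h1>" + LOGIN,
    "http://example.com/wp-login.php": LOGIN,
}
AFTER = {
    "http://example.com/": '<h1>Home</h1><a href="/client-login">Client Login</a>',
    "http://example.com/about": "<h1>About</h1>",
    "http://example.com/client-login": LOGIN,
    "https://example.com/wp-login.php": LOGIN,  # served over https: no warning
}

if __name__ == "__main__":
    print("before:", insecure_password_pages(BEFORE))  # every page flagged
    print("after:", insecure_password_pages(AFTER))    # only /client-login
```

Pointing it at the real pages (fetched with the final, post-redirect URL as the key) tells you whether the login widget has actually been removed everywhere except the one page.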

Update 2/2/17: 
You can also order a free SSL certificate from Let's Encrypt, which is run by a nonprofit called the Internet Security Research Group (ISRG).  You can obtain the certificate itself for free, although not all hosting companies currently support it.  There is also a cPanel plugin available (for hosting companies) so that their users can issue and install the certificates themselves! 

Is Let's Encrypt suitable for eCommerce / Authorize.net connections? 
I am still waiting for a good answer to this.  The fact that Let's Encrypt certificates are "free" could possibly make them inferior to a commercial SSL in terms of a business owner's liability.  We'd love to hear feedback on this issue.  For now, our thinking is that anyone doing eCommerce should be buying an SSL certificate so that it's properly paid for and commercially backed.  The thinking is similar to when you use a free email account: you have fewer rights compared to using a paid email account.  For blogs that just want the https connection, a free SSL certificate should be fine.  It all depends on what's actually going on behind the site - if it's an attractive target, hackers will put out the effort...


Update 2/3/17:
Response from my hosting company, InMotionHosting:
Thank you for contacting Support.  We're happy to help. Unfortunately we do not have an ETA for the possibility of working with Let's Encrypt, however as suggested on VPS and Dedicated servers AutoSSL is available and although it works with Comodo SSL it allows access to these free of charge, just like Let's Encrypt.  In fact the main difference between these two services is who the certificates are validated through.  I've included a link to cPanel's official blog release regarding this.  These certificates should in most cases be suitable for authorize.net accounts, however you would need to contact their support to confirm as we do not have access to their criteria.  I hope this information helps.


Commentary:

  • Part of me thinks this is a good idea, as unencrypted login forms are inherently not safe: the passwords are transmitted in clear text. The other part of me feels like this is a dirty way to sell more SSL certificates.
  • I don't really have anything particularly important behind my website, so for now, I'm probably going to go with option two.  In the screenshot provided above, Google indicates that there is a long-term plan to mark ALL pages served over "http" as "Not Secure."  If and when this day comes, I'll likely cave and buy that SSL certificate after all. 


Last modified on Friday, 03 February 2017 09:41


Copyright © 2005-2016 Covington Creations, LLC | Hosting by InMotion