Google warning on this Forum! Deceptive site ahead
-
Not seeing anything like that. My browser just says part of the content is unencrypted.
Are you sure your own computer/browser hasn't gotten malwared up?
-
No such problems here with Chrome 55.
-
Looks like we fixed this, can you verify?
-
A user set their avatar to load from a URL, and that server is now flagged as dangerous by Chrome. We removed the avatar.
-
:) LOL.
What was that old saying about bad association?
-
The indices are showing up as secure, but when I open a thread, it shows up as mixed content. While I'm writing this reply, it's also showing up as secure. Maybe some minor glitches in the certificate?
-
It will always show mixed http/https because, for example, the avatar above is sourced directly from here:
http://sami.mattila.eu/images/sam5.jpg
As I understand it, the only alternative is to deny outside sourcing of images/avatars and require they all be served by https://forum.pfsense.org/ or at least all over https.
The reply page doesn't show as mixed content because it doesn't include avatars and attachments.
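The distinction described in the post above (a thread page embeds http:// avatars, the reply page does not) can be checked mechanically. This is an added example, not part of the original thread; the host names and sample pages are constructed, and `find_mixed_content` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
# <a href> is deliberately absent: a link is navigation, not page content.
SUBRESOURCE_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}


class MixedContentFinder(HTMLParser):
    """Collects subresources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in SUBRESOURCE_TAGS or not src:
            return
        # Resolve relative and protocol-relative (//host/path) references
        # against the page URL, as a browser would.
        absolute = urljoin(self.page_url, src)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return (tag, url) pairs loaded over http:// by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages (hypothetical hosts, not taken from the forum).
THREAD_PAGE = """
<img src="/Themes/logo.png">
<img class="avatar" src="http://avatars.example/user1.jpg">
<img class="avatar" src="https://avatars.example/user2.png">
<img src="//cdn.example/smiley.gif">
<a href="http://other.example/page.html">link</a>
"""
REPLY_PAGE = '<img src="/Themes/logo.png"><textarea name="message"></textarea>'

if __name__ == "__main__":
    for name, page in (("thread", THREAD_PAGE), ("reply", REPLY_PAGE)):
        print(name, find_mixed_content("https://forum.example/index.php", page))
```

Only the http:// avatar is reported: relative and protocol-relative images inherit the page's https scheme, and the plain `<a href>` link is not a subresource.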
-
The indices are showing up as secure, but when I open a thread, it shows up as mixed content. While I'm writing this reply, it's also showing up as secure. Maybe some minor glitches in the certificate?
How could the pfsense.org certificate authenticate external content not hosted on forum.pfsense.org? In this case it's plain http so naturally no certificate is used for the connection.
-
I decided to change the http://… URL to my avatar for a https:// ... version.
I used https://forum.pfsense.org/index.php?action=profile;area=forumprofile
https://www.papy-team.fr/forum/e107_files/public/avatars/ap_59_nco_ranks_sergant.gif works when used directly.
But ... changing my profile ends up with a nice Your profile has been updated successfully and the setting is switched to "No avatar" like a https:// URL isn't accepted.
Btw: why not force an https URL if one chooses to use an avatar?
edit : Better yet : retrying to set my URL gives me a "504 Gateway Time-out - nginx"
No avatars are shown on the main forum page ( https://forum.pfsense.org/index.php ) but still some info is sent over using http, so browsers show "partially unsecured connection".
Ok, get it. It was my own avatar using http:// … Logic.
-
Just choose the option to upload the avatar and go that way. It appears SMF (at least this version) doesn't want to allow HTTPS avatars.
-
Where can I upload an avatar?
-
Hmm, maybe it requires a higher level of permission. It shows for me.
-
I only have the first 3 options.
I just tried to change the URL to my avatar (to https://skylabs.ch/avatar.png) and now the avatar is gone completely.
Edit: Yeah changing the link to http://skylabs.ch/avatar.png seems to work, but isn't that what the google warning is about? That you have a https page which includes http content?
-
Edit: Yeah changing the link to http://skylabs.ch/avatar.png seems to work, but isn't that what the google warning is about? That you have a https page which includes http content?
No, that's not a mixed content warning. It's about a site being in the Google Safebrowsing DB. As for mixed content, the only solution here would be adding a header to force everything via HTTPS. At that point, you break not just avatars but thousands and thousands of images linked from other sources here that have no support for HTTPS.
-
Yeah I would much rather host avatar on pfsense vs remote. But don't have the upload option either.
-
… Or just supply a https:// avatar link - which isn't accepted by this SMF forum.
But, as doktornotor already mentioned: all those posts with "http" links (to images) are making Google not happy either ... But, hey, forum admins, do not change the forum just for that, I can live with it.
A trick: see image
Go to "pfSense Forum » Profile of YOU » Look and Layout" and check "Don't show users' avatars." and most pages (without external images) have the green lock again ;)
-
On the avatar note: anyone noticed gravatar is very much broken lately? Very visible in Redmine, takes ages for the page to load, and eventually it doesn't work.