Google warning on this Forum! Deceptive site ahead

kpa

@bimmerdriver:

The indices are showing up as secure, but when I open a thread, it shows up as mixed content. While I'm writing this reply, it's also showing up as secure. Maybe some minor glitches in the certificate?

How could the pfsense.org certificate authenticate external content not hosted on forum.pfsense.org? In this case it's plain http so naturally no certificate is used for the connection.

Gertjan

I decided to change the http://… URL to my avatar for a https:// ... version.

I used https://forum.pfsense.org/index.php?action=profile;area=forumprofile

https://www.papy-team.fr/forum/e107_files/public/avatars/ap_59_nco_ranks_sergant.gif works when used directly.

But ... changing my profile ends up with a nice Your profile has been updated successfully and the setting is switched to "No avatar" like a https:// URL isn't accepted.

Btw : why not forcing a https URL if one chooses to use an avatar ?

edit : Better yet : retrying to set my URL gives me a "504 Gateway Time-out - nginx"
No avatars are shown on the main forum page ( https://forum.pfsense.org/index.php ) but still some info is send over using http, so navigators show "partially unsecured connection". : Ok, get it. It was my own avatar using http:// … Logic.

jimp

Just choose the option to upload the avatar and go that way. It appears SMF (at least this version) doesn't want to allow HTTPS avatars.

jahonix

Where can I upload an avatar?

jimp

Hmm, maybe it requires a higher level of permission. It shows for me.

GruensFroeschli

I only have the first 3 options.
I just tried to change the URL to my avatar (to https://skylabs.ch/avatar.png) and now the avatar is gone completly.

Edit: Yeah changing the link to http://skylabs.ch/avatar.png seems to work, but isn't that what the google warning is about? That you have a https page which includes http content?

doktornotor

@GruensFroeschli:

Edit: Yeah changing the link to http://skylabs.ch/avatar.png seems to work, but isn't that what the google warning is about? That you have a https page which includes http content?

No, that's not a mixed content warning. It's about a site being in the Google Safebrowsing DB. As for mixed content, the only solution here would be adding a header to force everything via HTTPS. At that point, you break not just avatars but thousands and thousands of images linked from other sources here that have no support for HTTPS.

johnpoz

Yeah I would much rather host avatar on pfsense vs remote. But don't have the upload option either.

Gertjan

… Or just supply a https:// avatar link - which isn't accepted by this SMF forum.
But, as doktornotor already mentioned : all those posts with "http" links (to images) are making Google not happy neither ...

But, hey, forum admins, do not change the forum just for that, I can live with it.

A trick : see image
Goto " pfSense Forum » Profile of YOU » Look and Layout" and check "Don't show users' avatars." and most pages (without external images) have the green lock again ;)

jahonix

@Gertjan:

"Don't show users' avatars."

That's not an option - I wanna see if hell freezes over.  :P

doktornotor

On the avatar note: anyone noticed gravatar is very much broken lately? Very visible in Redmine, takes ages for the page to load, and eventually it doesn't work.