Wednesday, 01 February 2017 17:41

Possible Solutions: Nonsecure Collection of Passwords will trigger warnings in Chrome and Firefox


Starting in January 2017, any website with a "login" form visible (e.g. Client Logins, Shopping Carts, etc.) will show an "insecure" message in the browser's address bar if the site does not have a properly installed and configured SSL certificate, i.e. if the page is served over "http" rather than "https".

Particularly for my clients that are security-minded, it's important to consider how to proceed with this information. Some of my clients already have SSL certificates running on their sites, even ones that don't process credit cards. For clients who already process credit cards, their sites already have the necessary SSL encryption certificate (https), so this is a non-issue.

This "insecure" message will also pop up when you are trying to access your CMS login panel, like:

[Screenshot "c2-insecure": the browser's "Not secure" warning shown on a CMS login page served over http]

Possible Solutions:

  1. Purchase an SSL Certificate for your entire site. This is probably ideal, as Google is indicating that they want EVERY website to eventually run under "https" instead of "http", regardless of whether or not any sensitive information passes through your site.
  2. Reconfigure your site so that the Login module / block / widget is only published on one page, rather than all pages. This means that, instead of having your Client Login form at the bottom of every page, or in a sidebar, you'd remove it in favor of a separate, single page (URL) with the Client Login form. That way, you only have the "insecure" browser message on that one page, not all of them.
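To see how the two options play out, here is a small audit script (an added example, not code from the original post) that applies the rule described above to a set of pages: a page served over plain http that contains a password input is flagged. The site contents and the "example.test" URLs are constructed samples; the script parses the HTML offline, so it can be pointed at saved copies of your own pages before deciding between the options.

```python
"""Audit which pages of a site would trigger the browser "Not secure" warning.

Added example, not from the original post. It mirrors the rule the post
describes: a page served over plain http that contains a password field is
flagged. The page contents below are constructed samples, not a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PasswordFieldFinder(HTMLParser):
    """Counts every <input type="password"> found on a page."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # HTMLParser lowercases attribute names; values keep their case
        attr_map = {name: (value or "") for name, value in attrs}
        if attr_map.get("type", "").lower() == "password":
            self.password_fields += 1


def has_password_field(html: str) -> bool:
    """True if the HTML contains at least one password input."""
    parser = PasswordFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.password_fields > 0


def pages_triggering_warning(site: dict) -> list:
    """Return the sorted URLs that would be marked "Not secure".

    `site` maps a page URL to its HTML. A page is flagged when it is served
    over http (not https) and contains a password input.
    """
    flagged = []
    for url, html in site.items():
        if urlsplit(url).scheme.lower() == "http" and has_password_field(html):
            flagged.append(url)
    return sorted(flagged)


# Constructed sample markup: a typical client login widget
LOGIN_WIDGET = (
    '<form action="/user/login" method="post">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="submit" value="Log in"></form>'
)
PAGE = "<html><body><main>%s</main><aside>%s</aside></body></html>"

# Before: the login widget sits in the sidebar of every page
SITE_BEFORE = {
    "http://example.test/": PAGE % ("Welcome", LOGIN_WIDGET),
    "http://example.test/about": PAGE % ("About us", LOGIN_WIDGET),
    "http://example.test/contact": PAGE % ("Contact", LOGIN_WIDGET),
}

# Option 2: the widget is removed everywhere except one dedicated login page
SITE_OPTION2 = {
    "http://example.test/": PAGE % ("Welcome", '<a href="/login">Client login</a>'),
    "http://example.test/about": PAGE % ("About us", ""),
    "http://example.test/contact": PAGE % ("Contact", ""),
    "http://example.test/login": PAGE % (LOGIN_WIDGET, ""),
}

# Option 1: the original site, with every page served over https
SITE_OPTION1 = {
    url.replace("http://", "https://", 1): html for url, html in SITE_BEFORE.items()
}

if __name__ == "__main__":
    for label, site in (("before", SITE_BEFORE),
                        ("option 2", SITE_OPTION2),
                        ("option 1", SITE_OPTION1)):
        print(label, pages_triggering_warning(site))
```

Running it shows three flagged pages before, one flagged page under option 2, and none under option 1. Note what the script does not measure: under option 2 the password still crosses the network in clear text on that one remaining page, so the warning is reduced, not the underlying exposure.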


Update 2/2/17:
You can also order a free SSL Certificate from Let's Encrypt, which is run by a nonprofit called the Internet Security Research Group (ISRG). You can obtain the certificate itself for free, although not all hosting companies currently support it. There is also a cPanel plugin available (for hosting companies) so that their users can issue and install the certificates themselves!

Is Let's Encrypt suitable for eCommerce / Authorize.net connections?
I am still waiting for a good answer to this. The fact that Let's Encrypt certificates are "free" could possibly make them inferior to a commercial SSL in terms of a business owner's liability. We'd love to hear feedback on this issue. For now, our thinking is that anyone doing eCommerce should be buying an SSL certificate so that it's properly paid for and commercially backed. The thinking is similar to when you use a free email account: you have fewer rights compared to using a paid email account. For blogs that just want the https connection, a free SSL certificate should be fine. It all depends on what's actually going on behind the site; if it's an attractive target, hackers will put out the effort...


Update 2/3/17:
Response from my hosting company, InMotionHosting:
Thank you for contacting Support. We're happy to help. Unfortunately we do not have an ETA for the possibility of working with Let's Encrypt; however, as suggested, on VPS and Dedicated servers AutoSSL is available, and although it works with Comodo SSL, it allows access to these free of charge, just like Let's Encrypt. In fact, the main difference between these two services is who the certificates are validated through. I've included a link to cPanel's official blog release regarding this. These certificates should in most cases be suitable for authorize.net accounts; however, you would need to contact their support to confirm, as we do not have access to their criteria. I hope this information helps.


Commentary:

  • Part of me thinks this is a good idea, as unencrypted login forms are inherently unsafe: the passwords are transmitted in clear text. The other part of me feels like this is a dirty way to sell more SSL certificates.
  • I don't really have anything particularly important behind my website, so for now, I'm probably going to go with option two. In the screenshot provided above, Google indicates that there is a long-term plan to mark ALL pages served over "http" as "Not Secure." If and when this day comes, I'll likely cave and buy that SSL certificate after all.

Last modified on Friday, 02 December 2022 19:32
