Topic: Bitcointalk https is not staying secure (Read 1990 times)

legendary
Activity: 2058
Merit: 1431
March 21, 2012, 11:54:22 AM
#13
Quote
I think if any page links to anything other than http:// then it isn't considered secure. All links must be https:// for the green lock.

Insecure links are OK; insecure content (scripts, images, style sheets) is not.
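
The distinction drawn in the post above (hyperlinks to http:// do not affect the padlock, subresources loaded over http:// do) can be checked mechanically. The following is an added example, not part of the thread or of the forum software: a small scanner for a page served over https://. The sample markup and host names are constructed placeholders, and the active/passive split follows the usual browser categorisation of mixed content.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource while rendering.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "audio": "src", "video": "src", "embed": "src"}
# Passive content can only change what is displayed; the rest can script or restyle the page.
PASSIVE_TAGS = {"img", "audio", "video"}


class MixedContentFinder(HTMLParser):
    """Collect http:// subresources referenced by a page served over https://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheet links are fetched for rendering; rel=canonical etc. are not.
            rels = attrs.get("rel", "").lower().split()
            url = attrs.get("href", "") if "stylesheet" in rels else ""
        else:
            # <a href> is deliberately absent: a hyperlink is not loaded with the page.
            url = attrs.get(FETCHING_ATTRS.get(tag, ""), "")
        if url.strip().lower().startswith("http://"):
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((kind, tag, url.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample of a topic page; all hosts are placeholders.
SAMPLE_TOPIC = """
<link rel="stylesheet" href="https://forum.example/theme.css">
<a href="http://other.example/article">plain link in a post</a>
<img class="avatar" src="http://images.example/avatar.png">
<img src="https://forum.example/smiley.gif">
<img src="//cdn.example/relative.png">
<script src="http://stats.example/counter.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_TOPIC):
        print(f"{kind:7} <{tag}> {url}")
```
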
member
Activity: 221
Merit: 10
March 20, 2012, 11:21:10 PM
#12
I think if any page links to anything other than http:// then it isn't considered secure. All links must be https:// for the green lock.
legendary
Activity: 2058
Merit: 1431
March 20, 2012, 08:28:47 PM
#11
Even only sending the html via https is still better than everything via http.
Quote from: YOUR BROWSER
However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
was it that hard to find?
newbie
Activity: 4
Merit: 0
March 20, 2012, 04:29:12 PM
#10
The most important thing that you want SSL to protect is your password and cookie. An attacker who MITMs you (for example, at a public wifi AP) could take control of your account otherwise. The way SSL currently works on the site, those should be secure. I have avatars turned off and only lose the padlock when external images are included in a post, so this is most likely the cause.

To an extent, that's a privacy issue, since an attacker could get some idea of the content you are reading from the images. On the other hand, they can read the forum for themselves. They could also look at who posts every time you are connecting to the site. With enough data points, they could narrow it down to your username. The only effective defense against someone in that position would be to publish posts at random time intervals after submitting them.
administrator
Activity: 5166
Merit: 12850
March 20, 2012, 12:04:07 AM
#9
Yeah, it's avatars and stuff. Nothing to be worried about.
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
March 19, 2012, 11:30:55 PM
#8
Avatars sounds like one good reason.
In Opera, if I open a new site, banking.bs, the degraded security persists. Chrome is not quite the same, https returns, maybe because of process separation.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 19, 2012, 11:25:44 PM
#7
I, too, have been getting that red line through the https:// part of the URL.

~Bruno~
full member
Activity: 196
Merit: 100
March 19, 2012, 11:21:02 PM
#6
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest Chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.

Is this a site issue, a certificate issue, or a browser issue?


This is what Chrome tells me when I check the certificate, and I see the same lock; it has a yellow triangle for a warning on it no matter the page.

Quote
Your connection to bitcointalk.org is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

The connection uses TLS 1.0.

The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

The connection is compressed with DEFLATE.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
March 19, 2012, 11:19:54 PM
#5
Quote
Could it be avatars? It appears the forum software does not host them locally, but simply redirects to the original site hosting the image.

That would be it. There is an option for local storage, but no one seems to use it.
donator
Activity: 1218
Merit: 1015
March 19, 2012, 11:18:55 PM
#4
Could it be avatars? It appears the forum software does not host them locally (unless it was uploaded from PC, not URL), but simply redirects to the original site hosting the image.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
March 19, 2012, 11:17:35 PM
#3
Quote
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest Chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.

Is this a site issue, a certificate issue, or a browser issue?

I am assuming that you mean you lose the padlock icon, or the blue bar? That could be caused by loading external images from non-secure sites. Or do you mean it actually switches between https:// and http:// ? I haven't seen that happening.
donator
Activity: 1218
Merit: 1015
March 19, 2012, 11:14:48 PM
#2
Experiencing something similar. "Some resources" are not secure when in a topic. I'm guessing it's an irrelevant alert, but would be nice to know.
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
March 19, 2012, 11:12:53 PM
#1
When first landing at the website https is good, secure. As I drill down to post into a topic it becomes normal or insecure. With the latest Chrome 18 it is fine until in a topic, then https is lost, backing out and refreshing 'secure' returned, enter topic, https is lost. Chrome 17 and Opera 11.61, once you drill down into a topic, the https is lost; up one directory, refreshing does not return https, it remains insecure.

Is this a site issue, a certificate issue, or a browser issue?