Mayor

Pro Plan - Password Protect Browser Security Alert

Until Weebly makes SSL available in the Pro Plans it appears that both Chrome and Firefox will generate a "Security Alert" when using the Weebly "Password Protect" option!!

Users selecting a protected page will see the following when the log-in page loads...

Google Chrome: [screenshot: unsafe1.JPG]

Firefox: [screenshot: unsafe2.JPG]

Does any Mod have any update regarding the provision of SSL for Pro Plans?

8 REPLIES
Community Manager Community Manager

Re: Pro Plan - Password Protect Browser Security Alert

I don't have any update yet, unfortunately. I wasn't aware that our password protection was defaulting to SSL on non-business sites, though. Let me see what I can find out about this, @NJRFTF

- Adam
Community Manager
Mayor

Re: Pro Plan - Password Protect Browser Security Alert

@Adam

Adam - it's not defaulting to SSL - Google Chrome and now Firefox as well are moving to a more secure web...

"Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS."

This is the main reason why Wix and others have moved to SSL by default for all of their websites regardless of plan level - coming soon in Chrome and Firefox EVERY HTTP page will be labelled as non-secure and carry the red triangle that Chrome currently uses to indicate broken HTTPS.
Community Manager Community Manager

Re: Pro Plan - Password Protect Browser Security Alert

Oh, so you changed it to https manually? We're definitely working on changes as a result of Google and other browsers, so I don't expect things to stay as they are now.

- Adam
Community Manager
Mayor

Re: Pro Plan - Password Protect Browser Security Alert

@Adam

No - I didn't change anything!!

Here's a link to a blank page that I have put a Weebly password on - it is on Pro plan and is a regular HTTP page with of course no SSL.

http://www.njrunforthefallen.org/401/login.php?redirect=/browser-check.html

Try opening that page with the latest Firefox and Chrome browsers and you will see the "not secure" warnings - Chrome in the browser bar and Firefox in the log-in box!!

EVERY Weebly password protected page on every Weebly website (except Business plans that have implemented SSL) will show the "Not Secure" warnings on the latest Chrome and Firefox versions when served as HTTP. The browser is detecting the presence of any form field that is either a password field or Credit Card field and will then display the warning...

Here's the Chrome Console warning: [screenshot: unsafe3.JPG]

Community Manager Community Manager

Re: Pro Plan - Password Protect Browser Security Alert

Ahh! Check the settings you have in Chrome/Firefox and see if it has something that tells it to always use HTTPS.

- Adam
Community Manager
Mayor

Re: Pro Plan - Password Protect Browser Security Alert

@Adam

Adam - this has nothing to do with a "user" option - this is down to the "host" - please read this extract from Google Developers: https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Resolve warnings

To ensure that the Not Secure warning is not displayed for your pages, you must ensure that all forms containing <input type=password> elements and any inputs detected as credit card fields are present only on secure origins. This means that the top-level page must be HTTPS and, if the input is in an iframe, that iframe must also be served over HTTPS.

Warning: It is NOT sufficient to place an HTTPS iframe inside a HTTP page; the top-level page itself must be HTTPS as well.

If your site overlays an HTTPS login frame over HTTP pages...

[image: An example HTTPS log in over HTTP]

...you will need to change the site to either use HTTPS for the entire site (ideal) or redirect the browser window to an HTTPS page containing the login form:

[image: An example HTTPS log in over HTTPS]
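
The rule in the Google Developers extract quoted above, as an added example that is not part of the thread and is not Weebly's or Google's code: a Python audit that scans saved HTML for password and card inputs and reports any that sit outside a fully HTTPS page. Treating `autocomplete="cc-*"` as the card-field signal, treating only `https` URLs as secure, and the `example.test` pages are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormScan(HTMLParser):
    """Collect sensitive inputs and iframe sources from one HTML document."""
    def __init__(self):
        super().__init__()
        self.fields, self.frames = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            kind = (a.get("type") or "").strip().lower()
            auto = (a.get("autocomplete") or "").strip().lower()
            if kind == "password":
                self.fields.append("password")
            elif auto.startswith("cc-"):  # assumption: stand-in for card detection
                self.fields.append(auto)
        elif tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def audit(top_url, documents):
    """documents maps URL -> saved HTML. Returns [(url, field, reason), ...]."""
    findings, seen = [], set()
    def walk(url, parents_secure):
        if url in seen:  # guard against frames that include each other
            return
        seen.add(url)
        scan = FormScan()
        scan.feed(documents.get(url, ""))
        for field in scan.fields:
            if not is_https(url):
                findings.append((url, field, "served over HTTP"))
            elif not parents_secure:
                findings.append((url, field, "HTTPS frame inside an HTTP page"))
        for src in scan.frames:
            walk(urljoin(url, src), parents_secure and is_https(url))
    walk(top_url, True)
    return findings

# Constructed sample pages (example.test is a placeholder host).
PAGES = {
    "http://example.test/401/login.php": '<form><input type="password" name="p"></form>',
    "http://example.test/home": '<iframe src="https://example.test/frame"></iframe>',
    "https://example.test/frame": '<form><input type=password></form>',
    "https://example.test/secure": '<iframe src="/frame"></iframe>',
}
```

Calling `audit(url, PAGES)` with each top-level URL shows the three cases from the extract: a plain HTTP login page, an HTTPS login frame over an HTTP page, and an all-HTTPS page with no findings.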

Community Manager Community Manager

Re: Pro Plan - Password Protect Browser Security Alert

I updated my version of Chrome and saw what you mean. Chrome is basically saying that the page isn't secure even though it's not even attempting to load over SSL; including a password field on a page is all it takes now.

I'm going to send you a PM about this, @NJRFTF - one moment.

- Adam
Community Manager
Mayor

Re: Pro Plan - Password Protect Browser Security Alert

Exactly - and they are aiming soon to simply apply the insecure warning to every page served HTTP regardless of content...

Read your PM - thank you very much for the assistance Adam....