Pro Plan - Password Protect Browser Security Alert

NJRFTF · ‎03-20-2017

Until Weebly makes SSL available in the Pro Plans it appears that both Chrome and Firefox will generate a "Security Alert" when using the Weebly "Password Protect" option!!

Users selecting a protected page will see the following when the log-in page loads...

Google Chrome

Firefox

Does any Mod have any update regarding the provision of SSL for Pro Plans?

Adam7 · ‎03-20-2017

I don't have any update yet, unfortunately. I wasn't aware that our password protection was defaulting to SSL on non-business sites, though. Let me see what I can find out about this, @NJRFTF.

NJRFTF · ‎03-20-2017

@Adam

Adam - it's not defaulting to SSL - Google Chrome and now Firefox as well are moving to a mores secure web...

"Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS."

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

This is the main reason why Wix and others have moved to SSL by default for all of their websites regardless of plan level - coming soon in Chrome and Firefox EVERY HTTP page will be labelled as non-secure and carry the red triangle that Chrome currently uses to indicate broken HTTPS.

Adam7 · ‎03-20-2017

Oh, so you changed it to https manually? We're definitely working on changes as a result of Google and other browsers, so I don't expect things to stay as they are now.

NJRFTF · ‎03-20-2017

@Adam

No - I didn't change anything!!

Here's alink to a blank page that I have put a weebly password on - it is on Pro plan and is a regular HTTP page with of course no SSL.

http://www.njrunforthefallen.org/401/login.php?redirect=/browser-check.html

Try opening that page with the latest Firefox and Chrome browsers and you will see the "not secure" warnings - Chrome in the browser bar and Firefox in the log-in box!!

EVERY weebly password protected page on every weebly website (except Business plans that have implimented SSL) will show the "Not Secure" warnings on the latest Chrome and Firefox versions when served as HTTP. The browser is detecting the presence of any form field that is either a password field or Credit Card field and will then display the warning...

Here's the Chrome Console warning

Adam7 · ‎03-21-2017

Ahh! Check the settings you have in Chrome/FireFox and see if it has something that tells it to always use HTTPS.

NJRFTF · ‎03-21-2017

@Adam

Adam - this has nothing to do with a "user" option - this is down to the "host" - please read this extract from Google Developers: https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Resolve warnings

To ensure that the Not Secure warning is not displayed for your pages, you must ensure that all forms containing <input type=password> elements and any inputs detected as credit card fields are present only on secure origins. This means that the top-level page must be HTTPS and, if the input is in an iframe, that iframe must also be served over HTTPS.

Warning: It is NOT sufficient to place an HTTPS iframe inside a HTTP page; the top-level page itself must be HTTPS as well.

If your site overlays an HTTPS login frame over HTTP pages...

...you will need to change the site to either use HTTPS for the entire site (ideal) or redirect the browser window to an HTTPS page containing the login form:

Adam7 · ‎03-21-2017

I updated my version of Chrome and saw what you mean. Chrome is basically saying that the page isn't secure even though it's not even attempting to load over SSL; including a password field on a page is all it takes now.

I'm going to send you a PM about this, @NJRFTF - one moment.

NJRFTF · ‎03-21-2017

Exactly - and they are aiming soon to simply apply the insecure warning to every page served HTTP regardless of content...

Read your PM - thank you very much for the assistance Adam....

Heirloom_Angel · ‎03-31-2017

So glad I checked in and read this!

Am I correct in stating that this WILL affect every page not having SSL? If not, I apologize. I am wondering if this will be taken care of for all Weebly accounts.

@Adam- Can you answer that one for me, please?

Thanks in advance!

Heirloom_Angel · ‎04-04-2017

So glad I checked in and read this!

Am I correct in stating that this WILL affect every page not having SSL? If not, I apologize. I am wondering if this will be taken care of for all Weebly accounts.

@Adam- Can you answer that one for me, please?

Thanks in advance!

Adam7 · ‎04-04-2017

Every password-protected page, or just every page in general? I do expect this resolved once we have a solution in place to provide SSL for non-business sites.

Heirloom_Angel · ‎04-11-2017

@Adam wrote:
Every password-protected page, or just every page in general? I do expect this resolved once we have a solution in place to provide SSL for non-business sites.

Adam - Sorry! I re-read the statement that was released and understand it now. Must have needed more coffee the first time. Thanks.

Adam7 · ‎04-12-2017

That's ok! I pretty much always need more coffee.