
Safari's "Not Secure" Warning

Trevor Hewson
I see that my own website (bartonhewsons.uk) and this AUG Wessex one are now adorned with this slightly sinister addition in the address bar when browsing using Safari.

It seems that this is to warn users that any information sent via the site, e.g. by filling in a form, will be sent unencrypted. However, since there are no such forms on my site, this seems a bit unnecessary and might make users think that the site is dangerous to browse and riddled with malware of some sort.

No doubt modifying my site to get rid of the warning (and gain the https prefix) would cost real money? I'd be interested to hear what others (including AUGWessex) might plan to do about this, if anything.

Re: Safari's "Not Secure" Warning

Mick Burrell
I don't get that warning here or on your site, Trevor.

Re: Safari's "Not Secure" Warning

Douglas Cheney
I do on version 12.1 of Safari for the club site.

Re: Safari's "Not Secure" Warning

Trevor Hewson
Yes, I believe it's a new 'feature' of Safari. Could it be that our chairman isn't up to date? :)

Re: Safari's "Not Secure" Warning

Mick Burrell
That's probably it - I'm running 12.0.3. But I'm not offered an update - yet!

Re: Safari's "Not Secure" Warning

Mick Burrell
Just checked and Mojave 10.14.4 is available though I've not been pestered to install it 😉. In the notes for Safari it says "Adds a warning when an insecure web page is loaded".

I'm guessing that there's nothing wrong with our web site, i.e. it's not riddled with nasties, but what are Apple's criteria for marking it "insecure"? No doubt Chris will find out and make any necessary changes - it may be as simple as the certificate needing to be updated or it may be the site is marked if it's not using https (which of course it may not need to). I suspect there will be lots of people panicking when almost every site they visit is deemed insecure!

Re: Safari's "Not Secure" Warning

Douglas Cheney
I am running OS 10.13.6 and an update for Safari came up and also a security update as well on the App Store.

Re: Safari's "Not Secure" Warning

Mick Burrell
Yes, it's available for the latest version of Sierra too but Mojave needs to be v4.

Re: Safari's "Not Secure" Warning

Mick Burrell
Chris is changing all pages of the site to use SSL but you'll notice that the login page where you enter data does not say insecure - that's always used SSL.

Re: Safari's "Not Secure" Warning

Tony Still
The website is considered "non-secure" because it is using HTTP, not HTTPS, meaning that communication is not encrypted.

Trevor observed that his website does not have any forms so there is no risk to user information: this is true as far as it goes. However, the encryption serves more than one purpose. The main risk here is that the website could be being impersonated by a malicious player, a so-called "man in the middle" attack. This is a more sophisticated version of sending someone a fake link that leads to a lookalike web site: in this case, the real address leads to a fake website. The HTTPS protocol uses encryption to validate that the browser is connected to the genuine website (assuming that you used the genuine address).

A fake website would be able to steal data or send fake data/malware. The risk is not generally considered great as it's much harder to create this sort of attack than just to send a malicious link. However, there is a general move towards making the web more secure and this is a part of it.

As to costs, I know that my hosting company offers an https certificate as part of all its packages but I have yet to investigate using it.

Re: Safari's "Not Secure" Warning

Trevor Hewson
Thanks. Unless Mick does it first, I’ll contact my hosting company (Easily) and report back in due course.

Re: Safari's "Not Secure" Warning

Trevor Hewson
Okay, here's what I received back from Easily:

"Thank you for contacting Easily support.

We suggest that you install SSL certificate on your website. Please find more information at the link below.
https://supportportal.zendesk.com/hc/en-us/sections/360002097673-SSL-Manager

Please let us know if we can be of further assistance."

The link seems to be a FAQ page for an app. After a bit more digging, I think the app is 'SSL Manager' from SSL.com. There's no hint of charges for the app but a mention that you need to set up a customer account. Eventually, I found an indication of charges of about $40 p.a.

I don't think I'm ready to blaze this particular trail at the moment!

Re: Safari's "Not Secure" Warning

Lionel Ogden
Another feature of Mojave 14.4 I noticed was that my printer did not work after installation and HP do not have an updated driver for that version of macOS.