Page trying to load scripts from unauthenticated sources



DaleB
05-04-2018, 05:00 PM
Every time I visit the EAA forums, I get an "Insecure content blocked" message from Chrome, and the page loads as plain text with no images, theme, etc. I suspect it's complaining about this:


<script type="text/javascript" src="http://eaaforums.org/clientscript/vbulletin-core.js?v=424"></script>

If I tell it to load the unsafe scripts, the page looks normal but the URL bar tells me the site is not secure.
Am I the only one?

cwilliamrose
05-04-2018, 08:40 PM
Firefox 59.0.3 is not giving me any problems with this site.

DBurr
05-04-2018, 09:41 PM
No problems here with Chromium 66.0.3359.139 build on Linux. I suspect it has to do with the EAA site not using encryption with an HTTPS URL and associated certificate, and your browser set up to flag unencrypted websites.

DaleB
05-05-2018, 07:58 AM
No problems here with Chromium 66.0.3359.139 build on Linux. I suspect it has to do with the EAA site not using encryption with an HTTPS URL and associated certificate, and your browser set up to flag unencrypted websites.
I think so too. Note that it's an HTTPS URL with a valid cert and encryption, but then it has a link to an unencrypted http URL to load some accursed JavaScript. Odd that it just started doing this a week or two ago; it's a recent problem. Don't know if it was a change on the EAA side, or a Chrome update that did it.

DBurr
05-05-2018, 12:16 PM
Are you running a developer version of Chrome? For better or worse, starting in July Chrome 68 will begin flagging all http: sites as insecure as part of Google's push for end-to-end web encryption:

https://techcrunch.com/2018/02/08/chrome-will-soon-mark-all-unencrypted-pages-as-not-secure/

There's a lot of web politics for and against this, but the end result is going to be a lot of web brokenness for a while as sites like this slowly get around to fixing all their issues--like the one you just found.

DaleB
05-05-2018, 12:41 PM
Nope. Chrome 66.0.3359.139 (Official Build) (64-bit)

Personally, I think requiring SSL everywhere is ridiculous. Yes, if there's PII, passwords, account numbers, etc. in transit, then absolutely it's needed. But for the other 99.99% of the average person's web browsing, it's simply not.

Take for example vansaircraft.com, or fisherflying.com, or - well, take your pick. SSL serves no useful purpose. If you want to encrypt everything, great -- but it shouldn't be a requirement. I have a personal web page, running on my own server, that has absolutely no facility for anyone to provide any personal information. No accounts, no logins, no nothing. Why should I have to pay for SSL certs, just to make Google happy? I couldn't care less if Google is happy.

Rant off. :)

DBurr
05-06-2018, 11:48 AM
Preaching to the choir :) Not sure why my personal build-log website composed entirely of static pages needs an SSL certificate, but apparently it does or I'm flagged as a miscreant.

DaleB
05-08-2018, 10:50 AM
Interested to hear from someone on the EAA side -- do you guys have any plans to fix this? It looks like just a matter of having a non-SSL URL calling scripts in an SSL page. It's a little annoying to have to load scripts manually every time the page loads.

Sam Oleson
05-08-2018, 11:26 AM
Hi Dale,

At this point, we're not experiencing any issues with the problem you described. I am also running the Forums page on Chrome and it seems to be working fine. If we plan on making any changes to the Forums website, we'll let you know.

Thanks.

FlyingRon
05-09-2018, 08:04 AM
I'm sorry, Sam. But it is indeed broken NOW and on nearly every page of the site. Chrome marks these pages as unsafe. There are a few URLs that have "HTTP:" hardcoded in them in the protocol, both icons (which will also annoy Chrome's security sensibility) but also some of the scripts such as this line:

<script type="text/javascript" src="http://eaaforums.org/clientscript/vbulletin-core.js?v=424"></script>

DaleB
05-09-2018, 01:55 PM
Indeed. You may not see the brokenness, but it is broken. It could very easily be fixed by either changing the URL to https, or using a relative rather than absolute URL (/clientscript/vb....). Either one would work. Or you could just wait until your system catches up on patches and starts complaining too, then figure it out.
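
An added example (not part of any post in this thread, and not EAA or vBulletin code): a small audit script that finds the http:// subresources discussed above in an HTTPS page and returns the relative-URL or https fix suggested in the post above. The page URL https://eaaforums.org/ and every sample line except the vbulletin-core.js script tag are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_TAGS = {"script", "iframe"}        # executable content, like vbulletin-core.js
PASSIVE_TAGS = {"img", "audio", "video"}  # images and media, like the icons mentioned

def suggest_fix(parts, page):
    # The two fixes proposed in the thread: a relative URL, or https.
    tail = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    if parts.hostname == page.hostname:
        return tail                            # same host: root-relative inherits https
    return "https://" + parts.hostname + tail  # other host: it must really serve https

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page = urlsplit(page_url)
        self.findings = []                     # (kind, tag, original URL, suggested URL)

    def handle_starttag(self, tag, attrs):
        if self.page.scheme != "https":
            return                             # a plain http page has no mixed content
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag in ACTIVE_TAGS or (tag == "link" and "stylesheet" in rel):
            kind = "active"
        elif tag in PASSIVE_TAGS or (tag == "link" and "icon" in rel):
            kind = "passive"
        else:
            return                             # e.g. <a href>: navigation, not a subresource
        parts = urlsplit(a.get("href" if tag == "link" else "src") or "")
        if parts.scheme == "http" and parts.hostname:
            self.findings.append((kind, tag, parts.geturl(), suggest_fix(parts, self.page)))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: only the first <script> line is quoted from the thread.
SAMPLE = """
<script type="text/javascript" src="http://eaaforums.org/clientscript/vbulletin-core.js?v=424"></script>
<script src="/clientscript/other.js"></script>
<img src="http://eaaforums.org/images/icon.png">
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<a href="http://example.com/">plain link</a>
"""
for finding in find_mixed_content("https://eaaforums.org/", SAMPLE):
    print(*finding, sep="  ")
```

Run against the same markup with an http:// page URL, it reports nothing, since mixed content only exists on a page that was itself loaded over HTTPS.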


Sam Oleson
05-10-2018, 09:47 AM
We'll check in with our IT team to see if they have a suggestion for a fix. Might I suggest loading our Forums page in a different browser in the meantime?

wmgeorge
05-15-2018, 08:48 AM
I just posted about my slow EAA site, and this is the only one when I am typing it's impossible. See my post.

DaleB
05-20-2018, 09:14 AM
I see we're now back to non-SSL, and no more warning messages. :)

DaleB
05-20-2018, 10:16 PM
Sigh... now if only I didn't have to log in every single time I restarted my web browser.

PaulDow
05-30-2018, 04:55 PM
Why should I have to pay for SSL certs, just to make Google happy? I couldn't care less if Google is happy.
I use letsencrypt.org for the chapter 1310 site. It's free, and cPanel automatically handles the renewal.
After I set the redirection to https, I haven't had to do anything.

I care if Google isn't happy. They know everything about everyone. Even more than FB ;-)

FlyingRon
05-31-2018, 06:29 AM
It's not to make "Google happy". Not having the certs invalidates the whole point of SSL and many browsers will complain. Google is just more annoying about it than others.