Warning message about sl113 site...

[Tom Colitt]

Hi Peter

I didn't find any address to contact the webmaster, so I am posting this warning message that my Firefox browser just showed me when I tried to visit the sl133 site:

Regards, Tom Colitt


Your connection is not secure

The owner of www.sl113.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Learn more…

Report errors like this to help Mozilla identify misconfigured sites

[Peter van Es]

Hi Tom,

Firefox and other browsers are now encouraging website owners to use https:// instead of http:// links. They've started issuing these sort of warnings to encourage users to force websites to change over.

The advantage of https (or a secure connection) is that all data you exchange with sl113.org is encrypted. Currently we do not support this yet fully. When you renew your subscription, the payment is handled by PayPal which does use a secure https connection. The only bit of data that can pass unencrypted is your password. As long as you use a strong password, and password that you do not use elsewhere, you are ok.

In order to support https:// connections, we need to do a few things:

• buy a certificate for sl113.org and Pagoda SL Group. Without such a certificate the authenticity of the website cannot be validated, and Firefox et al would still display warnings, such as you have reported. We currently have a so-called "self-signed" certificate. Such a certificate costs money, several hundred $ per annum. Acquiring one is a board decision.
• modify part of the software. This is not a huge issue, but it takes effort, and testing. The problem is that some parts of the site are sourced from an unprotected part of the internet (notably graphics, layout elements, and javascript functions). Firefox (and other browsers) prevents these from loading when accessing the site through https:// connections.
• time for the above. I currently do not have this available, until at the earliest october. I'm in the middle of moving between houses.

Note that we have not changed the site. It not suddenly less secure, than it has ever been. We've always taken your privacy and security as very important. That's why we've upgraded and moved the site last year. We have not had password break-ins or leaks.

There are two work-arounds:

• use http:// to access sl113.org (i.e. do not use a secure connection)
• add our self-signed certificate to your exception list, telling your browser to accept it

On Firefox, when you get this message, click Advanced:

• On sites with a weak encryption you will then be shown an option to load the site using outdated security.
  
• On sites which certificate cannot be validated, you might be given the option to add an exception.

The second option will be presented and you can add sl113.org to the exception list.

Peter

[Tyler S]

This started with the most recent release of Firefox. If you go into firefox settings you can add an "exception" in the security settings. This will rid the popup and allow you to connect. You can also set your security settings to "moderate". You will still get a popup but it will ask you if you want to connect to the site instead of denying you.

[Tom Colitt]

Thank you, gentlemen. I will simply add the exception seeing as I am visiting a "trusted" site. As long as visitors know the reason for the warning, I'm sure the certificate will not be necessary.

It looks like I have missed some big changes to the site. Congratulations. I will try to be more active :-)

Regards, Tom

[ghenne]

Going to https is a good idea - I expect all browsers to start enforcing this in the near future.

The signing certificate does not need to cost several hundred dollars, though there are companies scamming that much for the service. You can get one for as little as $4.99/yr from https://www.ssls.com/.

You can even get them for free from https://letsencrypt.org/, but I believe they need to be renewed more often.

[Peter van Es]

You are right, there are free and low-cost services. Of those "Let's Encrypt" looks like the most trustworthy ones.

I still do not have the time to address this now. Ghenne, would you have the capability and the time?

Peter

[Peter van Es]

Dear members,

I’ve made the changes. We have a (free) Let’s Encrypt certificate, which gets renewed automatically every month.

If you access the site it should automatically get to a secure link: https://www.sl113.org (note the 's' after the http)

The Let's Encrypt certificate authenticates the site so that your browser knows that the site is indeed sl113.org and that the encrypted communication is secure. You may need to refresh the browser cache to refresh it. You can inspect the certificate.

I've had to make some changes, but mostly they were simple. I haven’t checked the renewal or payment process yet… so I’ll monitor that for the next couple of days.

If you spot anything not working (e.g. images or video’s or whatever) take a screen shot and mail it admin@sl113.org so I can fix it!

Peter