Author Topic: "Not secure"?  (Read 57230 times)

Calilasseia

  • Cryptoverbalist
  • *
  • Posts: 522
  • Pass the dissection kit ...
Re: "Not secure"?
« Reply #15 on: February 24, 2017, 09:28:16 PM »
Quote
Cal,

You beat me to it, I was just about to make a similar post in which the wording would have been almost identical.
But just for the benefit of the poor souls out there who are not quite as computer literate as we are, could you please clarify that at the end of the day we don't have too much to worry about?

But seriously, when I purchased this computer, it came with Norton security, is that all I need as I keep getting suggestions from other companies that my computer is at risk.

Thanks Les.


This bit of my post above:

Suffice it to say that HTTPS keeps all but the seriously determined and expert miscreants at bay. If you have reason to suspect that some of those expert miscreants are targeting you, then you'll have already hired the people with the tools to keep them out, and spent a lot of money militarising your system. Indeed, some of those expert miscreants end up being recruited to switch sides, and put their knowledge to use keeping other miscreants frustrated - "it takes a thief to catch a thief" and all that.


should provide the reassurance you need. :)
Remember: if the world's bees disappear, we become extinct with them ...

Les303

  • Guest
Re: "Not secure"?
« Reply #16 on: February 24, 2017, 09:54:29 PM »
Thanks for that.

TRex

  • Eulexic
  • ***
  • Posts: 2038
  • ~50 miles from Chicago, in the Corn (maize) Belt
Re: "Not secure"?
« Reply #17 on: February 25, 2017, 06:33:11 AM »
I think there has been some misinformation posted here.

First, the World Wide Web and the Internet are not synonymous. The Internet (begun in 1969 but not called 'Internet' until 1984) predates the World Wide Web (created by Sir Timothy Berners-Lee in 1989) by quite a few years and has been publicly accessible from the start. The HTTP/HTTPS protocols used by the World Wide Web are but two of many protocols used by the Internet (others include FTP [File Transfer Protocol], POP [Post Office Protocol], SMTP [Simple Mail Transfer Protocol], NTP [Network Time Protocol], etc.).

Second, HTTP/HTTPS headers do not route the packets of information being sent across the Internet — they define how the connection between a website and a web browser will function. (For more information, see List of HTTP header fields.) The Internet uses TCP/IP (Transmission Control Protocol / Internet Protocol): a standard for sending 'packets' of information across the Internet. TCP/IP packets contain headers which route the packets from sender to destination. In each packet, information follows the header, including a numbering of each packet. If the packet is from a website the HTTP/HTTPS headers will be in the information which follows the TCP/IP header. If a website needs to send 500 packets to the requesting web browser to send an entire page, the packets will be numbered 1 to 500. All the packets in a transmission will not necessarily take the same path. One of the great things about TCP/IP is that a server receiving a packet which it will relay to another server (it is quite common for a transmission to go through 20 or more servers before it reaches its destination) is free to 'choose' which server is to receive the packet for relay, based on how busy other servers are at the moment. The recipient uses the numbering of the packets to reassemble the transmission in the proper order. If there are missing packets from the transmission, the recipient sends back a message to the transmitter effectively saying, 'please retransmit packets numbered [whatever]' instead of requiring the entire transmission to be resent.¹

Third, there are no 'backbone servers' routing requests to the proper destination. There is a 'backbone' to the Internet: Tier One providers who have huge amounts of bandwidth (Tier Two providers have less bandwidth; Tier Three providers even less). Those huge amounts of bandwidth are the 'backbone'. Sometimes (erroneously), the root name servers which are authoritative servers for the Domain Name System (DNS) are called 'backbone servers'.

Because computers have to use zeroes and ones, but humans cannot deal in binary, DNS exists. Every ISP has at least one DNS server and there are a number of free DNS servers available. So, for example, if you want to use your web browser to go to www (dot) cnn (dot) com, you can just type the characters into the web browser's address field (no, you don't have to enter it in Google's search field and then click on Google's link to CNN!). Your computer will contact a DNS server and ask it for the IP address for www (dot) cnn (dot) com. If that DNS server has the address, it gives it to your computer and then your computer can then reach out to that IP address. If it doesn't have the address, it will contact another DNS server to see if it has the address and that will continue until the IP address for CNN is located. If necessary, the request might go all the way to one of the root name servers (there are thirteen in the world as of now), but the IP address will be sent back to your computer so your computer can reach out to CNN.

As of this writing, the IP address for www (dot) cnn (dot) com is (in decimal format) 151.101.64.73, but of course, a computer uses binary which is 100101111100101100000001001001 — I doubt anyone would prefer to enter that or even the decimal format instead of www (dot) cnn (dot) com!!

Finally, the push for HTTPS instead of HTTP is primarily because of the snooping by the 'Five Eyes'. That it makes 'injection attacks' (intercepting communication between a web browser and website and adding malicious content for nefarious purposes) more difficult is a secondary issue. A web server which has been improperly configured or running software for which a security flaw has been discovered is still vulnerable to injection attacks even if using HTTPS. Injection attacks have been going on for years, but the push for HTTPS did not start until the Snowden revelations.

_______
¹ Because the Internet was designed to not care about the order packets are received, information being 'streamed' uses a 'buffer' which is designed to allow time for out-of-order packets to be received and resequenced — receiving a voice message out-of-order wouldn't work very well!

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4961
  • Melbourne, Australia
Re: "Not secure"?
« Reply #18 on: February 25, 2017, 12:10:31 PM »
Les, I found a few very recent queries online from people who had seen the same message you saw - "Suspicious link. This link leads to an untrusted site." Many of these people were also clicking on a confirmation link as part of a user registration process. All of these people were using Gmail as their email system. Were you perhaps using Gmail, Les?

Gmail - Google again! Am I getting paranoid about Google, or is it the big G that's getting paranoid?

To test this out, I tried creating a new Chihuahua user ID, giving a Gmail address for the email. The confirmation message was hidden away in the Spam directory, but when I eventually found it and clicked on the link, I didn't get the same warning message. But maybe this warning is an innovation that Google is rolling out to its Gmail accounts in stages - perhaps to see how much consternation it causes.

I think it's well known in security circles that an over-zealous security alert policy runs the risk that people will start completely disregarding all warnings. It may be the case that any security warning you see while trying to use the Chihuahua site will almost certainly be something you can safely disregard, but I'm certainly not going to advise people to automatically disregard all such warnings - at the Chi site or anywhere else. Unfortunately we all have to make our own judgements about how to react to such messages, even though most of us are in no position to make an informed decision.

Les, regarding your question about shutting down the computer, have you noticed sign-in problems only occur immediately after you re-start the computer? If so, do you normally keep Chrome running all the time when the computer is on? If the answer to both questions is yes, it might be worth checking your cookie settings. If the setting is to "Keep local data only until you quit your browser", this would interfere with automatic signing in to both Chihuahua and the forum.

To check this, click on the three vertical dots near the top right of the screen, then click on "Settings", then at the bottom of the screen click on "Show advanced settings...", then by scrolling down a bit you will see a button labeled "Content settings..." - click this and finally you will see the Cookies options. For automatic signing in to work, you need to have the top option selected, "Allow local data to be set (recommended)". (I would also tick the box labeled "Block third-party cookies and site data", but this is about protecting your privacy from advertisers, so it is not a great concern for Google.)
Alan Walker
Creator of Lexigame websites

Les303

  • Guest
Re: "Not secure"?
« Reply #19 on: February 25, 2017, 12:55:11 PM »
Yes Alan,
I do use Gmail & you're a bloody genius as when I eventually found these three insignificant looking little dots tucked away in the corner, I was not only able to adjust my cookie settings as recommended but also found several other useful settings that I had no idea were even available.

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4961
  • Melbourne, Australia
Re: "Not secure"?
« Reply #20 on: March 09, 2017, 04:28:05 PM »
A few updates on this story.

Around the same time that Google Chrome started displaying "Not secure" messages, Firefox started displaying a warning icon in similar circumstances: a padlock with a red line through it.

In the near future I will be converting the alternate site, www.chihuahua-puzzle.com, to SSL, so that it can be visited using the "https:" prefix, avoiding all alarming messages. Once things are running smoothly I'll make a further change on that site so that all visitors to the site will automatically be switched to "https:" mode. Anybody who is concerned that the Five Eyes intelligence agencies may be intercepting their puzzle moves might wish to use that site in future. (Although I don't know what's the point if they can spy on us through our TV sets and numerous other appliances, as per latest Wikileaks revelations.)

For the time being chi.lexigame.com will remain a non-SSL site. The hosting service I use for that site tell me they are looking at options for making free SSL available to their customers, so I will wait and see what comes out of that.

I'm looking into changing things so that the password field is only present when needed, so that warning messages will, for the time being, be seen less often. In particular, those who are signed in automatically need never see the warnings, except when they first register at the site, or if they change their password. This is the way many sites function, including this forum. However, I don't want to put a lot of effort into re-organizing the site if these messages are soon to be shown whether or not there is a password field.

Today I received an email from Google - presumably sent to every web site owner in a similar situation who has, like me, used Google Analytics and hence associated their web site with a Gmail account.

Quote
Non-Secure Collection of Passwords will trigger warnings in Chrome 56 for http://chi.lexigame.com/

To: owner of http://chi.lexigame.com/

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. The list is not exhaustive.

http://chi.lexigame.com/

The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure”.

Thanks for the advance warning, Google. January 2017 - that gives me plenty of time to prepare.
Alan Walker
Creator of Lexigame websites

TRex

  • Eulexic
  • ***
  • Posts: 2038
  • ~50 miles from Chicago, in the Corn (maize) Belt
Re: "Not secure"?
« Reply #21 on: March 10, 2017, 01:11:25 PM »
Quote
Anybody who is concerned that the Five Eyes intelligence agencies may be intercepting their puzzle moves might wish to use that site in future.

I suspect the spooks will be more interested in the forum, what with all the discussion about blowing up government buildings, assassinating Trump, supporting ISUS and jihad!
 >:D

mkenuk

  • Eulexic
  • ***
  • Posts: 2671
  • Life? Don't talk to me about life.
Re: "Not secure"?
« Reply #22 on: March 10, 2017, 03:40:29 PM »
Today's big word (Standard) might interest them, though!

 :police: :police:

2dognight

  • Linguissimo
  • *****
  • Posts: 275
Re: "Not secure"?
« Reply #23 on: March 10, 2017, 05:04:07 PM »
Just add the challenge word and the 10-letter word. That would really get them going ???

mkenuk

  • Eulexic
  • ***
  • Posts: 2671
  • Life? Don't talk to me about life.
Re: "Not secure"?
« Reply #24 on: March 10, 2017, 06:25:27 PM »
Indeed.
Write them in order - 'standard - 10-letter - challenge' and it could be a front page headline from 'The Sun' or the 'Daily Star'

 ;D

Or perhaps not. Few of the purchasers of those rags can read words of more than one syllable.
« Last Edit: March 10, 2017, 07:44:02 PM by mkenuk »

2dognight

  • Linguissimo
  • *****
  • Posts: 275
Re: "Not secure"?
« Reply #25 on: March 10, 2017, 06:43:17 PM »
The mind boggles

TRex

  • Eulexic
  • ***
  • Posts: 2038
  • ~50 miles from Chicago, in the Corn (maize) Belt
Re: "Not secure"?
« Reply #26 on: March 17, 2017, 12:28:07 PM »
It's time to turn on HTTPS: The benefits are well worth the effort

Interesting story from a reputable source. The WWW is converting to HTTPS.

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4961
  • Melbourne, Australia
Re: "Not secure"?
« Reply #27 on: March 18, 2017, 02:08:31 PM »
Here's a further update.

Firefox has released another browser upgrade which now has a pop-up warning when a user puts their cursor in a user name or password input field on a site visited using the "http:" protocol. Like this -



This message will appear on chi.lexigame.com for some time, but you can now view the chihuahua-puzzle.com site using https, and avoid that particular warning. Go to https://chihuahua-puzzle.com/. Unfortunately, this site still attracts warnings from Chrome and Google, to the effect that parts of the page are not secure. This is caused by the mechanism used to keep the two copies of the Chihuahua puzzle synchronized, so that as far as possible a player can switch between the sites at will and see the same words and scoreboard. I'm looking into a scheme for getting rid of these warnings by using a secure connection to a cloud-based messaging system, but this will take a while to implement.
Alan Walker
Creator of Lexigame websites
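
Added example (not part of the original posts, and not the site's own code): a static check a site owner could run over a page's HTML for the two conditions discussed in Replies #20 and #27, namely password or card inputs on a page served over "http:", and "http:" subresources on a page served over "https:". The host names and sample pages are constructed, and recognising card fields by `autocomplete="cc-..."` is an assumption, not Chrome's actual heuristic; requests made by scripts at run time are not visible to a static scan.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTR = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
              "video": "src", "embed": "src", "object": "data", "link": "href"}

# Constructed sample pages (not taken from the sites discussed in the thread).
HTTP_PAGE = ('<form action="/login"><input name="user">'
             '<input type="password" name="pw"></form>')
HTTPS_PAGE = ('<script src="http://sync.example/poll.js"></script>'
              '<img src="/logo.png"><a href="http://other.example/">x</a>')


class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if not self.secure:
            # Rule from the quoted notice: password or card inputs over http.
            # Assumption: card fields are recognised by autocomplete="cc-*".
            if tag == "input" and (a.get("type", "").lower() == "password"
                    or a.get("autocomplete", "").lower().startswith("cc-")):
                self.findings.append(("sensitive-input-over-http", a.get("name", "")))
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # e.g. rel="canonical" is not fetched as a subresource
        attr = "action" if tag == "form" else FETCH_ATTR.get(tag)
        ref = a.get(attr, "") if attr else ""
        target = urljoin(self.page_url, ref)  # resolves relative references
        if ref and urlsplit(target).scheme == "http":
            kind = "insecure-form-action" if tag == "form" else "mixed-content"
            self.findings.append((kind, target))


def audit_page(page_url, html):
    # Returns (finding, detail) tuples for one page's static HTML.
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for url, page in (("http://site.example/", HTTP_PAGE),
                      ("https://site.example/", HTTPS_PAGE)):
        print(url, audit_page(url, page))
```
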

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4961
  • Melbourne, Australia
Re: "Not secure"?
« Reply #28 on: May 17, 2017, 03:09:19 PM »
Now the www.chihuahua-puzzle.com site should be completely free of security warnings in all browsers. To achieve this I had to make some significant changes "under the hood", but it should function pretty much the same as always from a player's point of view.

The main difference is, as discussed elsewhere (see here, here and here), the "Forum Latest" panel is not quite the same as on chi.lexigame.com.

Also, visiting www.chihuahua-puzzle.com will now automatically connect you using the "https" protocol - that is, the most secure method of connecting to the site.

Enabling https for the main lexigame site will probably have to await changes implemented by the relevant hosting service.
Alan Walker
Creator of Lexigame websites