Website is not secure. Can it be fixed without https? - google-chrome

I have made a website for a small local company and on that website, there's a log-in page so the staff can edit the content. The problem is that Google Chrome says the log-in page isn't secure. I have tried searching for solutions, but everybody just says that I should just make the website https. Are there other ways to do it? The company doesn't have the budget to pay for https.

Have a look at these guys. => https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

You have enabled SSL on your webserver. If you use Apache, check this:
sudo a2dismod ssl
service apache2 restart

Related

website in chrome with self-signed certificate is not secure

I got a very simple website without any links or anything else. I created a self-signed certificate (link to create self-signed certificate). After this I added it to my site in IIS (link to add the self-signed certificate to IIS site). My problem now is that my site is still not secure (local). Chrome, Firefox and IE do not accept my certificate. When I check whether my certificate is valid: it's valid.
Can anyone tell me why it's still not secure and how to fix it?
Self-signed certificates are not trusted by default. You need to get the certificate from a trusted CA so that the user's web browser trusts it. One recent example of a CA that issues free trusted certificates is Let's Encrypt.
I can see that you are using WordPress for your blog. Let's try a plugin, Really Simple SSL. If you have any certificate installed on your site, it will detect it and convert your pages to https. LetsEncrypt.org is also a way to obtain a CA certificate.
You must install an SSL certificate from October 2017 onwards, as per Google.
If you need further help, read my blog to learn why we need SSL from October onwards.
Hopefully, your issue will be resolved by a plugin.
Thank you

Can I use html5 Websockets with windows domain authentication?

Our setup is like this: we use a ColdFusion 10 server, and files are on a local intranet. Users use a domain login to access any files over https. I'm interested in using HTML5 websockets, but the first attempt gave me an error because no credentials were supplied. Is there a way around this? If not, is there a recommended technology for this scenario?
The user does log in on the client side. If it's possible, what I'd really like to do here is pass those credentials when making the connection to the server.
You should be able to supply the authentication header to your web socket server before the elevation to web socket; read that and send it back in the headers for the elevation (first frame), then when the browser connects it should have the authentication it needs.
If you're using a custom authentication, e.g. in-page, not an authentication header, you can also do this by passing any custom header to your server.
Or mandate that the first thing your web client sends is the authentication details; this could be something like {username_hash}.{password_hash}. If they don't, close the socket to them.
Do not do this.
You're now responsible for sending and encrypting the authentication credentials yourself, bypassing something that already works and is tested.
Anyone can snoop on an unencrypted websocket port. Use HTTPS for an intranet, use stable solutions, don't reinvent this wheel because it tickles your fancy.
In a couple of years some colleague will have to maintain this and will have to figure out how your homebrew version works versus something that's solid like plain browser authentication.
My advice: Leave this to the browser and to well-tested ColdFusion libraries.
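The WebSocket upgrade is an ordinary HTTP request, so the server can insist on TLS and a valid `Authorization` header before it answers 101. The following is an added example, not code from the original posts. HTTP Basic, the `USERS` table and the `check_basic`/`handshake` names are assumptions standing in for the server's real domain authentication.

```python
import base64
import hashlib
import hmac

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455
SALT = b"constructed-salt"
# Constructed credential store for the example: user -> PBKDF2 hash of password.
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}


def check_basic(header):
    """Return the user name if the Authorization header is valid, else None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Constant-time comparison; unknown users compare against an empty hash.
    return user if hmac.compare_digest(USERS.get(user, b""), supplied) else None


def handshake(headers, is_tls):
    """Decide the HTTP reply to an upgrade request (headers: lower-cased names)."""
    if not is_tls:
        # Credentials must never cross a plain ws:// connection.
        return 403, {}
    if check_basic(headers.get("authorization")) is None:
        return 401, {"WWW-Authenticate": 'Basic realm="intranet"'}
    key = headers.get("sec-websocket-key")
    if headers.get("upgrade", "").lower() != "websocket" or not key:
        return 400, {}
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept}


# Constructed upgrade request; the key is the sample nonce from RFC 6455.
SAMPLE = {
    "upgrade": "websocket",
    "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
    "authorization": "Basic " + base64.b64encode(b"alice:correct horse").decode(),
}
if __name__ == "__main__":
    print(handshake(SAMPLE, is_tls=True))
```

No socket is opened until the request has passed the same HTTP-level checks as any other page on the intranet.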

why does Google Chrome only warn about certain unencrypted connections?

Compare the 2 screencaps below.
Each is to a different unsecured page where a login can be performed.
Why does Chrome warn only in the first instance and not the second?
I'm assuming it is something to do with encryption... and if yes, what exactly?
Note:
the first screencap is from a visit to: http://test.idempiere.org/
the second screencap is from a visit to a PrestaShop installation on a private VPS. PrestaShop is a popular e-Commerce CMS
If you use http connections you are always prone to many attack vectors, but they are still so widely used that no browser warns about them yet (although, see Mozilla proposal for deprecating unencrypted http). But you are right, those connections are definitely insecure.
However, currently HTTPS connections are checked against "known good" Certificate Authorities. If your connection does not have a trusted certificate chain, it is frowned upon.
Thankfully, these days you can get a free HTTPS validation thanks to EFF's initiative Let's Encrypt.
First, the SSL certificate is created by PrestaShop, not by an SSL company; your OS does not know the issuer of the SSL cert. And the cert is expired. You can make a certificate at Let's Encrypt, if you want it for free: https://letsencrypt.org/.
That is what my browser says (in German).

Site loads on HTTP but not on HTTPS

Is there any reason why a file may load over http but not over https?
I am curious because I just enabled SSL on a subdomain and it does not seem to be working properly. I can see the green lock, but if I load the site with it, I see no files.
Like if I have a file at
http://site.exmpl.org/file.html
when I go to
https://site.exmpl.org/file.html
it does not load.
I have SSL enabled because I have the green lock; also, I am using Cloudflare, if that helps.
I assume that you may have your SSL mode configured to "Full" in the CloudFlare Crypto section, but lack an SSL certificate installation on your subdomain.
--If not--
You may not have SNI or a Dedicated IP set up for your website; then your Apache server is likely using your certificate, but connecting to the web space of whoever first set up an SSL certificate on that server. This is often a problem in shared web hosting environments. You can attempt to contact your provider to ask for help in getting SNI properly configured. You can also acquire a Dedicated IP from your provider.
In the Cloudflare dashboard, under the SSL/TLS section, go to Edge Certificate instead of Overview.
In Edge Certificate there is an option called "Always Use HTTPS", which explains: "Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone." Just turn it on and after some time you are good to go.

How to distribute a web site for review?

I'm not sure if this is a programming question, or would be better served on a sister site.
I want to mock up a web site & distribute it by email to some non-tech people for comment.
I can't ask them to install an Apache server, but wondered if I could bundle the site into an .exe or a .zip and have them open Index.php and play around with the site.
All users are non-techie; all will use Windows; the site is coded in PHP and all internal references to URLs, CSS, images are by way of $_SERVER['DOCUMENT_ROOT']
Any advice?
Just throw it on a web server hiding behind some authentication.
It'd be hard to ask a non-techie person to get it running seeing that it would need apache or another server that would run the php. If I were you I'd probably set up a site that's password protected, you send the link & password to the people and they have a look.
I recommend using something like XAMPP if you can get them to install it. Unfortunately, your website cannot run locally as is without the proper software.
Alternatively, you can either pay for web-hosting or create a server that you can access via its IP address from another user's machine. Make use of this guide for access control if you wish.