• AskWoody is now secure

    #39500

    Well, anyway, it’s secure enough. As noted by reader Simpson, https://www.askwoody.com works, and it gets 100% on the Calomel SSL Validation test. We
    [See the full post at: AskWoody is now secure]

    Viewing 43 reply threads
    • #39501

      Firefox reports that askwoody.com has mixed content. A quick look at the Firefox image list indicates that not all of them came from an https connection

    • #39502

      Thanks! I’ll get my web guys on it.

      Weird. Wonder if Gravatar is the source of the problem….

    • #39503

      I just installed the Calomel for Firefox, but it shows that the Security is broken – 0%.

      It shows the certificate is verified.

      Not sure if it is your end or my end. I will play with the applet on other sites.

    • #39504

      My guys are going to require another 2-3 days to get to it. Let me know what you find.

    • #39505

      Message sent with image of mixed content

    • #39506

      Only graded ‘F’ at Qualys SSL Server Tests (https://www.ssllabs.com/ssltest/index.html), protocol support vulnerability issue.

    • #39507

      Got it. Thanks.

    • #39508

      Yep, this is definitely one for my web guys to tackle. Appreciate it!

    • #39509

      It is as stated, “secure enough”. Let’s not over-react to what Firefox legitimately flags as “insecure”.

    • #39510

      I have a query in to my domain folks. Apparently they missed a patch in May. I bet it’s fixed before I get up in the morning.

    • #39511

      I only get an SSL address if I enable HTTPS Everywhere on Firefox. Otherwise I get http://www.askwoody.com.

    • #39512

      I only get an SSL address if I enable HTTPS Everywhere on Firefox. Otherwise I get http://www.askwoody.com.

    • #39513

      Doesn’t seem to be Gravatar. Here is what Firefox’s Web Developer Console shows for the mixed content:

      Loading mixed (insecure) display content “https://www.askwoody.com/wp-content/themes/gear_askwoody/images/bg/shining.png” on a secure page

      Loading mixed (insecure) display content “https://www.askwoody.com/wp-content/themes/gear_askwoody/images/header-pattern.gif” on a secure page

      Loading mixed (insecure) display content “https://www.askwoody.com/wp-content/themes/gear_askwoody/images/bg/banner/banner-bg-blue-extended.gif” on a secure page

    • #39514
    • #39515

      Ah, if that’s the problem, then moving those internal libraries over to a secure site should fix it. My web guys say it could take up to 3 days to fix.

    • #39516

      My http:// links above mentioned magically got shifted to https:// and indeed they are now secured as well => No more display mixed content, askwoody.com is 100% secured operational. Go, man, go 🙂

    • #39517

      AWWWWRIGHT.

      Need to get somebody to test the “subscribe to posts” option.

    • #39518

      Woody, I’ve just subscribed to this very post, successfully. No mixed content, nice. All seems in order from here.

    • #39519

      Yup, has a green padlock in Firefox now. This morning it wasn’t green yet (due to mixed content)

    • #39520

      Well I’ve just subscribed to posts….. Had the https with the lock. Not sure what else I needed to look for….. Privacy Badger 0 trackers – Ghostery 0 trackers…… and ABP 0 ads. Ok…. I’ve clicked on the green lock in the address bar and come up with further details which I’ve copied and will send you by email. All looks fine and secure! Using SRWare Iron (Chrome) LT

    • #39521

      Same as Simpson above

      “My http:// links got shifted to https://”

      I always use https everywhere.
      JF

    • #39522

      AWWWWRIGHT!

    • #39523

      Well something has gone pear shape….. I notice that my post (above) has been attributed to Anonymous! hmmmm!! LT

    • #39524

      Woody,
      Yay!
      Testing the subscription option. Will save me searching for old posts!
      Morty

    • #39525

      Let me know how/if it works…

    • #39526

      Worked great!
      I also have it in https and have the green padlock in Firefox. Is that how it’s supposed to be? I get the same thing coming in through the front door of Askwoody.com.
      Morty

    • #39527

      Yep. You’re covered no matter how you get here.

      Beats me why anybody would want to use a secure connection to post here – but what the heck…

    • #39528

      URL changed to https, cookies don’t pass that barrier, re-enter your info.

    • #39529

      AHA!

    • #39530

      Qualys is still grading you at ‘F’ (even after clearing the cache on their page), though my browser (Pale Moon) now shows no warning about end to end encryption (I saw this being warned about on attempting to comment here yesterday as well, I’ll make a further reply if PM warns this time).

      So, some valid improvements (MITM attack/interception risk lowered) but more checks needed?

      (Subbed.)

    • #39531

      Hey Woody,

      Welcome to 2010!

    • #39532

      HA! Dragged me kickin’ and screamin’….

    • #39533

      I think it’s reacting to the missing patch. Should be cleared up in a day or two. I hope.

    • #39534

      Well, securityheaders.io is rating a “D” which is, from their part, a rather good score (you’d be surprised of the number of SSL sites rated “F”!)

    • #39535

      Allan,

      I think what you mean to say is “Otherwise I get https://www.askwoody.com”

      You don’t need “Https Everywhere” to access the site securely all you have to do is make sure you type https instead of http… What “Https Everywhere” does is automatically include the S in case you forget.

    • #39536

      haha it automatically put the S in my return comment

    • #39537

      I don’t know what is happening here, I submitted a comment on another thread last night and it seemed as though it hadn’t been accepted.
      When I used to post before this change, I would always see my post and “Awaiting Moderation” but now it is not appearing. What am I doing wrong?

    • #39538

      Not sure…..

    • #39539

      I am not a computer-techie person, so I don’t know most of what you folks have been talking about on this thread in terms of a recent spate of “mixed content” on AskWoody.com,

      but I’m wondering if the “mixed content” is at all related to the odd behavior on Peerblock regarding this site that I had found a few weeks ago and which I described, in summary, in the following comment:
      https://www.askwoody.com/2016/are-we-fighting-a-losing-battle-for-privacy/comment-page-2/#comment-89550

      If what I was talking about then was different to this current “mixed content” issue, then that’s absolutely fine — I’m just curious. 🙂

      [ I described in more detail the unexpected behavior that I was finding vis-a-vis Peerblock IPs and AskWoody.com in my set of comments beginning here:
      https://www.askwoody.com/2016/are-we-fighting-a-losing-battle-for-privacy/comment-page-2/#comment-89540 ]

    • #39540

      poohsticks, you can find information about mixed content at https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
      It concerns Firefox but I guess the scheme is the same for all browsers.

      To make it short, when a site’s access is encrypted (https) and when it calls for data for another site, the url called should be encrypted as well. There is mixed content when that url is not encrypted.

      Active content is risky content (i.e. scripts) and forbidden by default (as mixed), at least on Firefox.

      Passive (or Display) content, less risky because handling images, audio, video (& so-called “objects”) is allowed by default (on Firefox) and many https sites have, call Display content from non-https sites.

      Be it mixed active or display content, an add-on such as Calomel will bark (!) if it spots mixed content.

      Sorry, no time right now to elaborate on your comment’s content, precisely- Hope this has helped (from a non-techie to another non-techie!)
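
The active/display split described in the post above, as an added example that is not part of the original thread: a Python scanner a site owner could run over a page's HTML to list the http:// subresources a browser would report as mixed content. The tag lists, the treatment of inline `style` URLs as image loads, and the `example.test` sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Split used in the post above: active content (blocked by default in Firefox)
# versus display content (allowed by default, but flagged as mixed).
ACTIVE = {("script", "src"), ("iframe", "src")}
DISPLAY = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
# Assumption: url() values in an inline style attribute are image loads.
STYLE_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for every http:// subresource in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        rel = attrs.get("rel", "").lower().split()
        for name, value in attrs.items():
            url = value.strip()
            if name == "style":
                for hit in STYLE_URL.findall(value):
                    self.findings.append(("display", tag, hit))
            elif not url.lower().startswith("http://"):
                continue  # https://, protocol-relative and relative URLs are fine
            elif (tag, name) in ACTIVE or (
                    tag == "link" and name == "href" and "stylesheet" in rel):
                self.findings.append(("active", tag, url))
            elif (tag, name) in DISPLAY:
                self.findings.append(("display", tag, url))
            # Anything else (e.g. <a href>) is navigation, not a subresource.


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (hypothetical hosts), assumed to be served over https.
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://www.example.test/app.js"></script>
<script src="http://cdn.example.test/lib.js"></script>
<div style="background: url('http://www.example.test/images/bg.png')"></div>
<img src="http://www.example.test/images/header.gif">
<img src="//www.example.test/images/ok.gif">
<a href="http://www.example.test/old-post">old post</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```
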

    • #39541

      @simpson@posteo.eu,

      “when a site’s access is encrypted (https) and when it calls for data for another site, the url called should be encrypted as well. There is mixed content when that url is not encrypted.”

      Okay, that makes sense! Thank you.

    • #39542

      As a user of the HTTPS Everywhere Extension in my browsers, I was getting tired of getting errors like “access denied” or lack of permissions, when the extension went to the HTTPS side of AskWoody. Glad not to have that happening anymore, and not having to make an exception or manually delete the “s” before going to this site.

    • #39543

      Woody, you’re now running a tight site, Qualys reports an A+.

      Your techs did a fine job of patching 😀

    • #39544

      THANKS!
