Anybody know what this is all about? — Parallax Forums

Anybody know what this is all about?

Just ran across this warning in Chrome on my MacBook:

chrome_warning.png

I'm sure it's benign, but I do wonder what was being blocked.

-Phil

Comments

  • Ron Czapala Posts: 2,418
    edited 2017-10-29 23:49
    Google search found this:

    https://support.google.com/chrome/answer/99020?co=GENIE.Platform=Desktop&hl=en

    Not real helpful though - "The site you're visiting is not secure."

    EDIT: You can turn it off in settings "Protect you and your device from dangerous sites" under Advanced "Privacy & Security"
  • GordonMcComb Posts: 3,366
    edited 2017-10-30 00:13
    The secure page you are reading contains JavaScript from sites that are not secure, that is, they have http: connection. In your particular case, i.e. this forum, the main culprit appears to be loading JQuery from the Google API repository.
  • Heater. Posts: 21,230
    edited 2017-10-30 02:45
    That's right.

    Used to be that if the web site you visited was secured with HTTPS it could fetch resources, JavaScript, etc., over non-secure HTTP. This basically destroys any security you think you have by using HTTPS.

    At least Chrome nowadays complains when that happens, warning you about the security hole. Perhaps other browsers have caught up with this idea; I have not checked for ages.

    Seems odd the page is trying to download that jQuery from http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js when it has already downloaded jQuery from https://forums.parallax.com/js/library/jquery.js?v=2.1.11

    I'd also rather this site did not partake in Facebook's tracking of visitors with https://staticxx.facebook.com/connect/xd_arbiter/r/hsBwMj6iLmk.js?version=42 That link leads to this:

    SECURITY WARNING: Please treat the URL above as you would your password and do not share it with anyone. See the Facebook Help Center for more information.


    Then there is this other link in the page to a sneaky one pixel image served by facebook for tracking purposes: https://www.facebook.com/impression.php/f302cbbe4608974/?lid=115&payload={"source":"jssdk"}

    It's a pretty poor show that we have been complaining about for ages.
  • All browsers are now doing this warning, and it's good, it will force most companies to update their urls to https urls, ALL of them.
    http will become obsolete or used for non-important data. (IoT)

    https everywhere. GET IT.

    This addon will help your browser choose the https urls if they can, when connecting to a http address. (yes, it will try the https version of the url first, even if the html links the http url)

    https://www.eff.org/https-everywhere

    THANKS EFF!


  • I've added https-everywhere to Chrome. What it calls attention to here is gravatar (the auto avatar creator) and wordpress (the dev tool for this website, perhaps where jquery is hosted). Pretty benign stuff.

    -Phil
  • Tor Posts: 2,010
    edited 2017-11-01 06:55
    Gravatar is a privacy problem and Wordpress is a bug-infested attack magnet, so I wouldn't call any of them benign.
  • yeti Posts: 818
    edited 2017-11-01 07:42
    Tor wrote: »
    Gravatar is a privacy problem and Wordpress is a bug-infested attack magnet, so I wouldn't call any of them benign.
    $ fgrep gravatar /etc/hosts
    127.0.0.1       www.gravatar.com
    127.0.0.1       secure.gravatar.com
    
    You get the user's name twice with this hack and after a while this stops looking confusing. :-)
  • ...and wordpress (the dev tool for this website, perhaps where jquery is hosted)

    If you mean the Parallax Website, they use Drupal for their CMS, not WordPress. The forum uses Vanilla, also open source, but not WordPress-based.

    Officially jQuery is provided on a number of content delivery networks, Google being one of them. The "official" ones all have alternative https: access. I'm not sure why the forum pages have both local and CDN access to jQuery (different versions at that), but it's also possible to create mixed-protocol pages to avoid the warning.
  • Heater. Posts: 21,230
    Perhaps it is possible to create mixed-protocol pages to avoid that warning. Although I hope not nowadays.

    It's a bad idea.

    It's like locking your front door and ignoring somebody who tells you that you have left the back door and all the windows open!
