Anybody know what this is all about?

Phil Pilgrim (PhiPi)

Just ran across this warning in Chrome on my MacBook:



I'm sure it's benign, but I do wonder what was being blocked.

-Phil

Ron Czapala

Google search found this:

https://support.google.com/chrome/answer/99020?co=GENIE.Platform=Desktop&hl=en

Not real helpful though - "The site you're visiting is not secure."

EDIT: You can turn it off in settings "Protect you and your device from dangerous sites" under Advanced "Privacy & Security"

GordonMcComb

The secure page you are reading contains JavaScript from sites that are not secure, that is, they have http: connection. In your particular case, i.e. this forum, the main culprit appears to be loading JQuery from the Google API repository.

Heater.

That's right.

Used to be that if the web site you visited was secured with HTTPS it could fetch resources, Javascript etc, over the non-secure HTTP. This basically destroys any security you think you have by using HTTPS.

At least Chrome now a days complains when that happens. Warning you about the security hole. Perhaps other browsers have caught up with this idea, I have not checked for ages.

Seems odd the page is trying to download that jQuery from http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js when it has already downloaded jQuery from https://forums.parallax.com/js/library/jquery.js?v=2.1.11

I'd also rather this site did not partake in facebooks tracking of visitors with https://staticxx.facebook.com/connect/xd_arbiter/r/hsBwMj6iLmk.js?version=42 That link leads to this:

SECURITY WARNING: Please treat the URL above as you would your password and do not share it with anyone. See the Facebook Help Center for more information.


Then there is this other link in the page to a sneaky one pixel image served by facebook for tracking purposes: https://www.facebook.com/impression.php/f302cbbe4608974/?lid=115&payload={"source":"jssdk"}

It's a pretty poor show that we have been complaining about for ages.

Clock Loop

All browsers are now doing this warning, and its good, it will force most companies to update their urls to https urls, ALL of them.
http will become obsolete or used for non important data. (IOT)

https everywhere. GET IT.

This addon will help your browser choose the https urls if they can, when connecting to a http address. (yes, it will try the https version of the url first, even if the html links the http url)

https://www.eff.org/https-everywhere

THANKS EFF!

Phil Pilgrim (PhiPi)

I've added https-everywhere to Chrome. What it calls attention to here is gravatar (the auto avatar creator) and wordpress (the dev tool for this website, perhaps where jquery is hosted). Pretty benign stuff.

-Phil

Tor

Gravatar is a privacy problem and Wordpress is a bug-infested attack magnet, so I wouldn't call any of them benign.

yeti

Tor wrote: »

Gravatar is a privacy problem and Wordpress is a bug-infested attack magnet, so I wouldn't call any of them benign.

$ fgrep gravatar /etc/hosts
127.0.0.1       www.gravatar.com
127.0.0.1       secure.gravatar.com

You get the user's name twice with this hack and after a while this stops to look confusing. :-)

GordonMcComb

Phil Pilgrim (PhiPi) wrote: »

...and wordpress (the dev tool for this website, perhaps where jquery is hosted)

If you mean the Parallax Website, they use Drupal for their CMS, not WordPress. The forum uses Vanilla, also open source, but not WordPress-based.

Officially jQuery is provided on a number of content delivery networks, Google being one of them. The "official" ones all have alternative https: access. I'm not sure why the forum pages have both local and CDN access to jQuery (different versions at that), but it's also possible to create mixed-protocol pages to avoid the warning.

Heater.

Perhaps it is possible to create mixed-protocol pages to avoid that warning. Although I hope not now a days.

It's a bad idea.

It's like locking your front door and ignoring somebody who tells you that you have left the back door and all the windows open!