Outgoing invites give overdramatic "not secure connection, could be compromised" warning

(Dylan Hunt) #1

This could be a browser warning, but it seems like it’s coming from Discourse:

If this was from Discourse, how about a warning before you send out mass invites that they’ll receive a scary sketchy SSL warning with a recommendation to get SSL before inviting out?

We only launched our forum not long ago and were planning to get SSL in a few weeks. I would’ve definitely waited. It’s sort of an overdramatic message, as this applies to any site without SSL (http).

Even if it’s browser-based, then… it should still show a warning that some browsers may do this. However, just a heads up: this sucks after sending out 2300 invites from our mailing list :frowning: Don’t let others make my mistake.

SSL is great practice – I have it for all my sites except my forum, because it’s newer and I haven’t gotten around to it yet.

(Jeff Atwood) #2

That is from the browser, and has nothing to do with us specifically.

It is a bit weird that it is applying to the username field in the absence of password though.

(Dylan Hunt) #3

Yeah, I had a feeling. However, because browsers do this, I still encourage adding a warning if !SSL. It’s quite embarrassing :confused: Who would’ve known? I know it’s not a Discourse thing, but it may help future people.

(Jeff Atwood) #4

I believe what you showed is Firefox-specific. Chrome just shows a general warning in the address bar. Firefox’s market share is way, way down from where it was 4-5 years ago.

(Felix Freiberger) #5

Maybe we should take this as the last nail in the coffin to add a check to the admin dashboard as long as HTTPS isn’t enabled? I’d highly discourage non-HTTPS installs for security considerations alone…

(Jay Pfaffman) #6

To get HTTPS you just need to run discourse-setup again and provide an email address for Let’s Encrypt.

(Joshua Rosenfeld) #7

I can still think of at least one situation where this isn’t feasible - internal sites that aren’t visible outside the company network. Let’s Encrypt can’t work for those sites, and a constant dashboard warning would be quite obnoxious. There would need to be a way to disable it for situations like these if we add a check to the dashboard.
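The dashboard check proposed in #5, with the opt-out that #7 asks for, could look like the following. This is an added example written for this thread, not Discourse’s own code: `SiteSettings`, `force_https` and `suppress_https_check` are hypothetical stand-ins for whatever settings such a check would read, and the base URL values in it are constructed for illustration.

```ruby
# Added example (not Discourse's own code): an admin-dashboard style check that
# reports when a forum is not served over HTTPS, with an explicit opt-out for
# internal deployments that cannot obtain a certificate from a public CA.
# SiteSettings, force_https and suppress_https_check are hypothetical names.
require 'uri'
require 'ipaddr'

SiteSettings = Struct.new(:base_url, :force_https, :suppress_https_check,
                          keyword_init: true)

# True when the configured base URL points somewhere a public CA such as
# Let's Encrypt could never validate over HTTP-01: a bare single-label host,
# a loopback / RFC 1918 / link-local address, or a reserved internal suffix.
# This only softens the wording of the warning; it never silences it, because
# an internal site can still use an internal CA.
def private_deployment?(base_url)
  host = URI(base_url).hostname
  return true if host.nil? || !host.include?(".")
  begin
    ip = IPAddr.new(host)
    ip.private? || ip.loopback? || ip.link_local?
  rescue IPAddr::InvalidAddressError
    host.end_with?(".local", ".internal", ".lan")
  end
end

# Returns nil when the site is served over HTTPS and HTTPS is enforced,
# otherwise a problem hash the dashboard can render. Plain HTTP is :high;
# HTTPS configured but not enforced is :medium, since the login form is
# still reachable over HTTP, which is exactly when browsers show the
# "logins entered here could be compromised" warning.
def https_check(settings)
  return nil if settings.suppress_https_check   # opt-out for internal sites

  scheme = URI(settings.base_url).scheme
  if scheme == "https" && settings.force_https
    nil
  elsif scheme == "https"
    { severity: :medium,
      message: "HTTPS is configured but force_https is off; users and " \
               "invite recipients can still land on the login form over HTTP." }
  else
    hint = if private_deployment?(settings.base_url)
             "This looks like an internal deployment. Use an internal CA, or " \
             "set suppress_https_check if HTTPS is genuinely not possible here."
           else
             "Re-run discourse-setup and provide an email address to obtain a " \
             "Let's Encrypt certificate."
           end
    { severity: :high,
      message: "This site is served over plain HTTP. Browsers will warn " \
               "visitors that logins could be compromised. #{hint}" }
  end
end

if __FILE__ == $0
  # Constructed sample settings for a stand-alone run.
  [SiteSettings.new(base_url: "http://forum.example.com", force_https: false,
                    suppress_https_check: false),
   SiteSettings.new(base_url: "http://10.0.0.5", force_https: false,
                    suppress_https_check: false),
   SiteSettings.new(base_url: "https://forum.example.com", force_https: true,
                    suppress_https_check: false)].each do |s|
    puts "#{s.base_url}: #{https_check(s).inspect}"
  end
end
```

The opt-out is a separate setting rather than an automatic silence for private addresses: an internal forum can still run an internal CA, so the check should keep nagging until an admin consciously turns it off, which is the compromise #7 is asking for.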