Outgoing invites give overdramatic "not secure connection, could be compromised" warning

This could be a browser warning, but it seems like it’s coming from Discourse:

If this was from Discourse, how about a warning before you send out mass invites that they’ll receive a scary sketchy SSL warning with a recommendation to get SSL before inviting out?

We only launched our forum not long ago and were planning to get SSL in a few weeks. I would’ve definitely waited. It’s sort of an overdramatic message, as this applies to any site without SSL (http).

Even if it’s browser-based then… should still show a warning that some browsers may do this. However, just a heads up - this sucks after sending out 2300 invites from our mailing list :frowning: don’t let others make my mistake.

SSL is great practice – I have it for all my sites except my forum because it’s newer and haven’t got around to it yet.

That is from the browser, and has nothing to do with us specifically.

It is a bit weird that it is applying to the username field in the absence of password though.

4 Likes

Yea I had a feeling – however, because browsers do this, I still encourage adding a warning if !SSL. It’s quite embarrassing :confused: who would’ve known. I know it’s not a Discourse thing, but it may help future people.

I believe what you showed is Firefox specific. Chrome just shows a general warning in the address bar. Firefox’s market share is way, way down from where it was 4-5 years ago.

2 Likes

Maybe we should take this as the last nail in the coffin to add a check to the admin dashboard as long as HTTPS isn’t enabled? I’d highly discourage non-HTTPS installs for security considerations alone…

To get HTTPS you just need to run discourse-setup again and provide an email address for Let’s Encrypt.

3 Likes

I can still think of at least one situation where this isn’t feasible - internal sites that aren’t visible outside the company network. Let’s Encrypt can’t work for those sites, and a constant dashboard warning would be quite obnoxious. There would need to be a way to disable it for situations like these if we add a check to the dashboard.

3 Likes