View Single Post
  #2  
Old July 21st, 2020, 07:41 AM
Jeannie Jeannie is offline
Moderator
 
Join Date: Jan 2013
Location: OKC, Oklahoma
Truck: Shopping for a 1960-61 4x4
Posts: 352
Rep Power: 142
Jeannie is on a distinguished road
Default Re: Big problem with this site

Quote:
Originally Posted by AZKen View Post
Had to get in< in an unsafe manner> the site is using old tls versions>needs to update to tls 1.2 or newer> i will not be back>
AZKen,

This is referring to our method of encryption and has nothing at all to do with the site being "unsafe".

History:
This is part of Google's push for ever newer encryption for site certificates (which they sell). This is how a website talks in code to your browser. Previously, websites talked to your browser straight through. Remember when the internet was fast? Things slowed down after Google demanded that sites visited by users with it's browser add encryption, regardless of if they handle credit card information. As Google goes, so goes the rest of the pack. Other browsers started notifying users that sites may be "unsafe" if they don't encrypt their site. Again, encryption of non-transactional sites (places that aren't selling you things) does nothing for the end user and adds unnecessary burden on the server and the site owner.

This threw Mom and Pop sites in chaos for a few months as they scrambled to find and implement certification. Once the turmoil died down and everyone had bowed to the mighty Google, Google again said, That is not good enough. We demand that you change your configuration or we'll label you as "unsafe" once more.

Why should this matter? It didn't until this year. When Google demanded that websites use the new encryption method, they didn't take into account that many sites are running on software that won't accept the newer "language". And that is where we will be at the next hop.

I believe we will be able to jump the current "unsafe" notification after we hire a coder to effectively jam the new encryption into our setup, but the next google-forced update will require that we abandon our current software and move to the new format, which is full of bugs and security leaks that I have been studying and following for over a year in preparation. This will, and I can't overstate this, be a nightmare for me and a big change for our users. Sadly our current software, while extremely stable and secure, will not operate with the newer backend that we will be forced to implement at that time.

For now, the notification does not appear for all browsers. Rest assured that the site is not "unsafe". For reference, over 2/3 of the internet is using our current encryption level or less.

We have been putting this off due to cost and the lack of necessity, but with the current clout Google has it was only a matter of time before this became an issue.

I will be working on the issue this week.
Reply With Quote