HTTPS
#1
HTTPS
Hi. I'm a new forum user. I created an account intending on getting help with my sleep issues; however, I quickly noticed that your site does not work properly when accessed using HTTPS/TLS. I read your sticky thread on the topic, but as an experienced software developer of over 20 years and an IT security expert, you are not fully appreciating why browsers give "scary" warnings and why the need for HTTPS exists.

HTTPS is not used only to protect login credentials. Using HTTPS for all resources delivered by the server to the user agent (browser) ensures that no tampering has occurred by any man-in-the-middle software or network appliances. To demonstrate the security vulnerability, imagine you are at a Starbucks with your laptop but you unknowingly connect to a fake Starbucks access point. Any HTTP requests/responses that are unencrypted are vulnerable to being changed midstream by the attacker. For example, the attacker can inject malicious JavaScript into the response. To the browser, the JavaScript is simply part of the website; it has no way to detect what is malicious and what isn't. This is a very common class of attack against HTTP, although it can be mitigated by using only known-safe access points.

When I access your site using HTTPS, the HTML delivered by the server contains numerous insecure URLs (i.e., URLs that begin with http://). Modern browsers consider this a "mixed content" scenario and will often block access to those resources. With your site, this means nearly nothing works because nearly every resource, including CSS style sheets and JavaScript files, is insecure and is thus blocked. The reason browser vendors do this is that most users do not have the awareness that the address bar URL, despite being HTTPS, does not itself guarantee that all resources loaded by the browser are secure. In other words, users will be fooled into thinking the page is secure when it is not. Browsers used to allow this and merely warn the user about the condition, but now most browsers will simply block these requests as insecure.

There is lots of information about this attack vector on the internet if you'd like to research further. However, my free expert advice is you should correct the deployment of your website to use only TLS 1.2+ (SSL is a deprecated protocol) and ensure that all URLs rendered in HTML are using the https:// scheme. This will ensure that all traffic, not just login credentials, is secure and immune to tampering by malicious actors.

Feel free to contact me privately if you'd like more information or advice.
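The mixed-content condition described in this post, as an added example that is not part of the original thread: a small scanner that parses HTML served from an https:// page and lists the subresources a browser would treat as mixed content (http:// script, stylesheet, image and frame sources, plus insecure form actions). The page URL, hostnames and sample HTML are constructed for the example.

```python
"""Find mixed-content resource URLs in HTML that was served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch (or post to) another URL.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),     # only rel values that trigger a fetch are checked
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "form": ("action",),   # insecure form submission from a secure page
}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        if tag == "link" and not (set(attr_map.get("rel", "").lower().split())
                                  & FETCHING_LINK_RELS):
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(attr, "").strip()
            if not value:
                continue
            # Resolve relative and scheme-relative ("//host/x") URLs against the
            # page URL: those inherit https and are not mixed content.
            url = urljoin(self.page_url, value)
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, attr, url))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: same shape as a site that links its own assets by http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.test/css/style.css">
<link rel="canonical" href="http://www.example.test/forums/">
<script src="https://www.example.test/js/jquery.js"></script>
<script src="//www.example.test/js/general.js"></script>
<script src="/js/inline.js"></script>
</head><body>
<img src="http://www.example.test/images/logo.png">
<form action="http://www.example.test/forums/search.php"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.test/forums/", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
```

Running it against a saved copy of the page reproduces the list Firefox blocks; the same scan run against the page after the fix should return nothing.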
#2
RE: Your website is insecure
Here's a screenshot of the HTML source delivered by your server. You can see that despite the address bar URL being secure, most of the resources are insecure.

The other screenshot shows that Firefox is blocking all the insecure content, meaning hardly any CSS and JavaScript is actually loaded, causing the page to render as if it were bare HTML.


#3
RE: Your website is insecure
Enable/Disable HTTPS-Only Mode in Firefox:
  • In the Menu bar at the top of the screen, click Firefox and select Preferences. ...
  • Select Privacy & Security from the left menu.
  • Scroll down to HTTPS-Only Mode.
  • Use the radio button to select whether to enable or disable HTTPS-Only Mode, or select to only enable it for private windows.
Crimson Nape
Apnea Board Moderator

INFORMATION ON APNEA BOARD FORUMS OR ON APNEABOARD.COM SHOULD NOT BE CONSIDERED AS MEDICAL ADVICE. ALWAYS SEEK THE ADVICE OF A PHYSICIAN BEFORE SEEKING TREATMENT FOR MEDICAL CONDITIONS, INCLUDING SLEEP APNEA. INFORMATION POSTED ON THE APNEA BOARD WEB SITE AND FORUMS ARE PERSONAL OPINION ONLY AND NOT NECESSARILY A STATEMENT OF FACT.
#4
RE: Your website is insecure
There is also a sticky on the subject:
http://www.apneaboard.com/forums/Thread-...ite--23558
Jeff8356


#5
RE: Your website is insecure
Thanks! I was unaware that Firefox had that feature. I've been using the HTTPS Everywhere add-on, which doesn't seem to work the same way. It seems this Firefox feature ignores the HTTP URL scheme and always requests using HTTPS.
