
Google warning - Site may be hacked

Posted: Wed Nov 15, 2017 12:58 am
by bret
I'm using a new install of Firefox on my laptop and didn't have ED in my browser history. Being lazy I just typed "everything dulcimer" to get the Google search result. Google has a warning on the search results that the site may be hacked. Just thought someone would want to know. Here's a link to the search results. Clicking on the "This site may be hacked" warning has additional information.

https://www.google.com/search?q=everyth ... 8&oe=utf-8

Re: Google warning - Site may be hacked

Posted: Wed Nov 15, 2017 10:20 am
by strumelia
It's simply because ED site is still http, and not https/secure. Major browsers like Google and FF are clamping down on non-https sites by giving pop-up warnings to visitors that the site is not 'secure'. This will continue, and is intended to eventually encourage (force) all sites to be https, which really is more secure for everyone and is a good thing overall. But the change is definitely a pain in the butt for most low tech or small scale sites. I think you can safely ignore the warning for this site, but do be aware that other sites that are not secure/https might actually be less safe for you to be browsing.
This is something that ED owner Bruce Ford can probably address when he has the time. It has to do with getting a 'certificate' onto the server that hosts the site.

Re: Google warning - Site may be hacked

Posted: Wed Nov 15, 2017 11:22 am
by bret
I was curious about the lack of HTTPS (posted a message about it some time ago). Not using it leaves the site vulnerable to a number of attacks and any computer involved in transmitting the content from the server to someone's browser can alter the content or inject other content freely. It also means logins and passwords are visible on the network every time someone logs in.

I maintain a couple websites for my company. We redirect any HTTP requests to HTTPS now. Getting a TLS certificate these days is pretty easy. If money's an issue, Let's Encrypt offers them for free - the idea being to remove any barriers to HTTPS adoption. The only caveat is they need to be updated every 90 days, but that can be automated.

If I can help in any way, I'm happy to.

Re: Google warning - Site may be hacked

Posted: Wed Nov 15, 2017 11:46 am
by rz_admin
Bret,

I've already taken steps to fix the "This site has been hacked". The solution is currently under review by Google. I'm not sure how long it's going to take to get an answer as to whether I fixed it correctly. As for https, Bruce is the owner of this site, and I've already asked him about this. He hasn't given me an answer yet.

Ron

Re: Google warning - Site may be hacked

Posted: Thu Nov 16, 2017 7:45 pm
by rz_admin
Bret,

The issue with "Site may be hacked" should be resolved now. I still haven't heard from Bruce Ford about https.

Ron

Re: Google warning - Site may be hacked

Posted: Tue Nov 21, 2017 11:50 pm
by bret
Ron,

Thanks for looking into it. I just searched Google for the site and can confirm the "may be hacked" warning is gone. :D

Regarding HTTPS, I wanted to pass this along: https://letsencrypt.org/getting-started/

I know the costs for some certificate providers can be prohibitive. I've been using Let's Encrypt certs on a couple sites since they launched and it's been super easy to keep the certs up to date and there is no cost for the certificates. I don't know how Everything Dulcimer is hosted, but in most cases, including hosts that don't offer shell access, it's relatively easy to set up a free Let's Encrypt certificate as many support it. Just wanted to pass the info along.

Best,
Bret

Re: Google warning - Site may be hacked

Posted: Wed Nov 22, 2017 9:46 am
by rz_admin
Bret,

Thanks for the information about letsencrypt; I'm already aware of this. I've passed along the concerns about this site being unsecured (you're not the first to mention this), but there's nothing I can do about it. Bruce Ford is the owner of this site, so the decision about https is ultimately up to him. I'm just an admin for the site.

Ron