Unauthorized scripts on KFN?

This topic is closed.

    #16
    Originally posted by MadMage999 View Post
    Hilarious. The stupidity of Chrome's security warnings in this present time. SMDH.
    All that Chrome is doing is looking for things over the network that come from non-secure sites. Images embedded in the page via img tags are downloaded in the same way as all other page resources. It doesn't seem to distinguish between file types when checking, which is good considering that even an image can contain harmful code, or not even be a real image. It would be very easy to embed a script in some resource that watches the page and then makes a request. If that script came from a non-secure site, can browsers really say that the page is secure? I don't think so.

    Personally I think it's a positive thing that browsers are trying harder to alert people of potential security threats. Firefox also gives these warnings, btw.

      #17
      Originally posted by whatthefunk View Post
      All that Chrome is doing is looking for things over the network that come from non-secure sites. Images embedded in the page via img tags are downloaded in the same way as all other page resources. It doesn't seem to distinguish between file types when checking, which is good considering that even an image can contain harmful code, or not even be a real image. It would be very easy to embed a script in some resource that watches the page and then makes a request. If that script came from a non-secure site, can browsers really say that the page is secure? I don't think so.

      Personally I think it's a positive thing that browsers are trying harder to alert people of potential security threats. Firefox also gives these warnings, btw.
      I'm not sure I follow. How does using an encrypted connection to transmit data make the site's content any more secure? You keep saying "secure site", but somehow that doesn't add up for me.
      https://madmage999.blogspot.com/

        #18
        I see this only on KFN, almost never anywhere else, so I am leaning to a forum feature, or external images, not a plugin. I see this in Chrome as well as a Firefox with zero addons.

        Look at the bottom of each page, and those badges for the website security software may be the culprit as they are not secure themselves (http url instead of https), if it isn't the software itself.

          #19
          Um nope it is purely vinnie's fault

          And anyone with an image/avatar/footer image hosted externally on a non-https site.

          It is also the skimlinks thingy, that the forum uses to load keyword ads/links for visitors that are not logged in.
          Forgot we have that for some reason.
          Last edited by claydoh; Sep 21, 2018, 06:11 PM.

            #20
            The content over a secure connection is at least encrypted as it is sent, that is all. This limits the possibility of a third party gaining access to any data that is sent. Of course it's very possible that you could be sending data to a site you probably shouldn't be sending to via an encrypted connection, but that responsibility falls on the user.

            So when Chrome or Firefox or any other browser gives the security warning, they are basically saying that something on the page got there via a non-encrypted connection and so the connection is not 100% secure. Might not want to send bank info or login credentials from those pages.

              #21
              Originally posted by claydoh View Post
              It is also the skimlinks thingy, that the forum uses to load keyword ads/links for visitors that are not logged in.
              Forgot we have that for some reason.
              That's Open Source. He installed/uses skimlinks as an additional source of revenue for KFN. As you stated, it only affects guests or members who are not logged in.
              Windows no longer obstructs my view.
              Using Kubuntu Linux since March 23, 2007.
              "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                #22
                Originally posted by whatthefunk View Post
                The content over a secure connection is at least encrypted as it is sent, that is all. This limits the possibility of a third party gaining access to any data that is sent. Of course it's very possible that you could be sending data to a site you probably shouldn't be sending to via an encrypted connection, but that responsibility falls on the user.

                So when Chrome or Firefox or any other browser gives the security warning, they are basically saying that something on the page got there via a non-encrypted connection and so the connection is not 100% secure. Might not want to send bank info or login credentials from those pages.
                How would a picture being delivered by a non-encrypted connection in ANY way pose more of a security risk than one delivered by a "secure" one? If the picture poses any threat it has to do with the content, not the delivery, so the warning is completely off base. Had it checked for malicious code embedded and found it, I would think very differently.
                https://madmage999.blogspot.com/

                  #23
                  Skimmers? You installed skimmers? Like at the gas pump. <Runs away in panic>.
                  https://madmage999.blogspot.com/

                    #24
                    Originally posted by MadMage999 View Post
                    How would a picture being delivered by a non-encrypted connection in ANY way pose more of a security risk than one delivered by a "secure" one? If the picture poses any threat it has to do with the content, not the delivery, so the warning is completely off base. Had it checked for malicious code embedded and found it, I would think very differently.
                    It doesn't differentiate between file types. How do you know it's actually an image? How do you know there isn't some script embedded in the image? All the warning is saying is that the connection is not secure, which it is not. It doesn't know why, it just knows that something is not secure about it. You're right that it would be better if it actually scanned the code to look for malicious code, but this would be difficult at best and definitely lead to a slower browser experience.

                      #25
                      Originally posted by whatthefunk View Post
                      It doesn't differentiate between file types. How do you know it's actually an image? How do you know there isn't some script embedded in the image? All the warning is saying is that the connection is not secure, which it is not. It doesn't know why, it just knows that something is not secure about it. You're right that it would be better if it actually scanned the code to look for malicious code, but this would be difficult at best and definitely lead to a slower browser experience.
                      That's my entire point. The warning doesn't mean anything. What a chicken little Google has become.
                      https://madmage999.blogspot.com/

                        #26
                        Originally posted by claydoh View Post
                        Um nope it is purely vinnie's fault

                        And anyone with an image/avatar/footer image hosted externally on a non-https site.

                        It is also the skimlinks thingy, that the forum uses to load keyword ads/links for visitors that are not logged in.
                        Forgot we have that for some reason.
                        Doh... I'll see what I can do about that in the next few days... I have not been to photobucket in so long I don't know if I can remember the password.

                        VINNY
                        i7 4core HT 8MB L3 2.9GHz
                        16GB RAM
                        Nvidia GTX 860M 4GB RAM 1152 cuda cores

                          #27
                          I suppose the warning could make sense if you consider the possibility of a man in the middle injection attack. Seems a roundabout attack vector.
                          https://madmage999.blogspot.com/

                            #28
                            Originally posted by Snowhog View Post
                            That's Open Source. He installed/uses skimlinks as an additional source of revenue for KFN. As you stated, it only affects guests or members who are not logged in.
                            But it still loads when users are logged in, though. Some might have concerns, I am sure.
                            Interestingly the skimlinks cookie is not present when logged out. It must be there to turn it off for logged in members, if set to do so.

                              #29
                              Logged in users won't see Skimlink 'words/phrases' within any posts or other content.
                              Windows no longer obstructs my view.
                              Using Kubuntu Linux since March 23, 2007.
                              "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                                #30
                                But the skimlink script is still attempting to run on logged in users, but blocked by the browser(s) as it is not connecting to the javascript source securely. It also is blocked by the browser for anon users, so it isn't working, period.

                                An anon user gets hit with about 29 cookies, mainly ads it seems. A logged in user has 8, one being the skimlink, the rest iirc site-specific settings, etc.
                                I wonder if we even need the ads, if they bring in any usable income. The skimlinks are definitely no longer doing so.
                                Last edited by claydoh; Sep 21, 2018, 08:29 PM.
