
EuroGA "Unsafe"??

I’m not an IT person, so I’m sure it’s something I’ve inadvertently done, but my tablet has suddenly started producing a warning saying that the connection to the EuroGA website is unsecure. Now usually if I were to come across this warning on a site I hadn’t been to before, I would chicken out and not click further. I obviously know the EuroGA forum but wondered why this is suddenly occurring??

Regards, SD..

You wouldn’t happen to have kept a screenshot, would you?

If the error you got was about a non-valid TLS/X.509 certificate (let’s call that the “ID card” of the website), then the warning is fundamentally about ensuring that your browser is indeed connecting to the website that you requested it to connect to, and not to a (potentially malicious) person intercepting the connection.

That error basically says (alas maybe in technobabble and/or not enough explicative language) that the browser couldn’t ensure that the website it is connecting to is indeed the one you asked it to connect to. It may be connecting to the correct website, and it may not, it doesn’t know for sure. Now, often that warning comes up just because the admin of the server didn’t renew the certificate before it expired, or an error in the new certificate on renewal or something benign like that. However, fundamentally, “knowing the website” or “having gone to that website before” is not an answer to the worry raised by the warning. Another common reason is that you are on a wifi network with a captive portal, and the router is indeed (but probably non-maliciously…) intercepting the communication to show you the captive portal instead of the requested website.

You may analyse that the risk of someone trying to intercept the communication is very small, and that you accept the risk for euroga.org, the biggest risk being that someone impersonates you on euroga.org, changes your password, etc., and you are willing to take that risk and on that basis “click through”. That’s a valid answer to the worry raised by the warning, but possibly your risk analysis would be different e.g. for your bank’s Internet Banking website.

You may look into the details of the message and manually determine that the certificate is merely expired (as opposed to being to another name, or signed by an “authority” that you don’t trust), and that this is no reason for worry and “click through” on that basis. That’s a valid answer to the worry raised by the warning.

If the error you got was about something else, well, we would have to see the error to comment :)

Last Edited by lionel at 22 Oct 08:22
ELLX
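
Added example, not part of the original post: a small triage of the two causes distinguished above that can be read straight off a certificate, validity dates and name. The host names, dates and sample certificates are constructed; whether the issuer is trusted needs the full chain and a trust store and is not checked here.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Match one certificate DNS name against the requested host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def triage(cert, host, now):
    """Return the reasons `cert` fails for `host` at time `now` (dates and name only)."""
    findings = []
    ts = now.timestamp()
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(p, host) for p in dns_names):
        findings.append("name-mismatch")
    return findings

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
LAPSED = {  # right name, renewal missed
    "notBefore": "Jul  1 00:00:00 2021 GMT",
    "notAfter": "Sep 29 23:59:59 2021 GMT",
    "subjectAltName": (("DNS", "forum.example.test"), ("DNS", "*.example.test")),
}
PORTAL = {  # in date, but issued to a different name (captive-portal case)
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "login.hotspot.example"),),
}
NOW = datetime(2021, 10, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, cert in (("lapsed", LAPSED), ("portal", PORTAL)):
        print(label, triage(cert, "forum.example.test", NOW))
```

An "expired" result with a matching name is the benign lapsed-renewal case; "name-mismatch" means the connection was answered by something other than the requested site.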

Does it happen on more than one device?

The certificate is OK. It is managed by Cloudflare and if there was a problem they (a huge outfit) would be on it right away. EuroGA used to manage its HTTPS certificates but no longer does (it is a perpetual hassle). CF also provide other useful anti-attack services.

But it is possible that somebody posted an HTTP (not HTTPS) URL in the forum. That sort of thing breaks a lot of stuff nowadays. In fact, someone did that yesterday…

Administrator
Shoreham EGKA, United Kingdom
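
Added example, not part of the original post or the forum's own code: a scanner that finds subresources an HTTPS page loads over plain HTTP, which is the mixed-content situation described above. It assumes the posted HTTP URL was embedded as an image or similar resource; the sample page and host names are constructed.

```python
from html.parser import HTMLParser

# Tag -> attribute holding the URL the browser fetches while rendering.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return  # <a href> and other tags are navigation, not a page load
        values = dict(attrs)
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower():
            return  # only stylesheet links are fetched as part of the page
        url = (values.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            kind = "active" if tag in ACTIVE else "passive"
            self.hits.append((kind, tag, url))

def find_mixed_content(html):
    """Return (kind, tag, url) for each plain-HTTP subresource in `html`."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.hits

# Constructed forum page, assumed to be served over HTTPS.
SAMPLE_PAGE = """
<link rel="stylesheet" href="https://forum.example.test/site.css">
<p>See <a href="http://other.example.test/article">this article</a></p>
<img src="http://img.example.test/photo.jpg" alt="posted photo">
<img src="https://forum.example.test/logo.png">
<script src="https://forum.example.test/app.js"></script>
"""

if __name__ == "__main__":
    for hit in find_mixed_content(SAMPLE_PAGE):
        print(hit)
```

The plain-HTTP link is not reported because following a link is a separate navigation; only the embedded image is fetched as part of the HTTPS page.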

Peter wrote:

EuroGA used to manage its HTTPS certificates but no longer does (it is a perpetual hassle).

Don’t you need to maintain a valid certificate for the connection between the server and cloudflare?

FYI, with https://letsencrypt.org/ certificates are free of charge and their renewal is fully automated, no perpetual hassle, just set it up and it runs for years without admin intervention.

Last Edited by lionel at 22 Oct 08:56
ELLX

lionel wrote:

Don’t you need to maintain a valid certificate for the connection between the server and cloudflare?

FYI, with https://letsencrypt.org/ certificates are free of charge and their renewal is fully automated, no perpetual hassle, just set it up and it runs for years without admin intervention.

In any case, my browser says that the certificate is valid.

ESKC (Uppsala/Sundbro), Sweden

Don’t you need to maintain a valid certificate for the connection between the server and cloudflare?

That would not be client-visible but anyway that one can be self-signed and with a 100 year expiry. One also firewalls the server to accept traffic only from CF, etc, etc…

FYI, with https://letsencrypt.org/ certificates are free of charge and their renewal is fully automated,

Fully automated at your end with a cron job which somebody on $100/hr needs to fix every time it breaks

Everything in IT costs money, even if unix servers usually have an uptime in years.

my browser says that the certificate is valid.

Yes; I am sure the issue was an HTTP URL posted by someone yesterday.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

Fully automated at your end with a cron job which somebody on $100/hr needs to fix every time it breaks

Call me, Peter. I’ll do it for only $95/hour!

Fly more.
LSGY, Switzerland

If this issue persists, @skydriller, please let me know. But I suspect that once that post containing the HTTP URL scrolls off the current page (which will depend on whether you are logged in or not, and then what the page size is set up in your profile) the issue will disappear.

Administrator
Shoreham EGKA, United Kingdom

skydriller, does this message show up for just one thread or the whole site?

EGTR

Peter wrote:

That would not be client-visible but anyway that one can be self-signed and with a 100 year expiry.

To get CloudFlare to accept it, is it specially declared in your CloudFlare account? CloudFlare doesn’t just accept anything blindly (I mean without it being manually whitelisted for your account/your server), do they?

Last Edited by lionel at 23 Oct 08:26
ELLX