Are there other options besides HTTPS for securing a website to avoid text input warnings in Chrome?

@Dunderdale272

Posted in: #Forms #GoogleChrome #Security

One week ago Google sent me an email telling me to go HTTPS. If I don't move from HTTP to HTTPS, it will show my connection as unsecured to all site visitors who try to input text on my site.

Without using SSL, is there any other way to make my connection secure? Since using SSL for a web URL is a costly process, I am searching for another option instead.

10.07% popularity

7 Comments


 

@Michele947

No.

Any hack you try (e.g. trying to encrypt with JavaScript) is very unlikely to even be close to secure.

SSL doesn't have to be "expensive"; many hosting providers offer it for free. Even services like Cloudflare offer free SSL, and you can keep your current hosting.

10% popularity


 

@Sent6035632

I have a couple of ideas.

If the reason for HTTPS is to manage logins, then you can minimize the effect across all browsers by offering users the option to stay logged in. Then when a user logs in, a cookie can be permanently stored on the user's computer so the next time the user turns his computer on to access the site, he would be automatically logged in instead of always being presented with a login prompt and possibly a security warning.

Another idea which can bypass the message, but which would be more work on both the guest and the server, is to have a guest upload a special file with the proper configuration encrypted. For example, for the login screen, instead of asking the user to enter his username and password in two text boxes, have the user upload a small file that contains his username and password encrypted (for example, compressing the username and password as a zip file with a specific compression level); then the server can decrypt the file to extract the username and password. The potential hacker will see gibberish in transit when the user sends the file to the server. The only slight advantage to this idea is a slightly faster connection speed, since SSL connection processing doesn't take place in HTTP.

10% popularity
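An added illustration, not part of the answer above, of what a zip of credentials looks like to anyone who can see the uploaded bytes: compression involves no key, so the server and any other reader open it the same way at every compression level. The file name `login.txt`, the helper names and the sample credentials are constructed for this example.

```python
import io
import zipfile


def build_upload(username, password, level):
    """Build the file the proposed login page would ask the user to upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=level) as z:
        z.writestr("login.txt", f"{username}\n{password}")
    return buf.getvalue()


def read_without_key(wire_bytes):
    """Open the upload exactly as the server would; no secret is required."""
    with zipfile.ZipFile(io.BytesIO(wire_bytes)) as z:
        return {name: z.read(name).decode() for name in z.namelist()}


def levels_that_hide_credentials(username, password):
    """Return the compression levels (0-9) at which the contents cannot be read back."""
    expected = f"{username}\n{password}"
    hidden = []
    for level in range(10):
        recovered = read_without_key(build_upload(username, password, level))
        if recovered.get("login.txt") != expected:
            hidden.append(level)
    return hidden


if __name__ == "__main__":
    # Constructed sample credentials.
    upload = build_upload("alice", "correct horse", 9)
    print(len(upload), "bytes on the wire")
    print("read back with no key:", read_without_key(upload))
    print("levels that hide the contents:", levels_that_hide_credentials("alice", "correct horse"))
```

Over plain HTTP the uploaded file would also stand in for the password itself, which is why the remaining answers point to transport encryption instead.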


 

@Yeniel560

Nobody else seems to have mentioned: if you own every machine that connects to your site (e.g. "this is probably not what you want"), like a corporate setting, you can create a certificate authority of your own and install its public cert into all the machines (well, onto all the browsers and cert stores) that connect to your site. This option is free of third-party monetization; it's the same encryption cipher. You don't get signed into the public trust, though (e.g. your authority is not recognised by Google's Chrome, Mozilla's Firefox etc., the way Let's Encrypt's is), but it will be recognised by machines you configured to trust yourself.

Admittedly, the details of setting up a certificate authority are tricky and somewhat obscure, and maintenance can be a lot of work, so I'll leave them off here. You're probably best doing a deep-dive research on the topic if you're truly interested in this approach.

Though for a naive deployment, you can try XCA.

For Debian: packages.debian.org/stretch/xca
Official site: xca.sourceforge.net/

XCA is a decent way to issue certs for tiny deployments and includes help documentation that walks through the whole setup.

10% popularity


 

@Ogunnowo487

If you're just serving static files or can put a proxy in front, you could use a server like Caddy, which handles all of this for you by using Let's Encrypt. This takes the pain out of provisioning certificates, and you don't have to install any other software.

Alternatively, you could use a service like Cloudflare; their free plan offers free HTTPS.

Finally, some hosts offer free HTTPS certs now, including DreamHost. So check if your current host offers this as an option.

I wouldn't recommend trying to find a workaround. There is only one way to make your site secure, and browsers will eventually be warning on every site that doesn't have HTTPS, no matter what the content. The web is moving towards HTTPS everywhere.

10% popularity


 

@Goswami781

A free, quick solution is Let's Encrypt.
They have documentation for nearly every server OS. We use it at our work, and our W2P vendors use it to secure each of our storefronts.

10% popularity


 

@Frith620

I don't recommend it, but you can bypass this message by not using the original input text fields. You can create your own input fields using a regular div that has an onkeypress event. Or you can create a div element that has the contenteditable attribute set to true.

This way, the users will be able to input information on your site without using input tag elements.

10% popularity


 

@Holmes151

is there any other way to make my connection secured ?


Google isn't just complaining about "security" (which could include a number of different topics); it is specifically targeting encryption / HTTPS. With plain HTTP the connection between the client and server is unencrypted, allowing anyone to potentially see and intercept anything that is submitted. It would normally only prompt with this if you are allowing users to log in (i.e. submitting username/password) or submitting payment information over an unencrypted connection. General "text" form submissions would not necessarily be a problem. However, as @Kevin pointed out in comments, Google/Chrome plan to extend this in the future:


Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.


Installing an SSL cert on your site (or using a front-end proxy like Cloudflare to handle the SSL) is the only way to encrypt the traffic to your site.

However, this isn't necessarily a "costly process" these days. Cloudflare have a "free" option and Let's Encrypt is a free Certificate Authority that many hosts support by default.

10% popularity
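An added example, not part of any answer above: a small audit that lists every element accepting typed input whose contents travel over plain HTTP, whether it is an `<input>`, a `<textarea>` or a `contenteditable` div standing in for one. The class and function names, the `shop.example` URLs and the sample HTML are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TYPED = {"text", "password", "email", "search", "tel", "url", "number"}  # typed-input types


class TypedInputAudit(HTMLParser):
    """Collects every element on a page that accepts typed input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_target = None      # resolved action of the enclosing <form>
        self.findings = []           # (kind, name, sent_in_cleartext)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":            # missing or relative action resolves against the page
            self.form_target = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "text").lower() in TYPED:
            kind = "password" if a.get("type", "").lower() == "password" else "text"
            self._record(kind, a.get("name", ""))
        elif tag == "textarea":
            self._record("text", a.get("name", ""))
        elif a.get("contenteditable", "false").lower() in ("", "true", "plaintext-only"):
            # A div standing in for an input field is still typed input.
            self._record("contenteditable", a.get("id", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_target = None

    def _record(self, kind, name):
        target = self.form_target or self.page_url
        schemes = {urlsplit(self.page_url).scheme, urlsplit(target).scheme}
        self.findings.append((kind, name, "http" in schemes))


def cleartext_inputs(page_url, html):
    """Return (kind, name) for each typed-input element exposed over plain HTTP."""
    audit = TypedInputAudit(page_url)
    audit.feed(html)
    return [(k, n) for k, n, exposed in audit.findings if exposed]


# Constructed sample page: a login form plus a div used in place of an input.
SAMPLE = """<form action="/do_login" method="post">
<input name="user"><input type="password" name="pass"><input type="submit">
</form><div id="comment-box" contenteditable="true"></div>"""

if __name__ == "__main__":
    for url in ("http://shop.example/login", "https://shop.example/login"):
        print(url, cleartext_inputs(url, SAMPLE))
```

Served from the `http://` URL, all three elements are reported, including the `contenteditable` div; served from `https://`, the list is empty unless a form's `action` points back to an `http://` address.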

