this website not secure

Gary Charpentier
Joined: 23 Feb 08
Posts: 2465
United States
Message 65673 - Posted: 29 Nov 2015, 21:36:35 UTC

boinc.berkeley.edu/dev/img/head_20.png
Is not being served securely.
ID: 65673 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15483
Netherlands
Message 65676 - Posted: 30 Nov 2015, 10:11:15 UTC - in response to Message 65673.  

You worry about the BOINC forums, but not about the Seti forums/back-end communicating with your computer with the same certificate?

The BOINC forums do little that requires a very up-to-date certificate, we don't sport advertisements, we don't throw 17 scripts your direction before you're allowed to see anything, we don't ask you for your full name, address, place of birth, social security number, bank-account details, or are sending you anything that really requires an up-to-the-minute updated certificate. Or whatever Google finds is necessary before it stops showing the "aaah, you're screwed!" icon.

In any case, as I said earlier, it's out of our hands. The certificate is given out by the University of California, Berkeley, and so we'll have to wait until they find it in their hearts to renew it, or get a better one. They won't get it just for the BOINC website.

But as I also said, you should be more worried about it over at Seti, because that does communicate with your computer on a different level, sending you executables and such that you do want to be correct. The only reason I can think of that you are crying about it here, and not there, is that there you're using the even less secure HTTP protocol, instead of HTTPS.
ID: 65676 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert
Joined: 5 Oct 06
Posts: 5082
United Kingdom
Message 65677 - Posted: 30 Nov 2015, 10:44:32 UTC - in response to Message 65676.  

Christian Beer has committed generic code "Web: use https urls everywhere", triggered by a similar report of head_20.png (but not other image urls) being served insecurely at Einstein.
ID: 65677 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15483
Netherlands
Message 65678 - Posted: 30 Nov 2015, 11:04:39 UTC - in response to Message 65677.  

What I read was that Christian added code to make all possible URLs sent by the project HTTPS when the project sets itself sending secure URLs.

I thought that what Gary meant was the warning that some browsers are now giving about some of the URLs not being secure, but that's something code can't change, but an updated certificate. Shrug. Sorry if I misunderstood, but then saying that 'this website is not secure' and pointing to an image isn't exactly helpful.

Aside from that, I warned the developers a long time ago about the certificate, it's out of their hands as well.
ID: 65678 · Report as offensive
Gary Charpentier
Joined: 23 Feb 08
Posts: 2465
United States
Message 65679 - Posted: 30 Nov 2015, 14:40:54 UTC - in response to Message 65678.  

What I read was that Christian added code to make all possible URLs sent by the project HTTPS when the project sets itself sending secure URLs.

I thought that what Gary meant was the warning that some browsers are now giving about some of the URLs not being secure, but that's something code can't change, but an updated certificate. Shrug. Sorry if I misunderstood, but then saying that 'this website is not secure' and pointing to an image isn't exactly helpful.

Aside from that, I warned the developers a long time ago about the certificate, it's out of their hands as well.

Jord, it is a bad href to http not https. That is something they can fix!
ID: 65679 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15483
Netherlands
Message 65683 - Posted: 1 Dec 2015, 9:14:18 UTC

David Anderson wrote:
The code used HTTPS for forms with passwords, which is the only place where it matters.
Previously projects could use HTTPS for these forms, and HTTP for other pages.
With this change, if a project defines SECURE_URL_BASE, then HTTPS is used for all pages, which is not necessarily what they want.

ID: 65683 · Report as offensive
Gary Charpentier
Joined: 23 Feb 08
Posts: 2465
United States
Message 65686 - Posted: 1 Dec 2015, 14:43:40 UTC - in response to Message 65683.  

David Anderson wrote:
The code used HTTPS for forms with passwords, which is the only place where it matters.
Previously projects could use HTTPS for these forms, and HTTP for other pages.
With this change, if a project defines SECURE_URL_BASE, then HTTPS is used for all pages, which is not necessarily what they want.

DA better keep up with practice. Two of the biggest browsers intend to soon display a "get me out of here" if they encounter any non-https connection on a https web page, including hacked security methods, self-signed certificates, etc. It isn't a bad thing, it just means the web page designer has to do his job and get the CSS right too.
ID: 65686 · Report as offensive
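
An added example, not part of the thread and not BOINC's own code: a static check for the problem reported above, http:// subresources on a page served over HTTPS. The sample page is constructed (only the head_20.png path comes from the thread, with its http:// scheme assumed), and the class and function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes the browser fetches as part of the page. <a href> is navigation,
# not a subresource, so a plain http:// link is not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",),
}
# Loads that can run code or restyle the page; treated more strictly than images.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

# Constructed sample. The image path is the one reported in the thread (its
# http:// scheme is assumed); the example.org URLs are placeholders.
SAMPLE_URL = "https://boinc.berkeley.edu/dev/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//example.org/style.css">
</head><body>
<img src="http://boinc.berkeley.edu/dev/img/head_20.png">
<img src="img/other.png">
<a href="http://example.org/">external link</a>
<script src="http://example.org/sig.js"></script>
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            names = ("href",)
        for name in names:
            # Resolve relative and protocol-relative (//host/x) URLs first.
            url = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if urlsplit(url).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `find_mixed_content(SAMPLE_URL, SAMPLE_HTML)` reports the image and the script; the protocol-relative stylesheet, the relative image and the outbound link are not flagged.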
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15483
Netherlands
Message 65708 - Posted: 1 Dec 2015, 22:13:30 UTC

I just put the image link the complaint is about in an HTTPS URL in Firefox, which comes out as:

ID: 65708 · Report as offensive
Gary Charpentier
Joined: 23 Feb 08
Posts: 2465
United States
Message 65719 - Posted: 2 Dec 2015, 14:26:18 UTC - in response to Message 65708.  

seems a bit more work may be needed

Avatars and signatures.
ID: 65719 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15483
Netherlands
Message 65720 - Posted: 2 Dec 2015, 14:35:56 UTC - in response to Message 65719.  

seems a bit more work may be needed
..

The connection is a known issue, but requires a new SSL certificate. I spoke at length with David about it, he's now going to check what can be done about that.

Avatars and signatures.

Avatars are images provided by the forum software and stored on the local server.
Gravatar is a separate entity, although I see it does have HTTPS possibilities, so I'll forward that.
Signatures have external URLs, which don't always have HTTPS. And besides, when they do, you can change this yourself through your account.
ID: 65720 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15483
Netherlands
Message 66513 - Posted: 29 Dec 2015, 23:10:11 UTC
Last modified: 29 Dec 2015, 23:10:20 UTC

ID: 66513 · Report as offensive


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.