Wondering why HTTPS is not forced on the Comodo Forum

Hey,

I noticed that when typing in forums.comodo.com into my web browser, I load the forum with http and not https.

I was just wondering, if it is deliberate that HTTPS is not forced, what the reason was for doing so.

If it’s not deliberate, then I am just bringing this up.

Not so with me. It begins with https. The ‘i’ says: ‘The connection to this site is not fully secure’.
But you can enforce a fully secure connection, which means https.
Or use the extension ‘HTTPS Everywhere’ and enable: ‘Block all unencrypted requests’.

There is no redirect to https, but HSTS (HTTP Strict Transport Security) is used, which means that once a secure connection has been made, it is not possible to connect insecurely with the same browser in the next 182,5 days.

A redirect – or even better HSTS preload – would be a good complement.

But isn’t it so that if I force https and so on, I can’t use all the functions of a website, i.e. I don’t see any or all images embedded in a website? That’s a problem if I want to shop online.

Even when I open Klarna (subsidiary of a Swedish bank in Germany) I get the info: This site is not fully secure.
You can forbid sites with mixed elements, which I do if I want to be really sure.

Could it be that I am making a mistake, or that I don’t set a period of time, so that I can never browse a certain site any more?

It’s getting more and more complicated and not funny when doing online banking or other sensitive activities/processes/operations. Can I be sure when I do online banking with ‘Comodo Secure Shopping’, or is it better to transfer money manually with paper again?

The problem with HTTPS and HSTS is new to me. I thought HTTPS is sure. But what is considered to be safe?

Perhaps this is the wrong thread for this topic/problem to discuss.

If there is mixed content (insecurely delivered content in a secure context) on a site, and you only allow securely delivered content, some content will be blocked. See attached image for https://mixed-favicon.badssl.com/

If you go to a site which uses HSTS, it will place a cookie on your computer, telling your browser to only connect securely to that site (or rather domain). Those cookies may have different “max-age” (duration). For this forum it is 15 768 000 seconds (182,5 days).

HTTPS is secure (if securely configured). HSTS is used to enforce HTTPS, and prevent “stripping” (of TLS), or downgrade to plain-text HTTP. With HSTS-preload, browsers know in advance that HTTPS must be used for a certain domain.
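The max-age arithmetic and the preload requirements JoWa describes, as an added example (not code from the forum or from Comodo): it parses a Strict-Transport-Security header value, converts max-age to days, and lists what the header itself would still lack for the HSTS preload list. The only value taken from the thread is the forum's reported max-age of 15768000 seconds; the second header string is constructed, and the function names are mine.

```python
"""Parse a Strict-Transport-Security header and judge preload readiness.

Added example; not code from the forum or from Comodo. The header strings
below are constructed for illustration, except the max-age value 15768000,
which the thread reports for forums.comodo.com.
"""
from dataclasses import dataclass

# hstspreload.org requires a max-age of at least one year (assumption
# based on the public submission requirements, not stated in the thread).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

    @property
    def days(self) -> float:
        """Policy lifetime in days (86400 seconds per day)."""
        return self.max_age / 86400


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the directives of an HSTS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive; unknown directives are ignored;
    max-age is mandatory and must be a non-negative integer.
    """
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_sub, preload)


def preload_blockers(policy: HstsPolicy) -> list:
    """Reasons the header alone would keep a domain off the preload list.

    The list additionally requires an HTTP-to-HTTPS redirect, which a header
    value cannot show, so an empty result means "header looks ready", not
    "site is ready".
    """
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    forum = parse_hsts("max-age=15768000")  # value reported in the thread
    print(f"forum policy lasts {forum.days} days; blockers: {preload_blockers(forum)}")
    ready = parse_hsts("max-age=63072000; includeSubDomains; preload")  # constructed
    print(f"constructed policy blockers: {preload_blockers(ready)}")
```

Running it shows the 182.5 days JoWa mentions for the forum header, and that the same header would need includeSubDomains, preload and a longer max-age before preload submission could even be considered.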

Many thx for your explanation and I see I need more information.

prodex, I would be very surprised at any European bank that is serving insecure content from the point of the login form. I would be more inclined to think that you may have some sort of plugin or other software on your machine that is injecting code into your browser session. No reputable website should require you to downgrade to HTTP in order to use it.

I would like to see it forced also.

The login form does link to the https version of the forum meaning that everything from login should go through HTTPS.

In this day and age I would still expect to see the non-logged-in version force HTTPS, even if it is not providing much extra security or privacy. This is because I think we need to move to an internet where as many websites as possible use HTTPS as the default, and I think that Comodo should be setting an example of such.

Thank you for your tip!
No, it’s not my bank, I only transfer money from my bank to Klarna. But I can open its site without an account to see if there is a bill to be paid: ‘There is no bill still to pay.’ Not more. Otherwise I would avoid this bank. But I once let the bank know this.

I often have it checked whether there are plugins I don’t know about. My plugins are Privacy Badger, HTTPS Everywhere, uBlock Origin, uMatrix, Disconnect Facebook and Comodo Online Security.

As I wrote, when I type in only ‘forums.comodo.com’ then the site opens with https://forums.comodo.com

You could test if it is your plugins causing the ‘connection to this site is not fully secure’ warning, by disabling them all, and again loading the site.

The best way to do this would be to make sure that the plugins are set not to run in Incognito/Private Browsing mode from your browser settings, then open Incognito/Private Browsing mode on your browser and then revisit the website that gave you the warning.

If you no longer see any warning message, it may have been one of your plugins.

Just to keep in mind, other software on your machine may also inject code into browser sessions without a plugin, such as Kaspersky for example.

As a disclaimer disabling any security software on your machine could put it at extra risk of course, so I would recommend testing it on websites you do not have to login to see the warning message that you describe.

I should point out, websites like forums may include mixed content, some https and some not, as not everything will be hosted on the same server, e.g. someone posting an image on the forum which is hosted on a non-https server. So it would be normal to see this on the Comodo Forums on posts where people attach images. I would not consider it normal on a banking website however.

As for this forum, as JoWa has pointed out, you will redirect to the https version because you have already been here recently. If you open Incognito/Private Browsing mode in your browser then type in forums.comodo.com you should be taken to the non https version.

Hope that helps.
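The mixed-content situation described in the last two posts (an https page that pulls in an http image attachment), as an added example that is not part of the thread and not Comodo's code: it walks the subresource references of a page and reports which ones would be fetched over plain http. The severity split follows the W3C Mixed Content classification, in which images, audio and video are "optionally blockable" (the browser shows a "not fully secure" warning) while scripts, stylesheets, frames and similar are "blockable" (the browser refuses to load them); the favicon-as-blockable treatment is a simplification, and the sample HTML, hostnames and function names are constructed.

```python
"""Find mixed content: http:// subresources in a page served over https.

Added example; not code from the forum or from Comodo. The HTML and the
example.test hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetches are "optionally blockable" in the W3C Mixed Content
# spec; everything else that loads a subresource is treated as blockable.
OPTIONALLY_BLOCKABLE = {"img", "audio", "video", "source"}
# Attributes that reference a subresource. Plain <a href> is a navigation,
# not a subresource, so <a> is skipped below.
URL_ATTRS = {"src", "href", "data", "poster"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, severity)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            return
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page
            # URL; "//cdn..." on an https page becomes https and is fine.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                severity = "warning" if tag in OPTIONALLY_BLOCKABLE else "blocked"
                self.findings.append((tag, absolute, severity))


def find_mixed_content(page_url, html):
    """Return (tag, url, severity) for each http:// subresource of an https page.

    A page served over http has no secure context, so it cannot contain
    mixed content and an empty list is returned.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one http favicon, one protocol-relative script,
# one https image, one http image attachment, one plain link.
SAMPLE_HTML = """
<html><head>
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="https://img.example.test/ok.png">
<img src="http://img.example.test/attachment.png">
<a href="http://example.test/page">link</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, severity in find_mixed_content("https://forums.example.test/t/1", SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

On the sample, the http image attachment is reported as a warning (the "not fully secure" indicator the thread talks about) and the http favicon as blocked, while the protocol-relative script resolves to https and is not mixed content at all. Running the same scan over a saved copy of a page is one way to separate content the site itself references from content something on your own machine injected.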

It seems the bank took my hint seriously. I didn’t open the site for a longer time, and now I did and there is no longer the hint that the site is not secure. That means for me that I “have (no) some sort of plugin or other software on [my] machine that is injecting code into [my] browser session”.

Once more: With comodo, malwarebytes, checking my PC with adwcleaner AND BRAIN 2.0 :wink: I feel very well protected - still, and this for years!

Now I understand the plugins even better. It is exhausting to read English manuals with all the English/technical terms. I now understand English pages on this topic much better and read them more easily. Of course, there are German sites, too. It’s not like I didn’t know or understand anything or didn’t know what I was doing, but it can still go deeper.