It's just because the site uses HTTP (un-encrypted) rather than HTTPS (encrypted). Ideally it'd use HTTPS, which with Let's Encrypt, is now a lot easier than it used to be but, even so, I can imagine Keith not being bothered.

Just don't use the same password here as anywhere else, but everybody's using different passwords everywhere, aren't they?

Posted By: Ed DaviesIt's just because the site uses HTTP (un-encrypted) rather than HTTPS (encrypted). Ideally it'd use HTTPS, which with Let's Encrypt, is now a lot easier than it used to be but, even so, I can imagine Keith not being bothered.

Just don't use the same password here as anywhere else, but everybody's using different passwords everywhere, aren't they?

Haha, you'd hope so. You'd have to be an idiot to use the same password for multiple sites.


*quietly changes password*

As Ed says, you need to run HTTPS, which also means you need a certificate. There's some explanation at https://letsencrypt.org/getting-started/

I think for one or more of us to be able to help, we'd need to know a lot more about how the system is installed, who your ISP is etc etc.

<blockquote>Can anyone suggest any code that I could add to the page or somewhere in the filesystem that will override the ‘not secure’ message that google displays..</blockquote>

The problem is that your 'secure' https pages actually do in reality include non-secure resources from regular http URIs; as only part of the page content is secure the warning is generated. It should be fairly simple to correct that.

For example the main page (https://www.greenbuildingforum.co.uk/newforum/) pulls through all these elements from insecure http pages:

http://www.greenbuildingpress.co.uk/images/shining_star.jpg
http://www.greenbuildingpress.co.uk/images/small/gbb_fourth_both_covers_170.jpg
http://www.greenbuildingpress.co.uk/pagegraphics/spacer10x10.gif
http://www.newbuilder.co.uk/pagegraphics/nav_buzz2.gif
http://www.greenbuildingpress.co.uk/pagegraphics/top_curve_yellow.gif
http://www.greenbuildingpress.co.uk/pagegraphics/top_curve_yellow2.gif

If you move those resources to https locations, that should fix that problem. For example, literally move the image "shining_star.jpg" on the server
from
http://www.greenbuildingpress.co.uk/images/shining_star.jpg
to
https://www.greenbuildingforum.co.uk/images/shining_star.jpg
and update the link accordingly in the bulletin board software

Similarly, the secure main page is linking to and displaying content summaries from non https threads, such as this one you're reading now at
http://www.greenbuildingforum.co.uk/newforum/comments.php?DiscussionID=16677&page=1
which needs to be switched to
https://www.greenbuildingforum.co.uk/newforum/comments.php?DiscussionID=16677&page=1
That page does already exist; you need to add code to the server to automatically deliver the https version (possibly in the .htaccess file, but it depends on your setup)

That page also contains a link to the the insecure feed
http://www.greenbuildingforum.co.uk/newforum/comments.php?DiscussionID=16677&page=1&Feed=RSS2
which should be switched to
https://www.greenbuildingforum.co.uk/newforum/comments.php?DiscussionID=16677&page=1&Feed=RSS2
which again already exists, but isn't being served, presumably due to the absence of the above mentioned server code.

Making that server change should also take care of uploaded attachments, which can already be accessed by https links, but are currently being served as http. For example
http://www.greenbuildingforum.co.uk/newforum/extensions/InlineImages/image.php?AttachmentID=7806
https://www.greenbuildingforum.co.uk/newforum/extensions/InlineImages/image.php?AttachmentID=7806

Standard links to regular http external pages - such as the link to http://www.greenbuilding.co.uk/ - shouldn't be a problem, though in that case I guess you may want to move to https://www.greenbuilding.co.uk/ anyway.

The Let's Encrypt certificate you already have is fine, and you don't need Cloudflare.

BTW, although I run a couple of https websites, I'm not an 'expert', so may have forgotten something...

Oh wow thank you all for this. i’ll read through and digest over the next 24 hours and make some sort of logical reply and action plan to get this sorted. the reason I’ve been so tardy at fixing this is because, like Damon I think it is a bit heavy handed but sadly I think it is all beginning to have an effect on traffic to the sites so time to comply I think. i find that trying to Keep up with the ever-changing technology is a real drain on the psyche.

GBP-Keith, If the website is administered through C-panel you can now simply force redirect all pages to https, including any sub-domains. It's usually a 5 minute job. Happy to assist if you need any further info.

Ah, mixed results so far. I managed (using Simon’s suggestion) to get rid of the not secure message but then I couldn't log in with the site then telling me the log In form was not secure and even though I accepted, it failed to log me in so I still need to do some more homework.

Thanks for the feedback so far guys

I've just had a look over the page source. There are a couple of things you could look at that might be causing problems.

The first is that in the sign in page, the form points to an absolute http url:

form id="frmSignIn" method="post" action="http://www.greenbuildingforum.co.uk/newforum/people.php"><input type="hidden" name="ReturnUrl" value="http%3A%2F%2Fwww.greenbuildingforum.co.uk%2Fnewforum%2Fcomments.php%3FDiscussionID%3D16677" />

I don't know whether the vanilla forum writes the urls dynamically as absolute, whether there's a mixture of static and dynamic code on the page that writes urls as absolute, or whether when you have created pages during the setup the systems sets the urls in this way. It may be worth checking if the configuration console for the forum has any options for writing urls, or alternatively check pages you've created for the forum to see if you can modify the urls there.

I'm not familiar with the Vanilla forum but the current version is now quite old at version 1.0.3 (2015) so trying to get support for this version may be difficult. It's also unlikey to be compatible with current standards and less secure. For example, when I look at the page source I receive several warnings that PHPSESSID will soon be treated as a cross-site cookie which means if visitors set their browsers to block these it's going to break functions of the forum.

You may well be able to sort this ssl problem but although probably a pita, it may be the time to seriously consider upgrading to the latest stable version of vanilla?