Bitdefender wants encrypted login text

J-W43
Registered User
Posts: 60
Joined: Sun Jan 17, 2016 3:38 pm

Bitdefender wants encrypted login text

Post by J-W43 » Fri Sep 27, 2019 8:26 am

One of my new forum members couldn't log in for the first time because he got a warning from Bitdefender on his work PC, which has tight security.
It said "This page was blocked for your protection. [forum page url] An attempt to send your password unencrypted, in plain text, was prevented on this page...
[link] Take me back to safety.
[link] I understand the risks.
If you know this page is not dangerous... add it to your exceptions list."

Unfortunately some of my members get confused by this sort of thing.

Is phpBB likely to edit login software? Would HTTPS help?

Has anyone else had this problem?

WelshPaul
Registered User
Posts: 329
Joined: Tue Aug 19, 2014 2:09 pm

Re: Bitdefender wants encrypted login text

Post by WelshPaul » Fri Sep 27, 2019 8:42 am

You should be using https.

John connor
Registered User
Posts: 2238
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Bitdefender wants encrypted login text

Post by John connor » Fri Sep 27, 2019 9:36 am

Not sure if you are using HTTPS or not and if that's the issue, but I had Bitdefender Free on my parent's computer and I used to use it, but the virus protection as well as others now interpret an HTTPS connection and will give you or a user all kinds of issues. On my parent's computer, a simple Google search would be a PITA with Bitdefender's HTTPS interception. So either you had to keep whitelisting URL after URL, or use another anti-virus product. Well, that's exactly what I did; despite my liking of Bitdefender, their HTTPS interception was a real annoyance. So now on my parent's computer I have Immunet. So far so good. Let's hope they too don't go with intercepting HTTPS connections.

Now if your site is not HTTPS and this is why your user is getting that error, you can, or at least should be able to, deploy a free HTTPS certificate right from your cPanel using Let's Encrypt. All good, reputable hosts should give you that option. Let's Encrypt is free and the certificate will auto renew every three months. I've read that Let's Encrypt isn't the most ideal, for whatever that's worth, but it's better than nothing and will satisfy a user's anti-virus policy if this is the case.

If you do deploy HTTPS, you'll more than likely have to use some htaccess code for a 301 redirect. If that's the case, ask here about that code. The other issue inherent in a website that is forum-based is that you'll more than likely have a lot of so-called mixed content. Meaning stuff like images being hosted from an HTTP address rather than an HTTPS address will cause the lock in the address bar to show broken and give you the mixed content warning. It just means the images or whatever are being sent to the browser outside of an encrypted connection, but everything else remains encrypted.

There are two ways to combat the mixed content issue using HTTPS. One is an extension here (whose name escapes me) that uses a proxy to fix the mixed content warning. The other is by using Cloudflare. When you use Cloudflare there is an option in your Dashboard to fix mixed content. It does this by Cloudflare using two mechanisms that I know of. One is that they use the HTTPS Everywhere database and the other is some other source which I can't remember. What happens is that if Cloudflare detects an insecure connection, it immediately looks for an HTTPS version of the insecure URL and if there is one Cloudflare will rewrite the URL, thus your website won't get a mixed content warning. With my use of Cloudflare ever since I started my forum over four years ago, I have not once seen a mixed content warning since I deployed an HTTPS certificate. Also, once you use a Let's Encrypt certificate, Cloudflare will automatically issue you a free Comodo Certificate.

Anyway. Have a look at these two websites.


https://www.cloudflare.com/website-opti ... s-rewrite/

https://blog.vpn.ac/disable-https-scanning.html
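
An added example, not part of the thread and not phpBB code: a small Python check an admin could run over a saved copy of the login page to see the two conditions discussed above, a password field exposed to plain HTTP and `http://` subresources on an `https://` page. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute pulls a subresource into the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src"}


class LoginPageAudit(HTMLParser):
    """Finds password forms exposed to plain HTTP, and mixed content."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlparse(page_url).scheme == "https"
        self.insecure_logins = []  # form targets where the password is exposed
        self.mixed_content = []    # http:// subresources on an https:// page
        self._form_target = None   # resolved action of the form being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._form_target = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            target = self._form_target or self.page_url
            # Both the page carrying the form and the submit target need HTTPS.
            secure = self.page_secure and urlparse(target).scheme == "https"
            if not secure and target not in self.insecure_logins:
                self.insecure_logins.append(target)
        elif tag in SUBRESOURCE_ATTRS and self.page_secure:
            url = urljoin(self.page_url, attrs.get(SUBRESOURCE_ATTRS[tag]) or "")
            if urlparse(url).scheme == "http":
                self.mixed_content.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_target = None


def audit(page_url, html):
    """Return (insecure login targets, mixed-content URLs) for one page."""
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    return parser.insecure_logins, parser.mixed_content


# Constructed sample: a phpBB-style login form plus a hotlinked image.
SAMPLE = """<form action="./ucp.php?mode=login" method="post">
<input type="password" name="password"></form>
<img src="http://images.example.org/avatar.png"><img src="/styles/logo.png">"""
```

Calling `audit("http://forum.example.com/index.php", SAMPLE)` reports the login target as insecure; the same HTML served from the `https://` URL clears that finding and instead lists the hotlinked image as mixed content.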

J-W43
Registered User
Posts: 60
Joined: Sun Jan 17, 2016 3:38 pm

Re: Bitdefender wants encrypted login text

Post by J-W43 » Fri Sep 27, 2019 10:07 am

Thanks for the advice. I may be able to do some of the above with my "second level" Admin privileges without needing to contact the founder who is always difficult to contact.
