Topic: https padlock thingy

Posted under General

Sorry if this is a stupid question, but I would like to know. Beside my address bar on Chrome there is a little padlock next to the https. It's usually green, but over the past couple of days it has started changing into a grey padlock with a yellow triangle icon. When I click on it it tells me that e621 uses a 'weak security configuration'. The site as a whole also seems a bit slower. Is that something I should be concerned about, or should I just leave it be? Again, sorry if this is a silly question, I'm terrible with computers D:

Updated

Cloudflare is currently looking into this and the related slowness. I don't have much in the way of updates but most users shouldn't have reason to worry security-wise for normal day-to-day browsing.

I've got to get some sleep, but I can answer any questions in the morning. Also, if you would like me to explain this in more detail, let me know.

Updated by anonymous

parasprite said:
Cloudflare is currently looking into this and the related slowness. I don't have much in the way of updates but most users shouldn't have reason to worry security-wise for normal day-to-day browsing.

I've got to get some sleep, but I can answer any questions in the morning. Also, if you would like me to explain this in more detail, let me know.

Thanks, that makes me feel less worried. I just have a question though. I know FA uses Cloudflare as well, is this issue the same reason why FA doesn't seem to have http anymore in their website addresses?

Sorry for the delayed reply. Thanks for taking the time to explain it to me, I appreciate it!

Updated by anonymous

Kataphraktarii said:
I know FA uses Cloudflare as well, is this issue the same reason why FA doesn't seem to have http anymore in their website addresses?

FA supports both http and https as far as I know.

Updated by anonymous

Chessax said:
FA supports both http and https as far as I know.

Ah, sorry, I meant https (forgot to type the s). I didn't know there was such a thing as http. Honestly, I don't even know the difference between https or http or what they even do. All I know is that FA's addresses used to have https (the green padlock) in them and now they don't, and I'm wondering if it's related to this Cloudflare issue.

Sorry, I'm a complete brickhead when it comes to anything more technologically complicated than turning a computer on and off D:

Updated by anonymous

Kataphraktarii said:
Ah, sorry, I meant https (forgot to type the s). I didn't know there was such a thing as http. Honestly, I don't even know the difference between https or http or what they even do. All I know is that FA's addresses used to have https (the green padlock) in them and now they don't, and I'm wondering if it's related to this Cloudflare issue.

Sorry, I'm a complete brickhead when it comes to anything more technologically complicated than turning a computer on and off D:

How CloudFlare works is outside of my expertise. Though I'm not that good at cryptography and the like either, but when you get a green padlock there are essentially two main parts:

  • Encryption: The data is encrypted meaning only you and the server know what is being sent, i.e. a man in the middle will be able to see the encrypted data but (hopefully) not be able to decrypt it. Though they will still see who sent it where (for that you need other mechanisms such as VPN and ideally TOR). E.g. without https the passwords you enter may be picked up by anyone who knows how, https is especially good when using wireless to avoid "sniffers".
  • Certificates: You can trust that the website you think you are visiting actually is the one that you are seeing (as long as the certificate authorities, the organizations who tell which certificates are actually valid, can be trusted themselves).

If you don't get a padlock at all, that means you are not using https, the solution is to explicitly type in https:// in the address bar, if that doesn't work, then https isn't supported on that domain. In almost all cases https will help you and not be a hindrance.

Also, you shouldn't feel bad for not knowing things, the only ones that should feel bad are the ones who don't learn, or rather, refuse to learn.

If there is one thing you should take with you from all this, it is this:

Always use HTTPS if possible

Updated by anonymous

Kataphraktarii said:
Ah, sorry, I meant https (forgot to type the s). I didn't know there was such a thing as http. Honestly, I don't even know the difference between https or http or what they even do. All I know is that FA's addresses used to have https (the green padlock) in them and now they don't, and I'm wondering if it's related to this Cloudflare issue.

Sorry, I'm a complete brickhead when it comes to anything more technologically complicated than turning a computer on and off D:

No worries. Most people find this stuff pretty complicated, and it can be really overwhelming if you don't have someone to simplify it for you.

  • http - Not encrypted, easy for an outsider to look at your traffic
  • https - The s is for secure. It means the traffic is encrypted and (ideally) only you should be able to look at the traffic (at the bare minimum, a site should have https for password/logins, credit card numbers, and other personal information)

The details with how it works and the different types are a bit beyond the discussion here, but all you really need to know is that older types of encryption are generally less secure. Think of less secure forms as having a password that is easy to guess.

It's becoming more and more common to see forced https on every website (for security reasons), but since a lot of very old devices often don't support newer encryption types, some websites will support both http (non-encrypted) and https (encrypted). FA in this case supports both, but which one you use is more/less up to you. It's possible they forced https at one point, but backed off when some older devices were having issues connecting, but that's my own guess.

However, if you have a reasonably new device and up-to-date software, you usually shouldn't have anything to worry about with compatibility, so this...

Chessax said:

Always use HTTPS if possible

is definitely a good thing to keep in mind. :)

Updated by anonymous

You can use the HTTPS Everywhere plug-in to force encryption for a bunch of websites specified in their ruleset, not just the website you are visiting but also many of their third party services like ad services if not blocked and formatting services. The one caveat with this plug-in, as with all such plug-ins that modify connection defaults (e.g., NoScript has been the biggest offender), is that their rules sometimes break websites, and you need the awareness to identify a broken website and the willingness to begin a short troubleshooting process to correct the issue if necessary. It's a minor annoyance, but not hard: just temporarily turn off the plug-in(s), refresh the page, and isolate and disable the specific rule breaking the page. Usually, one just needs to click the plug-in's icon to find these enable/disable functions.

Furaffinity gave me an issue before where I had to manually change http to https in the address bar after signing in for the website to actually display content that a signed in member could see. I didn't want to go to the trouble of setting up a rule for HTTPS Everywhere since that route did not appear straightforward, but I discovered that NoScript also has the ability to force HTTPS, which was simpler and remedied my issue. For that method: NoScript > Options > Advanced > HTTPS > Behavior > "Force the following..." > add *.furaffinity.net > OK.

Updated by anonymous
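
The forced-HTTPS rule described in the post above, sketched as an added example; it is not part of the thread and is not NoScript's or HTTPS Everywhere's code. The matching semantics (a `*.` pattern covering the bare domain and its subdomains, explicit ports left alone) and the function names are assumptions made for illustration.

```javascript
// Hypothetical rule list, using the pattern quoted in the post above.
const FORCE_HTTPS_PATTERNS = ["*.furaffinity.net"];

// True when `host` is covered by `pattern`. Matching is done on whole DNS
// labels, so a look-alike such as "evilfuraffinity.net" does not match.
// Assumption: "*.example.net" covers both the bare domain and subdomains.
function hostMatches(host, pattern) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  pattern = pattern.toLowerCase();
  if (!pattern.startsWith("*.")) return host === pattern;
  const base = pattern.slice(2);
  return host === base || host.endsWith("." + base);
}

// Returns the URL that should actually be loaded: http:// is upgraded to
// https:// for hosts on the list; everything else is returned unchanged.
function upgradeUrl(rawUrl, patterns = FORCE_HTTPS_PATTERNS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl; // not an absolute URL, nothing to upgrade
  }
  if (url.protocol !== "http:") return rawUrl; // already https, or another scheme
  // Decide on the parsed hostname, never on a substring of the raw string:
  // "http://furaffinity.net@other.example/" has the host other.example.
  if (!patterns.some((p) => hostMatches(url.hostname, p))) return rawUrl;
  // An explicit non-default port is left alone; this sketch does not guess
  // which port (if any) serves TLS.
  if (url.port !== "") return rawUrl;
  url.protocol = "https:";
  return url.toString();
}

// Constructed sample URLs, not taken from the thread.
for (const u of [
  "http://www.furaffinity.net/view/1?x=2#top",
  "http://evilfuraffinity.net/",
  "http://furaffinity.net.example.com/",
]) {
  console.log(u, "->", upgradeUrl(u));
}
```
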

Ah, I see. Thanks everyone for taking the time to explain all this to me, I learned something new today. I'll try out some of what you guys suggested. Thanks again! :D

Updated by anonymous
