Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This is really bad - login *has* to be done over https:// because the users password is being transmitted. But browsers complain that the CAPATCHA is pulled in over http:// only so throws an alert!! Doesn't look terribly professional. This is a showstopper for me. Please fix this asap!
Comment | File | Size | Author |
---|---|---|---|
#7 | mollom-DRUPAL-6--1.ssl_.7.patch | 2.76 KB | sun |
#5 | mollom-DRUPAL-6--1.ssl_.5.patch | 1.36 KB | sun |
Comments
Comment #1
Dave ReidAs it says on http://mollom.com/faq/does-mollom-support-ssl, this could be added eventually. I don't have any control over the Mollom servers, just the Drupal module. Marking as postponed for now.
Comment #2
jasonabc CreditAttribution: jasonabc commentedthanks Dave - yeah good point - sorry for the rant in the wrong place! Hopefully someone over there will get this sorted.
thanks!
Jason
Comment #3
jasonabc CreditAttribution: jasonabc commentedjust a footnote to this - I also noticed that Internet Explorer 8 goes one further and pops open a dialog box telling the user some content on the page is not being transmitted securely and asks if they only want to see the secure content. If they click "yes" - the CAPTCHA image is not displayed meaning customers are unable to create accounts... Have emailed them (again) so hopefully this will be resolved/fixed soon.
cheers
J
Comment #4
vitis CreditAttribution: vitis commentedSame problem.
I have an https site. The link on the mollom capcha picture is to http. This is always going to give an "insecure..." popup on internet explorer.
I went to where the mollom picture was pointing, http://mollom.com/, and typed in https://mollom.com/ - there was no page there. I thought I'd give that a shot, because that's how I solved a similar problem with a paypal button.
I hate to do it, but I'm going to disable mollom.
Comment #5
sunAttached patch directs mollom.com to respond with https-URLs. I was not able to test this, because testing keys do not seem to have SSL support.
Comment #6
Dries CreditAttribution: Dries commentedThis looks good. We'll be able to test it as soon as we upgrade the backend.
Comment #7
sunAs discussed, only low-level tests for now.
Comment #8
Dries CreditAttribution: Dries commentedCommitted to DRUPAL-6--1 and CVS HEAD. Thanks!
Comment #10
jasonabc CreditAttribution: jasonabc commentedThe free version of Mollom says "No Secure communication (SSL)". So the patches and commits above won't solve this issue for free users - correct? You have to upgrade to the paid service? This is ridiculous. Since CAPTCHAs largely sit on forms that are always protected by SSL due to password and other sensitive data being transmitted, Mollom's free service rather a waste of time/unusable.
Comment #11
sunYes, SSL support is bound to a paid Mollom subscription, and is not supported by Mollom Free.
The reason for that is mostly technical, but relatively easy to get behind:
Every SSL connection requires up to 4x times more processing resources - and thus, hardware resources - compared to a non-SSL connection. Now, if you consider that the Mollom API processes multiple millions of requests every single day, this has a significant impact on the resources. Namely, if every request would run over SSL, only 25% of the Mollom Free subscriptions could be served for free.
Therefore, I can totally get behind Mollom's decision, which essentially says: If you really need a secure connection, then you probably shouldn't use a free subscription.
Or in other words: If SSL isn't supported for free, then Mollom is able to free up 4x times more low-volume sites from spam.
Makes sense? :)