What is JotForm?
JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.

At JotForm, we want to make sure that you’re getting the online form builder help that you need. Our friendly customer support team is available 24/7.

We believe that if one user has a question, there could be more users who may have the same question. This is why many of our support forum threads are public and available to be searched and viewed. If you’d like help immediately, feel free to search for a similar question, or submit your question or concern.


  • Profile Image

    Widgets not working - "harmful site" error shown instead

    Asked by PIVITO on November 05, 2015 at 08:23 AM

    Hi,

    Right now there seems to be a critical issue across all my forms: None of the widgets used is displayed. On the user side, it says "Establishing secure connection failed" (translation from Finnish, I do not recall the exact English version, but you get the point). On the other hand, in the editing mode F-Secure's Internet Security reports "Harmful site blocked. This site has been reported harmful, we recommend you not to visit the site." (again, my translation from Finnish).

    Based on calls to colleagues using different platforms, this issue MIGHT be related to F-Secure's security solutions only. Even in this case, it is a major problem especially in the Nordic region where F-Secure is a key player. And, of course, the question is why this content has been blocked in the first place. I cannot instruct users to click "Trust this site"...

    Best Regards,

    Kimmo

    Page URL:
    https://form.jotform.com/PIVITO/Operaatio%20Joulukassi

    Screenshot
    site My Forms Reports translation
  • Profile Image

    Answered by victor on November 05, 2015 at 09:49 AM

    Sorry for this inconvenience. Unfortunately, I was not able to reproduce the issue your users are having. I was able to load your form properly.

    I think I understand what you are indicating. You can indicate the following to your users:

    In CHROME, click the shield shown on the right of the address bar and select LOAD ANYWAY:

    enter image description here

    In FireFox, the shield will be on the left of the address bar and select DISABLE PROTECTION ON THIS PAGE:

    Shield Doorhanger Drop Down UI

    Please let us know if this helps. 

     

  • Profile Image

    Answered by PIVITO on November 05, 2015 at 11:24 AM

    Thank you for your response. Yes, probably this could be solved by answering "Yes, but I do not care" when a security alert displayed. This is what you suggested, but it is not a proper solution. I cannot instruct users to skip security alerts - that would be equal to giving a pill when a surgery is what you really need.

    When looking closer to the error message in Google Chrome, it says "Bad SSL client authentication certificate." And in Opera "Certificate-based authentication failed". IE says "This page cannot be displayed".

    Until today the widgets worked normally, but today a customer of mine reported that she could not fill in the form. The form works in my mobile (Windows Phone 8.1), my father's XP / Avast, and Mac. But all the three Windows 7/8/8.1 laptops (with F-Secure's Internet Security), refuse to display the widgets. I cannot confirm that this is F-Secure spesific, though - actually after finding "SSL certificate" mentioned, I do not think this has necessarily anything to do with F-Secure.

    I am not a genious in this area, but there has to be a proper solution for this. If we cannot find such and the problem remains over the weekend, I have to start looking for another solution provider and re-build all the forms in their system, which I would really like to avoid.

  • Profile Image

    Answered by victor on November 05, 2015 at 01:01 PM

    Again sorry for this. It is not that we do not care. Unfortunately, I was not able to reproduce the issue. I have asked my colleagues and they also could open your form properly with all the widgets.

    Could you please indicate the users that are having problems are in the same office? It could be that you may have a firewall or application that may be blocking this widgets. We also have found the following link, which might help you with the F-Secure Internet Security

    https://community.f-secure.com/t5/Security/Is-there-so-called-white-list/td-p/46617

    Please let us know if you require further assistance.

  • Profile Image

    Answered by PIVITO on November 05, 2015 at 02:48 PM

    We are all working in different organisations, so it is hard to imagine that we would all have the same firewall incompatibility at the same time. But like said, F-Secure is something we have in common, possibly we might all have Windows firewall in use, and probably many office applications as well.

    I now ran two tests:
    1) I temporarily disabled all functions of F-Secure's Internet Security - problem persist.
    2) I temporarily disabled the Windows firewall - problem persist.

    I do not know much about SSL certificates, but I would assume you or your colleages do. I think the best clues so far are "Bad SSL client authentication certificate" (Chrome) and Certificate-based authentication failed" (Opera)? Is this something that you could fix on your server?


    P.S. I did not mean you would not care. What I meant was that even if each user might be able to click the security alert away, it is not the solution we should be seeking for. Sorry for misunderstanding, English is not my native language.

  • Profile Image

    Answered by Ben on November 05, 2015 at 05:19 PM

    Hi Kimmo,

    Unfortunately as mentioned by my colleague above, we are not able to recreate the same issue, but then again, we do not have F-Secure's Internet Security installed.

    Now when it comes to such issues there are usually few usual suspects.

    1. Network access point - such as router.

    2. any computer (if this is happening in office) that checks the traffic and reacts based on this - computer used as a firewall, switch or some other node on your network gate.

    3. security polices

    4. security software on your system

    Now the good thing about the first 2 is that they are easy to rule out or confirm - if they are the ones causing this, all traffic going through them will be impacted. If you have any device that connects through the same network and is not affected, these are not the ones causing these.

    The 3rd option is a bit tricky, since system admin can push the updates to polices without the people using the office devices even knowing of this, so the change can just start happening without any notification

    - To rule this out it is best to talk with your system and network admin to see if they made any changes on the network or the system polices and to try to revert the changes temporarily to see if they are the ones causing this.

    If they are, it is simple, rule out one by one and whitelist the right links for that specific one that was causing it.

    Now if it is security software on your system, it would mean that unlike the other 3 suspects, the issue will only be showing on the systems with the protection.

    To rule it out, it is sometimes not enough to disable them temporarily since their drivers and services as well as self preservation methods are usually still active and can still effect what happens and how.

    To confirm that this is causing it, do try to open the form over some device without F-Secure's Internet Security.

    If that works, then it is needed to whitelist the link to our widgets in it as mentioned how here: https://community.f-secure.com/t5/Security/Is-there-so-called-white-list/td-p/46617

    For example, this is the link to the Configurable list from your form: https://widgets.jotform.io/configurableList/?qid=36&ref=https%3A%2F%2Fform.jotform.com (please note that it is OK that it does not show anything when visited like that).

    Now, having all that said there is something that could have happened as well.

    There are certificates that tell your system what is OK and what is not. If this gets damaged or updated by some security software (since it is easier to utilize the Operating system to protect against something by damaging some certificate than to build the methods to do it through the same app and make sure that nothing can not go around it).

    If this is the case, then you should not see JotForm if you go to it over this link neither: https://www.jotform.com/ since they are using the same certificate.

    Please do let us know how it goes after trying any of the steps above.

    Now I do know that you can not ask your users to do the same, but if it happens to be an issue caused by the F-Secure, we can contact them to see if they can remove the false positive.