Audiokarma Website not Secure

Brian C

I'm getting this message when I log in over the last few weeks. Is anyone else getting this? How can I fix the problem?
Thanks,
Brian
 
I can't force an https connection with HTTPS Everywhere on Firefox or Vivaldi. Not a big deal. What browser are you using?
 
New "rules" for web developers require better certification and some code tweaks to ignore the older certificates. This will mostly pop up using Chrome on sites that require passwords or credit information. PITA, but there's workarounds.

For me, it wasn't Chrome ... it was Avast. Turned off "https monitoring" and haven't seen the popup since. I understand the newest version of Avast leaves that off by default, so they ain't losing any sleep over it, eh.

PS ... for AK, I imagine the issue is with Xenforo itself, and there's not a whole lot the staff here could do about that other than upgrading the software, assUming there's an upgrade available.
 
All it means is this server is not using SSL (or in other words, the "https" in the URL) for its connection. It involves getting a certificate from a trusted source, and configuring the server to use port 443 (for https) vs. port 80 (for http). Kind of a pain to configure, but the browser companies are forcing this on all of us in the biz.
 
Are you using a wireless connection? I get that same message when I use my wireless connection and Mozilla.
 
Yes I am using a wireless connection, it happens to me with Mozilla or Chrome.
 
This is not just a matter of the browser crying "wolf". It is well established that serving a login page with http (i.e., without https) is insecure regardless of whether SSL is used to send login credentials back to the server. The entire web site does not need to be served via https (although that is better still), just the login page.
 
[10 months later!]
I have been getting the attached 'message' since late March [2018], following an update to Safari 11.1 [Mac OS Sierra]. The sample is dated April 01, and I'm still getting the same 'URL caution', today [Note: The AK website underwent some 'update / maintenance' work, yesterday]. However, on the same m/c [Mac mini], this message does not appear on the Opera browser. I don't have info that I'm concerned about on AK; and I understand that folks here believe that this situation is 'no biggie', so this is written as an 'fyi'.

AK-Not Secure-Mac-April-01-2108.jpg

Cheers, og
 
Realistically..it's not a "big deal"...just an annoyance. But it does, in my book, indicate an improperly configured web-server. IF they don't have a valid certificate for https; then they should disable https entirely so things like this don't happen. But the webserver isn't even remotely configured properly since clicking through the error on https just nets you this:

Not Found
The requested URL /php.fcgi/index.php was not found on this server.

So this tells me that even if they had a valid cert....the webserver isn't even set up to serve pages from the proper location. Furthermore....the cert they do have is self-signed...indicating they're using whatever default configuration the webhost set up for them.

Normally a server is set up to redirect to https if it's available....it's actually a few options you set in Apache when you configure your https domains in the first place..since technically they are served over a different port and require their own configurations. I have about six websites and I set each one up for https because "that's the way the browsers run" and it didn't cost me anything. Hell, I have some web applications that *demand* https:// support and won't respond unless you come in through that method. My ZNC bouncer for example, has a web-interface available on a special port using https:, but it will ignore you if you try http.

But more and more browsers are starting to force https by default, even if the server doesn't indicate it supports it. Older browsers will still pay attention to the server and *should* roll back to http if it doesn't support https. https support has been "standard" for quite some time now.

Ideally, if they don't want to support it, they should disable support for it entirely in the webserver rather than relying on a broken configuration and users over-riding the https for http. I can only suspect browsers will stop allowing you to do this in the future...meaning that unless the problem is solved in a proper way, a lot of people will be unable to access the site at all. Chrome did not want me accessing AK today...at all...I had to over-ride some settings to make it not default to https.
 
As I mentioned earlier, "insecure" only means this site does not have SSL enabled. I don't see what all the fuss is about--it's a known thing, and many sites still are not on SSL. There is nothing else to "read into" this.

I probably have over a dozen under my control that do not yet have it. I'm slowly getting there, using the free certificate authority LetsEncrypt to issue them for non-critical sites (forums, blogs, etc.). For sites that handle financial transactions directly (such as, those with a shopping cart and checkout), we go with a "trust" authority that also has a monetary guarantee behind it.

It's the web browsers that are "forcing" this on webmasters, by throwing these warning messages. And we were all warned about it.

upload_2018-4-9_13-56-33.png

Nothing to see here, in other words...and I'm done watching this thread.
 
There's a difference between going to a normal site and having your browser stop you in your tracks with the big red warning symbol and recommending you go elsewhere.

I don't want to argue for security on this site one way or another..it doesn't matter. But if they're not going to use https; they should at the very least have it disabled entirely so web-browsers that want to force https connections can't. Some browsers if they get a response from https will default and practically force that. That's part of the problem I have now...Chrome gets a response out of https on port 443 and automatically wants to force the connection.

LetsEncrypt certs aren't any less safe than one you purchase from a commercial establishment...the ones you purchase are usually good for a year whereas LetsEncrypt are good for 90 days.
 
Wildcat said:
As I mentioned earlier, "insecure" only means this site does not have SSL enabled. I don't see what all the fuss is about

I don't either..... THEY ARE JUST TRYING TO SCARE PEOPLE AND LEAD THEM INTO THEIR CONTROL PATH!!!

It's sickening..... PEOPLE ARE BLINDLY DOING EXACTLY WHAT THEY WANT and it's sick!!

FOR NO REASON........ Nothing going on NOW that hasn't ever been going on ONLINE.... (Only thing going on now is CONTROL (Getting all freedom/privacy away from the end user))
 
That's a new one; encrypting a connection is losing privacy. != logic.

Of more relevance to AK perhaps is SEO. Search ranking will be worse without SSL.
 
www.cellar.org (VBB) has an SSL layer but they also have HTTP for those who either can't or don't wanna use https there......

That's the way to do it if you're gonna do it..... Allow HTTPS but don't block HTTP as you may block some non standard/older browsers from directly connecting and on a site like AK there is no reason to do that!
 
There's a difference between going to a normal site and having your browser stop you in your tracks with the big red warning symbol and recommending you go elsewhere.

I don't want to argue for security on this site one way or another..it doesn't matter. But if they're not going to use https; they should at the very least have it disabled entirely so web-browsers that want to force https connections can't. Some browsers if they get a response from https will default and practically force that. That's part of the problem I have now...Chrome gets a response out of https on port 443 and automatically wants to force the connection.

LetsEncrypt certs aren't any less safe than one you purchase from a commercial establishment...the ones you purchase are usually good for a year whereas LetsEncrypt are good for 90 days.

It's not as easy as install the cert and that is it.

Images, logos, banners, etc. all need to be https or you get the same warnings (Different but warnings all the same)

Speculation as to why the site is not https ignores the site is already dealing with a bunch of "HTTPS" served attacks.

Another reason AK's hands are tied and this fricking smear campaign by "Google" while themselves allowing bad ads is annoying to say the least.

Anyone see the Irony ??

Frannie

PS: They change the littlest thing here and almost instantly people are blasting the site admins. Anyone ever consider that ??
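
The point in the post above, that images, logos and banners must also be served over https once a certificate is installed, can be checked before a site is switched over. The following is an added example and not part of the original thread: a small scanner that lists the subresources and form targets on an https page that would still load over plain http. The `forum.example` URLs, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "link": "href"}

# Constructed sample input (hypothetical forum page, not taken from any real site).
SAMPLE_URL = "https://forum.example/index.php"
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/styles/main.css">
<link rel="canonical" href="http://forum.example/index.php">
<script src="//cdn.example/js/app.js"></script>
</head><body>
<img src="http://forum.example/images/logo.png">
<img src="images/banner.jpg">
<a href="http://other.example/">plain link, never fetched automatically</a>
<form action="http://forum.example/login.php"><input type="password" name="pw"></form>
</body></html>
"""

class MixedContentScanner(HTMLParser):
    """Collects subresources and form targets that resolve to plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = "action" if tag == "form" else FETCH_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon"}:
            return  # canonical/alternate links are metadata, not fetched content
        resolved = urljoin(self.page_url, attrs[attr])  # handles relative and // URLs
        if urlparse(resolved).scheme == "http":
            self.findings.append((tag, attr, resolved))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_URL, SAMPLE_PAGE):
        print(f"<{tag} {attr}> still points at {url}")
```

Relative and protocol-relative (`//host/...`) references inherit the page's scheme, so only the hard-coded `http://` logo and the login form target are reported.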
 