
Audiokarma Website not Secure

Discussion in 'AK New Format' started by Brian C, Jun 5, 2017.

  1. Brian C

    Brian C AK Subscriber Subscriber

    Messages:
    81
    Location:
    Central CT
    I'm getting this message when I log in over the last few weeks. Is anyone else getting this? How can I fix the problem?
    Thanks,
    Brian
     

     


  2. c.coyle

    c.coyle Crisis actor Subscriber

    Messages:
    3,185
    Location:
    40.333434 -76.423714
    I can't force an https connection with HTTPS Everywhere on Firefox or Vivaldi. Not a big deal. What browser are you using?
     
    txjazzman likes this.
  3. Poinzy

    Poinzy Super Member

    Messages:
    1,985
    Location:
    SE Michigan
    I never get that message. I have no idea what that means, though.
     
  4. c.coyle

    c.coyle Crisis actor Subscriber

    Messages:
    3,185
    Location:
    40.333434 -76.423714
  5. sKiZo

    sKiZo Hates received: 8642 Subscriber

    New "rules" for web developers require better certification and some code tweaks to ignore the older certificates. This will mostly pop up using Chrome on sites that require passwords or credit information. PITA, but there's workarounds.

    For me, it wasn't Chrome ... it was Avast. Turned off "https monitoring" and haven't seen the popup since. I understand the newest version of Avast leaves that off by default, so they ain't losing any sleep over it, eh.

    PS ... for AK, I imagine the issue is with Xenforo itself, and there's not a whole lot the staff here could do about that other than upgrading the software, assUming there's an upgrade available.
     
  6. Wildcat

    Wildcat Audio Sommelier

    Messages:
    5,091
    Location:
    MI, US
    All it means is this server is not using SSL (or in other words, the "https" in the URL) for its connection. It involves getting a certificate from a trusted source, and configuring the server to use port 443 (for https) vs. port 80 (for http). Kind of a pain to configure, but the browser companies are forcing this on all of us in the biz.
     

     


  7. daveyh

    daveyh Super Member

    Messages:
    1,453
    Location:
    USA
    Are you using a wireless connection? I get that same message when I use my wireless connection and Mozilla.
     
  8. Brian C

    Brian C AK Subscriber Subscriber

    Messages:
    81
    Location:
    Central CT
    Yes I am using a wireless connection, it happens to me with Mozilla or Chrome.
     
  9. botrytis

    botrytis Trying not to be a Small Speaker Hoarder Subscriber

    Messages:
    29,349
    Location:
    PODUNC USA......
    All it means is the data stream is not encrypted. It doesn't mean the site isn't secure, as you use 'https' when you log into the site. As long as no money or major identifications are used, you shouldn't worry.
     
  10. buglegirl

    buglegirl I Want To Be The Girl With The Most Cake Subscriber

    Messages:
    11,957
    Location:
    Mid Atlantic
  11. Brian C

    Brian C AK Subscriber Subscriber

    Messages:
    81
    Location:
    Central CT
    OK thanks guys, I'll read through the thread provided by Frannie.
     

     


  12. audiotemp

    audiotemp Well-Known Member

    Messages:
    578
    This is not just a matter of the browser crying "wolf". It is well established that serving a login page with http (i.e., without https) is insecure regardless of whether SSL is used to send login credentials back to the server. The entire web site does not need to be served via https (although that is better still), just the login page.
     
  13. oldgringo

    oldgringo Is this 'just a dream'? Subscriber

    [10 months later!]
    I have been getting the attached 'message' since late March [2018], following an update to Safari 11.1 [Mac OS Sierra]. The sample is dated April 01, and I'm still getting the same 'URL caution', today [Note: The AK website underwent some 'update / maintenance' work, yesterday]. However, on the same m/c [Mac mini], this message does not appear on the Opera browser. I don't have info that I'm concerned about on AK; and I understand that folks here believe that this situation is 'no biggie', so this is written as an 'fyi'.

    AK-Not Secure-Mac-April-01-2108.jpg

    Cheers, og
     
    Hyperion likes this.
  14. dewdude

    dewdude I fix stuff.

    Messages:
    3,055
    Location:
    Manassas, VA
    Realistically..it's not a "big deal"...just an annoyance. But it does, in my book, indicate an improperly configured web-server. IF they don't have a valid certificate for https; then they should disable https entirely so things like this don't happen. But the webserver isn't even remotely configured properly since clicking through the error on https just nets you this:

    Not Found
    The requested URL /php.fcgi/index.php was not found on this server.

    So this tells me that even if they had a valid cert....the webserver isn't even set up to serve pages from the proper location. Furthermore....the cert they do have is self-signed...indicating they're using whatever default configuration the webhost set up for them.

    Normally a server is set up to redirect to https if it's available....it's actually a few options you set in Apache when you configure your https domains in the first place..since technically they are served over a different port and require their own configurations. I have about six websites and I set each one up for https because "that's the way the browsers run" and it didn't cost me anything. Hell, I have some web applications that *demand* https:// support and won't respond unless you come in through that method. My ZNC bouncer for example, has a web-interface available on a special port using https:, but it will ignore you if you try http.

    But more and more browsers are starting to force https by default, even if the server doesn't indicate it supports it. Older browsers will still pay attention to the server and *should* roll back to http if it doesn't support https. https support has been "standard" for quite some time now.

    Ideally, if they don't want to support it, they should disable support for it entirely in the webserver rather than relying on a broken configuration and users over-riding the https for http. I can only suspect browsers will stop allowing you to do this in the future...meaning that unless the problem is solved in a proper way, a lot of people will be unable to access the site at all. Chrome did not want me accessing AK today...at all...I had to over-ride some settings to make it not default to https.
     
  15. Wildcat

    Wildcat Audio Sommelier

    Messages:
    5,091
    Location:
    MI, US
    As I mentioned earlier, "insecure" only means this site does not have SSL enabled. I don't see what all the fuss is about--it's a known thing, and many sites still are not on SSL. There is nothing else to "read into" this.

    I probably have over a dozen under my control that do not yet have it. I'm slowly getting there, using the free certificate authority LetsEncrypt to issue them for non-critical sites (forums, blogs, etc.). For sites that handle financial transactions directly (such as, those with a shopping cart and checkout), we go with a "trust" authority that also has a monetary guarantee behind it.

    It's the web browsers that are "forcing" this on webmasters, by throwing these warning messages. And we were all warned about it.

    upload_2018-4-9_13-56-33.png

    Nothing to see here, in other words...and I'm done watching this thread.
     
    Grumpy likes this.
  16. dewdude

    dewdude I fix stuff.

    Messages:
    3,055
    Location:
    Manassas, VA
    There's a difference between going to a normal site and having your browser stop you in your tracks with the big red warning symbol and recommending you go elsewhere.

    I don't want to argue for security on this site one way or another..it doesn't matter. But if they're not going to use https; they should at the very least have it disabled entirely so web-browsers that want to force https connections can't. Some browsers if they get a response from https will default and practically force that. That's part of the problem I have now...Chrome gets a response out of https on port 443 and automatically wants to force the connection.

    LetsEncrypt certs aren't any less safe than one you purchase from a commercial establishment...the ones you purchase are usually good for a year whereas LetsEncrypt are good for 90 days.
     

     


  17. Dude111

    Dude111 Analogue is Awesome

    Messages:
    1,667
    I don't either..... THEY ARE JUST TRYING TO SCARE PEOPLE AND LEAD THEM INTO THEIR CONTROL PATH!!!

    It's sickening..... PEOPLE ARE BLINDLY DOING EXACTLY WHAT THEY WANT and it's sick!!

    FOR NO REASON........ Nothing going on NOW that hasn't ever been going on ONLINE.... (Only thing going on now is CONTROL (Getting all freedom/privacy away from the end user))
     
    Last edited: Apr 10, 2018
  18. JP

    JP 7480 74111110101115

    Messages:
    2,521
    Location:
    NYC and Brookfield, CT
    That's a new one; encrypting a connection is losing privacy. != logic.

    Of more relevance to AK perhaps is SEO. Search ranking will be worse without SSL.
     
  19. Dude111

    Dude111 Analogue is Awesome

    Messages:
    1,667
    www.cellar.org (VBB) has an SSL layer but they also have HTTP for those who either can't or don't wanna use https there......

    That's the way to do it if you're gonna do it..... Allow HTTPS but don't block HTTP as you may block some non standard/older browsers from directly connecting and on a site like AK there is no reason to do that!
     
  20. buglegirl

    buglegirl I Want To Be The Girl With The Most Cake Subscriber

    Messages:
    11,957
    Location:
    Mid Atlantic
    It's not as easy as install the cert and that is it.

    Images, logos, banners etc. all need to be https or you get the same warnings (Different but warnings all the same)

    Speculation as to why the site is not https ignores the site is already dealing with a bunch of "HTTPS" served attacks.

    Another reason AK's hands are tied and this fricking smear campaign by "Google" while themselves allowing bad ads is annoying to say the least.

    Anyone see the Irony ??

    Frannie

    PS: They change the littlest thing here and almost instantly people are blasting the site admins. Anyone ever consider that ??
     
    Last edited: Apr 11, 2018
    nedseg likes this.
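
Two points raised in this thread (audiotemp: a login form on an http page is exposed even if it posts to https; buglegirl: every image, logo and banner must also be https) can be checked mechanically before a site switches over. The following is an added example, not part of any post above; the `audit` helper, the `forum.example` host and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# A subset of the tags whose attribute makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src"}

class PageAudit(HTMLParser):
    """Collect HTTPS-migration findings for one page (hypothetical helper)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.form_action = None  # resolved action of the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if not self.page_is_https:
                # The page itself can be altered in transit, so an https
                # form action does not protect the credentials.
                self.findings.append(("login-page-over-http", self.page_url))
            if self.form_action and urlsplit(self.form_action).scheme == "http":
                self.findings.append(("password-posted-over-http", self.form_action))
        elif tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            url = urljoin(self.page_url, a[FETCH_ATTRS[tag]])
            if self.page_is_https and urlsplit(url).scheme == "http":
                self.findings.append(("mixed-content", url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return a list of (finding, url) tuples for the given page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """
<img src="http://forum.example/logo.png">
<img src="/styles/banner.png">
<form action="https://forum.example/login">
  <input type="text" name="user"><input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for url in ("http://forum.example/", "https://forum.example/"):
        print(url, audit(url, SAMPLE))
```

Served over http, the sample page is flagged for its login form; served over https, the hard-coded `http://` logo becomes the remaining finding while the relative banner path is clean.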
