[CLOSED BY OP] Forcing www.arkivmusic.com to be secure
Posted: Tue Nov 03, 2009 1:40 am
by phule
Forcing http://www.arkivmusic.com to be secure by adding *.arkivmusic.com to NS>Options>Advanced>Behavior does work but the website becomes unusable.
For example, try finding the recordings performed by the Hilliard Ensemble. Select the link on the left-side of the homepage labeled 'Ensembles'. Next choose the link for the letter 'H', and finally the letters 'Hi'. This results in a page telling you that an error has occurred. Remove *.arkivmusic.com from NS>Options>Advanced>Behavior and the website works fine, but is not always secure.
Strange

Re: Forcing www.arkivmusic.com to be secure
Posted: Tue Nov 03, 2009 3:24 am
by Tom T.
Not all servers will provide an HTTPS connection, or accept your request for one. Actually, many won't.
The issue that really brought about this feature was that some *banks* (Bank of America being one of the biggest examples) and other critical sites would serve you a login page that *was not in itself secure*, even though it *sent your login info* over a secure connection. The former makes it easier for a MITM attacker (Man In The Middle - I know that you know this acronym, but for other readers) to send you a phony BofA login page -- with their phony black "padlock" by the login boxes, even though your browser won't show one. This feature forced the login page itself to be sent over SSL. Most financial sites have fixed this, due to the publicity.
I just tried picking a random, non-sensitive site from my bookmark list and adding it to Force HTTPS. Fx returned an error, code 12263.
I see that arkivmusic.com has a login page that is insecure, so you're right to force security. But I've seen other sites that, once you're securely logged in, do their product searches on insecure pages (to save bandwidth, presumably, although it isn't really that much these days), but so long as they return you to a secure page when you're ready to buy, I think you're OK.
I just logged in to retailer newegg, securely, but as soon as I went to the Home page, to search or shop, it was back to plain HTTP, although I was still logged in. Here's where it's important that the SSL login cookie be secured, too. Didn't buy anything, but I know that when you do, you're back to secure. And even secure for the logout page.
You could email the webmaster and ask for a site enhancement of all browsing being secure while logged in. Might or might not work.
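An added example, not part of the original posts: a small Python check for the two conditions described in the post above, a login form delivered on a plain-HTTP page even though it submits to HTTPS, and a login cookie set without the Secure attribute. The host shop.example, the sample HTML and the Set-Cookie values are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample data (hypothetical host shop.example), not from any real site.
SAMPLE_HTML = ('<form action="https://shop.example/session" method="post">'
               '<input type="text" name="user"><input type="password" name="pw"></form>')
SAMPLE_SET_COOKIE = ["session=abc123; Path=/; HttpOnly", "cart=7; Path=/; Secure"]

class _LoginForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.actions = []      # actions of forms holding a password field
        self._current = None   # action of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self.actions.append(self._current)
                self._current = None  # record each form only once

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html):
    """Return findings for the login forms on a page fetched from page_url."""
    parser = _LoginForms()
    parser.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # empty action resolves to the page itself
        if urlparse(target).scheme != "https":
            findings.append("credentials posted over HTTP: " + target)
        elif not page_secure:
            findings.append("form served over HTTP, posts to HTTPS: " + target)
    return findings

def cookies_missing_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie value lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        if "secure" not in (p.lower() for p in parts[1:]):
            missing.append(parts[0].split("=", 1)[0])
    return missing
```

Run against the constructed sample, `audit_login_page("http://shop.example/login", SAMPLE_HTML)` reports the form as served over HTTP, and `cookies_missing_secure(SAMPLE_SET_COOKIE)` names the `session` cookie.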
Re: Forcing www.arkivmusic.com to be secure
Posted: Tue Nov 03, 2009 4:34 pm
by phule
Tom T. wrote: Not all servers will provide an HTTPS connection, or accept your request for one. Actually, many won't.
[snip]
You could email the webmaster and ask for a site enhancement of all browsing being secure while logged in. Might or might not work.
I will see if the webmaster will enhance the site, but I'm not going to hold my breath. I tried to get the webmaster at http://www.grantvillegazette.com to secure his site as they require subscriptions and request credit card info. He informed me that security of the website wasn't all that important. Jeeesh!!
Re: Forcing www.arkivmusic.com to be secure
Posted: Wed Nov 04, 2009 12:02 am
by Tom T.
phule wrote: they require subscriptions and request credit card info. He informed me that security of the website wasn't all that important. Jeeesh!!
Pathetic, isn't it? ... "security of the website wasn't all that important." What an attitude!
I would *never* submit a credit card over a non-secure connection, and hope you didn't. Call them on the phone to subscribe.
Thanks for sharing that sad story. It explains a *lot* of the evil that goes on -- just too easy. But it still looks like arkivmusic.com is keeping you secure for login, logout, purchase. I didn't try to buy anything -- when you go to check out, are you back on HTTPS?
OK to mark this topic resolved, or at least closed, for now?
Re: Forcing www.arkivmusic.com to be secure
Posted: Fri Nov 06, 2009 9:25 pm
by phule
Mark this topic closed for now!