Pandora connection "Not Secure"?



Goodsounds
2018-04-17, 11:17
I've noticed lately when using my SB devices to play Pandora, both when using 7.6.1 or if through a direct connection to Mysqueezebox.com, that the web interface (both with Firefox and Chrome) indicates an insecure connection. I don't listen to Pandora often and maybe this has been the case for a while and I didn't previously notice it, I can't say.

Is this something to be concerned about? Is there anything that I should do about it?

Thanks

mherger
2018-04-17, 11:36
> I've noticed lately when using my SB devices to play Pandora, both when
> using 7.6.1 or if through a direct connection to Mysqueezebox.com, that
> the web interface (both with Firefox and Chrome) indicates an insecure
> connection. I don't listen to Pandora often and maybe this has been the
> case for a while and I didn't previously notice it, I can't say.

I think you're mixing up things. When you're listening to Pandora, you
don't interact with pandora itself, but most likely with
mysqueezebox.com or LMS. In the case of mysqueezebox.com you should be
using https://www.mysqueezebox.com

If that's not the case then you might want to elaborate.

--

Michael

Goodsounds
2018-04-17, 23:08
Okay, I looked at it a bit more (I'm a longtime user but I'm not an engineer or other technologist by any means) and it looks like it's telling me that the connection to the LMS "server" (on my home network) is insecure.

Maybe this is a new caution in browsers or I just didn't notice it before.

Thanks, I guess that's okay and normal.

mherger
2018-04-18, 00:23
> Okay, I looked at it a bit more (I'm a longtime user but I'm not an
> engineer or other technologist by any means) and it looks like it's
> telling me that the connection to the LMS "server" (on my home network)
> is insecure.

What browser are you using? AFAIK this warning should only be shown for
public addresses, but not within your LAN. Are you exposing your LMS to
the internet? Can you post a screenshot?

> Maybe this is a new caution in browsers or I just didn't notice it
> before.

Yes, recent updates to browsers are pushing the use of https. E.g. Safari
started to give a warning on non https URLs with the latest macOS
update. But as I said: only for public addresses, not within my LAN.

--

Michael

Paul Webster
2018-04-18, 02:06
> What browser are you using? AFAIK this warning should only be shown for
> public addresses, but not within your LAN. Are you exposing your LMS to
> the internet? Can you post a screenshot?

FYI - When accessing LMS on local LAN with current Chrome on Windows 10 puts a small information icon (circle with horizontal bar through it) which, if clicked on, says that it is insecure and should not be used to enter credit card numbers ;)

mherger
2018-04-18, 02:29
> FYI - When accessing LMS on local LAN with current Chrome on Windows 10
> puts a small information icon (circle with horizontal bar through it)

Interesting - I'd get a circle with an 'i' in it (vertical rather than
horizontal).

> which, if clicked on, says that it is insecure and should not be used to
> enter credit card numbers ;)

That's true.

That 'i' only wants to tell you that the data transferred between your
computer and the server (LMS) is not encrypted. That's true. But as long
as you don't use headphones it's much more likely they'll hear what
you're listening to, than they're sniffing network traffic to figure it
out :-P.

--

Michael

Paul Webster
2018-04-18, 08:11
> > FYI - When accessing LMS on local LAN with current Chrome on Windows 10
> > puts a small information icon (circle with horizontal bar through it)
>
> Interesting - I'd get a circle with an 'i' in it (vertical rather than
> horizontal).
>
> > which, if clicked on, says that it is insecure and should not be used to
> > enter credit card numbers ;)
>
> That's true.
>
> That 'i' only wants to tell you that the data transferred between your
> computer and the server (LMS) is not encrypted. That's true. But as long
> as you don't use headphones it's much more likely they'll hear what
> you're listening to, than they're sniffing network traffic to figure it
> out :-P.
>
> --
>
> Michael

No idea why I said "horizontal" ... maybe I was still in bed!

Goodsounds
2018-04-18, 08:46
It is as described

mherger
2018-04-18, 09:03
> It is as described

Except that it's not a warning. It's just you asking the browser: "hey,
is this connection secured?", and it says "no, it is not secure". But
it's no less secure than it was a year ago, or ten years.

Unless you have people on your network who you don't trust, this is no
problem. And if you do, then you have bigger problems than LMS...

--

Michael

DanSmedra
2018-04-18, 09:36
I'm getting the same threat warning. It appears the "log in" link misdirects to an unsecured address. Only use the secured URL of https://www.mysqueezebox.com/user/login

Further, the current secure URL for log in doesn't work. Any idea BBB?


mherger
2018-04-18, 13:59
Just use the www. prefix as outlined before. We're soon going to update
the certificate to cover for URLs without the prefix, too. But until
then either use www, or accept the warning and continue anyway.

--

Michael
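
Added example, not part of the thread and not code from Logitech or LMS: a Python sketch of the name check a browser performs, showing why a certificate that lists only the `www.` name triggers a warning for the bare domain. The SAN lists are constructed for illustration (the thread does not show the real certificate), and `fetch_san_dns_names` is a hypothetical helper that is defined but not called here because it needs network access.

```python
import socket
import ssl

# Constructed SAN lists (assumptions): before and after the planned certificate update.
SAN_BEFORE = ["www.mysqueezebox.com"]
SAN_AFTER = ["mysqueezebox.com", "www.mysqueezebox.com"]


def name_matches(hostname, pattern):
    """Compare a hostname with one certificate DNS name, label by label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # "www.example.com" never covers "example.com"
    if pat[0] == "*":
        # A wildcard stands for exactly one left-most label and must not
        # sit directly on a top-level domain such as "*.com".
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def covering_names(hostname, san_dns_names):
    """Return the certificate names that cover the hostname (empty = warning)."""
    return [n for n in san_dns_names if name_matches(hostname, n)]


def fetch_san_dns_names(host, port=443):
    """Read the DNS names from a live server certificate (needs network).

    The chain is still verified; only the hostname check is switched off
    so that a mismatching certificate can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    for label, san in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        for host in ("www.mysqueezebox.com", "mysqueezebox.com"):
            ok = bool(covering_names(host, san))
            print(f"{label:6} {host:22} {'covered' if ok else 'name mismatch'}")
```

A wildcard entry such as `*.mysqueezebox.com` would not help the bare domain either, since the wildcard replaces one label rather than zero.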