News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Tasks for the weekend – January 2, 2021

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Tasks for the weekend – January 2, 2021

    Viewing 13 reply threads
    • Author
      Posts
      • #2325014
        Susan Bradley
        Manager

        Youtube video here When you are on a web site do you check the SSL certificate? Do you review the site or perhaps use an extension tool like https://w
        [See the full post at: Tasks for the weekend – January 2, 2021]

        Susan Bradley Patch Lady

        1 user thanked author for this post.
      • #2325039
        E Pericoloso Sporgersi
        AskWoody Plus

        Susan: “So? Do you check if all sites have padlocks on them?”

        Nope, never looked for it. But I’ve always checked if there’s an s present in https:// , which is equivalent, isn’t it?

        But from now on, I shall look for the padlock instead of the s.
        (I tend to comply with all reasonable requests, not only with those about Covid19.)  😷


        • #2325043
          Paul T
          AskWoody MVP

          I use Chrome and it doesn’t show the “http(s)”, only the site, e.g. askwoody.com. And the padlock is immediately left of the site name, so it effectively shows the information.

          cheers, Paul

      • #2325112
        HiFlyer
        AskWoody Plus

        I’ve used HTTPS Everywhere for a long time and I like it.

         

         

        1 user thanked author for this post.
        • #2325217
          alphacharlie
          AskWoody Plus

          I am using Firefox 84.0.1 which has an option for HTTPS-only mode.  When I go to a website that is HTTP, Firefox pops up a window and lets me choose whether or not to proceed.  When I enabled that option, I removed the EFF extension called “HTTPS Everywhere” because it seemed redundant.

          Was that correct?

          Thanks

          1 user thanked author for this post.
      • #2325187
        Kirsty
        Manager

        Troy Hunt (of haveibeenpwned.com) has major problems with “padlocks” as an element of security, as does this article on Bleepingcomputer (from June 2019):

        FBI Issues Warning on ‘Secure’ Websites Used For Phishing
        phishing campaigns designed by threat actors to use TLS-secure landing pages which exploit the users’ trust to deceive them into trusting attacker-controlled sites and handing over sensitive personal information.

        “They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts, ” as the FBI says in the PSA.

        While in a lot of cases bad actors will get their own SSL certificates to secure pages used in their campaigns to try and trick their targets, there is also a lot of them who just abuse pages hosted on cloud services which automatically inherit the certificates.

         
        From Padlocks, Phishing and Privacy; The Value Proposition of a VPN (TroyHunt.com, September 2020)

        having privacy on your traffic doesn’t mean you’re communicating with someone you actually want to
        ..
        A Secure Connection to Satan is Still a Connection to Satan
        HTTPS & SSL doesn’t mean “trust this.” It means “this is private.” You may be having a private conversation with Satan.

        4 users thanked author for this post.
      • #2325188
        Charlie
        AskWoody Plus

        I’ve noticed that many government websites still come up as http.  These sites have info. I need and I just browse them.  I’m careful not to interact with them in a personal way.  I have my Firefox set to allow http because of that, but I may decide to change that with the way things are nowadays.

      • #2325190
        Microfix
        AskWoody MVP

        Can’t remember if Firefox (at default settings) hides the http/ https but if it does,
        and you want to see it in the address bar type:
        about:config, click [accept risks and continue] then
        copy and paste: browser.urlbar.trimURLs into the search bar and set the value to FALSE, then exit about:config
        HTTP and HTTPS will be visable prior to the site address 😉


        Problems controlling W!N10 updates:
        https://www.askwoody.com/forums/topic/2000016-guide-for-windows-update-settings-for-windows-10/
        1 user thanked author for this post.
        • #2325195
          PKCano
          Manager

          It must not hide it by default.
          I have always seen the http/https in the address bar and I have changed nothing.

      • #2325193
        Charlie
        AskWoody Plus

        Firefox (since ver. 83) comes with “Don’t enable https only” mode as the Default setting for both Windows and Linux.  It hasn’t changed and I’m now at 84.0.1 on both.  All you have to do is click a box in preferences to change it though.

        1 user thanked author for this post.
      • #2325207
        KB6OJS
        AskWoody Plus

        Interesting question. I’ve never thought to do so. The “https” protocol being used kind of lulled me into a (false?) sense of security. I guess I should do so on obscure and/or unknown sites to make sure they’re okay. Thanks for pointing out the tool I can use to do so. //S//

      • #2325210
        OscarCP
        AskWoody Plus

        As Kirsty copied from a Website on this topic

        A Secure Connection to Satan is Still a Connection to Satan
        HTTPS & SSL doesn’t mean “trust this.” It means “this is private.” You may be having a private conversation with Satan.

        Quite so. For this reason, I prefer, if possible, to use my browser to connect to sites I know and trust to be OK. Otherwise, I rely on the padlock/https in the address bar to remain connected for just long enough to have a look to see if the site really has something of some interest to me, before doing anything else. This happens when I’m looking for something on the Web and decide to have a look in what seems to be a promising site. If I am asked up front there to register, allow cookies, etc. I run away fast, unless I can see it has information I really need and it’s only asking me to accept their cookies, that shall be removed by the browser as soon as I close the page.

        I don’t believe this makes one invulnerable to malicious attacks when visiting sites one thinks to be OK, but have been craftily compromised; for my part, I’m trying to strike a balance between the potential risk and the expected reward of using the Web to get something I want from it.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        1 user thanked author for this post.
      • #2325274
        Paul T
        AskWoody MVP

        FF shows the full URL.

        Capture-1

        cheers, Paul

        Attachments:
      • #2325280
        OscarCP
        AskWoody Plus

        Waterfox is the same as FF in this respect. Vivaldi shows a shield with a lightning bolt inside (?), then the padlock and then, same as Chrome, the URL with no “http(s)://www.” prefix. Safari shows a shield, not a padlock, and the full URL, same as FF, etc. So, the padlock is used in FF, WF, Vivaldi and Chrome. In all these except WF, the padlock is black.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        • #2325296
          Mele20
          AskWoody Lounger

          I never look for a lock and I dislike https as pretentious and unneeded for most sites. I still prefer http. I don’t use credit cards on websites on my computers. I don’t visit bank sites, etc ….that’s why I have an iPhone XR with Face ID for such things (and the banking apps where Face ID is again used inside each app).

          I see the lock is GREEN on Fx and Basilisk and non-existent on Brave. Plus, Brave obviously thinks no one cares as it gives almost no information about the “secure” connection. I recall all the past fighting over the lock issue on gecko based browsers. At least there is pertinent information but you have to click too many times to get to it. It used to be much better when most sites were http.

          • This reply was modified 2 weeks ago by Mele20.
      • #2325302
        topshot
        AskWoody Lounger

        As @Kirsty pointed out above, talking with Satan can still be secure since bad guys can get SSL certs just as easy as anyone else. The key is whether the cert really goes to the domain you believe you should be on (and are willing to trust if it’s not known to you already). I’m not sure how the various browsers handle that anymore with just the padlock icon. Chrome used to show an extra green area with the company name if the website’s identity was also verified but no longer does. I personally would click on the padlock and view the certificate data and verify it was issued to the actual domain you are wanting to view. From what I read, it doesn’t seem that the extension noted by Susan does anything in this regard. If it’s a site you go to all the time like a financial institution, Amazon, etc. it should be fine if you are using a bookmark/favorite once you have checked it the first time. If hand typing, you need to watch for typos since it’s common for bad guys to duplicate a site with a common misspelling.

      • #2326493
        Ascaris
        AskWoody_MVP

        I only look for a secure site (I use the HTTPS:// protocol tag also) when I am about to sign into a site and I would not want my password, or anything I do once I have entered the password, to be leaked. When I am just browsing read-only stuff, I don’t really worry about it. There is no sensitive information being exchanged; anyone can read what the anonymous author wrote in that Wikipedia article about rats. The kinds of entities that would like to know that I read an article about rats (like Google, Facebook, etc., just because they want to collect everything) are not likely to get it by snooping on HTTP packets. They will also get the wrong idea if they put “rats” in my interest list… I think they would be interesting to have as pets, as I do with many different kinds of creatures, but I’ve never had one (I have a cat, though, and she might think the rat was even more interesting). I also don’t have a rat infestation, so any ads about rat control means would be useless too.

        I do have HTTPS only mode on Firefox, though, FWIW, ’cause why not? Nearly everything is HTTPS now, and if I try to follow a HTTP only link, it blocks it and lets me choose whether to proceed, so then I know what I am dealing with if I do go ahead and see the site.

        Group "L" (KDE Neon Linux 5.20.5 User Edition)

      • #2326566
        Paul T
        AskWoody MVP

        I do have HTTPS only mode on Firefox, though, FWIW, ’cause why not?

        Can’t access my home router with that on as the router is http only.
        HTTPS only is not security, it’s window dressing.

        cheers, Paul

    Viewing 13 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Tasks for the weekend – January 2, 2021

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

?
This website collects data via Google Analytics. Click here to opt in. Click here to opt out.
×