The web has a padlock problem


    • #2013065

    Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.
    [See the full post at: The web has a padlock problem]

    • #2013107

      ? says:

      thanx guys!

      done and done, green padlock is back following ghacks along with askvg…

      • #2013425

        Yes, I always have to muck about in about:config to get one thing or another turned back on or configured how I want it with each Firefox update. Popups properly disabled, for one, and that annoying tone when using Find in FF if there were no matches found; what possessed Mozilla to enable that nonsense in the first place?

        Firefox just needs a Temporarily Enable popups option like IE that goes away once the browser session/browser tab is ended/closed. Firefox has levels of Popup Blocking that are not fully disabled using the normal checkbox interface so that has to be done in about:config and I removed every popup exception from that environment variable string in the about:config popup settings.

        I just hope that FF does not remove more options from about:config as that’s not going to go over well, and that update nagging that can not be fully disabled I do not like.

    • #2013115

      This is a matter for real concern. As to myself, a private user, I have this “two factor” approach: (1) Making sure I am accessing a site known to me or, if the first time, that it is known to be, or is likely to be, a reputable one; (2) I look for the “https” in the URL address line. I do expect to see it in those places I just described, the Website of my bank, for example, and also in places like Woody’s. If it is not (even if it was there before), I hightail it out of there right away. And if the site’s name is something like “Free Porno 24/7 With Coeds Gone Wild!!!”, then I pay no mind to URL or padlocks, because one should not be there, if one has the slightest bit of common sense.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2013126

      This is no different than the blind spot warning on newer vehicles. Those who learn to trust them will one day have a major accident when they stop working.

      Don’t get lazy. Be smart.

      Byte me!

    • #2013154

      Since the padlock means nothing important, you need to be aware of the rules for domain names. Understand the rules and you will not be fooled by scam websites with look-alike domain names. An explanation of domain name rules is one of the 34 topics at

      https://DefensiveComputingChecklist.com

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
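      The domain-name rule the post above points to is that only one label, the one directly below the public suffix, was actually registered; everything to its left and everything after the host is chosen by whoever controls that label. As an added example (not from the post or from DefensiveComputingChecklist.com), here is a small Python routine that extracts that registrable domain from a URL; the suffix table is a constructed stand-in for the real Public Suffix List, and the URLs are constructed.

      ```python
      """Find the registrable domain in a URL: the part that tells you who you are
      really talking to. Added example for this thread, not the poster's code.
      The suffix table is a constructed stand-in for the real Public Suffix List."""
      from typing import Optional
      from urllib.parse import urlsplit

      # Constructed subset; the real Public Suffix List (publicsuffix.org) is much longer.
      PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


      def registrable_domain(url: str) -> Optional[str]:
          """Return '<label>.<public suffix>' for the host in url, or None.

          Only this label was registered with a registrar. Everything to its left
          (subdomains) and everything after the host (userinfo, path, query) is
          chosen freely by whoever controls it, so a familiar brand name appearing
          there proves nothing.
          """
          if "://" not in url:
              url = "https://" + url          # urlsplit needs a scheme to find the host
          host = urlsplit(url).hostname       # lower-cased; userinfo and port stripped
          if not host:
              return None
          labels = host.strip(".").split(".")
          # Try the longest candidate suffix first so "co.uk" wins over "uk".
          for i in range(len(labels)):
              if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
                  if i == 0:
                      return None             # the host is itself a public suffix
                  return ".".join(labels[i - 1:])
          return None                         # unknown suffix: refuse to guess


      def is_expected_site(url: str, expected: str) -> bool:
          """True only when the URL's registrable domain matches the one you meant."""
          return registrable_domain(url) == expected.lower()


      if __name__ == "__main__":
          # Constructed URLs: each one contains the text 'example-bank.com' somewhere,
          # but only the first actually belongs to example-bank.com.
          for u in ("https://www.example-bank.com/login",
                    "https://example-bank.com.evil.example/login",
                    "https://example-bank.com@evil.example/",
                    "https://evil.example/example-bank.com/"):
              print(f"{u:50} -> {registrable_domain(u)}")
      ```

      The point of the walk from longest suffix to shortest is that multi-label suffixes such as co.uk must be recognised before their last label, otherwise the wrong label would be reported as the owner.
      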

    • #2013226

      This lock sign being there is just an indication, nothing more. Websites having this lock shown in the address bar can be unsafe as well. A way to make it a little more easy is always using the browser extension HTTPS Everywhere and using it with all options enabled. Amazing to see how many “safe sites” have connections to unsafe sites, such as pictures, gifs, links etc. And for the very spicy sites it might be an idea for the client to see green handcuffs….

      Banks etc. are introducing their own banking apps not just for fun or convenience, and if one has any doubt at all, just call (yes, by a real-life phone) and ask!

      It is a dark world out there

      🦃 happy thanksgiving

      * _ the metaverse is poisonous _ *
    • #2013219

      A reminder for people that may not desire to use an external site to do domain name research:
      A Whois for Windows (there are many others).

      For many GNU/Linux distributions the whois program can be installed, some may already include it during the operating system installation.

      • #2013289

        Anonymous has pointed out here (#2013219) the useful Linux command-line tool “whois”. It is also available in macOS from Terminal.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
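        Once you have run whois (on Linux, macOS Terminal or a Windows client as the two posts above describe), the fields worth reading are the registrar, the creation date and the name servers. As an added example that is not from either post, the Python below parses a constructed whois record (not a real response; field names follow the common registrar format, which varies by registry) and reports how old the domain is, since a brand-new registration claiming to be an established bank is a warning sign.

        ```python
        """Pull the decision-relevant fields out of a whois record. Added example for
        this thread, not the poster's code; the record below is constructed and the
        key names follow the common registrar format, which varies by registry."""
        import re
        from datetime import datetime, timezone
        from typing import Dict, List, Optional, Union

        # Constructed sample record; not a real whois response.
        SAMPLE_WHOIS = """\
        Domain Name: EXAMPLE-BANK-LOGIN.COM
        Registrar: Example Registrar, Inc.
        Creation Date: 2019-11-20T09:14:02Z
        Registry Expiry Date: 2020-11-20T09:14:02Z
        Registrar Abuse Contact Email: abuse@registrar.example
        Name Server: NS1.HOSTING.EXAMPLE
        Name Server: NS2.HOSTING.EXAMPLE
        >>> Last update of whois database: 2019-11-27T18:00:00Z <<<
        """

        Field = Union[str, List[str]]


        def parse_whois(text: str) -> Dict[str, Field]:
            """Turn 'Key: value' lines into a dict; a key seen twice becomes a list."""
            record: Dict[str, Field] = {}
            for line in text.splitlines():
                m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$", line)
                if not m:
                    continue                      # banners, comments, blank lines
                key, value = m.group(1).strip().lower(), m.group(2)
                if key not in record:
                    record[key] = value
                elif isinstance(record[key], list):
                    record[key].append(value)
                else:
                    record[key] = [record[key], value]
            return record


        def _parse_time(stamp: str) -> datetime:
            """Parse the RFC 3339 timestamps most registrars print (assumption)."""
            return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


        def domain_age_days(record: Dict[str, Field], as_of: str) -> Optional[int]:
            """Days between the creation date and as_of (ISO 8601), or None if absent."""
            created = record.get("creation date")
            if not isinstance(created, str):
                return None
            return (_parse_time(as_of) - _parse_time(created)).days


        def assess(record: Dict[str, Field], as_of: str, young_days: int = 90) -> str:
            """One-line verdict; the 90-day threshold is a constructed rule of thumb."""
            age = domain_age_days(record, as_of)
            registrar = record.get("registrar", "unknown registrar")
            if age is None:
                return f"{registrar}: creation date not available"
            if age < young_days:
                return f"{registrar}: registered {age} days ago (newer than {young_days} days)"
            return f"{registrar}: registered {age} days ago"


        if __name__ == "__main__":
            rec = parse_whois(SAMPLE_WHOIS)
            print(assess(rec, datetime.now(timezone.utc).isoformat()))
            print("name servers:", rec.get("name server"))
        ```

        The parser deliberately skips anything that is not a plain `Key: value` line, because whois output carries banners and legal notices that differ between registries; feed it the text your whois client printed and check `creation date`, `registrar` and `name server` rather than trusting the padlock.
        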

    • #2013238

      Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure.

      Chrome browser displays a black padlock, and Chrome doesn’t display “https” in the URL address line.
      Other, non-popular browsers have different colors: Firefox – green padlock, Edge – white padlock…
      Chrome has a “not secure” warning when browsing to an HTTP site.

    • #2013262

      I don’t think retraining is needed. I think we should adapt to what people expect. Now that HTTPS isn’t just about pages that need high security, let’s remove the lock altogether. And let’s add a new lock that fits what people expect: sites that have been verified not to be phishing sites by some system.

      I’m also all for the EV signals that are being removed. Having some other text that verifies that the site is what it appears to be is good.

      HTTPS’s flaw is that anyone can get a certificate. Its use is to verify the lack of a man-in-the-middle problem. It’s never been about phishing–it was just a coincidence that phishing sites didn’t have an easy way to get a certificate before.

      So stop treating HTTPS like it prevents phishing. Make the padlock be about phishing, not HTTPS.

      • #2013342

        That is what Extended Validation is for if I understand it correctly. In my browser (PaleMoon a Mozilla spinoff) the domain box (to the left of the URL) will turn from the Blue of plain HTTPS to Green when a site is using Extended Validation.

        Only CAs who pass an independent qualified audit review may offer EV,[8] and all CAs globally must follow the same detailed issuance requirements which aim to:

        Establish the legal identity as well as the operational and physical presence of website owner;
        Establish that the applicant is the domain name owner or has exclusive control over the domain name;
        Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer;
        Limit the duration of certificate validity to ensure the certificate information is up to date. CA/B Forum is also limiting the maximum re-use of domain validation data and organisation data to maximum of 397 days (must not exceed 398 days) from March 2020 onward.[9]

        With the exception[10] of Extended Validation Certificates for .onion domains, it is otherwise not possible to get a wildcard Extended Validation Certificate – instead, all fully qualified domain names must be included in the certificate and inspected by the certificate authority.[11]

        from https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Creation_of_special_UI_indicators_in_browsers

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #2013592

          Yes, and that’s why it sucks that both Chrome and Firefox are removing those indicators. They exist for a reason.

          They will only work if only those sites get a lock, as otherwise people might think the lock itself is enough to prove it isn’t a phishing attempt, due to the bad messaging.

    • #2013390

      You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site. But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site. I always practice #1-2, and I use #3 in case I get careless with #1-2.

      1. Create and use bookmarks/favorites to access banking or important personal related sites. This avoids misspelling a URL if you are in a hurry, or are up too early or late.
      2. Avoid clicking on URL links in emails or other documents. Type the address in the browser URL bar.
      3. Use a browser plugin with filters, such as uBlock Origin. This one has many filter lists out of the box, to prevent you from connecting to known bad sites. Mine is currently running 167,536 network filters using the supplied filter lists. The lists are automatically updated (optionally).

      uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker — which happens to be able to function as a mere “ad blocker”.

      The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites — through EasyList, EasyPrivacy, Peter Lowe’s ad/tracking/malware servers, various lists of malware sites, and uBlock Origin’s own filter lists.

      • #2013394

        Use a browser plugin with filters, such as uBlock Origin

        Add to uBlock Origin uBlock Origin Extra.

      • #2013949

        These extensions in Firefox do all their specific blocks at different sites, together with the specific settings in Ffx itself; it’s hard to make a choice if one must

        Firefox settings + extensions….
        Cookie Autodelete
        uBlock Origin
        Privacy Badger
        Ghostery
        DuckDuckGo Privacy Essentials
        Disconnect
        HTTPS Everywhere
        CanvasBlocker
        Malwarebytes Browser Guard
        Decentraleyes

        Websites!!
        reclaimthenet.org
        restoreprivacy.com
        https://www.eff.org/
        bitsoffreedom.nl/english/

        Searchengines..
        Searx.me
        Swisscows.com
        Duckduckgo.com
        (Startpage.com has been sold out to a data-collector!)

        * _ the metaverse is poisonous _ *
        • #2013952

          (Startpage.com has been sold out to a data-collector!)

          To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.

          the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

      • #2013953

        You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

        The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

        “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means it’s OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

        …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

    • #2013961

      (Startpage.com has been sold out to a data-collector!)

      To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.

      the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

      Please don’t be so very sure about that

      These sites have their specific thoughts about the “new” startpage[dot]com : reclaimthenet.org
      restoreprivacy.com
      https://www.eff.org/
      bitsoffreedom.nl/english/

      My relations who worked there have all left, because they believe in working for privacy [GDPR rulings in data handling etc.]

      “It’s not the butcher who has to test his own meat”

      * _ the metaverse is poisonous _ *
    • #2014070

      You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

      The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

      “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means it’s OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

      …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

      You quoted me out of context by omitting my very next sentence.

      But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site.

      Best regards! 🙂

      • #2014179

        My response was only in relation to your opening sentence, hence why only it was quoted 🙂
        (I hoped the response may prove useful in the future, to someone that might be skimming through this topic.)

        • #2014186

          I wasn’t trying to challenge the theme of the original post, but was actually trying to add to it. That you need to have connected to a secure page, but also to be vigilant that you are on a real page, and not a fake or spoofed one!
