The web has a padlock problem

[KirstyDa Boss]

Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.
[See the full post at: The web has a padlock problem]

3 users thanked author for this post.

Fred, woody, jburk07

[anonymous]

? says:

thanx guys!

done and done, green padlock is back following ghacks along with askvg…

[anonymous]

Yes I always have to muck about in about:config to get one thing or another turned back on or configured how I want it with each Firefox update. Popups properly disabled for one and that annoying tone when using Find in FF if there where no matches found, what possessed Mozilla to enable that nonsense in the first place.

Firefox just needs a Temporarily Enable popups option like IE that goes away once the browser session/browser tab is ended/closed. Firefox has levels of Popup Blocking that are not fully disabled using the normal checkbox interface so that has to be done in about:config and I removed every popup exception from that environment variable string in the about:config popup settings.

I just hope that FF does not remove more options from about:config as that’s not going to go over well, and that update nagging that can not be fully disabled I do not like.

[OscarCPAskWoody Plus]

This is a matter for real concern. As to myself, a private user, I have this “two factor” approach: (1) Making sure I am accessing a site known to me or, if the first time, that it is  known to be, or is likely to be a reputable one; (2) I look for the “https” in the URL address line. I do expect to see it in those places I just described, the Website of my bank, for example, and also in places like Woody’s. If it is not (even if it was there before), I hightail it out of there right away. And if the site’s name is something like “Free Porno 24/7 With Coeds Gone Wild!!!”, then I pay no mind to URL or padlocks, because one should not be there, if one has the slightest bit of common sense.

Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

1 user thanked author for this post.

Fred

[pHROZEN gHOSTAskWoody Lounger]

This is no different than the blind spot warning on newer vehicles. Those who learn to trust them will one day have a major accident when they stop working.

Don’t get lazy. Be smart.

Byte me!

[Michael432AskWoody_MVP]

Since the padlock means nothing important, you need to be aware of the rules for domain names. Understand the rules and you will not be fooled by scam websites with look-alike domain names. An explanation of domain name rules is one of the 34 topics at

https://DefensiveComputingChecklist.com

Get up to speed on router security at RouterSecurity.org

3 users thanked author for this post.

AlexEiffel, willygirl, Kirsty

[FredAskWoody Plus]

This locksign being there is just an indication, nothing more. Websites having this lock shown in the addressbar can be unsafe aswell. A way to make it a little more easy is using always the browser extention HTTPS-everywhere and using it with all options enabled. Amazing to see how many “safe sites” have connections to the unsafe sites, such as pictures gifs links etc. And for the very spicy sites it might be an idea to use for the client to see green handcuffs….

Banks etc are introdusing their own banking apps not just for fun or convenience, and if one has any doubt at all, just call (yes by a real life phone) and ask!

It is a dark world out there

🦃 happy thanksgiving

After all.. Just because we're paranoid doesn't mean they aren't out to get us.

[anonymous]

A reminder for people that may not desire to use an external site to do domain name research:
A Whois for Windows (there are many others).

For many GNU/Linux distributions the whois program can be installed, some may already include it during the operating system installation.

[OscarCPAskWoody Plus]

Anonymous has pointed out here:  #2013219  the useful LINUX line command “whois”. It is also available in macOS from Terminal.

Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

[Alex5723AskWoody Plus]

Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure.

Chrome browser displays black padlock, and Chrome doesn’t display https” in the URL address line.
Other, none popular browsers, have different colors : Firefox – green padlock, Edge – white padlock…
Chrome has a “not secure” warning when browsing to a HTTP site.

• This reply was modified 4 days, 10 hours ago by  Alex5723.
• This reply was modified 4 days, 10 hours ago by  Alex5723.
• This reply was modified 4 days, 10 hours ago by  Alex5723.

[anonymous]

I don’t think retraining is needed. I think we should adapt to what people expect. Now that HTTPS isn’t just about pages that need high security, let’s remove the lock altogether. And let’s add a new lock that fits what people expect: sites that have been verified not to be phishing sites by some system.

I’m also all for the EV signals that are being removed. Having some other text that verifies that the site is what it appears to be is good.

HTTPS’s flaw is that anyone can get a certificate. Its use is to verify the lack of a man-in-the-middle problem. It’s never been about phishing–it was just a coincidence that phishing sites didn’t have an easy way to get a certificate before.

So stop treating HTTPS like it prevents phishing. Make the padlock be about phishing, not HTTPS.

[wavyAskWoody Plus]

That is what Extended Validation is for if I understand it correctly. In my browser (PaleMoon a Mozilla spinoff) the domain box (to the left of the URL) will turn from the Blue of plain HTTPS to Green when a site is using Extended Validation.

Only CAs who pass an independent qualified audit review may offer EV,[8] and all CAs globally must follow the same detailed issuance requirements which aim to:

Establish the legal identity as well as the operational and physical presence of website owner;
Establish that the applicant is the domain name owner or has exclusive control over the domain name;
Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer;
Limit the duration of certificate validity to ensure the certificate information is up to date. CA/B Forum is also limiting the maximum re-use of domain validation data and organisation data to maximum of 397 days (must not exceed 398 days) from March 2020 onward.[9]

With the exception[10] of Extended Validation Certificates for .onion domains, it is otherwise not possible to get a wildcard Extended Validation Certificate – instead, all fully qualified domain names must be included in the certificate and inspected by the certificate authority.[11]

from https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Creation_of_special_UI_indicators_in_browsers

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

[anonymous]

Yes, and that’s why it sucks that both Chrome and Firefox are removing those indicators. They exist for a reason.

They just only will work if only those sites get a lock, as otherwise people might think the lock itself is enough to prove it isn’t a phishing attempt, due to the bad messaging.

[JohnWAskWoody Plus]

You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site. But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site. I always practice #1-2, and I use #3 in case I get careless with #1-2.

1. Create and use bookmarks/favorites to access banking or important personal related sites. This avoids misspelling a URL if you are in a hurry, or are up too early or late.
2. Avoid clicking on URL links in emails or other documents. Type the address in the browser URL bar.
3. Use a browser plugin with filters, such as uBlock Origin. This one has many filter lists out of the box, to prevent you from connecting to known bad sites. Mine is currently running 167,536 network filters using the supplied filter lists. The lists are automatically updated (optionally).

uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker — which happens to be able to function as a mere “ad blocker”.

The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites — through EasyList, EasyPrivacy, Peter Lowe’s ad/tracking/malware servers, various lists of malware sites, and uBlock Origin’s own filter lists.

2 users thanked author for this post.

Fred, OscarCP

[Alex5723AskWoody Plus]

JohnW wrote:

Use a browser plugin with filters, such as uBlock Origin

Add to uBlock Origin uBlock Origin Extra.

[FredAskWoody Plus]

These extensions in Firefox do all their specific blocks at different sites, together with the specific settings in Ffx itself; it’s hard to make a choice if one must

Firefox settings + extensions….
Cookie Autodelete
uBlock Origin
Privacy Badger
Ghostery
DuckDuckGo Privacy Essentials
Disconnect
HTTPS Everywhere
CanvasBlocker
Malwarebytes Browser Guard
Decentraleyes

Websites!!
reclaimthenet.org
restoreprivacy.com
https://www.eff.org/
bitsoffreedom.nl/english/

Searchengines..
Searx.me
Swisscows.com
Duckduckgo.com
(Startpage.com has been sold out to a data-collector!)

After all.. Just because we're paranoid doesn't mean they aren't out to get us.

• This reply was modified 2 days, 13 hours ago by  Fred.
• This reply was modified 2 days, 13 hours ago by  Fred.

[KirstyDa Boss]

Fred wrote:

(Startpage.com has been sold out to a data-collector!)

Kirsty wrote:

To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.
…
the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

[KirstyDa Boss]

JohnW wrote:

You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

“This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

…the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

[FredAskWoody Plus]

Kirsty wrote:

Fred wrote:

(Startpage.com has been sold out to a data-collector!)

Kirsty wrote:

To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.
…
the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

Please don’t be so very sure about that

These sites have their specific thoughts about the “new” startpage[dot]com : reclaimthenet.org
restoreprivacy.com
https://www.eff.org/
bitsoffreedom.nl/english/

My relation that worked there have all left, because they believe in working for privacy [gdpr rulings in datahandling erc]

“It’s not the butcher who has to test his own meat”

After all.. Just because we're paranoid doesn't mean they aren't out to get us.

[KirstyDa Boss]

Could you please supply reference to EFF being concerned about Startpage? The last result shown is dated 2010, and nothing on their Twitter account’s results either.

[FredAskWoody Plus]

Quite soon after the publicity from startpage.com (plus startpage-email) with the Dutch government as an example of free and independent company honoring the privacy of their users (NL and EU-GDPR rulings), this company buyout became public.

https://www.startpage.com/blog/press-releases/dutch-government-features-search-engine-startpage-com-privacy-example/

People are worried that this cie. selling is ending as a submittance to the USA-Patriot-act, regardless where the servers fysically are stationed, and what statements from the company are made about hoovering data and selling; likewise Google and Cambridge-analitica….
Critics here state that there must come real proof, not hear-say.

Privacy search engine StartPage has sold to ad tech company System1

https://www.ghacks.net/2019/11/16/startpage-search-owner-changes-raise-serious-questions/

http://techrights.org/2019/10/16/startpage-is-surveillance/

http://techrights.org/2019/11/09/startpage-hypocrisy/

https://www.dslreports.com/forum/r32568229-Startpage-and-DuckDuckGo-may-not-be-private-anymore

http://techrights.org/2019/11/04/startpage-dogpile-webcrawler-metacrawler/

http://techrights.org/2019/11/01/oppressing-people-with-data/
.

Regards

 

After all.. Just because we're paranoid doesn't mean they aren't out to get us.

1 user thanked author for this post.

JohnW

[JohnWAskWoody Plus]

Kirsty wrote:

JohnW wrote:

You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

“This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

…the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

You quoted me out of context by omitting my very next sentence.

But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site.

Best regards! 🙂

1 user thanked author for this post.

Fred

[KirstyDa Boss]

My response was only in relation to your opening sentence, hence why only it was quoted 🙂
(I hoped the response may prove useful in the future, to someone that might be skimming through this topic.)

[JohnWAskWoody Plus]

I wasn’t trying to challenge the theme of the original post, but was actually trying to add to it. That you need to have connected to a secure page, but also to be vigilant that you are on a real page, and not a fake or spoofed one!

1 user thanked author for this post.

Fred

[Author]

Posts