The web has a padlock problem

[Kirsty]

Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.
[See the full post at: The web has a padlock problem]

3 users thanked author for this post.

Fred, woody, jburk07

[anonymous]

? says:

thanx guys!

done and done, green padlock is back following ghacks along with askvg…

[anonymous]

Yes I always have to muck about in about:config to get one thing or another turned back on or configured how I want it with each Firefox update. Popups properly disabled for one and that annoying tone when using Find in FF if there where no matches found, what possessed Mozilla to enable that nonsense in the first place.

Firefox just needs a Temporarily Enable popups option like IE that goes away once the browser session/browser tab is ended/closed. Firefox has levels of Popup Blocking that are not fully disabled using the normal checkbox interface so that has to be done in about:config and I removed every popup exception from that environment variable string in the about:config popup settings.

I just hope that FF does not remove more options from about:config as that’s not going to go over well, and that update nagging that can not be fully disabled I do not like.

[OscarCP]

This is a matter for real concern. As to myself, a private user, I have this “two factor” approach: (1) Making sure I am accessing a site known to me or, if the first time, that it is  known to be, or is likely to be a reputable one; (2) I look for the “https” in the URL address line. I do expect to see it in those places I just described, the Website of my bank, for example, and also in places like Woody’s. If it is not (even if it was there before), I hightail it out of there right away. And if the site’s name is something like “Free Porno 24/7 With Coeds Gone Wild!!!”, then I pay no mind to URL or padlocks, because one should not be there, if one has the slightest bit of common sense.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

Fred

[pHROZEN gHOST]

This is no different than the blind spot warning on newer vehicles. Those who learn to trust them will one day have a major accident when they stop working.

Don’t get lazy. Be smart.

Byte me!

[Michael432]

Since the padlock means nothing important, you need to be aware of the rules for domain names. Understand the rules and you will not be fooled by scam websites with look-alike domain names. An explanation of domain name rules is one of the 34 topics at

https://DefensiveComputingChecklist.com

Get up to speed on router security at RouterSecurity.org

3 users thanked author for this post.

AlexEiffel, Myst, Kirsty

[Fred]

This locksign being there is just an indication, nothing more. Websites having this lock shown in the addressbar can be unsafe aswell. A way to make it a little more easy is using always the browser extention HTTPS-everywhere and using it with all options enabled. Amazing to see how many “safe sites” have connections to the unsafe sites, such as pictures gifs links etc. And for the very spicy sites it might be an idea to use for the client to see green handcuffs….

Banks etc are introdusing their own banking apps not just for fun or convenience, and if one has any doubt at all, just call (yes by a real life phone) and ask!

It is a dark world out there

🦃 happy thanksgiving

~ ~ ~

[anonymous]

A reminder for people that may not desire to use an external site to do domain name research:
A Whois for Windows (there are many others).

For many GNU/Linux distributions the whois program can be installed, some may already include it during the operating system installation.

[OscarCP]

Anonymous has pointed out here:  #2013219  the useful LINUX line command “whois”. It is also available in macOS from Terminal.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

[Alex5723]

Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure.

Chrome browser displays black padlock, and Chrome doesn’t display https” in the URL address line.
Other, none popular browsers, have different colors : Firefox – green padlock, Edge – white padlock…
Chrome has a “not secure” warning when browsing to a HTTP site.

• This reply was modified 10 months ago by Alex5723.
• This reply was modified 10 months ago by Alex5723.
• This reply was modified 10 months ago by Alex5723.

[anonymous]

I don’t think retraining is needed. I think we should adapt to what people expect. Now that HTTPS isn’t just about pages that need high security, let’s remove the lock altogether. And let’s add a new lock that fits what people expect: sites that have been verified not to be phishing sites by some system.

I’m also all for the EV signals that are being removed. Having some other text that verifies that the site is what it appears to be is good.

HTTPS’s flaw is that anyone can get a certificate. Its use is to verify the lack of a man-in-the-middle problem. It’s never been about phishing–it was just a coincidence that phishing sites didn’t have an easy way to get a certificate before.

So stop treating HTTPS like it prevents phishing. Make the padlock be about phishing, not HTTPS.

[wavy]

That is what Extended Validation is for if I understand it correctly. In my browser (PaleMoon a Mozilla spinoff) the domain box (to the left of the URL) will turn from the Blue of plain HTTPS to Green when a site is using Extended Validation.

Only CAs who pass an independent qualified audit review may offer EV,[8] and all CAs globally must follow the same detailed issuance requirements which aim to:

Establish the legal identity as well as the operational and physical presence of website owner;
Establish that the applicant is the domain name owner or has exclusive control over the domain name;
Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer;
Limit the duration of certificate validity to ensure the certificate information is up to date. CA/B Forum is also limiting the maximum re-use of domain validation data and organisation data to maximum of 397 days (must not exceed 398 days) from March 2020 onward.[9]

With the exception[10] of Extended Validation Certificates for .onion domains, it is otherwise not possible to get a wildcard Extended Validation Certificate – instead, all fully qualified domain names must be included in the certificate and inspected by the certificate authority.[11]

from https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Creation_of_special_UI_indicators_in_browsers

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

[anonymous]

Yes, and that’s why it sucks that both Chrome and Firefox are removing those indicators. They exist for a reason.

They just only will work if only those sites get a lock, as otherwise people might think the lock itself is enough to prove it isn’t a phishing attempt, due to the bad messaging.

[JohnW]

You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site. But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site. I always practice #1-2, and I use #3 in case I get careless with #1-2.

1. Create and use bookmarks/favorites to access banking or important personal related sites. This avoids misspelling a URL if you are in a hurry, or are up too early or late.
2. Avoid clicking on URL links in emails or other documents. Type the address in the browser URL bar.
3. Use a browser plugin with filters, such as uBlock Origin. This one has many filter lists out of the box, to prevent you from connecting to known bad sites. Mine is currently running 167,536 network filters using the supplied filter lists. The lists are automatically updated (optionally).

uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker — which happens to be able to function as a mere “ad blocker”.

The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites — through EasyList, EasyPrivacy, Peter Lowe’s ad/tracking/malware servers, various lists of malware sites, and uBlock Origin’s own filter lists.

2 users thanked author for this post.

Fred, OscarCP

[Alex5723]

JohnW wrote:

Use a browser plugin with filters, such as uBlock Origin

Add to uBlock Origin uBlock Origin Extra.

[Fred]

These extensions in Firefox do all their specific blocks at different sites, together with the specific settings in Ffx itself; it’s hard to make a choice if one must

Firefox settings + extensions….
Cookie Autodelete
uBlock Origin
Privacy Badger
Ghostery
DuckDuckGo Privacy Essentials
Disconnect
HTTPS Everywhere
CanvasBlocker
Malwarebytes Browser Guard
Decentraleyes

Websites!!
reclaimthenet.org
restoreprivacy.com
https://www.eff.org/
bitsoffreedom.nl/english/

Searchengines..
Searx.me
Swisscows.com
Duckduckgo.com
(Startpage.com has been sold out to a data-collector!)

~ ~ ~

• This reply was modified 10 months ago by Fred.
• This reply was modified 10 months ago by Fred.

[Kirsty]

Fred wrote:

(Startpage.com has been sold out to a data-collector!)

Kirsty wrote:

To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.
…
the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

[Kirsty]

JohnW wrote:

You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

“This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

…the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

[Fred]

Kirsty wrote:

Fred wrote:

(Startpage.com has been sold out to a data-collector!)

Kirsty wrote:

To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.
…
the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

Please don’t be so very sure about that

These sites have their specific thoughts about the “new” startpage[dot]com : reclaimthenet.org
restoreprivacy.com
https://www.eff.org/
bitsoffreedom.nl/english/

My relation that worked there have all left, because they believe in working for privacy [gdpr rulings in datahandling erc]

“It’s not the butcher who has to test his own meat”

~ ~ ~

[Kirsty]

Could you please supply reference to EFF being concerned about Startpage? The last result shown is dated 2010, and nothing on their Twitter account’s results either.

[Fred]

Quite soon after the publicity from startpage.com (plus startpage-email) with the Dutch government as an example of free and independent company honoring the privacy of their users (NL and EU-GDPR rulings), this company buyout became public.

https://www.startpage.com/blog/press-releases/dutch-government-features-search-engine-startpage-com-privacy-example/

People are worried that this cie. selling is ending as a submittance to the USA-Patriot-act, regardless where the servers fysically are stationed, and what statements from the company are made about hoovering data and selling; likewise Google and Cambridge-analitica….
Critics here state that there must come real proof, not hear-say.

Privacy search engine StartPage has sold to ad tech company System1

https://www.ghacks.net/2019/11/16/startpage-search-owner-changes-raise-serious-questions/

http://techrights.org/2019/10/16/startpage-is-surveillance/

http://techrights.org/2019/11/09/startpage-hypocrisy/

https://www.dslreports.com/forum/r32568229-Startpage-and-DuckDuckGo-may-not-be-private-anymore

http://techrights.org/2019/11/04/startpage-dogpile-webcrawler-metacrawler/

http://techrights.org/2019/11/01/oppressing-people-with-data/
.

Regards

 

~ ~ ~

2 users thanked author for this post.

AlexEiffel, JohnW

[JohnW]

Kirsty wrote:

JohnW wrote:

You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

“This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

…the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

You quoted me out of context by omitting my very next sentence.

But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site.

Best regards! 🙂

1 user thanked author for this post.

Fred

[Kirsty]

My response was only in relation to your opening sentence, hence why only it was quoted 🙂
(I hoped the response may prove useful in the future, to someone that might be skimming through this topic.)

[JohnW]

I wasn’t trying to challenge the theme of the original post, but was actually trying to add to it. That you need to have connected to a secure page, but also to be vigilant that you are on a real page, and not a fake or spoofed one!

1 user thanked author for this post.

Fred

[Author]

Posts