The web has a padlock problem
Tagged: Browser security, phishing
This topic contains 23 replies, has 9 voices, and was last updated by Fred 1 day, 14 hours ago.
Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.
[See the full post at: The web has a padlock problem]
-
anonymous says:
thanx guys!
done and done, green padlock is back following ghacks along with askvg…
-
anonymous: Yes, I always have to muck about in about:config to get one thing or another turned back on or configured how I want it with each Firefox update. Popups properly disabled, for one, and that annoying tone when using Find in FF if there were no matches found; what possessed Mozilla to enable that nonsense in the first place?
Firefox just needs a Temporarily Enable popups option like IE that goes away once the browser session/browser tab is ended/closed. Firefox has levels of Popup Blocking that are not fully disabled using the normal checkbox interface so that has to be done in about:config and I removed every popup exception from that environment variable string in the about:config popup settings.
I just hope that FF does not remove more options from about:config as that’s not going to go over well, and that update nagging that can not be fully disabled I do not like.
-
This is a matter for real concern. As to myself, a private user, I have this “two factor” approach: (1) Making sure I am accessing a site known to me or, if the first time, that it is known to be, or is likely to be a reputable one; (2) I look for the “https” in the URL address line. I do expect to see it in those places I just described, the Website of my bank, for example, and also in places like Woody’s. If it is not (even if it was there before), I hightail it out of there right away. And if the site’s name is something like “Free Porno 24/7 With Coeds Gone Wild!!!”, then I pay no mind to URL or padlocks, because one should not be there, if one has the slightest bit of common sense.
Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx
-
This is no different than the blind spot warning on newer vehicles. Those who learn to trust them will one day have a major accident when they stop working.
Don’t get lazy. Be smart.
Byte me!
-
Since the padlock means nothing important, you need to be aware of the rules for domain names. Understand the rules and you will not be fooled by scam websites with look-alike domain names. An explanation of domain name rules is one of the 34 topics at
https://DefensiveComputingChecklist.com
Get up to speed on router security at RouterSecurity.org
-
This lock sign being there is just an indication, nothing more. Websites having this lock shown in the address bar can be unsafe as well. A way to make it a little easier is to always use the browser extension HTTPS Everywhere, with all options enabled. Amazing to see how many “safe sites” have connections to unsafe sites, such as pictures, gifs, links etc. And for the very spicy sites it might be an idea for the client to see green handcuffs….
Banks etc. are introducing their own banking apps not just for fun or convenience, and if one has any doubt at all, just call (yes, by a real-life phone) and ask!
It is a dark world out there
🦃 happy thanksgiving
After all.. Just because we're paranoid doesn't mean they aren't out to get us.
-
anonymous: A reminder for people that may not desire to use an external site to do domain name research:
A Whois for Windows (there are many others). For many GNU/Linux distributions the whois program can be installed; some may already include it during the operating system installation.
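The two posts above say the same thing from different angles: the padlock tells you nothing about who is behind a name, so you have to read the name itself correctly (rightmost registrable part wins, subdomains are free for the registrant to invent) and then research that registered name with whois. The script below is an added illustration written for this thread, not something posted by either author or shipped by any of the tools they mention. It takes a URL, works out which domain is actually registered (the part a whois lookup would be about), and flags three look-alike tricks: the real brand name hidden in a subdomain, punycode/mixed-script labels, and digits standing in for letters. The public-suffix table is a deliberately tiny constructed stand-in; a real tool would load the full Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/list/).
# A real tool must load the full list: which part of a name someone registered
# depends on it (bank.co.uk is registrable, co.uk is not).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}

# Digits that render almost like letters at address-bar size.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l"})


def registrable_domain(host: str) -> str:
    """Return the part of the host its registrant controls (the 'eTLD+1').

    Everything left of it is a subdomain the registrant invents freely, so
    'www.paypal.com.secure-login.example' is really 'secure-login.example'.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first, then shorter ones.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a public suffix, not a registered name")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_url(url: str) -> dict:
    """Find the domain a URL really points at and list look-alike warnings."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit already lowercases it
    # Browsers may render punycode labels (xn--...) in Unicode form; judge the
    # name on what the user would see, so mixed-script spoofing is visible.
    shown = host.encode("ascii").decode("idna") if "xn--" in host else host
    reg = registrable_domain(shown)
    owner_label = reg.split(".")[0]

    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if shown != host:
        warnings.append(f"IDN host: {host!r} displays as {shown!r}")
    for label in shown.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            warnings.append(f"mixed scripts in {label!r}: {sorted(scripts)}")
    plain = owner_label.translate(CONFUSABLE_DIGITS)
    if plain != owner_label:
        warnings.append(f"{owner_label!r} reads like {plain!r} (digit/letter confusable)")

    return {"host": host, "registrable_domain": reg, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts is claimed to exist.
    for u in [
        "https://www.paypal.com.secure-login.example/signin",
        "https://paypa1.com/",
        "https://xn--pypal-4ve.com/",
        "http://www.bank.co.uk/",
    ]:
        r = inspect_url(u)
        print(f"{u}\n  registered name: {r['registrable_domain']}"
              f"\n  warnings: {r['warnings'] or 'none'}")
```

The `registrable_domain` value is the name to put into whois; the brand-looking labels to its left are worthless as evidence. Note that the third sample decodes to a Cyrillic "а" inside an otherwise Latin word, which is exactly the case a padlock cannot catch: the certificate for that name is perfectly valid.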
-
Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure.
Chrome browser displays a black padlock, and Chrome doesn’t display “https” in the URL address line.
Other, less popular browsers have different colors: Firefox – green padlock, Edge – white padlock…
Chrome has a “not secure” warning when browsing to an HTTP site.
-
anonymous: I don’t think retraining is needed. I think we should adapt to what people expect. Now that HTTPS isn’t just about pages that need high security, let’s remove the lock altogether. And let’s add a new lock that fits what people expect: sites that have been verified not to be phishing sites by some system.
I’m also all for the EV signals that are being removed. Having some other text that verifies that the site is what it appears to be is good.
HTTPS’s flaw is that anyone can get a certificate. Its use is to verify the lack of a man-in-the-middle problem. It’s never been about phishing–it was just a coincidence that phishing sites didn’t have an easy way to get a certificate before.
So stop treating HTTPS like it prevents phishing. Make the padlock be about phishing, not HTTPS.
-
That is what Extended Validation is for if I understand it correctly. In my browser (PaleMoon a Mozilla spinoff) the domain box (to the left of the URL) will turn from the Blue of plain HTTPS to Green when a site is using Extended Validation.
Only CAs who pass an independent qualified audit review may offer EV,[8] and all CAs globally must follow the same detailed issuance requirements which aim to:
- Establish the legal identity as well as the operational and physical presence of the website owner;
- Establish that the applicant is the domain name owner or has exclusive control over the domain name;
- Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer;
- Limit the duration of certificate validity to ensure the certificate information is up to date. CA/B Forum is also limiting the maximum re-use of domain validation data and organisation data to a maximum of 397 days (must not exceed 398 days) from March 2020 onward.[9]
With the exception[10] of Extended Validation Certificates for .onion domains, it is otherwise not possible to get a wildcard Extended Validation Certificate – instead, all fully qualified domain names must be included in the certificate and inspected by the certificate authority.[11]
🍻
Just because you don't know where you are going doesn't mean any road will get you there.
-
anonymous: Yes, and that’s why it sucks that both Chrome and Firefox are removing those indicators. They exist for a reason.
They will only work if only those sites get a lock, as otherwise people might think the lock itself is enough to prove it isn’t a phishing attempt, due to the bad messaging.
-
You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site. But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site. I always practice #1-2, and I use #3 in case I get careless with #1-2.
- Create and use bookmarks/favorites to access banking or important personal related sites. This avoids misspelling a URL if you are in a hurry, or are up too early or late.
- Avoid clicking on URL links in emails or other documents. Type the address in the browser URL bar.
- Use a browser plugin with filters, such as uBlock Origin. This one has many filter lists out of the box, to prevent you from connecting to known bad sites. Mine is currently running 167,536 network filters using the supplied filter lists. The lists are automatically updated (optionally).
uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker — which happens to be able to function as a mere “ad blocker”.
The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites — through EasyList, EasyPrivacy, Peter Lowe’s ad/tracking/malware servers, various lists of malware sites, and uBlock Origin’s own filter lists.
-
Use a browser plugin with filters, such as uBlock Origin
Add uBlock Origin Extra to uBlock Origin.
-
These extensions in Firefox do all their specific blocks at different sites, together with the specific settings in Ffx itself; it’s hard to make a choice if one must.
Firefox settings + extensions….
Cookie AutoDelete
uBlock Origin
Privacy Badger
Ghostery
DuckDuckGo Privacy Essentials
Disconnect
HTTPS Everywhere
CanvasBlocker
Malwarebytes Browser Guard
Decentraleyes
Websites!!
reclaimthenet.org
restoreprivacy.com
https://www.eff.org/
bitsoffreedom.nl/english/
Search engines..
Searx.me
Swisscows.com
Duckduckgo.com
(Startpage.com has been sold out to a data-collector!)
After all.. Just because we're paranoid doesn't mean they aren't out to get us.
-
(Startpage.com has been sold out to a data-collector!)
To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.
…
the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.
-
You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.
The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.
“This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”
…the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.
-
(Startpage.com has been sold out to a data-collector!)
To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.
…
the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.
Please don’t be so very sure about that.
These sites have their specific thoughts about the “new” startpage[dot]com:
reclaimthenet.org
restoreprivacy.com
https://www.eff.org/
bitsoffreedom.nl/english/
My relations that worked there have all left, because they believe in working for privacy [GDPR rulings in data handling etc.]
“It’s not the butcher who has to test his own meat”
After all.. Just because we're paranoid doesn't mean they aren't out to get us.
-
Could you please supply reference to EFF being concerned about Startpage? The last result shown is dated 2010, and nothing on their Twitter account’s results either.
-
Quite soon after the publicity from startpage.com (plus startpage-email) with the Dutch government as an example of a free and independent company honoring the privacy of their users (NL and EU-GDPR rulings), this company buyout became public.
People are worried that this company sale is ending as a submission to the USA Patriot Act, regardless of where the servers are physically stationed, and whatever statements the company makes about hoovering data and selling it; likewise Google and Cambridge Analytica….
Critics here state that there must come real proof, not hearsay.
Privacy search engine StartPage has sold to ad tech company System1
https://www.ghacks.net/2019/11/16/startpage-search-owner-changes-raise-serious-questions/
http://techrights.org/2019/10/16/startpage-is-surveillance/
http://techrights.org/2019/11/09/startpage-hypocrisy/
https://www.dslreports.com/forum/r32568229-Startpage-and-DuckDuckGo-may-not-be-private-anymore
http://techrights.org/2019/11/04/startpage-dogpile-webcrawler-metacrawler/
http://techrights.org/2019/11/01/oppressing-people-with-data/
Regards
After all.. Just because we're paranoid doesn't mean they aren't out to get us.
-
You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.
The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.
“This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”
…the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.
You quoted me out of context by omitting my very next sentence.
But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site.
Best regards! 🙂
-
My response was only in relation to your opening sentence, hence why only it was quoted 🙂
(I hoped the response may prove useful in the future, to someone that might be skimming through this topic.)
-
Copyright © 2019 AskWoody LLC. All rights reserved.