  • The web has a padlock problem


    This topic contains 23 replies, has 9 voices, and was last updated by Fred 1 day, 14 hours ago.

    • #2013065

      Kirsty
      Da Boss

      Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.
      [See the full post at: The web has a padlock problem]

      3 users thanked author for this post.
    • #2013107

      anonymous

      ? says:

      thanx guys!

      done and done, green padlock is back following ghacks along with askvg…

      • #2013425

        anonymous

        Yes, I always have to muck about in about:config to get one thing or another turned back on or configured how I want it with each Firefox update. Popups properly disabled for one, and that annoying tone when using Find in FF if there were no matches found; what possessed Mozilla to enable that nonsense in the first place?

        Firefox just needs a Temporarily Enable popups option like IE that goes away once the browser session/browser tab is ended/closed. Firefox has levels of Popup Blocking that are not fully disabled using the normal checkbox interface so that has to be done in about:config and I removed every popup exception from that environment variable string in the about:config popup settings.

        I just hope that FF does not remove more options from about:config as that’s not going to go over well, and that update nagging that can not be fully disabled I do not like.

    • #2013115

      OscarCP
      AskWoody Plus

      This is a matter for real concern. As to myself, a private user, I have this “two factor” approach: (1) Making sure I am accessing a site known to me or, if the first time, that it is known to be, or is likely to be, a reputable one; (2) I look for the “https” in the URL address line. I do expect to see it in those places I just described, the Website of my bank, for example, and also in places like Woody’s. If it is not (even if it was there before), I hightail it out of there right away. And if the site’s name is something like “Free Porno 24/7 With Coeds Gone Wild!!!”, then I pay no mind to URL or padlocks, because one should not be there, if one has the slightest bit of common sense.

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

      1 user thanked author for this post.
    • #2013126

      pHROZEN gHOST
      AskWoody Lounger

      This is no different than the blind spot warning on newer vehicles. Those who learn to trust them will one day have a major accident when they stop working.

      Don’t get lazy. Be smart.

      Byte me!

    • #2013154

      Michael432
      AskWoody_MVP

      Since the padlock means nothing important, you need to be aware of the rules for domain names. Understand the rules and you will not be fooled by scam websites with look-alike domain names. An explanation of domain name rules is one of the 34 topics at

      https://DefensiveComputingChecklist.com

      Get up to speed on router security at RouterSecurity.org

      3 users thanked author for this post.
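      An added example to go with the point about domain-name rules above (my code, not the poster’s and not material from the linked site): it pulls the registrable domain out of a URL and flags hosts that merely contain a trusted name, which is the check a padlock never makes for you. `PUBLIC_SUFFIXES`, `mybank.com` and the `xn--mybnk-abc` label are constructed stand-ins.

```python
"""Registrable-domain check: the part of a host name the padlock never judges.

Added example, not the poster's code or material from the linked checklist.
A certificate (hence the padlock) only vouches for the exact host shown; which
organisation you really reached is decided by the registrable domain, the
label just left of the public suffix. The suffix table is a constructed
stand-in for the real Public Suffix List that browsers use.
"""
from urllib.parse import urlsplit

# Constructed subset; browsers use the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'online.mybank.com' -> 'mybank.com'; 'mybank.com.evil.net' -> 'evil.net'.

    Hosts are normalised to their ASCII (IDNA, 'xn--') form so that a Unicode
    look-alike spelling can never compare equal to the ASCII original.
    """
    host = host.lower().rstrip(".").encode("idna").decode("ascii")
    labels = host.split(".")
    for n in (2, 1):  # longest listed suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def classify(url: str, trusted: set[str]) -> str:
    """Is this URL on a trusted registrable domain, or only dressed up as one?"""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        # trusted name buried in a subdomain, or reused inside another domain
        if t in host or t.split(".")[0] in reg:
            return f"lookalike of {t}"
    if reg.startswith("xn--") or ".xn--" in reg:
        return "punycode host, inspect manually"
    return "unknown domain"


if __name__ == "__main__":
    bank = {"mybank.com"}  # constructed trusted domain
    for u in ("https://online.mybank.com/login",
              "https://mybank.com.evil.net/login",  # can carry a valid certificate
              "https://mybank-secure-login.com/",
              "https://xn--mybnk-abc.com/"):        # constructed punycode label
        print(f"{u:45} {classify(u, bank)}")
```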
    • #2013226

      Fred
      AskWoody Plus

      This lock sign being there is just an indication, nothing more. Websites having this lock shown in the address bar can be unsafe as well. A way to make it a little easier is always using the browser extension HTTPS Everywhere and using it with all options enabled. Amazing to see how many “safe sites” have connections to the unsafe sites, such as pictures, gifs, links etc. And for the very spicy sites it might be an idea for the client to see green handcuffs….

      Banks etc. are introducing their own banking apps not just for fun or convenience, and if one has any doubt at all, just call (yes, by a real-life phone) and ask!

      It is a dark world out there

      🦃 happy thanksgiving

      After all.. Just because we're paranoid doesn't mean they aren't out to get us.
    • #2013219

      anonymous

      A reminder for people that may not desire to use an external site to do domain name research:
      A Whois for Windows (there are many others).

      For many GNU/Linux distributions the whois program can be installed, some may already include it during the operating system installation.

      • #2013289

        OscarCP
        AskWoody Plus

        Anonymous has pointed out here (#2013219) the useful Linux command-line tool “whois”. It is also available in macOS from Terminal.

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

    • #2013238

      Alex5723
      AskWoody Plus

      Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure.

      Chrome browser displays a black padlock, and Chrome doesn’t display “https” in the URL address line.
      Other, less popular browsers have different colors: Firefox – green padlock, Edge – white padlock…
      Chrome has a “not secure” warning when browsing to a HTTP site.

    • #2013262

      anonymous

      I don’t think retraining is needed. I think we should adapt to what people expect. Now that HTTPS isn’t just about pages that need high security, let’s remove the lock altogether. And let’s add a new lock that fits what people expect: sites that have been verified not to be phishing sites by some system.

      I’m also all for the EV signals that are being removed. Having some other text that verifies that the site is what it appears to be is good.

      HTTPS’s flaw is that anyone can get a certificate. Its use is to verify the lack of a man-in-the-middle problem. It’s never been about phishing–it was just a coincidence that phishing sites didn’t have an easy way to get a certificate before.

      So stop treating HTTPS like it prevents phishing. Make the padlock be about phishing, not HTTPS.

      • #2013342

        wavy
        AskWoody Plus

        That is what Extended Validation is for if I understand it correctly. In my browser (PaleMoon a Mozilla spinoff) the domain box (to the left of the URL) will turn from the Blue of plain HTTPS to Green when a site is using Extended Validation.

        Only CAs who pass an independent qualified audit review may offer EV, and all CAs globally must follow the same detailed issuance requirements which aim to:

        Establish the legal identity as well as the operational and physical presence of website owner;
        Establish that the applicant is the domain name owner or has exclusive control over the domain name;
        Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer;
        Limit the duration of certificate validity to ensure the certificate information is up to date. CA/B Forum is also limiting the maximum re-use of domain validation data and organisation data to a maximum of 397 days (must not exceed 398 days) from March 2020 onward.

        With the exception of Extended Validation Certificates for .onion domains, it is otherwise not possible to get a wildcard Extended Validation Certificate – instead, all fully qualified domain names must be included in the certificate and inspected by the certificate authority.

        from https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Creation_of_special_UI_indicators_in_browsers

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #2013592

          anonymous

          Yes, and that’s why it sucks that both Chrome and Firefox are removing those indicators. They exist for a reason.

          They will only work if only those sites get a lock, as otherwise people might think the lock itself is enough to prove it isn’t a phishing attempt, due to the bad messaging.

    • #2013390

      JohnW
      AskWoody Plus

      You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site. But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site. I always practice #1-2, and I use #3 in case I get careless with #1-2.

      1. Create and use bookmarks/favorites to access banking or important personal related sites. This avoids misspelling a URL if you are in a hurry, or are up too early or late.
      2. Avoid clicking on URL links in emails or other documents. Type the address in the browser URL bar.
      3. Use a browser plugin with filters, such as uBlock Origin. This one has many filter lists out of the box, to prevent you from connecting to known bad sites. Mine is currently running 167,536 network filters using the supplied filter lists. The lists are automatically updated (optionally).

      uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker — which happens to be able to function as a mere “ad blocker”.

      The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites — through EasyList, EasyPrivacy, Peter Lowe’s ad/tracking/malware servers, various lists of malware sites, and uBlock Origin’s own filter lists.

      2 users thanked author for this post.
      • #2013394

        Alex5723
        AskWoody Plus

        Use a browser plugin with filters, such as uBlock Origin

        Add uBlock Origin Extra to uBlock Origin.

      • #2013949

        Fred
        AskWoody Plus

        These extensions in Firefox do all their specific blocks at different sites, together with the specific settings in Ffx itself; it’s hard to make a choice if one must

        Firefox settings + extensions….
        Cookie Autodelete
        uBlock Origin
        Privacy Badger
        Ghostery
        DuckDuckGo Privacy Essentials
        Disconnect
        HTTPS Everywhere
        CanvasBlocker
        Malwarebytes Browser Guard
        Decentraleyes

        Websites!!
        reclaimthenet.org
        restoreprivacy.com
        https://www.eff.org/
        bitsoffreedom.nl/english/

        Searchengines..
        Searx.me
        Swisscows.com
        Duckduckgo.com
        (Startpage.com has been sold out to a data-collector!)

        After all.. Just because we're paranoid doesn't mean they aren't out to get us.
        • #2013952

          Kirsty
          Da Boss

          (Startpage.com has been sold out to a data-collector!)

          To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.

          the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

      • #2013953

        Kirsty
        Da Boss

        You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

        The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

        “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

        …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

    • #2013961

      Fred
      AskWoody Plus

      (Startpage.com has been sold out to a data-collector!)

      To summarize: Startpage states [that] nothing has changed in regards to how the service operates in regards to user privacy.

      the company representatives state that the investment was made “because we believe Startpage serves a critical role in maintaining consumer privacy, and we hope our resources can help Startpage bring privacy to millions of new users around the world”.

      Please don’t be so very sure about that

      These sites have their specific thoughts about the “new” startpage[dot]com:
      reclaimthenet.org
      restoreprivacy.com
      https://www.eff.org/
      bitsoffreedom.nl/english/

      My relations who worked there have all left, because they believe in working for privacy [GDPR rulings in data handling etc.]

      “It’s not the butcher who has to test his own meat”

      After all.. Just because we're paranoid doesn't mean they aren't out to get us.
    • #2014070

      JohnW
      AskWoody Plus

      You definitely want to see a good padlock and/or HTTPS in your browser any time you log into a site.

      The problem in contention is that the padlock only indicates someone has a site certificate – which even phishers get these days, which reduces the effectiveness of seeing such an indicator.

      “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

      …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

      You quoted me out of context by omitting my very next sentence.

      But there are some common sense things you should also be doing to limit the risk of loading up a phishing or malware site.

      Best regards! 🙂

      1 user thanked author for this post.
      • #2014179

        Kirsty
        Da Boss

        My response was only in relation to your opening sentence, hence why only it was quoted 🙂
        (I hoped the response may prove useful in the future, to someone that might be skimming through this topic.)

        • #2014186

          JohnW
          AskWoody Plus

          I wasn’t trying to challenge the theme of the original post, but was actually trying to add to it. That you need to have connected to a secure page, but also to be vigilant that you are on a real page, and not a fake or spoofed one!

          1 user thanked author for this post.
