Cable Forum

-   -   http - how secure is it? (https://www.cableforum.uk/board/showthread.php?t=33710401)

heero_yuy 27-09-2021 09:49

Re: http - how secure is it?
 
Quote:

Originally Posted by Rillington (Post 36094704)
Thank you for your reply.

So when you say communication with the site do you mean passwords/email addresses or do you mean all forms of communication, such as simply going to the site and streaming/downloading data from that website?

All the communication to and from the site is encrypted. The older standard was SSL (Secure Sockets Layer). Now TLS (Transport Layer Security) is in use.

Some background reading

tweetiepooh 27-09-2021 10:20

Re: http - how secure is it?
 
HTTPS doesn't just encrypt the data securing it, it also uses certificates to prove that the site is who it says it is. That's probably more important even if just reading data and that no-one is impersonating the site.



If you use a proxy, especially at work, they will install certificates in the browser so the proxy can intercept, decrypt, inspect and re-encrypt on without warnings but generally if the certificate doesn't match or isn't issued properly your browser should warn you. What is causing pain now are the alternate DNS names being enforced on the main name where previously only needing for additional names. This is where you may use variations in name to provide different services but only want one certificate, e.g. www.bbc.co.uk, news.bbc.co.uk (yes I know they do it different now) can all have one certificate, used to be www.bbc and then new.bbc etc in the alternate names, now also have to have www.bbc in the alternate names.

Jaymoss 27-09-2021 12:13

Re: http - how secure is it?
 
Quote:

Originally Posted by Itshim (Post 36094712)
Is that why Kaspersky and now, in my case bit defender react to me using cable forum ?

I think you need to run a few scans

Run one from bitdefender, run one from an online scan such as eset

download and install RKill https://www.bleepingcomputer.com/download/rkill/ and run this program. This will stop any processes that might be malware and block deletion if required. Then download and install malwarebytes and run a scan with that

I have a feeling something else is causing your flags

---------- Post added at 12:13 ---------- Previous post was at 12:12 ----------

Quote:

Originally Posted by Carth (Post 36094748)
*nods in agreement* . . .

They keep flashing warnings up because they have to be 'seen' to be doing the job . . otherwise you'd think they were crap and not buy it again :D

I personally think they are flagging warnings where other users are not because the system could be compromised

Hom3r 27-09-2021 12:47

Re: http - how secure is it?
 
I use Windows Defender.


I don't download dodgy stuff, and I scan the relevant files.

mrmistoffelees 27-09-2021 13:09

Re: http - how secure is it?
 
Quote:

Originally Posted by heero_yuy (Post 36094762)
All the communication to and from the site is encrypted. The older standard was SSL (Secure Sockets Layer). Now TLS (Transport Layer Security) is in use.

Some background reading

Correction: TLS has been in use for many years and in fact TLS 1.0 & 1.1 are considered not safe and haven't been since the back end of 2019. Only TLS 1.2 and above are considered secure.

MikeyB 27-09-2021 13:35

Re: http - how secure is it?
 
Quote:

Originally Posted by Dude111 (Post 36094570)
Http is as secure as it's ever been.......

Which is NOT secure!

ANY site running on http can be intercepted and the contents of the site changed before it gets to your browser, https prevents this happening.
Of course, https encrypts all traffic between your browser & the server, so for example your password & any form you fill in, cannot be snooped upon.

Here's a very good article about why every website needs https
https://www.troyhunt.com/heres-why-y...e-needs-https/

There's a video with a demo of changing the contents of a site, without actually changing the site, just what is delivered to your browser.

But as others have said, https does not mean that the site itself is safe or secure, it's the connection to/from the server


Quote:

Originally Posted by Dude111 (Post 36094570)
I have a question..... If these sites can do it w/o issues, why can't all sites??

I have been trying to get my friend who runs sitcomsonline.com/boards?styleid=1077 to enable http but he doesn't think it will work..... I have told him of city-data but he doesn't understand :(

All sites could allow http, but the vast majority of sites today choose to only allow https as it's more secure for all involved, simple as that.
If your friend does allow http then he may as well disable https altogether, no point in having it then.

Quote:

Originally Posted by Paul (Post 36094610)
Many sites simply do not need to be secure.
A news site for example, or indeed, any informational site.

News sites are a prime example of needing https, imagine if the contents of the BBC news or any other news site was intercepted as per my link above?

There is no excuse for not having https these days, can be done totally for free with a little work.

pip08456 27-09-2021 13:44

Re: http - how secure is it?
 
Quote:

Originally Posted by mrmistoffelees (Post 36094801)
Correction: TLS has been in use for many years and in fact TLS 1.0 & 1.1 are considered not safe and haven't been since the back end of 2019. Only TLS 1.2 and above are considered secure.

An unnecessary correction. Heero's post contained correct info and included a link for those who wished more info.

mrmistoffelees 27-09-2021 14:40

Re: http - how secure is it?
 
Quote:

Originally Posted by pip08456 (Post 36094808)
An unnecessary correction. Heero's post contained correct info and included a link for those who wished more info.


ssssh, qualified people talking....

BenMcr 27-09-2021 19:57

Re: http - how secure is it?
 
Quote:

Originally Posted by tweetiepooh (Post 36094767)
HTTPS doesn't just encrypt the data securing it, it also uses certificates to prove that the site is who it says it is. That's probably more important even if just reading data and that no-one is impersonating the site.

Though I think it's always worth making clear that a certificate that doesn't generate a browser warning just means that the site has a security certificate that has been issued by a valid authority for the site domain.

You could have a valid https certificate for cableforum.uk or cablef0rum.uk.

A valid certificate doesn't guarantee anything about the trustworthiness of the site you're on.

Carth 27-09-2021 21:59

Re: http - how secure is it?
 
I vaguely recall a year or two ago, I had quite a few certificate warnings on various sites/pages that normally were ok . . . not sure if it was down to a change in how they're done or a cock up somewhere in the system?

Paul 28-09-2021 02:08

Re: http - how secure is it?
 
Quote:

Originally Posted by MikeyB (Post 36094806)
News sites are a prime example of needing https, imagine if the contents of the BBC news or any other news site was intercepted as per my link above?

Try taking off your tin foil hat for a few minutes.
News sites do not need to use https, of course, they can choose to.

Quote:

Originally Posted by tweetiepooh (Post 36094767)
What is causing pain now are the alternate DNS names being enforced on the main name where previously only needing for additional names.

I don't really know what you are trying to say here.
A single SSL certificate can have many alt names, hundreds if you are daft enough (our own certificate here has nine).
You can also get wildcard certificates to cover all the sub domains on a main domain.

BenMcr 28-09-2021 07:16

Re: http - how secure is it?
 
Quote:

Originally Posted by Carth (Post 36094901)
I vaguely recall a year or two ago, I had quite a few certificate warnings on various sites/pages that normally were ok . . . not sure if it was down to a change in how they're done or a cock up somewhere in the system?

There have been incidents in the last few years where a certificate authority made errors that meant they couldn't be relied on and their certificates were distrusted.

One of the biggest was Symantec

https://www.thesslstore.com/blog/sym...usted-tuesday/

Quote:

Google Chrome 66 will distrust any Symantec, GeoTrust, Thawte & RapidSSL certificate issued before June 1, 2016

On Tuesday, April 17 [2018], Google will push the newest version of its web browser, Chrome 66, to stable, effectively distrusting any Symantec CA brand (Symantec, GeoTrust, Thawte and RapidSSL) SSL certificate issued before June 1, 2016. Once Chrome 66 goes live and its users begin to update their browsers, any website still using one of the affected Symantec CA brand SSL certificates will be slapped with a browser warning.

But smaller authorities are impacted too https://www.zdnet.com/article/google...a-from-chrome/

Dude111 28-09-2021 08:21

Quote:

Originally Posted by MikeyB
If your friend does allow http then he may as well disable https altogether, no point in having it then.

Well more people use the https side. Some on older browsers can't so they use the HTTP side...

Or the site can install 'NO BROWSER LEFT BEHIND' which lets even older browsers connect HTTPS

http://blog.cloudflare.com/sha-1-dep...er-left-behind


Quote:

Originally Posted by Paul
Honestly, just ditch them all.

I agree...I don't have any!!

tweetiepooh 28-09-2021 09:48

Re: http - how secure is it?
 
Quote:

Originally Posted by Paul (Post 36094938)
Try taking off your tin foil hat for a few minutes.
News sites do not need to use https, of course, they can choose to.


I don't really know what you are trying to say here.
A single SSL certificate can have many alt names, hundreds if you are daft enough (our own certificate here has nine).
You can also get wildcard certificates to cover all the sub domains on a main domain.

It used to be that you didn't have to put the main cert name in the alt DNS names now you do. At work where we gen our own certificates with own signing authority (internal) it's meaning that sometimes we need to get new certificates as newer browsers flag up that the site isn't in cert Alt DNS names. Mostly not a problem but the software we use in one case only allows one name in the Alt DNS names so we have to put main site name in. Now add we have multiple domains as well and it all gets fun if you want to make it easy to access site(s).
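
The post above describes certificates being rejected because the main name appears only in the certificate's subject and not in its alternate DNS names. As an added example (not part of the thread and not any poster's code), this sketch reproduces that check on certificates in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the `intranet.example` certificates are constructed for illustration.

```python
# Added illustration: SAN-only hostname matching, the rule that causes the
# warnings described above. Sample certificates below are constructed.

def _name_match(pattern: str, host: str) -> bool:
    """Compare one DNS name from a certificate with the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        # Only a whole leftmost label may be a wildcard, and not on a
        # two-label name such as "*.example".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert: dict) -> list:
    """DNS entries from the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert: dict):
    """The subject commonName, or None when absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_host(cert: dict, host: str) -> str:
    """'ok' = listed in the alt names; 'cn-only' = matches the subject name
    only, which current browsers flag; 'mismatch' = matches nothing."""
    if any(_name_match(n, host) for n in san_dns_names(cert)):
        return "ok"
    cn = common_name(cert)
    if cn and _name_match(cn, host):
        return "cn-only"
    return "mismatch"

# Constructed: old-style cert, main name in the subject, extras in the alt names.
LEGACY_CERT = {"subject": ((("commonName", "www.intranet.example"),),),
               "subjectAltName": (("DNS", "news.intranet.example"),)}
# Constructed: reissued cert with the main name repeated in the alt names.
FIXED_CERT = {"subject": ((("commonName", "www.intranet.example"),),),
              "subjectAltName": (("DNS", "www.intranet.example"),
                                 ("DNS", "news.intranet.example"))}
# Constructed: wildcard cert covering one level of sub domains plus the apex.
WILDCARD_CERT = {"subject": ((("commonName", "*.intranet.example"),),),
                 "subjectAltName": (("DNS", "*.intranet.example"),
                                    ("DNS", "intranet.example"))}
```

Running `check_host` over an inventory of internally issued certificates and listing every `cn-only` result shows which ones need reissuing before users start seeing warnings.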

MikeyB 28-09-2021 11:58

Re: http - how secure is it?
 
Quote:

Originally Posted by Paul (Post 36094938)
Try taking off your tin foil hat for a few minutes.
News sites do not need to use https, of course, they can choose to.

Of course that is an extreme example, but today, what benefit is there for a site not running https?


Quote:

Originally Posted by Dude111 (Post 36094953)
Well more people use the https side. Some on older browsers can't so they use the HTTP side...

And herein lies your issue with https, you are using an unsupported & insecure browser on an unsupported & insecure OS, not much anyone apart from you can do about that.

As I said before, there is no excuse today, for any website not to allow only https connection.

