http - how secure is it?
Old 27-09-2021, 09:49   #16
heero_yuy
Perfect Soldier
 
Join Date: Mar 2009
Location: Worthing West Sussex
Age: 66
Services: VM 500M SH3 thingy in modem mode XL TV V6 Sony Bravia smart TV and M phone
Posts: 10,994
Re: http - how secure is it?

Quote:
Originally Posted by Rillington View Post
Thank you for your reply.

So when you say communication with the site do you mean passwords/email addresses or do you mean all forms of communication, such as simply going to the site and streaming/downloading data from that website?
All the communication to and from the site is encrypted. The older standard was SSL (Secure Sockets Layer). Now TLS (Transport Layer Security) is in use.

Some background reading
__________________
History is much like an endless waltz: The three beats of war, peace and revolution continue on forever.
However history will change with my coronation - Mariemaia Khushrenada
heero_yuy is offline   Reply With Quote
Old 27-09-2021, 10:20   #17
tweetiepooh
Virgin Media Employee
 
Join Date: Sep 2005
Location: Winchester
Services: Staff MyRates BB: VM XXL TV: VM XL Phone : VM XL
Posts: 3,114
Re: http - how secure is it?

HTTPS doesn't just encrypt the data securing it, it also uses certificates to prove that the site is who it says it is. That's probably more important even if just reading data and that no-one is impersonating the site.



If you use a proxy, especially at work, they will install certificates in the browser so the proxy can intercept, decrypt, inspect and re-encrypt on without warnings, but generally if the certificate doesn't match or isn't issued properly your browser should warn you. What is causing pain now are the alternate DNS names being enforced on the main name where previously only needed for additional names. This is where you may use variations in name to provide different services but only want one certificate, e.g. www.bbc.co.uk, news.bbc.co.uk (yes I know they do it different now) can all have one certificate, used to be www.bbc and then news.bbc etc in the alternate names, now also have to have www.bbc in the alternate names.
__________________
I work for VMO2 but reply here in my own right. Any help or advice is made on a best-effort basis. No comments construe any obligation on VMO2 or its employees.
tweetiepooh is offline   Reply With Quote
Old 27-09-2021, 12:13   #18
Jaymoss
Just a Geek
 
Join Date: Jul 2015
Posts: 3,594
Re: http - how secure is it?

Quote:
Originally Posted by Itshim View Post
Is that why Kaspersky and now, in my case bit defender react to me using cable forum ?
I think you need to run a few scans

Run one from bitdefender, run one from an online scan such as eset

download and install RKill https://www.bleepingcomputer.com/download/rkill/ and run this program. This will stop any processes that might be malware and block deletion if required. Then download and install malwarebytes and run a scan with that

I have a feeling something else is causing your flags

---------- Post added at 12:13 ---------- Previous post was at 12:12 ----------

Quote:
Originally Posted by Carth View Post
*nods in agreement* . . .

They keep flashing warnings up because they have to be 'seen' to be doing the job . . otherwise you'd think they were crap and not buy it again
I personally think they are flagging warnings where other users are not because the system could be compromised
Jaymoss is online now   Reply With Quote
Old 27-09-2021, 12:47   #19
Hom3r
Mum 15/08/46 - 30/09/20
 
Join Date: Mar 2004
Location: Galactic Sector ZZ9 Plural Z Alpha, www.daves-world.co.uk. A secret Moonbase (shh don't tell anybody)
Age: 55
Services: 1 V6, 2x1TB TiVo, SH3. Samsung Galaxy Note 10+ 5G, Ton's of Smart Home stuff, & Cuddy Toy
Posts: 16,873
Re: http - how secure is it?

I use Windows Defender.


I don't download dodgy stuff, and I scan the relevant files.
__________________
STAY AT HOME: I found out that mum will never walk again as the coronavirus attacked her nervous system. She died on September 30th, wearing a mask and she still might be alive today.
Hom3r is offline   Reply With Quote
Old 27-09-2021, 13:09   #20
mrmistoffelees
067
 
Join Date: Jul 2007
Location: Middlesbrough
Age: 48
Services: Many
Posts: 4,605
Re: http - how secure is it?

Quote:
Originally Posted by heero_yuy View Post
All the communication to and from the site is encrypted. The older standard was SSL (Secure Sockets Layer). Now TLS (Transport Layer Security) is in use.

Some background reading
Correction: TLS has been in use for many years and in fact TLS 1.0 & 1.1 are considered not safe and haven't been since the back end of 2019. Only TLS 1.2 and above are considered secure.
__________________
Nerves of steel, heart of gold, knob of butter......
mrmistoffelees is offline   Reply With Quote
Old 27-09-2021, 13:35   #21
MikeyB
cf.geek
 
Join Date: Jun 2003
Location: Swindon
Age: 52
Services: BT FTTP, Humax Foxsat HDR Freesat+
Posts: 810
Re: http - how secure is it?

Quote:
Originally Posted by Dude111 View Post
Http is as secure as it's ever been.......
Which is NOT secure!

ANY site running on http can be intercepted and the contents of the site changed before it gets to your browser, https prevents this happening.
Of course, https encrypts all traffic between your browser & the server, so for example your password & any form you fill in, cannot be snooped upon.

Here's a very good article about why every website needs https
https://www.troyhunt.com/heres-why-y...e-needs-https/

There's a video with a demo of changing the contents of a site, without actually changing the site, just what is delivered to your browser.

But as others have said, https does not mean that the site itself is safe or secure, it's the connection to/from the server


Quote:
Originally Posted by Dude111 View Post
I have a question..... If these sites can do it w/o issues, why can't all sites??

I have been trying to get my friend who runs sitcomsonline.com/boards?styleid=1077 to enable http but he doesn't think it will work..... I have told him of city-data but he doesn't understand
All sites could allow http, but the vast majority of sites today choose to only allow https as it's more secure for all involved, simple as that.
If your friend does allow http then he may as well disable https altogether, no point in having it then.

Quote:
Originally Posted by Paul View Post
Many sites simply do not need to be secure.
A news site for example, or indeed, any informational site.
News sites are a prime example of needing https, imagine if the contents of the BBC news or any other news site was intercepted as per my link above?

There is no excuse for not having https these days, can be done totally for free with a little work.

Last edited by MikeyB; 27-09-2021 at 14:21.
MikeyB is offline   Reply With Quote
Old 27-09-2021, 13:44   #22
pip08456
Sad Doig Fan!
 
Join Date: Aug 2007
Location: Barry South Wales
Age: 68
Services: With VM for BB 250Mb service.(Deal)
Posts: 11,654
Re: http - how secure is it?

Quote:
Originally Posted by mrmistoffelees View Post
Correction: TLS has been in use for many years and in fact TLS 1.0 & 1.1 are considered not safe and haven't been since the back end of 2019. Only TLS 1.2 and above are considered secure.
An unnecessary correction. Heero's post contained correct info and included a link for those who wished more info.
pip08456 is online now   Reply With Quote
Old 27-09-2021, 14:40   #23
mrmistoffelees
067
 
Join Date: Jul 2007
Location: Middlesbrough
Age: 48
Services: Many
Posts: 4,605
Re: http - how secure is it?

Quote:
Originally Posted by pip08456 View Post
An unnecessary correction. Heero's post contained correct info and included a link for those who wished more info.

ssssh, qualified people talking....
__________________
Nerves of steel, heart of gold, knob of butter......
mrmistoffelees is offline   Reply With Quote
Old 27-09-2021, 19:57   #24
BenMcr
Virgin Media Staff
 
Join Date: Nov 2006
Location: Manchester
Services: 360 x2, Maxit TV, Sky Sports and Sky Cinema. Gig1
Posts: 17,929
Re: http - how secure is it?

Quote:
Originally Posted by tweetiepooh View Post
HTTPS doesn't just encrypt the data securing it, it also uses certificates to prove that the site is who it says it is. That's probably more important even if just reading data and that no-one is impersonating the site.
Though I think it's always worth making clear that a certificate that doesn't generate a browser warning just means that the site has a security certificate that has been issued by a valid authority for the site domain.

You could have a valid https certificate for cableforum.uk or cablef0rum.uk.

A valid certificate doesn't guarantee anything about the trustworthiness of the site you're on.
__________________
I work for Virgin Media but all views are my own.

Last edited by BenMcr; 27-09-2021 at 20:00.
BenMcr is offline   Reply With Quote
Old 27-09-2021, 21:59   #25
Carth
cf.mega poster
 
Join Date: Jul 2004
Location: At the Leaving door
Posts: 4,050
Re: http - how secure is it?

I vaguely recall a year or two ago, I had quite a few certificate warnings on various sites/pages that normally were ok . . . not sure if it was down to a change in how they're done or a cock up somewhere in the system?
Carth is offline   Reply With Quote
Old 28-09-2021, 02:08   #26
Paul
Dr Pepper Addict
Cable Forum Team
 
Join Date: Oct 2003
Location: Nottingham
Age: 61
Services: Flextel SIP : Sky Mobile : Sky Q TV : VM BB (1000 Mbps) : Aquiss FTTP (330 Mbps)
Posts: 27,709
Re: http - how secure is it?

Quote:
Originally Posted by MikeyB View Post
News sites are a prime example of needing https, imagine if the contents of the BBC news or any other news site was intercepted as per my link above?
Try taking off your tin foil hat for a few minutes.
News sites do not need to use https, of course, they can choose to.

Quote:
Originally Posted by tweetiepooh View Post
What is causing pain now are the alternate DNS names being enforced on the main name where previously only needed for additional names.
I don't really know what you are trying to say here.
A single SSL certificate can have many alt names, hundreds if you are daft enough (our own certificate here has nine).
You can also get wildcard certificates to cover all the sub domains on a main domain.
__________________

Baby, I was born this way.
Paul is offline   Reply With Quote
Old 28-09-2021, 07:16   #27
BenMcr
Virgin Media Staff
 
Join Date: Nov 2006
Location: Manchester
Services: 360 x2, Maxit TV, Sky Sports and Sky Cinema. Gig1
Posts: 17,929
Re: http - how secure is it?

Quote:
Originally Posted by Carth View Post
I vaguely recall a year or two ago, I had quite a few certificate warnings on various sites/pages that normally were ok . . . not sure if it was down to a change in how they're done or a cock up somewhere in the system?
There have been incidents in the last few years where a certificate authority made errors that meant they couldn't be relied on and their certificates were distrusted.

One of the biggest was Symantec

https://www.thesslstore.com/blog/sym...usted-tuesday/

Quote:
Google Chrome 66 will distrust any Symantec, GeoTrust, Thawte & RapidSSL certificate issued before June 1, 2016

On Tuesday, April 17 [2018], Google will push the newest version of its web browser, Chrome 66, to stable, effectively distrusting any Symantec CA brand (Symantec, GeoTrust, Thawte and RapidSSL) SSL certificate issued before June 1, 2016. Once Chrome 66 goes live and its users begin to update their browsers, any website still using one of the affected Symantec CA brand SSL certificates will be slapped with a browser warning.
But smaller authorities are impacted too https://www.zdnet.com/article/google...a-from-chrome/
__________________
I work for Virgin Media but all views are my own.

Last edited by BenMcr; 28-09-2021 at 07:20.
BenMcr is offline   Reply With Quote
Old 28-09-2021, 08:21   #28
Dude111
An Awesome Dude
 
Join Date: Mar 2009
Posts: 3,868
Quote:
Originally Posted by MikeyB
If your friend does allow http then he may as well disable https altogether, no point in having it then.
Well more people use the https side. Some on older browsers can't so they use the HTTP side...

Or the site can install 'NO BROWSER LEFT BEHIND' which lets even older browsers connect HTTPS

http://blog.cloudflare.com/sha-1-dep...er-left-behind


Quote:
Originally Posted by Paul
Honestly, just ditch them all.
I agree...I don't have any!!
Dude111 is offline   Reply With Quote
Old 28-09-2021, 09:48   #29
tweetiepooh
Virgin Media Employee
 
Join Date: Sep 2005
Location: Winchester
Services: Staff MyRates BB: VM XXL TV: VM XL Phone : VM XL
Posts: 3,114
Re: http - how secure is it?

Quote:
Originally Posted by Paul View Post
Try taking off your tin foil hat for a few minutes.
News sites do not need to use https, of course, they can choose to.


I don't really know what you are trying to say here.
A single SSL certificate can have many alt names, hundreds if you are daft enough (our own certificate here has nine).
You can also get wildcard certificates to cover all the sub domains on a main domain.
It used to be that you didn't have to put the main cert name in the alt DNS names; now you do. At work, where we gen our own certificates with our own signing authority (internal), it's meaning that sometimes we need to get new certificates as newer browsers flag up that the site isn't in the cert Alt DNS names. Mostly not a problem, but the software we use in one case only allows one name in the Alt DNS names so we have to put the main site name in. Now add that we have multiple domains as well and it all gets fun if you want to make it easy to access site(s).
__________________
I work for VMO2 but reply here in my own right. Any help or advice is made on a best-effort basis. No comments construe any obligation on VMO2 or its employees.
tweetiepooh is offline   Reply With Quote
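
Added example, not part of any post in this thread: a sketch of the name check discussed by tweetiepooh and Paul, in which the client compares the site name only with the certificate's subjectAltName DNS entries and ignores the common name. It also illustrates BenMcr's earlier point that a properly issued certificate for a look-alike domain passes for that domain. The certificate dicts, the `example.test` names and all function names are constructed for illustration, and the wildcard rule is simplified.

```python
# Added example (not from the thread): SAN-only hostname matching.
# Every certificate below is constructed, shaped like ssl.SSLSocket.getpeercert().

def name_matches(pattern, host):
    """Compare one dNSName with a hostname; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Simplification: demand two fixed labels after '*'. Real clients
        # consult the public suffix list to reject names such as *.co.uk.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    """DNS entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """Subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_hostname(cert, host):
    """Return (accepted, reason) as a SAN-only client would decide."""
    for name in san_dns_names(cert):
        if name_matches(name, host):
            return True, "matched subjectAltName " + name
    cn = common_name(cert)
    if cn and name_matches(cn, host):
        return False, "name is only in the CN, which is ignored"
    return False, "name not in subjectAltName"

def make_cert(cn, *sans):
    """Build a constructed certificate dict with the given CN and SAN DNS names."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

# Main name only in the CN, extra names in the SAN (the older habit).
OLD_STYLE = make_cert("www.example.test", "news.example.test")
# Main name repeated in the SAN, which is what clients now require.
NEW_STYLE = make_cert("www.example.test", "www.example.test", "news.example.test")
# One wildcard entry plus the bare domain.
WILDCARD = make_cert("example.test", "*.example.test", "example.test")
# A correctly issued certificate for a look-alike domain (constructed).
LOOKALIKE = make_cert("cablef0rum.uk", "cablef0rum.uk")

if __name__ == "__main__":
    cases = [
        ("old style", OLD_STYLE, "www.example.test"),
        ("old style", OLD_STYLE, "news.example.test"),
        ("new style", NEW_STYLE, "www.example.test"),
        ("wildcard", WILDCARD, "www.example.test"),
        ("wildcard", WILDCARD, "a.b.example.test"),
        ("look-alike", LOOKALIKE, "cablef0rum.uk"),
        ("look-alike", LOOKALIKE, "cableforum.uk"),
    ]
    for label, cert, host in cases:
        print(label, host, check_hostname(cert, host))
```
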
Old 28-09-2021, 11:58   #30
MikeyB
cf.geek
 
Join Date: Jun 2003
Location: Swindon
Age: 52
Services: BT FTTP, Humax Foxsat HDR Freesat+
Posts: 810
Re: http - how secure is it?

Quote:
Originally Posted by Paul View Post
Try taking off your tin foil hat for a few minutes.
News sites do not need to use https, of course, they can choose to.
Of course that is an extreme example, but today, what benefit is there for a site not running https?


Quote:
Originally Posted by Dude111 View Post
Well more people use the https side. Some on older browsers can't so they use the HTTP side...
And herein lies your issue with https, you are using an unsupported & insecure browser on an unsupported & insecure OS, not much anyone apart from you can do about that.

As I said before, there is no excuse today, for any website not to allow only https connection.
MikeyB is offline   Reply With Quote