Latest news underscores why encryption is necessary

I just saw this article:

I’m not going to comment on the politics or whether or not this was deliberate, but I want to point out that this shows why strong encryption (including HTTPS) is so important.

If a hostile actor manages to redirect traffic to/from a major site (Apple, this time around, but could be Microsoft, Google, Facebook or any other site), They can get access to all the data you send/receive to/from that site.

If the site is hijacked (replacing the original server), it won’t be able to produce the certificates needed to validate the DNS domain. Web browsers will warn you that the site may be insecure. Don’t ignore the warning - either don’t visit the site or be sure to not send anything sensitive (including login credentials) to it.

If the site hasn’t been hijacked, but the network traffic has been routed through a hostile server en route to the real server (e.g. to capture and monitor traffic), you won’t see any warnings, but the operator of the hostile server will see your data. In this case, encryption will prevent that intermediate sever from getting anything useful from the captured data. If the encryption used is strong (e.g. TLS with a strong AES key), then the amount of time needed to hack the session will be so long that the attacker won’t bother unless you are specifically being targeted.

5 Likes

So,
For novices
What websites encrypt?
Is encryption necessary going to a website?
What app can be used to encrypt using any browser going to any website?
If the questions are “dumb” its because I’m not proficient here.

thank you,
David

Rule of thumb for any novice: use https. That s is the important part.

And when your browser tells you there’s a problem with the certificate, take that seriously.

1 Like

These days, most do. To check, look at the URL in your web browser. If it begins with https:// (please note the “S” in there - that’s critical), then some form of encryption is used.

To find out the details (what kind of encryption, security certificates, etc.) your web browser should prove something to click on. For Firefox (what I use), there’s a padlock icon in the location bar:

Screen Shot 2022-07-28 at 13.55.25

Safari also uses a padlock icon:

No, but you should be careful what you do on a site that is not encrypted.

When you connect to a web site, it is never a direct connection between your computer and the web server (unless it’s a private server running on the same LAN as your computer).

Instead, the data used by your connection goes through many intermediate computers (routers and servers). These will include:

  • Your home router (which is probably not a problem)
  • Your internet service provider’s routers
  • Routers owned by the various telecom companies connecting your ISP’s network to the web server’s ISP’s network
  • The web server’s ISP’s network
  • Various routers in the data center where the web server is running
  • Other routers and servers used to distribute the web site’s service worldwide (multiple data centers in multiple locations)

Anybody with access to any of these routers and servers can, in theory, get a copy of your data. This might be for legitimate reasons (e.g. law enforcement request, network performance testing, etc.) or for malicious/criminal reasons.

When your connection is encrypted, the data still flows through all these systems and can still be intercepted, but the person doing this will only get encrypted data. Without the correct decryption key, it will be very difficult to access the original data. With modern encryption ciphers, it will take many years to crack the encryption - long enough that most attackers won’t bother.

Now, this doesn’t mean you should never visit a non-encrypted web site. But it does mean you should not provide any sensitive information to a web site that is not encrypted, because there is a possibility that the data could be intercepted by a malicious person.

Sensitive information includes obvious things like account numbers and passwords (including the credentials you provide when logging on to a site), but could be anything, depending on what you are doing and how much you care about a third-party getting a copy.

See above. Most web sites these days already support encryption, via the HTTPS protocol.

Sites that are not encrypted (e.g. an http:// URL - note that there’s no “S”) are inherently insecure and there’s not much you can do about it other than asking the site owner to start encrypting it. The most important thing you can do is be aware of such sites and be careful what you do when you’re using the site.

Modern web browsers will include an indication that a site is not encrypted or that it contains a mix of encrypted/non-encrypted content.

Firefox indicates insecure sites with a padlock icon that has a red line across it. And clicking on that padlock will tell you why it is considered insecure. For instance (this is from a web server I run in my home office):

Screen Shot 2022-07-28 at 14.19.26

Safari puts the text “Not Secure” in the location bar:

4 Likes

There are good explanations and advice here:

And Apple is adamant about developers including HTTPS on their apps;

Another good explanation here:

3 Likes

No, it’s worse than this, and you should probably never visit a non-encrypted web site. While sensitive data flowing from the user’s browser to the web site is definitely a concern, remember that it’s a two way street. The web site is sending data back to the user’s browser, and if it’s not encrypted, it can not only be intercepted along the way (so any sensitive data the web site embeds in the page can be captured), but potentially modified. Images can be replaced, text modified to give misleading or incorrect information, URLs modified to either track the user or to direct them to a phishing site, etc.

5 Likes

I have found that sometimes when I end up on a non-encrypted (http) site I can edit the URL address by changing ‘http’ to ‘https’ and it works. Some web sites have both versions running and you just need to tell your browser to move to the https version. The ‘HTTPS Everywhere’ extension for Firefox (and browsers other than Safari) will do this automatically for you. I highly recommend it.

Well, as far as https, I still do a couple three websites for free and the SSL certificate my hosting provider offers is around $100 a year which my clients (well friends really) think is high. They are not e-commerce sites and have simple contact forms that require no personal info. I have seen yearly costs for a certificate range from less than $10 to many hundreds. And the security offered (encryption strength) seems to vary, too. So just seeing an https url isn’t a perfect guarantee!

Another thing having a https certificate gives the website owner is liability insurance for data theft, and of course the level of coverage varies with the price too!

If it’s a certificate from an agency that is trying to provide a digital identity (e.g. prove who owns the site, not just validate the domain), then $100/yr may be reasonable.

If, however, it is a certificate that only validates your domain name and encrypts content (e.g. the kind you get from Let’s Encrypt), then that’s massively overpriced. Since Let’s Encrypt is a free service, support for or something else with similar capabilities it should be very inexpensive, if not free.

1 Like

The hosting company for three Websites that I run apparently does not offer support for Let’s Encrypt, and the encryption service that it does offer would cost me $66/year for each of the three. Since all of them are effectively read-only and public service, adding encryption would nor provide any benefit to me or to my readers. Furthermore, it would make these Websites effectively unavailable to folks who are living with old machines, because old Web browsers will throw up misleading security alerts when the real problem is that their some of their own certificates are obsolete. For that very reason, there are up-to-date Websites that I cannot access from my old machines–only from my newer ones. (I have five machines of various vintages, from MacOS 8.1 up to Monterey.) While it’s theoretically possible to import additional certificates, I’ve never found it sufficiently important to take the time to investigate where such certificates could safely be found.

Free Let’s Encrypt certificates should be automatic for any shared hosting provider, I would find another host rather than pay for certificates.

Even when the information is not critical or private, having encryption on a site is reassuring and the norm. It also prevents a man-in-the-middle attack from inserting malicious content in the pages as they’re delivered (including things like ISPs inserting ads).

The vast majority of users are using an OS/browser that works with Let’s Encrypt certificates after their change last year. For users using iOS before v10 or macOS before Sierra (10.12.1, and haven’t manually installed the current certificate or switched to using Firefox), rather than pay for a more compatible certificate for such content, I would leave HTTP active instead of redirecting all requests to the HTTPS equivalent.

To permit really old browsers to connect, you need an unencrypted version anyway because they don’t support more modern, secure TLS protocols or ciphers. A shared hosting provider might configure the server to use the oldest, most compatible (and least secure) settings to avoid complaints but it still wouldn’t be compatible with an OS/browser from 20+ years ago.

2 Likes

Here it is: https://letsencrypt.org/certs/isrgrootx1.pem

It’s easy to add on a Mac, download the certificate, double-click it, accept the prompts, type in your password, done. The steps are about the same if you click the link on an iOS device.

From last year: Root security certificate expiring September 30 affecting El Capitan and older

2 Likes

Also, Google has been threatening to not index http sites for quite a while, and is possibly downgrading their position in results right now.

I think not indexing unencrypted sites is unlikely.

I don’t think lack of encryption is affecting a site’s position in search results yet but I could see it happening. This recent article is not high quality (it repeatedly fails to include the “S” in “HTTPS”) but it quotes a John Mueller, Webmaster Trends Analyst at Google, who says it’s a good idea to replace HTTP links with HTTPS ones but not for search algorithm reasons. Google: “Always Try” To Replace HTTP Links With HTTPS, makes a meal out of a very brief comment.

That’s probably true now–a search result that is the top hit on DuckDuckGo appears near the bottom of the second page on Google. But since I’m not selling anything, nor trying to persuade folks of something, that’s not a problem for me.

Thanks, Curtis. That worked on Firefox 37, though I had to add a security exception to get to letsencrypt.org in the first place, and then it wasn’t a “download & double-click,” as Firefox recognized that it was an incoming certificate. Of course FF37 is too old to handle a lot of modern Websites properly, but that’s a different problem.

Unlike most browsers, Firefox doesn’t use the Mac’s root certificate store, it includes its own, so the steps are different.

Any Mac that can run Firefox 37 can run Firefox 47 (installer, OS X 10.6 or newer). Firefox 78 runs on 10.9 or newer (installer), the last ESR release was from less than a year ago. Using 47 instead of 37 means means having support for a number of JavaScript language features that are likely to be used on more modern sites. Using 78 means having CSS Grid support, an important feature for creating page layouts. Web feature comparison of all three versions.

Because this thread is about encryption, I’ll point out running 47 means having support for more ciphers and running 78 means having support for TLS 1.3, the latest version.

TenFourFox ceased work last year but the last release was based on Firefox 45 but with some features and security updates back ported from Firefox 78; it runs on PowerPC Macs with OS X 10.4 or 10.5 (installer). I don’t really keep track of other browser forks that might work on older systems but have more modern web features.

3 Likes

It has been nearly a year since this thread was started but there is a lot of information relevant to my issue…

I have created dozens of web pages over the years with links to news and research relevant to a wide range of topics, but mainly vehicle safety and astronomy. None of these have data entry forms and I have never seen the need for the expense and effort (i.e. updating numerous links) to move to “secure” https webpages with SSL certificates.

However I have noticed that several of my webpages that were once easy to find with Google/Duckduckgo are no longer listed. I realise that, these days, search engines are swamped with URLs but I am wondering if they are avoiding listing web pages without SSL certificates, as discussed above.

The other issue is that web browsers now tend to warn users that a web page is “not secure” and this might put people off viewing them.

As it should, and that’s not bad in the grand scheme of things. It’s an iffy proposition from a security standpoint to ignore what’s now baseline security by not deprecating http and offering web sites with https.

1 Like

Not addressing your question exactly, but I would be glad to visit your astronomy links. Currently excruciating over whether astronomy is just “one too many expensive interests with steep learning curves”… or whether I wouldn’t be better off using a Windows machine for it.