SSL + your website = ?

dvsman

So I noticed that Google Chrome is giving me the stink eye about websites I visit that aren't SSL secured lately. Is this really a big deal that I should be concerned about? What about for personal websites / blogs that don't do e-commerce or financial transactions of any kind?

I wanted to see what my fellow [H]'ers thought about this since Google (on Chrome) is pushing the big error messages that say "INSECURE, GOING TO THIS WEBSITE WILL GIVE YOU AIDS" type warnings on sites that aren't SSL certified now.
 

Vashypooh

SSL certs are free.

Put one on it.

The warnings are going to get even worse than they are now. The ultimate plan will likely result in the website having a giant red warning bar as well.
 

Mr. Baz

There is way more to SSL than just "Put one on it."
Any person or company that doesn't bother with SSL certs isn't worth my time or effort. SSL certs are for so much more than just websites you perform monetary transactions on or enter sensitive data.

For testing our browser and servers:
https://www.ssllabs.com/

An SSL cert can be just as useless as no cert if the server is not configured correctly.
Hardforum.com gets an A+, which is fantastic -- even though they still have TLS 1.0 enabled.
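
The kind of check the post above points at, as an added example that is not part of the thread: this Python sketch offers a server exactly one TLS version at a time and lists the deprecated ones it still accepts. The function names, the host you pass in, and the constructed `SAMPLE` result are assumptions for illustration.

```python
import socket
import ssl
import warnings

# Versions probed, oldest first. TLS 1.0 and 1.1 were deprecated by RFC 8996.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = ("TLS 1.0", "TLS 1.1")


def accepts(host, version, port=443, timeout=5.0):
    """Return True if the server completes a handshake at exactly `version`.

    Raises if the local OpenSSL build cannot offer `version` or the host
    is unreachable, so neither case is misreported as "not accepted".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: certificate trust
    ctx.verify_mode = ssl.CERT_NONE  # is deliberately not evaluated here
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy versions
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionResetError):
            return False


def probe(host):
    """Map each version label to whether `host` accepted it."""
    return {label: accepts(host, v) for label, v in VERSIONS.items()}


def findings(results):
    """Turn probe results into the configuration problems worth fixing."""
    issues = [f"{label} is still enabled" for label in DEPRECATED if results.get(label)]
    if not (results.get("TLS 1.2") or results.get("TLS 1.3")):
        issues.append("no modern protocol (TLS 1.2 or 1.3) is offered")
    return issues


# Constructed sample result: a server with a valid cert that still accepts TLS 1.0.
SAMPLE = {"TLS 1.0": True, "TLS 1.1": False, "TLS 1.2": True, "TLS 1.3": True}
```

Run `findings(probe("your.server.example"))` against a server you operate; an empty list means only TLS 1.2 and 1.3 were accepted.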
 

Spidey329

> So I noticed that Google Chrome is giving me the stink eye about websites I visit that aren't SSL secured lately. Is this really a big deal that I should be concerned about? What about for personal websites / blogs that don't do e-commerce or financial transactions of any kind?
>
> I wanted to see what my fellow [H]'ers thought about this since Google (on Chrome) is pushing the big error messages that say "INSECURE, GOING TO THIS WEBSITE WILL GIVE YOU AIDS" type warnings on sites that aren't SSL certified now.

Chrome is transitioning to http = bad. All sites without a valid cert will be flagged and the user warned. I think they plan to flag self-signed certs as well.

It sucks for sites that don't do any type of form data, like old informational archives. It implies the site isn't safe, so random Joe Blow will transition away.

It also creates a false sense of security, as people think certs = safety. So they see a green bar and assume they're safe, not realizing that it's a valid cert, but the site is a counterfeit page.
 

Biznatch

> Chrome is transitioning to http = bad. All sites without a valid cert will be flagged and the user warned. I think they plan to flag self-signed certs as well.
>
> It sucks for sites that don't do any type of form data, like old informational archives. It implies the site isn't safe, so random Joe Blow will transition away.
>
> It also creates a false sense of security, as people think certs = safety. So they see a green bar and assume they're safe, not realizing that it's a valid cert, but the site is a counterfeit page.


This should have been done long ago. It's not just to protect transactions, but also snooping from ISPs and manipulation of the data in transit. So technically your site isn't safe as all data is sent as clear text over HTTP.

Certs that have not been created/signed by a trusted Root Authority have always been flagged by the browser. A self-signed cert is the equivalent of a site saying you can trust me because I am who I say I am.

And you cannot have a valid cert on an invalid page unless you failed to protect your private SSL key, and someone else gained access to that. That is a failure of the site's security, not of the SSL mechanism. That would be like leaving your house key under your mat, then complaining that the locks are shitty because someone accessed your house.
 

goodcooper

> Chrome is transitioning to http = bad. All sites without a valid cert will be flagged and the user warned. I think they plan to flag self-signed certs as well.

Are you sure re: the self-signed certs, too? Do you have a source you can post about that? Would be nice to provide for some people that would like us to spend a lot of time and resources on an SSL inspection project...

Seems like SSL inspection may just get more and more difficult if what you're saying is true...
 

NoOther

> So I noticed that Google Chrome is giving me the stink eye about websites I visit that aren't SSL secured lately. Is this really a big deal that I should be concerned about? What about for personal websites / blogs that don't do e-commerce or financial transactions of any kind?
>
> I wanted to see what my fellow [H]'ers thought about this since Google (on Chrome) is pushing the big error messages that say "INSECURE, GOING TO THIS WEBSITE WILL GIVE YOU AIDS" type warnings on sites that aren't SSL certified now.

Part of it is to help prevent sites from masquerading as the site you want to visit. Mainly this is to help cut down on people going to malicious sites and getting infected. It is only one part of the security onion, but an essential part that could help a lot of people, especially those that don't pay attention to what they click.
 

/dev/null

> Part of it is to help prevent sites from masquerading as the site you want to visit. Mainly this is to help cut down on people going to malicious sites and getting infected. It is only one part of the security onion, but an essential part that could help a lot of people, especially those that don't pay attention to what they click.

I don't think SSL does this at all. There are TONS of PayPal look-alike sites with Let's Encrypt certs for phishing...
 

NoOther

> I don't think SSL does this at all. There are TONS of PayPal look-alike sites with Let's Encrypt certs for phishing...

But then you are agreeing to use a self-signed or unverified cert for the site...
 

/dev/null

> But then you are agreeing to use a self-signed or unverified cert for the site...

SSL tries to be something that encrypts a channel & validates who a remote party is.

On goal 1, this works most of the time (yeah some sites still use SSL3...). On goal 2, this works some of the time, as phishing certs/typo certs/etc are never pulled/revoked from what I've seen. SSL is "better" but doesn't really guarantee anything unless you have the technical chops to look at & understand the certificate which 99.999% of people aren't able to do.
 

NoOther

> SSL tries to be something that encrypts a channel & validates who a remote party is.
>
> On goal 1, this works most of the time (yeah some sites still use SSL3...). On goal 2, this works some of the time, as phishing certs/typo certs/etc are never pulled/revoked from what I've seen. SSL is "better" but doesn't really guarantee anything unless you have the technical chops to look at & understand the certificate which 99.999% of people aren't able to do.

I never claimed SSL was perfect. He asked why Google was complaining, I answered why Google was complaining.

I am also not sure what you mean by pulled or revoked? Are you saying that the root cert organizations do not remove/revoke a phishing site's cert? They definitely are. How well revocation works is another issue.
 

/dev/null

> I never claimed SSL was perfect. He asked why Google was complaining, I answered why Google was complaining.
>
> I am also not sure what you mean by pulled or revoked? Are you saying that the root cert organizations do not remove/revoke a phishing site's cert? They definitely are. How well revocation works is another issue.

Let's Encrypt at one point had 14k+ PayPal phishing site certs. They refused to revoke them.
 

NoOther

> Let's Encrypt at one point had 14k+ PayPal phishing site certs. They refused to revoke them.

Okay, but that isn't the sum total of all CAs... Your comment was that they were never revoked. That isn't true.
 

ZeqOBpf6

Is there much value to https for a site where a user can do nothing but read? If I'm just reading some blog/website about something new, and there's no way for me to log in or input any info at all, what risk is there that https mitigates?
 

NoOther

> Is there much value to https for a site where a user can do nothing but read? If I'm just reading some blog/website about something new, and there's no way for me to log in or input any info at all, what risk is there that https mitigates?

That is more for the validity of the site itself. Again, it's supposed to be a way you know you are at the right site and are actually reading real content from that site. If it was just an http site, anyone could spoof traffic to/from that site and misdirect you with no real effort.
 

goodcooper

SSL doesn't validate who a remote party is, control of DNS does... There are some add-ons to a lot of services CAs offer that try to do this, but it's always a joke
 