Editing 2634: Red Line Through HTTPS

Latest revision Your text
Line 8: Line 8:
  
 
==Explanation==
 
==Explanation==
 +
{{incomplete|Created by a RECURSIVE REDLINE - Please change this comment when editing this page. Do NOT delete this tag too soon.}}
  
This comic pokes fun at the lack of security implied by an unverified {{w|https}} connection as implied by the "red line through (<span style="color:red"><s>https</s></span>)". https is an extension to the http protocol which (among other things) verifies that the server owns the domain name. “Insecure” https is usually caused by invalid TLS certificates, which can be an indication that an attacker is intercepting the connection (the attacker doesn’t have access to the certificates). However reasons for “insecure” https are often caused by benign reasons:
+
Some web browsers display https with a red line through it (<span style="color:red"><s>https</s></span>) to indicate that there is a problem with the HTTPS connection. The red line is supposed to be a clear warning to the user that the connection is not guaranteed to be secure, and that anything about the site might have been modified. But more importantly, that anything you send back (like passwords) might be observable by anyone.
  
* The certificates expired, and the site maintainers have not asked for new certificates.
+
However, in practice some sites simply are misconfigured or have never been updated to use newer security measures. In these cases the red line through https are nothing to be concerned about, and as stated in the comic probably just means the site hasn't been maintained for a long time. This is especially true for websites that are simple documents that don't ask for any sensitive information from the user. Cueball takes this line of reasoning to the extreme, concluding that webpages with the red line are perhaps more likely to be safe than webpages that are more modern and supposed to be more secure.
* The certificates are self-signed by the owners.
 
* The client has an outdated list of CA certificates.
 
  
A comprehensive list of reasons associated with server misconfigurations can be found on [https://badssl.com/ badssl].
+
There is a wide variety of reasons why a HTTPS connection might not be secure. A comprehensive list of reasons with examples can be found on badssl.com[https://badssl.com/].
  
Although a lack of the https protocol in a web process does allow for third party tampering and deception, it also implies that the site is rather old; and, if it has been maintained for this long, it is probably not malicious, as most malicious sites are either reported and taken down or allowed to become defunct by their operators after a short amount of time.
+
The title text uses two very circumstantial (and not really dependable) details as if they were factors reinforcing the misplaced trust. For the first, you may perhaps think that if someone is still paying domain/hosting fees that they are still confident about their site's content. For the second, the search engines/archives appear to have not lost ''their'' confidence in it for whatever reason. There are problems with both these assumptions, and it does little to restore sanity to the already shaky understanding being exhibited.
 
 
The title text essentially explains the joke, noting that maintaining a website costs money and that there are regulatory agencies responsible for taking down sketchy domains, and so if a website is still up despite these obstacles, it is probably trustworthy.
 
 
 
A similar question was asked on [[1256: Questions]].
 
  
 
==Transcript==
 
==Transcript==
:[White Hat is sitting in an office chair at his desk facing his laptop while Cueball is standing behind him looking over his shoulder.]
+
{{incomplete transcript|Do NOT delete this tag too soon.}}
 +
:[White Hat sits at a desk facing his laptop with Cueball standing behind him looking over his shoulder.]
 
:White Hat: What does the red line through https mean?
 
:White Hat: What does the red line through https mean?
 
:Cueball: Oh, just that the site hasn't been updated since 2015 or so.
 
:Cueball: Oh, just that the site hasn't been updated since 2015 or so.
 
:Cueball: And since it's been around that long it means it's probably legit.
 
:Cueball: And since it's been around that long it means it's probably legit.
 +
  
 
{{comic discussion}}
 
{{comic discussion}}
 
+
[[Category:Internet]]
 +
[[Category:Comics featuring Cueball]]
 
[[Category:Comics featuring White Hat]]
 
[[Category:Comics featuring White Hat]]
[[Category:Comics featuring Cueball]]
 
 
[[Category:Computer security]]
 
[[Category:Computer security]]
[[Category:Internet]]
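
Review bot: in the paragraph beginning "This comic pokes fun", the parenthetical "the attacker doesn’t have access to the certificates" is imprecise. Certificates are sent to every client in the TLS handshake, so what an interceptor lacks is the private key matching a certificate that a trusted CA issued for the domain; suggest "the attacker doesn’t have the private key for the site’s certificate". The paragraph beginning "Although a lack of the https protocol" describes plain http, while the comic and the other paragraphs are about https shown with a red line; if that paragraph is kept, reword it to "a broken https connection". The same opening paragraph also repeats itself ("reasons ... are often caused by benign reasons"), which would read better as "However, “insecure” https often has benign causes:".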
 
