explain xkcd - User contributions [en]

Talk:2634: Red Line Through HTTPS

2022-06-18T11:33:30Z

Jespertheend: fix formatting

HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available.
With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired).
[[User:Darrylnoakes|Darrylnoakes]] ([[User talk:Darrylnoakes|talk]]) 04:28, 18 June 2022 (UTC)

:I think the intended joke is that the site's certificate expired in 2015, instead of the site is not using HTTPS. [[Special:Contributions/108.162.221.101|108.162.221.101]] 06:29, 18 June 2022 (UTC)

:2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like [https://www.mixedcontentexamples.com/ mixed content]. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. [[Special:Contributions/172.69.69.250|172.69.69.250]] 08:30, 18 June 2022 (UTC)

::Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 10:49, 18 June 2022 (UTC)

Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. [[Special:Contributions/172.69.79.201|172.69.79.201]] 10:11, 18 June 2022 (UTC)

:It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 10:49, 18 June 2022 (UTC)

I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I ''do'' occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
 I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. [[Special:Contributions/172.70.90.173|172.70.90.173]] 11:21, 18 June 2022 (UTC)

:You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/, http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the url. And as can be seen here [https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:32, 18 June 2022 (UTC)

I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'https://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here.
Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke.
I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:23, 18 June 2022 (UTC)

Talk:2634: Red Line Through HTTPS

2022-06-18T11:32:22Z

Jespertheend:

HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available.
With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired).
[[User:Darrylnoakes|Darrylnoakes]] ([[User talk:Darrylnoakes|talk]]) 04:28, 18 June 2022 (UTC)

:I think the intended joke is that the site's certificate expired in 2015, instead of the site is not using HTTPS. [[Special:Contributions/108.162.221.101|108.162.221.101]] 06:29, 18 June 2022 (UTC)

:2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like [https://www.mixedcontentexamples.com/ mixed content]. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. [[Special:Contributions/172.69.69.250|172.69.69.250]] 08:30, 18 June 2022 (UTC)

::Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 10:49, 18 June 2022 (UTC)

Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. [[Special:Contributions/172.69.79.201|172.69.79.201]] 10:11, 18 June 2022 (UTC)

:It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 10:49, 18 June 2022 (UTC)

I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I ''do'' occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
 I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. [[Special:Contributions/172.70.90.173|172.70.90.173]] 11:21, 18 June 2022 (UTC)

:You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/, http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the url.
As can be seen here [https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:32, 18 June 2022 (UTC)

I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'https://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here.
Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke.
I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:23, 18 June 2022 (UTC)

Talk:2634: Red Line Through HTTPS

2022-06-18T11:23:53Z

Jespertheend:

HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available.
With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired).
[[User:Darrylnoakes|Darrylnoakes]] ([[User talk:Darrylnoakes|talk]]) 04:28, 18 June 2022 (UTC)

:I think the intended joke is that the site's certificate expired in 2015, instead of the site is not using HTTPS. [[Special:Contributions/108.162.221.101|108.162.221.101]] 06:29, 18 June 2022 (UTC)

:2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like [https://www.mixedcontentexamples.com/ mixed content]. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. [[Special:Contributions/172.69.69.250|172.69.69.250]] 08:30, 18 June 2022 (UTC)

::Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 10:49, 18 June 2022 (UTC)

Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. [[Special:Contributions/172.69.79.201|172.69.79.201]] 10:11, 18 June 2022 (UTC)

:It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 10:49, 18 June 2022 (UTC)

I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I ''do'' occasionally follow a normal-looking link (maybe locally CSSed in a on over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
 I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. [[Special:Contributions/172.70.90.173|172.70.90.173]] 11:21, 18 June 2022 (UTC)

I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'https://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here.
Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke.
I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:23, 18 June 2022 (UTC)

2634: Red Line Through HTTPS

2022-06-18T11:12:29Z

Jespertheend: Clarify what a red line through https actually means and remove mentions of 'http'

{{comic
| number = 2634
| date = June 17, 2022
| title = Red Line Through HTTPS
| image = red_line_through_https.png
| titletext = Some organization has been paying to keep this up and it hasn't been removed from search results. Seems like two votes of confidence to me.
}}

==Explanation==
{{incomplete|Created by a RECURSIVE REDLINE - Please change this comment when editing this page. Do NOT delete this tag too soon.}}

Some web browsers display https with a red line through it (<s>https</s>) to indicate that there is a problem with the HTTPS connection. The red line is supposed to be a clear warning to the user that the connection is not guaranteed to be secure, and that anything about the site might have been modified. But more importantly, that anything you send back (like passwords) might be observable by anyone.

However, in practice some sites simply are misconfigured or have never been updated to use newer security measures. In these cases the red line through https are nothing to be concerned about, and as stated in the comic probably just means the site hasn't been maintained for a long time. This is especially true for websites that are simple documents that don't ask for any sensitive information from the user.

There is a wide variety of reasons why a HTTPS connection might not be secure. A comprehensive list of reasons with examples can be found on badssl.com[https://badssl.com/].

==Transcript==
{{incomplete transcript|Do NOT delete this tag too soon.}}
:[White Hat sits at a desk facing his laptop with Cueball standing behind him looking over his shoulder.]
:White Hat: What does the red line through https mean?
:Cueball: Oh, just that the site hasn't been updated since 2015 or so.
:Cueball: And since it's been around that long it means it's probably legit.

{{comic discussion}}
[[Category:Internet]]
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring White Hat]]

Talk:2634: Red Line Through HTTPS

2022-06-18T10:49:28Z

Jespertheend: