2634: Red Line Through HTTPS

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
Red Line Through HTTPS
Some organization has been paying to keep this up and it hasn't been removed from search results. Seems like two votes of confidence to me.
Title text: Some organization has been paying to keep this up and it hasn't been removed from search results. Seems like two votes of confidence to me.

Explanation[edit]

Ambox notice.png This explanation may be incomplete or incorrect: Created by a SPY AGENCY THAT PRETENDS TO NOT BE DISCUSSED - Please change this comment when editing this page. Do NOT delete this tag too soon.
If you can address this issue, please edit the page! Thanks.

Some web browsers display https with a red line through it (https) to indicate that there is a problem with the HTTPS connection. The red line is supposed to be a clear warning to the user that the connection is not secure, and that anything about the site, or that you send to the site (like passwords) may be observed or modified in transit by anyone. This danger is true of HTTP connections as well, but HTTPS connections are used for secure communications such as banking and email.

In practice, some sites are misconfigured, or have not been updated to use newer security measures: this happens especially when security data called certificates expire before they are renewed, or when the user's clock is set to the wrong year. In these cases the red line through https is not from a malicious attack, but generally still indicate that the connection is vulnerable.

Before system and network compromise had become a means of international power, the primary concern around the HTTPS connection issue was whether or not the user was viewing the correct website, or one maliciously inserted by a blackhat neighbor or a virus. If there was a reasonable explanation for the problem, people would view the website anyway, and this habit became so normal that at times it became common for malicious actors to just rely on users to ignore the warning. Cueball takes this line of reasoning to the extreme, concluding that webpages with the red line are perhaps more likely to be safe than webpages that are more modern and supposed to be more secure.

Some may see the comic as sarcasm, that there are all these security measures in place, but people are not sure what to do when the flags are raised, maybe moreso when things become more established and complex.

When you see this red line, the proper thing to do is first to download the certificate and pin it in the system's store. This will raise a notice if it ever changes. For homemade certificates, called "self-signed", this is a normal situation. Nowadays self-signed certificates are no longer needed for normal public websites. The second thing to do is to contact the owner, and the community, via channels that are more secure, and engage the situation until it is properly addressed.

There are a wide variety of reasons why an HTTPS connection might not be secure. A list of reasons associated with dangerous misconfigurations can be found on badssl.com[1]. An HTTPS certificate (which offers reassurance that your information won't be stolen by a third party) is free to set up at for example https://letsencrypt.org, and takes only a few minutes, although note that this is not a barrier for someone building a site intentionally to steal your information. A phisher could set up a site with HTTPS and have it trick you into giving up your info for some time before being caught and brought down. You can do this to your neighbor using free man-in-the-middle software, and they will be shown the red line indicating that you did so. The outdated-ness of the red line through the https refers to the situation of people not renewing their certificates when a site is abandoned; the expression mocks a common mistake of coming up with any relevant excuse to avoid the confusing situation of not being able to rely on https to verify you are communicating with the real website you visited.

The title text uses two very circumstantial (and not really dependable) details as if they were factors reinforcing the misplaced trust. For the first, you may perhaps think that if someone is still paying domain/hosting fees that they are still confident about their site's content. For the second, the search engines/archives appear to have not lost their confidence in it for whatever reason. There are problems with both these assumptions , and it does little to restore sanity to the already shaky understanding being exhibited. It is misusing a norm of factors of trust, in sarcasm around poor security of the modern day.

Transcript[edit]

[White Hat is sitting in an office chair at his desk facing his laptop while Cueball is standing behind him looking over his shoulder.]
White Hat: What does the red line through https mean?
Cueball: Oh, just that the site hasn't been updated since 2015 or so.
Cueball: And since it's been around that long it means it's probably legit.


comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!

Discussion

HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available. With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired). Darrylnoakes (talk) 04:28, 18 June 2022 (UTC)

I think the intended joke is that the site's certificate expired in 2015, instead of the site is not using HTTPS. 108.162.221.101 06:29, 18 June 2022 (UTC)
2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like mixed content. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. 172.69.69.250 08:30, 18 June 2022 (UTC)
Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. Jespertheend (talk) 10:49, 18 June 2022 (UTC)
Until about 2015 no-one complained if you didn't offer HTTPS as long as you didn't request anyone's credit card number or offered .exe files: An internet site offers nothing but inherently untrustable text. It might contain ads that can execute any piece of javascript. It even could contain flash - so why pay a substantial amount of money to make the transport of that data more secure? Nowadays most web browsers tell on you if you don't secure connections and allowing the telco to see what data you download from where is felt as a privacy intrusion. On the other side not every hoster offers https for multiple domains...--Gunterkoenigsmann (talk) 15:03, 19 June 2022 (UTC)
2015 is around when global information security and true news radically reduced. The Let's Encrypt answer sounds like the right one, though. Somebody released an app to spy on people who weren't using HTTPS, and then sites adopted HTTPS widely. 172.70.230.63 02:10, 21 June 2022 (UTC)

Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. 172.69.79.201 10:11, 18 June 2022 (UTC)

It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. Jespertheend (talk) 10:49, 18 June 2022 (UTC)

I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I do occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. 172.70.90.173 11:21, 18 June 2022 (UTC)

You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/, http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the url. And as can be seen here [2], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. Jespertheend (talk) 11:32, 18 June 2022 (UTC)
Ugh, I'd hate that. I have a little webpage of my own, and I'm not in a position to be able to go https, :( That "badssl" site has several example issues, which ones go red/strikethrough? I want to confirm no browser I have does that. NiceGuy1 (talk) 04:56, 19 June 2022 (UTC)
I browse XKCD (and this site) on my iPad, I had thought Safari couldn't get past the "Bad site" warning page but I just found out how and can confirm, no red strikethrough. Though I only tried Expired Cert, since I can't get anybody to tell me which errors do it. NiceGuy1 (talk) 04:33, 25 June 2022 (UTC)
I was about to remark the same thing, :) NEVER seen a strikethrough. I'm rather assuming it's something Chrome does, because I about exclusively use Firefox, and Chrome likes to be weird and non-standard (main reason I generally don't use it), and too many people act like there's no other browser than Chrome. Likewise, most I get is "Security Risk!", then find out it's a Bad Certificate, then it turns out it expired and they just haven't updated it yet. Stop being so dramatic, LOL! NiceGuy1 (talk) 04:28, 19 June 2022 (UTC)
I'm a Chrome user (part of the time, being the "handful of lesser flavours" contributor, above, but using it this very second) and I don't see it. But then I turned off its look-ahead (downloading of pages it thinks I'll go to next) because I'd rather it not, and as some sort of pre-emptiveness seems necessary to know a link should be red-struckthrough, I probably (hopefully?) neutered that stupid potential exploit too... So don't take my experience as gospel. (But still sounds like an Edge thing, to me, the way that's the new IE in the current browser ecosystem.) 172.70.162.5 11:32, 19 June 2022 (UTC)
It's not links (to other pages) that get the strikethrough. It's the protocol/scheme name in the current page's address bar. See, for example, the picture in https://superuser.com/a/369839/93954. This is far less intrusive than any of the warning pages you've mentioned seeing; maybe you just haven't noticed when it does that? For a current live example, in Edge, I'm seeing the (not red) strikethrough e. g. on https://self-signed.badssl.com/ both on the warning page and after clicking through it to accept the bad certificate. And as it happens, I could swear that just within the last few days I've been on a mixed-content website that displayed the strikethrough, but I'm not certain what website it was and I can't reproduce this now, so I'm probably misremembering. Chortos-2 (talk) 23:44, 20 June 2022 (UTC)
"maybe you just haven't noticed when it does that?" - yes, apparently. See below, comment timestamped 09:42, 21 June 2022, having not seen the above comment because it happened just before the daily Recent Changes new-date boundary. But just wanted to acknowledge that you were actually spot on and clearly understand the thinking processes of all these others like me better than those who were tasked to create the UX of the UI! 141.101.99.32 10:35, 21 June 2022 (UTC)

I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'http://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here. Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke. I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. Jespertheend (talk) 11:23, 18 June 2022 (UTC)

While it's true that some browser security warnings are false alarms, I think that paragraph is missing the point of the comic. Cueball is assuming that any site that's been around for years must be operated well. But often the maintainers of the site get complacent and don't update to newer standards. And even if the real site is legit, the security warning can mean that traffic has been intercepted, so you're not actually going to the real site. Barmar (talk) 13:40, 18 June 2022 (UTC)

Also, someone who hasn't taken the trouble to keep their security certificates up to date is probably more likely to have neglected their server security generally, so it's more likely that someone could have hacked them and be serving you up all kinds of crap. 172.70.85.177 08:22, 20 June 2022 (UTC)

I presumed this was about using outdated protocols like TLS 1.0 or weak ciphers. 172.70.110.121 00:28, 19 June 2022 (UTC)

You'd almost think Randall didn't live in the Boston metropolitan area. I was disappointed. JohnHawkinson (talk) 04:30, 19 June 2022 (UTC)

Okay, at least two of us don't see this behaviour, so this is NOT as universal as Randall seems to think, could somebody figure out why and put it in the explanation? (I reject the possibility that we just haven't visited the right (wrong) sites. I, for one, go to WAY too many sites, LOL!). My leading theory is that instead of being universal, this behaviour is actually unique to Chrome (as I don't use it much and can easily have never visited an insecure website on it), since I use Firefox primarily, and many people seem to forget that there are other browsers than Chrome, and Google goes out of it's way to be as weird as possible, including being fancy for the sake of fancy (like the colour-coding and strikethrough). NiceGuy1 (talk) 04:49, 19 June 2022 (UTC)

Where is Cueball saying that websites with a red line through HTTPS are more secure than modern websites? In the comic he merely says that the red line means that the website is legit, he doesn't make any comparison at all. Kzkzb (talk) 22:12, 19 June 2022 (UTC)

I think the current explanation is missing a key aspect of the humor. The fact is, it takes minutes to add HTTPS to your site for free (see e.g., https://www.freecodecamp.org/news/free-https-c051ca570324/). A phisher could set up a site with https and have it trick you into giving up your info for a while before being caught and brought down. I think the outdated-ness of the red line through the https indicates that the site has been around for a long time, and therefore is less likely to be a scam. I'll add something small to this effect, but let me know if you disagree, I'm not 100% sure about this. Jrfarah (talk) 23:04, 19 June 2022 (UTC)

While you can set up HTTPS certificate for free in minutes, you need to have control over the domain to be able to. This is key aspect in the security - only I can control my domain, therefore if you see green HTTPS on my website, you can be sure it is a genuine one, whereas if you see anything else, it might not be 89.177.163.36 16:43, 20 June 2022 (UTC)
Aside from the issue of a previously controlled+certificated domain being hijacked... As far as I'm concerned a style="text-color: green" sort of thing would suffice to produce the exact same effect.
Nobody has yet satisfactorily explained which browsers do this, and under which circumstances... No Chrome doesn't do this. (Not my Chrome, anyway, but maybe I'm just using the wrong one?)
But, for when it does happen, does it not override inline/CSS styles, in which case the link 'warning' is entirely disguisable by the link-author. Even in the most incapable and hobbled version of newb-servicing CMS, and definitely with direct markup-editing capability.
Or they do, in which case (not that I have much sympathy for the absolutist type) I hear the wailings of a thousand web-designers, unable to control every last visual element to their utter and complete desire because the browser spoils their desired pallette, even if they overlook the mythical strikethrough rendering.
(The amateur web designer I knew who set up a pixel-perfect site by making the page he desired an image with image-mapped hotspot-links on the blue-underlined fully rasterised words... It sounds like he would have neutered the HTTPS warning. But in the most annoying and frustrating way.)
I assume it's a common sight for Randall, to have inspired him so (and write about it as if we should similarly have a good idea about it). For me, though, I assumed it was a broken-link thing, i.e. a non-available web resource, but then of course a page/site that is entirely offline cannot be so easily hacked. But I take it on trust that the current explanation (as far as it goes) is the real one. 172.70.91.58 22:37, 20 June 2022 (UTC)
No, this isn't rendered on the page. Go to https://badssl.com/ yourself and you'll see you can't use CSS to change how the https is rendered red with strikethrough in the address bar. But I see Chrome use the red strikethrough display while Firefox doesn't, instead showing "Not Secure" next to the security icon.
Oh, on the adress bar. That was never clear (and still isn't, in my view) as all I was seeing on baddssl was red (not-struckthrough) links that I could attempt to visit normally enough (but get the warning page) but the address-bar automatically goes and hides itself far too quickly, until I go and look for it specifically (which I often won't, unless I need to copy/edit it at all, perhaps).
It also 'only' marks the "https", where honestly I was expecting the entire URL, so on the very few prior occasions that I've had Chrome intervene with the "Your connection is not secure" whole-page pre-intervention I've mostly been trying to back-page away anyway and so my eyes have been aiming completely away from the bit concerned (the back-page is accessed either from bottom-left OS "back" or the browser's "back" on the menu toggle at the top-right - the https://blah.blah.net/whatever/page/it?is=that&didnt=load has its visual cue set far away to the top left) and thus this idea of highlighting the problem has somehow managed to completely evade my notice for however long it has actually been a thing... Even when I specifically went looking for it, a few days ago, in response to this comic!
(If the 'page'-level warning weren't so overriding, maybe the address-bar one would have been more noticable, but then the question is which of these indicators is the most informative/prophylactive... I reckon the entire page stopping you from progressing is the clincher, here.)
Mystery solved, but shows how blind one can be, to something apparently everyone else has noticed... Might ponder an edit of the Explanation, if I don't find that I misread that as well and it's actually explicit and correct about it had I not just assumed it said otherwise... 172.70.86.64 09:42, 21 June 2022 (UTC)
Actually, I understood this was talking about the address bar right away, from the comic itself. "https" generally doesn't appear IN pages, unless it's somewhere like Facebook where someone pasted the address. Most links have friendly text to explain the link, that would be a highly ineffective thing to do. Also, web designers DO have control over the colours of links, even if they/we don't usually stray from the default blue/red/purple. Making a link partially red and strikethrough would be to ignore the designer's wishes, would be displaying the page inaccurately. NiceGuy1 (talk) 04:15, 25 June 2022 (UTC)

Removed unnecessary line. The NSA is mentioned absolutely nowhere in the comic, nor any other intelligence agency, and it comes off as nothing more than an unnecessary conspiracy theory.

What if Randall decides to delve into the mysteries of the unlocked padlock? WE NEED A CONTINGENCY PLAN! 172.68.133.65 01:27, 21 June 2022 (UTC)