Talk:2634: Red Line Through HTTPS

Explain xkcd: It's 'cause you're dumb.
Revision as of 00:28, 19 June 2022 by 172.70.110.121 (talk) (c)
Jump to: navigation, search


HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available. With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired). Darrylnoakes (talk) 04:28, 18 June 2022 (UTC)

I think the intended joke is that the site's certificate expired in 2015, instead of the site is not using HTTPS. 108.162.221.101 06:29, 18 June 2022 (UTC)
2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like mixed content. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. 172.69.69.250 08:30, 18 June 2022 (UTC)
Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. Jespertheend (talk) 10:49, 18 June 2022 (UTC)

Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. 172.69.79.201 10:11, 18 June 2022 (UTC)

It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. Jespertheend (talk) 10:49, 18 June 2022 (UTC)

I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I do occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. 172.70.90.173 11:21, 18 June 2022 (UTC)

You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/, http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the url. And as can be seen here [1], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. Jespertheend (talk) 11:32, 18 June 2022 (UTC)

I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'http://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here. Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke. I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. Jespertheend (talk) 11:23, 18 June 2022 (UTC)

While it's true that some browser security warnings are false alarms, I think that paragraph is missing the point of the comic. Cueball is assuming that any site that's been around for years must be operated well. But often the maintainers of the site get complacent and don't update to newer standards. And even if the real site is legit, the security warning can mean that traffic has been intercepted, so you're not actually going to the real site. Barmar (talk) 13:40, 18 June 2022 (UTC)

I presumed this was about using outdated protocols like TLS 1.0 or weak ciphers. 172.70.110.121 00:28, 19 June 2022 (UTC)