Difference between revisions of "Talk:2634: Red Line Through HTTPS"
Jespertheend (talk | contribs) |
|||
Line 17: | Line 17: | ||
I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I ''do'' occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others? | I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I ''do'' occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others? | ||
<br/>I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. [[Special:Contributions/172.70.90.173|172.70.90.173]] 11:21, 18 June 2022 (UTC) | <br/>I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. [[Special:Contributions/172.70.90.173|172.70.90.173]] 11:21, 18 June 2022 (UTC) | ||
+ | |||
+ | :You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/, http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the url. | ||
+ | As can be seen here [https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:32, 18 June 2022 (UTC) | ||
I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'https://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here. | I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'https://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here. | ||
Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke. | Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke. | ||
I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:23, 18 June 2022 (UTC) | I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. [[User:Jespertheend|Jespertheend]] ([[User talk:Jespertheend|talk]]) 11:23, 18 June 2022 (UTC) |
Revision as of 11:32, 18 June 2022
HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available.
With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired).
Darrylnoakes (talk) 04:28, 18 June 2022 (UTC)
- I think the intended joke is that the site's certificate expired in 2015, instead of the site not using HTTPS. 108.162.221.101 06:29, 18 June 2022 (UTC)
- 2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like mixed content. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. 172.69.69.250 08:30, 18 June 2022 (UTC)
- Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. Jespertheend (talk) 10:49, 18 June 2022 (UTC)
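The strict transport security exception mentioned above, as an added example that is not part of the original discussion: a simplified JavaScript model of RFC 6797 handling, showing why a certificate error on a known HSTS host offers no bypass while other hosts get the click-through warning. `HstsStore`, `onCertError`, the result strings and the `example.test` host are hypothetical names, not browser code.

```javascript
// Added example: simplified model of HSTS (RFC 6797); all names are hypothetical.

// Parse a Strict-Transport-Security value; null means "ignore this header".
function parseHsts(value) {
  const seen = new Map();
  for (const part of value.split(';')) {
    const item = part.trim();
    if (item === '') continue;
    const eq = item.indexOf('=');
    const name = (eq === -1 ? item : item.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? '' : item.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (seen.has(name)) return null; // a repeated directive invalidates the header
    seen.set(name, val);
  }
  if (!/^\d+$/.test(seen.get('max-age') || '')) return null; // max-age is required
  return { maxAge: Number(seen.get('max-age')), includeSubDomains: seen.has('includesubdomains') };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Only a header received over HTTPS with no certificate error is recorded.
  note(host, headerValue, nowMs, { secure, certOk }) {
    const policy = secure && certOk ? parseHsts(headerValue) : null;
    if (!policy) return;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) { this.hosts.delete(key); return; } // max-age=0 forgets the host
    this.hosts.set(key, { expires: nowMs + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains });
  }

  // A host is known if it, or a parent domain with includeSubDomains, has an unexpired entry.
  isKnown(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (entry && entry.expires > nowMs && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }
}

// What a certificate error (expired, self-signed, ...) leads to for this host.
function onCertError(store, host, nowMs) {
  return store.isKnown(host, nowMs) ? 'blocked-no-bypass' : 'warning-with-bypass';
}
```

A policy only takes effect after one clean HTTPS visit, so a first visit that already hits a certificate error still gets the bypassable warning in this model.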
Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. 172.69.79.201 10:11, 18 June 2022 (UTC)
- It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. Jespertheend (talk) 10:49, 18 June 2022 (UTC)
I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I do occasionally follow a normal-looking link (maybe locally CSSed in an over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. 172.70.90.173 11:21, 18 June 2022 (UTC)
- You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/; http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the URL.
As can be seen here [1], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. Jespertheend (talk) 11:32, 18 June 2022 (UTC)
I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the URL using 'https://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here. Though it's possible I removed some more information from the page that might still be desired, such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke. I also put some more emphasis on the red line usually meaning that something bad is going on. Browser vendors put a lot of effort into security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. Jespertheend (talk) 11:23, 18 June 2022 (UTC)