Author Topic: Just when you think you're safe...  (Read 412 times)

0 Members and 1 Guest are viewing this topic.

Offline Maik

  • Administrator
  • Forum Deity
  • *****
  • Posts: 14517
Just when you think you're safe...
« on: Monday, 12 February, 2018 @ 15:55:21 »
Quote
All HTTP websites to soon be marked as “not secure” by Google Chrome

If you’re still running a website that is still using insecure HTTP then it’s time to wake up and drink the coffee.

Because unless you take action soon, you’re going to find many of your visitors are going to distrust your website.

The reason? Google is pushing ahead with its plan for the Chrome browser to start labelling all sites that continue to use unencrypted HTTP as “not secure” from July 2018.

HTTPS is a marked improvement over HTTP as it provides end-to-end encryption between the website’s server and your computer, preventing snoopers from seeing what messages you might be sending to a site, or the information you may be downloading.

Remember, just because a website is using HTTPS does not mean that it can necessarily be 100% trusted – and similarly, a website that is still using HTTP just might be doing a decent job in how it handles the rest of its security or your personal information (although its lack of HTTPS in such a situation would be a surprising omission).
https://www.welivesecurity.com/2018/02/12/http-websites-marked-google-chrome/


So, if a website is on http:// it isn't secure. That rather suggests that if a website address starts https:// it is secure.

Quote
But here’s the thing: Just because a site has an SSL certificate (and, thus, that little green padlock in your browser bar) doesn’t mean it’s a legit site, or that it’s actually the site it’s claiming to be. Vincent Lynch, senior security analyst for the SSL Store, thinks Let’s Encrypt’s mission to issue as many SSL certificates as possible has created a dangerous situation. Because Let’s Encrypt is easy and free to use, phishing and malware sites seem to have taken a liking to it.

Let’s Encrypt has issued, by Lynch’s count, 988 SSL certificates to sites with the word “PayPal” in them. Here’s a quick sample of just a few of the sites (all of which are now inactive) that had a Let’s Encrypt SSL certificate. All of these sites would have showed that comforting, little green padlock on the top of your screen if you had logged on, but judging purely by the URLs, you may have been in for a bad time if you had actually entered your PayPal username and password:

    activity-paypal-account.tk
    login-paypal-inc.com
    paypal-co.com
    paypal-verification-zone.com
    verifyed-your-paypal-account.com
    www-paypal-com-confirmation-limited.customers-area.tk

...just because you see that green padlock at the top of your browser, don’t assume you’re completely safe.
http://nymag.com/selectall/2017/03/phishing-and-malware-sites-can-use-https-and-ssl-against-you.html


You might have read that a number of government websites have been 'infected' with a cryptocurrency miner that uses the PCs of visitors to the website to mine cryptocurrency (story here). Here's some of the websites affected:
 
https://www.gmc-uk.org/ : General Medical Council
https://www.slc.co.uk/ : Student Loans Company
https://www.nmc.org.uk/ : Nursing & Midwifery Council
https://www.york.gov.uk/ : City of York Council
https://www.brent.gov.uk/ : Brent Council (London)
https://www.pensionsadvisoryservice.org.uk/ : Pensions Advisory Service
https://www.ukpowernetworks.co.uk/ : UK Power Networks
https://www.extracare.org.uk/ : ExtraCare Charitable Trust
https://ico.org.uk/

ICO.org.uk:

Quote
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
https://ico.org.uk/

 :iroll:


https:// is an improvement on http:// but don't believe https:// guarantees a website is safe
(or that http:// means a website isn't safe).