https and https addon

By way of intro, I am NOT an IT professional, just a small business owner who recently learned that my information online is terribly compromised and trying to do what I can to create better protection and security for my private information.

In the course of doing research I learned that using https vs. http is a better way to insure that the pages I am searching are not visible to others. By someones recommendation, I downloaded the httpsfinder program (or add-on, I'm new to all this) and I THINK its working, but I am finding the menu for set up terribly confusing to my non-techie brain.

This morning I noticed that my sign on to this site came through http and not https. I manually typed in https and got a notice that there was an invalid certificate.

Maybe I don't understand all this, as I would think that if https provides some kind of added privacy it would indeed be used here. Can someone help me understand the "https story" and what it means to me?

Thanks so much.

 

see on the subject of https on this site
https://www.wilderssecurity.com/showthread.php?t=297208

 

Thanks for the link: I read everything.

I would have posted there but the thread is closed. I am wondering if my PMs are also private without using the https. I changed some setting on my computer the other day and now I get messages when I send a PM here that its not encrypted and it can easily be read by others others.

Is there anyone who can clarify in the simplest of terms what using https actually does?

Thanks

 

How SSL Works

 

https means the HTTP protocol over SSL on port 443

 

Practicably speaking what it means is data transmitted to the website is encrypted. For instance when you go to your bank's website you can safely enter your user name and password because the transmission of that data is encrypted. Not all websites support HTTPS (including wilderssecurity.com) and when you enter data on those sites it is transmitted "in the clear". That means if someone successfully engaged in a "man in the middle" attack (MITM) they could see the information you entered. Some accounts are a lot more important than others. It's not likely that anyone will bother hacking my wilders account so they can impersonate me here - that would be a ridiculous waste of time. On the other hand email, bank sites and e-commerce need protection. Any site that accepts credit card information is going to use HTTPS. Email sites support HTTPS at least during the actual login to protect the credentials. Gmail supports continuous HTTPS.

The danger of MITM attacks is much greater over unencrypted wireless networks, ie "open wifi" in cafes, restaurants,etc, but it's good to be careful on a wired network too.

 

lovelymaiden: Your post is about https. Hopefully, in doing your research, you have learned that it is only 1 part of many that helps in keeping your web surfing more private.

I didn't want you (or anyone reading this) to assume that using https solves most or all privacy protection issues. It does not.

 

@Vic,

Wilders does support HTTPS.

I'd also like to say that HTTPS doesn't just prevent someone reading your data it also prevents them from changing it. If you use HTTP and someone is in the middle they can change data on the fly going either way. This means they could reroute bank information, emails, anything or even send information to you like a malicious webpage or phishing page.

 

They use a self signed certificate though. A novice user would probably skip it since most browsers advise against using them and try to direct you away from it like your browser is going to spontaneously combust if you continue.

 

You're right and I stand corrected. Firefox says the certificate is untrusted/self signed and Calomel shows the security as extremely weak though. Under those circumstances I wonder if it's a good idea to use https?

 

I started a thread on the same subject several months ago and the general consensus was that if everyone connected to the site with SSL it would slow the site down considerably and would provide no measurable benefits.

 

Anyone can spoof it a self-signed cert. It's pretty much as good as not being there at all. Not that Wilders needs it.

I was just clarifying that Wilders does support it it just doesn't have a certificate.

It's worth using as long as whoever uses it understand that if someone wants to look it's a matter of just looking, really.

 

This is true - I was working on the assumption that users were using default settings.

 

Apart from the issue of self-signing Vs a cert issued by a CA, what about the implemented security level? I'm not well versed in SSL so I don't know how to evaluate the numbers when the Calomel plugin describes what I think are various aspects of encryption as weak. I imagine it's appropriate for the strength of the cyphers, etc, to be in proportion to the site's function - we're not engaged in financial transactions here - but I'm interested to hear how you think about it.

 

Have a look at these. I included Gmail and Lastpass for comparison.

 

Yes, the only difference is that the Google cert is verified.

Self signed certificates aren't trusted by default because
1) If it's your first time visiting a page it's impossible to verify the cert.

2) If you don't save the cert it's the same issue as above.

 

Thanks I'll checkout uploading attachments. By the way, I added a Calomel screenshot for LastPass.com, which apparently has the strongest settings.

 

Here's an interesting article regarding self-signed certs:

https://www.networkworld.com/news/tech/2012/021512-ssl-certificates-256189.html?page=1