HTTPS sites showing as insecure?

Discussion in 'malware problems & news' started by Carbonyl, Jun 14, 2011.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I've noticed this problem for quite some time, and I was hoping that some of the experts here at Wilders might be able to help me understand it a little better. My apologies if this is a simplistic problem I'm misunderstanding, and a waste of everyone's time!

    Essentially the long and short of it is this: I navigate to HTTPS sites assuming they will be secure, and I wind up getting a page that's explicitly labeled by my browsers as being insecure.

    For example, a while back when I was trying to access amazon, I saw the following:

    http://i.imgur.com/wcXwP.jpg

    http://i.imgur.com/sLon3.png

    Note that the address was typed in, and is listed, as an HTTPS site. Opera, in this case, identifies the site as being insecure, and recommends against logging in.

    Recently other sites have done the same thing (GMail, Livejournal, to name a few). In these cases, not only does the latest version of Opera give this issue, but checking in other browsers (Firefox, Safari, Chrome), give insecure pages as well, despite being the HTTPS version of the page.

    To be clear, these are the specifically secure pages of the sites in question: They have, in the past, been secure with valid certificates. They can be navigated to as explicitly secure sites, as promised via their domains. I can even navigate to them in a number of ways (Google links, navigating through the main domain, explicitly typing in the link to the address bar, using a bookmark), and I always see the same insecure result.

    Oddly, sometimes the secure 'padlock' icon will be present during the duration of the page load, only to disappear and give the insecure warning after the page finishes loading.

    I'm wary of domain hijacking or DNS poisoning, but don't know how to check that. Does anyone have any advice as to how I might be able to once again establish a secure connection to these various sites before submitting credentials? Thanks much in advance.
     
  2. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Is your date / time wrong?
     
  3. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    There seem to be more sites today that separate encryption and degree of authentication and do it in some cases multiple times. If you go to https://www.wilderssecurity.com, you will get encryption but the site will be marked as not safe because the SSL certificate is self signed by Wilders. https ONLY gets you encryption, not trust; thus the flaps over rogue certificates. Anybody can get an encryption certificate, often for free. A site is not trusted unless it has a valid (class 3) certificate signed by a trusted certificate authority and the proper authentication has taken place. In the Amazon case, Amazon requires you to validate your credentials before it authenticates you for access to your account, even though the page is https. Opera is not telling you not to send your credentials, just that you are not authenticated for account access yet. Page is really just the logon page to the secure site. The others are probably something similar, but I am not an SSL expert.
     
    Last edited: Jun 15, 2011
  4. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Date and time are correct - Set via internet for my timezone.

    As for the trust/encryption dichotomy - Thanks for the information sded! I didn't realize the distinction. I suppose I ought to learn more about signed certs.

    The odd thing is that some of these sites (Amazon, Livejournal) were just fine and trusted a few weeks ago. Only now are they considered untrusted (again, regardless of browser). In fact, if I load the page for Livejournal and kill the load halfway through, the blank page is considered trusted by Opera. When it loads the last elements of the page, though, the trust icon is removed and the page becomes untrusted all over again - as if something loading on the page revokes the trust in question.
     
  5. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Please update your Opera. Issue has been fixed in Opera 9.52 already. It's dangerous to run with an outdated browser.
     
  6. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Occurs in 11.11
     
  7. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I appreciate your concern, but I'm running Opera 11.11 already.

    I tend to upgrade it as quickly as I can, for the reasons you've alluded to.
     
  8. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    BTW, in Opera do you have the security (padlock) button from browser view added to a toolbar? What I look for is the padlock to sport a 3 in the center to ensure the site is really secure. In the case of Amazon, the first page is actually shown with an open padlock (unencrypted) even though it says "https" at the top. And the text shows what encryption is available. Some of the links are https, some are http. I think this is very confusing, but believe the padlock is right. Firefox describes the page as "partially encrypted". :) Other sites will show the padlock closed with a 1 or exclamation point in it, and the text will say not secure also, but I think these are encrypted like the Wilders example.
     
    Last edited: Jun 15, 2011
  9. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    The padlock tool that's a part of the address bar by default is what I've been using in Opera. It doesn't seem to give much more information other than being present when a page is trusted, or turning into a 'Globe' (not an open padlock) if a site is insecure. If I click the globe, and the page is HTTP, it will list as 'unencrypted'. If the page is HTTPS, it will list as 'insecure'. Am I missing the tool you're referring to, or is this the same one?

    I certainly don't see any ranked numbers, or 'partial' encryption.

    And again, the padlock appears to be present and fine until the page fully loads, whereupon it vanishes to be replaced by the globe.
     
  10. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    I was referring to an optional Opera tool that might be useful. Under appearance/buttons/browser view there is usually a "security" button that you can drag or drop to one of your toolbars as shown in the attachment. May be skin dependent in terms of actual features and readability. It shows a summary of the security status of the page: open lock for unencrypted, closed lock with the class of certificate in the center: a ! (not signed by cert authority) or 1 (minimal cert domain validation, not trusted), or 3 (enhanced cert validation, trusted). If you push the button, you get the usual dialog about the site. The "partially encrypted" was how FF described the Amazon page you showed; Opera showed an open padlock for the mixed encrypted/unencrypted links page.
     

    Attached Files:

  11. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Uninstall it completely and reinstall it. It's a bug in Opera that was supposed to be fixed. If it's not, I'll advise you to go to the Opera site and submit the bug to them, as it's a possible security risk.
     
  12. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I think the padlock tool must be dependent upon the Opera skin used. I can add that tool to the toolbar as you directed, sded, but all I receive is a duplicate of the security component of the address bar. It only shows two states: The 'Globe' or the padlock.

    I suppose I could try uninstalling and reinstalling Opera, but what a pain! All my settings are just as I like them.
     
  13. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Sorry your skin doesn't support it. I wonder what the bug is? As far as I can tell Opera is reporting status correctly, is consistent with Firefox for the mixed encrypted/decrypted links page. See attachments from FF & Opera. FF HTTPS without the green "secure" in the header looks a lot like Opera HTTPS with just the globe, no padlock.
     

    Attached Files:
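
Added example, not part of any post in this thread: a padlock that vanishes only after the page finishes loading, and the "partially encrypted" status mentioned above, are consistent with mixed content, where an HTTPS page pulls in subresources over plain HTTP. This Python sketch lists such subresources in a page's HTML; the sample markup and `example.test` hosts are constructed, and the active/passive grouping is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource with the page.
# Active content can rewrite the page; passive content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <a href> is deliberately not checked: a hyperlink is not fetched with the page.
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag:
                    self._check(kind, tag, a.get(attr))

    def _check(self, kind, tag, url):
        if not url:
            return
        absolute = urljoin(self.page_url, url)  # resolves relative and //host URLs
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE = """<link rel="stylesheet" href="/site.css">
<script src="http://stats.example.test/track.js"></script>
<img src="//img.example.test/logo.png">
<img src="http://img.example.test/banner.png">
<a href="http://www.example.test/help">Help</a>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://shop.example.test/login", SAMPLE):
        print(*finding)
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported; only absolute `http://` subresources are.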
