Browse only secure websites (https). Insecure websites (http) expose you to hackers.

In our day-to-day life on social media, we come across numerous web links which seem innocent but are malicious. Entering these insecure http websites, made by hackers or vulnerable to hacking, will be suicidal. By various methods like phishing, cookie stealing or SQL injection, hackers target your personal details like your identity, bank details, phone numbers, email accounts, etc. Or else, by manipulating the website scripts (e.g. JavaScript), they may inject viruses into your system. These criminals put your data to uses beyond your imagination.

As per current standards, https is proven to be far more secure than a website offering only http or a partial https connection. Initially, banking firms, defense organizations, etc. were the primary beneficiaries of https. But now around 52% of all websites running worldwide are using a full https connection (including Google, Facebook, Twitter, YouTube, etc.). Any website that uses login credentials should use https. But we can see that many website owners are reluctant about this, or else they might be unaware, or intentionally doing it for hacking.

I’m proud to announce that https://postboard.in is fully secure. This article is written to make you understand the importance of using websites offering https over insecure http.

What is http and https?

Http – Hypertext Transfer Protocol
Https – Hypertext Transfer Protocol Secure

Https is an http connection with a TLS certificate.
‘https = http + TLS certificate’

Simply,
http = primitive + insecure
https = modern + secure + involves the latest technology.

Https provides end-to-end encryption between the content provider (the website server) and the end user (you). This encryption is based on the TLS certificate.

Encryption and TLS certification (skip this, if boring)

Https encrypts the http communication between you and the website server using the TLS protocol. TLS means Transport Layer Security, which was previously known as SSL (Secure Sockets Layer).

A website with a TLS certificate has two keys:

  1. Private key – stored on the website server (owner)
  2. Public key – stored in your web browser, like Chrome, Firefox, Safari, Opera, etc.

When you are browsing a website through https, the public key in your browser interacts with the private key of that website server to decrypt the data for you (the end user). Anyone else using the same network will see only the encrypted data, as their browser lacks the public key you have. Even if they have the same browser version you have, the public key they are given will be different. In short, a middle man or a hacker will be unable to snoop on your data.

Meanwhile, if you use http, this added security advantage will be missing. Anyone with free hacking software and a little technical knowledge of the subject can attack your privacy.

How to use https?

It’s very simple. When you see a website link with http,
for e.g.: http://postboard.in/join-us/

Edit the address to
https://postboard.in/join-us/

i.e., use https:// instead of http://

It’s simple and free of cost.

What if the website doesn’t load with https?

If it doesn’t load or shows “secure connection failed”, do not enter such a website. See the image below for an example.

Tried to load https://sakshitimes.net on 19/02/2020 in Firefox.

It is unacceptable that this website asks the user to log in or sign up, but it lacks a TLS or SSL certificate.

When loaded using an http connection on 19/02/2020

It’s always safer to avoid such websites, or to ask the website owners to add the security feature.
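The two sections above (rewrite the link to https://, and refuse the site if the secure connection fails) can be reproduced in a small client. The following is an added example, not code from the original post or from postboard.in: it rewrites a link to https://, builds a TLS context that checks the certificate the way a browser’s padlock check does, and raises an error on a bad certificate instead of quietly falling back to http. The hostnames in the usage lines are the ones from the post; the function names are my own.

```python
"""Added example: upgrade a link to https and fetch it with strict TLS checks."""
import http.client
import ssl
from urllib.parse import urlsplit, urlunsplit


def upgrade_to_https(url: str) -> str:
    """Return the same URL with the https:// scheme.

    'http://postboard.in/join-us/' -> 'https://postboard.in/join-us/'
    A link typed without any scheme ('postboard.in') is treated as https too.
    """
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web URL: {url}")
    return urlunsplit(("https",) + tuple(parts[1:]))


def strict_tls_context() -> ssl.SSLContext:
    """TLS settings equivalent to the browser's padlock check."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.check_hostname = True                     # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # self-signed/expired cert -> error
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context would refuse an unverifiable certificate."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def fetch_secure(url: str, timeout: float = 10) -> bytes:
    """Fetch the page over https only; never downgrades to http.

    A certificate failure (the "secure connection failed" case from the post)
    is surfaced as an error rather than retried over plain http.
    Needs network access; not exercised offline.
    """
    url = upgrade_to_https(url)
    parts = urlsplit(url)
    path = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=strict_tls_context(),
                                       timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().read()
    except ssl.SSLCertVerificationError as e:
        raise RuntimeError(f"refusing {url}: {e.verify_message}") from None
    finally:
        conn.close()


if __name__ == "__main__":
    print(upgrade_to_https("http://postboard.in/join-us/"))
    print("strict context:", context_is_strict(strict_tls_context()))
```

`create_default_context()` already enables verification; the three assignments are kept explicit so a reader sees exactly which settings the padlock depends on, and `fetch_secure` deliberately has no http branch, which is the behaviour the post asks of a user.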

Partially secure websites are dangerous too

But https (SSL/TLS) alone does not give you a secure website! There are some leading websites with partially secure content. Though these provide better security than a website with no SSL/TLS certificate, you are still vulnerable to eavesdropping and man-in-the-middle attacks.

Technically, an HTTPS page that includes content fetched using HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers. That leaves the pages unsafe.

i.e., if a page includes some parts that are not secure, it is called mixed content.

There are two types of mixed content, based on their likelihood to breach privacy:
1. Active mixed content
2. Passive mixed content

Active mixed content –

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user.

The attacker can also rewrite the script on the page to include malicious JavaScript code or install malware on the user’s system (by leveraging vulnerabilities in the browser or its plugins, for example).

If your website delivers HTTPS pages, all active mixed content delivered via HTTP on these pages will be blocked by browsers by default. Consequently, your website may appear broken to users (if iframes or plugins don’t load, etc.). But the broken pages are for a good cause. Also, do not forget to update your browser periodically.

Examples of active mixed content: <script>, <link>, <iframe>, url() in CSS, XMLHttpRequest, fetch() requests, etc.

Passive mixed content –

Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user.

Passive content is displayed by default, by your browser, but users can set a preference to block this type of content, as well.

Examples of passive mixed content: <img>, <audio>, <video>, <object>, etc.
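A website owner can find mixed content before the browser blocks it. The following scanner is an added example, not code from the original post or from any browser: it walks the HTML of an HTTPS page, resolves every sub-resource URL against the page URL, and labels each http:// reference active or passive using the element lists in the two sections above (a `<link>` is treated as active without checking its `rel`, a simplification). The page URL, the host names and the sample HTML are constructed for the example.

```python
"""Added example: find active and passive mixed content in an HTTPS page."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element -> attribute that carries the sub-resource URL, per the lists above.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src",
           "source": "src", "object": "data"}
# url(...) inside CSS, quoted or not.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


class MixedContentScanner(HTMLParser):
    """Collects (kind, element, absolute_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._in_style = False

    def _check(self, kind, element, url):
        # urljoin resolves relative paths and scheme-relative //host/... URLs,
        # which inherit https from the page and are therefore not mixed.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, element, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE and attrs.get(ACTIVE[tag]):
            self._check("active", tag, attrs[ACTIVE[tag]])
        elif tag in PASSIVE and attrs.get(PASSIVE[tag]):
            self._check("passive", tag, attrs[PASSIVE[tag]])
        if tag == "style":
            self._in_style = True
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self._check("active", f"{tag}[style]", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the raw text of a <style> block to handle_data.
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._check("active", "style url()", url)


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per kind, e.g. {'active': 2, 'passive': 2}."""
    counts = {"active": 0, "passive": 0}
    for kind, _, _ in findings:
        counts[kind] += 1
    return counts


# Constructed sample page: two active and two passive http:// references,
# plus three references that are fine (https, relative, scheme-relative).
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<style>body { background: url(http://cdn.example.test/bg.png); }</style>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/safe.png">
<iframe src="//widgets.example.test/embed"></iframe>
<video src="http://media.example.test/clip.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    results = scan("https://www.example.test/page", SAMPLE_PAGE)
    for kind, element, url in results:
        print(f"{kind:8} {element:14} {url}")
    print(summarize(results))
```

Active findings are the ones a browser will block outright, so they are the ones that break the page; passive findings load by default and are the ones a network attacker could swap, as the section above describes.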

How to identify the security level of a website?

By observing the left side of the address bar of your browser, you can identify whether the website is secure / insecure / partially secure.

The symbols denoting the security level vary from browser to browser. Also, the symbols shown in the PC and mobile variants of the same browser may be different. But if you click on that symbol, it will show what it means.

If secure –

‘Black Padlock’ symbol in Firefox PC version
‘Green padlock’ symbol in Chrome browser PC version

If insecure –

‘Crossed Black Padlock’ in Firefox browser PC version
‘Circled i’ in Chrome browser PC version

Please note that an https connection will not be possible on such sites, as they lack a valid SSL/TLS certificate.

If partially secure – you will see a sign similar to the insecure symbol.

Note: I have contacted the admin of SakshiTimes to correct the insecure connection.
