Not Secure Site

Posted: January 11th, 2021, 1:11 am
by AJC5001
I have followed a link from this post viewtopic.php?p=375663#p375663 in the Drinks forum to https://rochester-drinks.com/products/rochester-ginger-dickensian/
This site is shown as Not Secure even though it has a https:// url, which I thought meant that it was secure.

What am I missing?

Adrian

Re: Not Secure Site

Posted: January 11th, 2021, 1:25 am
by PinkDalek
AJC5001 wrote:What am I missing?


Did you click on the exclamation mark triangle & read the warning?

My version says, ... isn't fully secure etc.

Re: Not Secure Site

Posted: January 11th, 2021, 1:30 am
by Breelander
AJC5001 wrote:This site is shown as Not Secure even though it has a https:// url, which I thought meant that it was secure.
What am I missing?


Firefox says that parts of the page are not secure, and directs you here for more information:

Mozilla Support wrote: if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.
https://support.mozilla.org/en-US/kb/mi ... cale=en-US

Re: Not Secure Site

Posted: January 11th, 2021, 3:13 pm
by AJC5001
PinkDalek wrote:
AJC5001 wrote:What am I missing?


Did you click on the exclamation mark triangle & read the warning?

My versions says, ... isn't fully secure etc.


Yes, I did click on the exclamation mark triangle & read the warning, and it said :-
"Your connection to this site isn't fully secure
Attackers may be able to see the images you're looking at on this site and trick you by modifying them"
plus some other stuff about popups, certification, cookies, site permissions, tracking prevention etc (Using MS Edge)

There was nothing else to explain what "trick you by modifying them" might mean.

I asked because I don't recall seeing an https page that showed this "Not Secure" message before.

Breelander wrote:Firefox says that parts of the page are not secure, and directs you here for more infomation:

Mozilla Support wrote: if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.
https://support.mozilla.org/en-US/kb/mi ... cale=en-US


So the page contains images that are only HTTP as well as the rest of the content that is encrypted.
As the images don't seem to be clickable, and there don't seem to be any forms to collect any data, do I assume that viewing it causes no harm?

Thanks,

Adrian

Re: Not Secure Site

Posted: January 11th, 2021, 5:18 pm
by Infrasonic
Generally if it isn't an e-commerce site collecting data then it not being fully HTTPS is less of an issue, although still not ideal.
Google will penalise SEO though, so it's not a good idea for commercial sites if they want to maintain decent rankings.
I would imagine Google and the other big players will slowly increase the pressure on site owners via penalties to upgrade them fully to HTTPS.

Re: Not Secure Site

Posted: January 11th, 2021, 5:57 pm
by johnhemming
I thought I would have a look at this page in Chrome and Chrome now automatically upgrades http to https. Quite a lot of the page is done properly, but bits of it do insecure image requests, not all of the images though.

Re: Not Secure Site

Posted: January 11th, 2021, 7:28 pm
by didds
A quick look at the site's source code shows it has numerous references to hardcoded http:// links.

That's why it's showing a warning etc.

It's a very poorly coded page basically.

didds
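The thread's diagnosis, in code: Breelander's Mozilla quote defines mixed content, johnhemming notes that Chrome upgrades some of the image requests, and didds points at hardcoded http:// references in the source. The scanner below, an added example and not code from the site or any poster, does what the browser does before it draws the padlock: it walks the HTML for subresource references, resolves them against the page URL, and flags any that resolve to http://, separating "passive" content (images, media, the case the Edge warning text describes) from "active" content (scripts, stylesheets, frames). The page URL and HTML are constructed sample input, not the real product page.

```python
"""Scan an https:// page's HTML for http:// subresources (mixed content).

Added example, not code from the site discussed in the thread. The page
URL and HTML below are constructed to resemble a product page with some
hardcoded http:// image and script URLs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag/attribute pairs that fetch a subresource, and how browsers classify
# them: "passive" content is only displayed, "active" content can run code
# or restyle the page, so an attacker tampering with it on the wire gets
# far more than a swapped image.
SUBRESOURCE_ATTRS = {
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only rel="stylesheet" counts, see below
    ("object", "data"): "active",
    ("embed", "src"): "active",
}


class SubresourceCollector(HTMLParser):
    """Collects (tag, attribute, raw URL) for every subresource reference."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a), _ in SUBRESOURCE_ATTRS.items():
            if t != tag or not attrs.get(a):
                continue
            rel = (attrs.get("rel") or "").lower()
            if tag == "link" and "stylesheet" not in rel:
                continue  # icons, preconnects etc. are not mixed-content loads
            self.found.append((tag, a, attrs[a]))


def find_mixed_content(page_url, html):
    """Return one dict per http:// subresource referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # "mixed content" only exists on a secure page
    collector = SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.found:
        # urljoin resolves relative ("/x.png") and protocol-relative
        # ("//cdn/x.js") references against the page, so they inherit https.
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            findings.append({"tag": tag, "url": absolute,
                             "kind": SUBRESOURCE_ATTRS[(tag, attr)]})
    return findings


def upgrade_to_https(url):
    """The rewrite a browser's auto-upgrade (or a site-side fix) performs."""
    return urlunsplit(urlsplit(url)._replace(scheme="https"))


# Constructed sample input; not the real page.
SAMPLE_PAGE_URL = "https://shop.example/products/ginger/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://shop.example/theme.css">
<link rel="icon" href="http://shop.example/favicon.ico">
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://shop.example/images/bottle.jpg" alt="bottle">
<img src="/images/label.png" alt="label">
<script src="http://tracker.example/t.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:7s} <{f['tag']}> {f['url']}  ->  {upgrade_to_https(f['url'])}")
```

On the sample the scanner reports two findings: the passive image and the active tracking script; the protocol-relative script and the root-relative image inherit https from the page and are fine. The distinction matters for the question asked in the thread: a tampered passive image can only mislead the viewer, while a tampered active script runs in the page's origin. For the site owner the fix is to correct the references, or to send a `Content-Security-Policy: upgrade-insecure-requests` header so browsers rewrite them to https before fetching.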

Re: Not Secure Site

Posted: January 12th, 2021, 10:30 am
by 88V8
If I put the url into Sucuri https://sitecheck.sucuri.net/results/ht ... ickensian/ it comes up Medium Security risk, but could not be fully scanned, returns error 403.

Malwarebytes has no problem with it.

But yes, I always assumed https was 'safe'.

V8

Re: Not Secure Site

Posted: January 12th, 2021, 3:27 pm
by UncleEbenezer
88V8 wrote:But yes, I always assumed https was 'safe'.
V8

There's nothing inherently safe about https. It protects against the risk of data being read or altered "on the wire" between you and the far end of the link, but not against a malicious or compromised site, including in some circumstances the possibility of one that isn't what you think it is (issues like plausible misspellings, I for l or 1, etc - and nowadays that includes lots of non-ascii characters).

Neither does it protect against risks coming from third-party sites that embed contents such as images or scripts - which is what the browser is warning you of.

Re: Not Secure Site

Posted: January 12th, 2021, 3:46 pm
by johnhemming
UncleEbenezer wrote:There's nothing inherently safe about https. It protects against the risk of data being read or altered "on the wire" between you and the far end of the link,

Interestingly there were some ISPs in I think the Far East which were requiring email that was supposed to use SSL/TLS to go through their own servers enabling them to monitor the email. If you are worried about this you need to check that your email clients (and all relays) properly check the certificates being used for SMTP.

Re: Not Secure Site

Posted: January 12th, 2021, 3:50 pm
by UncleEbenezer
johnhemming wrote:
UncleEbenezer wrote:There's nothing inherently safe about https. It protects against the risk of data being read or altered "on the wire" between you and the far end of the link,

Interestingly there were some ISPs in I think the Far East which were requiring email that was supposed to use SSL/TLS to go through their own servers enabling them to monitor the email. If you are worried about this you need to check that your email clients (and all relays) properly check the certificates being used for SMTP.

If you want secure email, use PGP. That's a long-solved problem.

Re: Not Secure Site

Posted: January 12th, 2021, 3:58 pm
by ReformedCharacter
UncleEbenezer wrote:If you want secure email, use PGP. That's a long-solved problem.

Yes, I used to use it with the one other person I knew who did also. I used to think that it would be widely adopted but that doesn't seem to have happened, I'm not sure why. OH has to communicate confidentially with councils, NHS etc. all of whom seem to have their own non-compatible systems. That's the price of progress :)

RC

Re: Not Secure Site

Posted: January 12th, 2021, 4:19 pm
by johnhemming
ReformedCharacter wrote:
UncleEbenezer wrote:If you want secure email, use PGP. That's a long-solved problem.

Yes, I used to use it with the one other person I knew who did also. I used to think that it would be widely adopted but that doesn't seem to have happened, I'm not sure why. OH has to communicate confidentially with councils, NHS etc. all of whom seem to have their own non-compatible systems. That's the price of progress :)

The issue AIUI is that it has not reached critical mass.

Some systems check whether the relay servers are using TLS, be it STARTTLS or port 465, and won't send emails unless that is the case. Gmail handles this reasonably well so you can find out if that is the issue by using a Gmail account.
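What "properly check the certificates being used for SMTP" and "won't send emails unless [TLS] is the case" look like in a client, as an added example rather than anything the posters ran: the relay host, port and addresses are placeholders. The key detail is that `smtplib.SMTP.starttls()` called without a context does not load CA certificates or check the hostname, so an intercepting relay of the kind johnhemming describes can present any certificate and still get an "encrypted" session that terminates on its own box. Passing the ssl module's default context makes that interception fail, and refusing to proceed when STARTTLS is not offered stops the silent fallback to cleartext.

```python
"""Send mail only over a verified STARTTLS session.

Added example, not from any poster; the relay host, port and addresses are
placeholders. Importing the module sends nothing; send_requiring_tls() only
talks to the network when called against a real relay.
"""
import smtplib
import ssl
from email.message import EmailMessage


def verified_tls_context():
    """TLS settings that reject a relay presenting someone else's certificate.

    create_default_context() loads the system CA bundle, sets CERT_REQUIRED
    and enables hostname checking; smtplib's own fallback context does none
    of that, which is what an interposed monitoring relay relies on.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_requiring_tls(host, port, msg, timeout=15):
    """Deliver msg via host:port, refusing to fall back to cleartext."""
    ctx = verified_tls_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; not sending in the clear")
        # Raises ssl.SSLCertVerificationError if the chain or hostname is wrong,
        # which is exactly the case of a relay impersonating the real server.
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-issue EHLO after the upgrade (RFC 3207)
        return smtp.send_message(msg)


def build_message(sender, recipient, subject, body):
    """Build a plain-text message; kept separate so it can be checked offline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    message = build_message("alice@example.org", "bob@example.net",
                            "test", "hello over verified TLS")
    # Placeholder relay; replace with your own submission server.
    send_requiring_tls("smtp.example.org", 587, message)
```

For the port 465 variant mentioned in the same post, use `smtplib.SMTP_SSL(host, 465, context=verified_tls_context())` instead; the session is TLS from the first byte, so there is no STARTTLS capability to check, but the context argument is just as necessary for the certificate to be verified.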

Re: Not Secure Site

Posted: January 13th, 2021, 9:37 am
by Infrasonic
ReformedCharacter wrote:
UncleEbenezer wrote:If you want secure email, use PGP. That's a long-solved problem.

Yes, I used to use it with the one other person I knew who did also. I used to think that it would be widely adopted but that doesn't seem to have happened, I'm not sure why. OH has to communicate confidentially with councils, NHS etc. all of whom seem to have their own non-compatible systems. That's the price of progress :)

RC


PGP never went mainstream because it's a PITA to set up for a non technical user.

Email services like ProtonMail use it, it still depends on the other end having a PM account though for painless use.
https://protonmail.com/support/knowledg ... %20address.

Thunderbird mail client has streamlined the PGP process somewhat in recent years from what I have read. I'm not a regular enough user of TB to comment from experience.