Safer Internet: Browsing: Use https

Why?

  • + Encrypts content between your device and the destination server
  • - Addresses (yours, the site's) are not encrypted
  • - Not all sites support https:, due to cost or configuration issues
  • - Encrypted content can still be exposed if TLS/SSL vulnerabilities aren't patched by system and application updates

Basic

  • Use https: (HyperText Transfer Protocol Secure) instead of regular http:, at least to encrypt logins, financial transactions and other sensitive information; if a site offers it, use it; some sites default/redirect to https:, e.g., paypal.com
  • Check the browser address bar: lock icon / https: in the URL
  • Some browsers, e.g., Chrome, flag insecure (http:) sites
  • [Refs]: "Yes, Switching To HTTPS Is Important, And No It's Not A Bad Thing"
  • Client-server connection -- with https: -- {Figure 6. TCYOP-2: 47; TCYOP-1: 47}
  • Firefox, Chrome: install the HTTPS Everywhere extension; IE, Safari: not available
  • [Refs]: "HTTPS Everywhere Keeps Your Personal Information Safe on Over 1,400 Sites, Available for Firefox and Chrome"
  • Use a password manager to log in and to check for vulnerabilities -- see Passwords section
  • Use an updated, supported browser
  • Test Your Browser's TLS(SSL): How's My SSL?
  • Safari (macOS, iOS) still includes some fallback older 'insecure cipher suites'; I'm checking if this is serious and/or being fixed; Firefox, Chrome better?
  • Update system & application software to fix vulnerabilities
  • [Refs:OpenSSL]: "Heartbleed a Year Later: How the Security Conversation Changed"
  • [Refs:OpenSSL]: "Hundreds of Android and iOS apps are still vulnerable to FREAK attacks"
  • [Refs:OpenSSL]: "Windows, Blackberry also susceptible to HTTPS-breaking FREAK attack"
  • [Refs]: "Google, Mozilla, Microsoft to Sever RC4 Support in Early 2016"
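The items above on testing your browser's TLS, on Safari's fallback cipher suites, and on the RC4 and FREAK references all come down to one question: does the client still offer cipher suites that should have been retired? The following is an added example (not from this page or from any of the tools it names) that classifies OpenSSL-style cipher suite names and then applies the same check to the suites the local Python/OpenSSL client offers by default. The marker list and the sample suite names are assumptions constructed for the example; the "EXP" marker covers the export-grade suites that FREAK abused, "RC4" the suites the browser vendors cited above dropped.

```python
import ssl

# Substrings that mark cipher suites a current HTTPS client should not offer
# (constructed list for this example): RC4 (dropped by browsers in 2016),
# EXP (export-grade suites, abused by FREAK), NULL (no encryption or no
# authentication), DES/3DES, MD5-based MACs, and anonymous key exchange.
WEAK_MARKERS = ("RC4", "EXP", "NULL", "DES", "MD5", "ADH", "AECDH")

# Constructed sample of suites a client might offer, mixing current and retired ones.
SAMPLE_OFFERED = [
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3
    "ECDHE-RSA-AES128-GCM-SHA256",   # current TLS 1.2 suite
    "RC4-SHA",                       # RC4 stream cipher
    "EXP-RC4-MD5",                   # export-grade, 40-bit key
    "DES-CBC3-SHA",                  # 3DES
]


def is_weak_cipher(name: str) -> bool:
    """Return True if an OpenSSL-style cipher suite name matches a weak marker.

    Matching on "DES" deliberately also catches 3DES (DES-CBC3-SHA); "AES"
    does not contain "DES", so modern AES suites are not flagged.
    """
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def weak_ciphers(names):
    """Filter a list of cipher suite names down to the weak ones, order kept."""
    return [n for n in names if is_weak_cipher(n)]


def local_client_ciphers():
    """List the suites Python's default TLS client context would offer.

    ssl.SSLContext.get_ciphers() returns one dict per enabled suite; only the
    OpenSSL name is needed here. This runs offline: nothing is connected to.
    """
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("weak suites in constructed sample:", weak_ciphers(SAMPLE_OFFERED))
    offered = local_client_ciphers()
    print(f"local client offers {len(offered)} suites, "
          f"weak: {weak_ciphers(offered) or 'none'}")
```

Running the script with a current Python shows an empty weak list for the local client: the default context excludes RC4, MD5 and anonymous suites, and export-grade suites no longer exist in OpenSSL at all. A non-empty list, or a client that cannot report its suites, is the signal to apply the "update system & application software" item above.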

Intermediate

  • If a site requires login over insecure http:, esp. over WiFi -- see VPN section and Passwords section (2FA)
  • [Refs]: "Match.com’s HTTP-only login page puts millions of passwords at risk"
  • Enable the site's preference to use https: if offered, e.g., linkedin.com > Account > Security

Advanced

  • File transfer: use sftp: instead of ftp:
  • Web site admin: support https:, e.g., with a free certificate from letsencrypt.org
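For the site-admin item above, and as the server-side counterpart of the Intermediate items on http:-only logins, here is an added example (not from this page, and not from Let's Encrypt) that checks captured HTTP response heads for the deployment properties a user relies on: the plain http: response redirects to https: on the same host, the https: response sends a Strict-Transport-Security header with a long max-age (HSTS, which the page does not mention; it is what makes browsers stop using http: for the site after the first visit), and session cookies carry the Secure flag so they are never sent over http:. The responses and the host name www.example.com are constructed for the example.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses (not captured from any real site).
HTTP_REPLY = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTP_LOGIN_REPLY = (  # the Match.com-style failure: a login form served over http:
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<form method="post" action="/login">...</form>'
)
HTTPS_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html>...</html>"
)


def parse_response_head(raw: str):
    """Split a raw response into (status code, {lowercased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_http_response(raw: str, requested_host: str) -> dict:
    """Did the plain http: request get redirected to https: on the same host?"""
    status, headers = parse_response_head(raw)
    target = urlsplit(headers.get("location", [""])[0])
    return {
        "status": status,
        "redirects_to_https": status in REDIRECT_CODES and target.scheme == "https",
        "same_host": target.hostname == requested_host,
    }


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains' into a small dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    return {
        "present": True,
        "max_age": int(max_age) if max_age.isdigit() else 0,
        "include_subdomains": "includesubdomains" in directives,
    }


def check_https_response(raw: str) -> dict:
    """Check the https: response for HSTS and for cookies lacking Secure."""
    status, headers = parse_response_head(raw)
    hsts_values = headers.get("strict-transport-security")
    hsts = (parse_hsts(hsts_values[0]) if hsts_values
            else {"present": False, "max_age": 0, "include_subdomains": False})
    insecure_cookies = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            insecure_cookies.append(name)
    return {"status": status, "hsts": hsts, "insecure_cookies": insecure_cookies}


if __name__ == "__main__":
    print("http:  ", check_http_response(HTTP_REPLY, "www.example.com"))
    print("login: ", check_http_response(HTTP_LOGIN_REPLY, "www.example.com"))
    print("https: ", check_https_response(HTTPS_REPLY))
```

On the constructed input the https: response passes the HSTS check but the `session` cookie is reported as insecure because it lacks `Secure`; that is exactly the cookie an attacker on the same WiFi would see if the browser ever issued a plain http: request to the site, which is why the redirect, HSTS and Secure flag belong together.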

References

Apple

Certificates

Google

OpenSSL, Freak, Heartbleed