Safer Internet: Browsing: Use https

Why?

  • + Encrypts content between your device and the destination server, so it cannot be read or altered in transit
  • + More and more sites support https:, esp. due to the availability of free certificates
  • - Some sites (ironically, this one) do not yet support https: due to cost or configuration issues
  • - IP addresses (yours, the site's) are not encrypted, and the site's hostname still leaks via the DNS lookup and the TLS handshake (SNI)
  • - Content could still be cracked if TLS vulnerabilities in the system or browser aren't patched by software updates

Basic

  • Use https: (HyperText Transfer Protocol Secure) instead of regular http:, at least to encrypt logins, financial transactions and other sensitive information; if a site offers it, use it; some sites default/redirect automatically to https:, e.g., paypal.com
  • Check the browser address bar: lock icon and an https: URL
  • Some browsers, e.g., Chrome, will flag 'insecure' sites: any http: page in "incognito" (private browsing) mode, or any http: page with an input field, e.g., (here) Search and Contact
  • [Refs]: "Yes, Switching To HTTPS Is Important, And No It's Not A Bad Thing"
  • Client-server connection -- with https: -- {Figure 6. TCYOP-3: 55; TCYOP-2: 47; TCYOP-1: 47}
  • Firefox, Chrome: install the HTTPS Everywhere extension; IE, Safari: not available (the EFF has since retired the extension; current Firefox and Chrome have a built-in HTTPS-Only / HTTPS-First mode in Settings that does the same job)
  • [Refs]: "HTTPS Everywhere Keeps Your Personal Information Safe on Over 1,400 Sites, Available for Firefox and Chrome"
  • Use a password manager to log in and to check for reused or breached passwords -- see Passwords section
  • Use an updated, supported browser
  • Test Your Browser's TLS(SSL): How's My SSL?
  • Safari (macOS, iOS) still includes some fallback older 'insecure cipher suites'; I'm checking whether this is serious and/or being fixed; are Firefox and Chrome better?
  • Update system & application software to fix vulnerabilities
  • [Refs:OpenSSL]: "Heartbleed a Year Later: How the Security Conversation Changed"
  • [Refs:OpenSSL]: "Hundreds of Android and iOS apps are still vulnerable to FREAK attacks"
  • [Refs:OpenSSL]: "Windows, Blackberry also susceptible to HTTPS-breaking FREAK attack"
  • [Refs]: "Google, Mozilla, Microsoft to Sever RC4 Support in Early 2016"
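The "insecure cipher suites" point above (RC4, the FREAK export ciphers, old protocol versions) can be checked programmatically. The following is an added example, not code from the original page or from How's My SSL: it classifies a list of cipher-suite names in the shape of the given_cipher_suites field of a How's My SSL-style JSON report (the report here is constructed sample data, and the Bad/Good rating is a simplification assumed for this example, not How's My SSL's own rules), and it builds a hardened client context with Python's standard ssl module and confirms that the suites it would offer contain nothing weak.

```python
"""Audit TLS cipher suites (added example; not the page's or How's My SSL's code)."""
import re
import ssl

# Substrings that mark a suite as weak in both IANA ("TLS_RSA_WITH_RC4_128_SHA")
# and OpenSSL ("RC4-SHA") naming: RC4, no encryption (NULL), export grade
# (FREAK), DES/3DES, MD5 MACs and anonymous (unauthenticated) key exchange.
WEAK_PATTERN = re.compile(r"RC4|NULL|EXP|DES|MD5|anon|ADH|AECDH")

# CONSTRUCTED sample in the shape of a How's My SSL JSON report (assumption:
# a browser that still offers RC4, export and anonymous suites over TLS 1.0).
SAMPLE_REPORT = {
    "tls_version": "TLS 1.0",
    "given_cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    ],
}


def weak_suites(names):
    """Return the suite names matching a weak-cipher pattern, in their original order."""
    return [n for n in names if WEAK_PATTERN.search(n)]


def protocol_number(tls_version):
    """'TLS 1.2' -> 1.2.  SSLv3 or anything unparseable is treated as 0.0 (old)."""
    parts = str(tls_version).split()
    if len(parts) != 2 or parts[0] != "TLS":
        return 0.0
    try:
        return float(parts[1])
    except ValueError:
        return 0.0


def assess(report):
    """Simplified rating (assumed for this example): Bad if < TLS 1.2 or any weak suite."""
    weak = weak_suites(report.get("given_cipher_suites", []))
    old = protocol_number(report.get("tls_version", "")) < 1.2
    return {"weak": weak, "old_protocol": old, "verdict": "Bad" if (weak or old) else "Good"}


def hardened_client_context():
    """Client context that refuses < TLS 1.2 and the weak TLS 1.2 suites above.

    Certificate verification stays on from create_default_context().  TLS 1.3
    suites are fixed by the library (all AEAD) and are not affected by set_ciphers().
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES")
    return ctx


def local_cipher_names(ctx):
    """OpenSSL names of the suites this context would offer, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    result = assess(SAMPLE_REPORT)
    print("sample report:", result["verdict"])
    for suite in result["weak"]:
        print("  weak:", suite)
    ctx = hardened_client_context()
    offered = local_cipher_names(ctx)
    print("hardened local context offers", len(offered), "suites,",
          len(weak_suites(offered)), "weak")
```

Feeding the real JSON from https://www.howsmyssl.com/a/check (fetched with any HTTP client) into assess() gives a second opinion on the browser that fetched it; the hardened context is what a script using urllib or http.client should pass as its ssl context so it cannot be talked down to RC4 or an export suite the way the FREAK references above describe.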

Intermediate

  • If a site only offers login over insecure http:, esp. over public WiFi, use a VPN and enable 2FA -- see VPN section and Passwords section (2FA)
  • [Refs]: "Match.com's HTTP-only login page puts millions of passwords at risk"
  • Enable site's preference to use https: if offered, e.g., linkedin.com > Account > Security
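The two conditions discussed above, an http: page with an input field (what Chrome marks 'Not secure') and a login form that submits credentials over plain http: (the Match.com problem), can be checked on a fetched page. The following is an added example, not code from the original page: it scans HTML with the standard library's html.parser, resolves each form's action against the page URL, and reports findings. The pages and hostnames are constructed samples (the reserved .test domain); fetching a real page is left to the caller. The Chrome rule is simplified and does not model incognito mode, where every http: page is flagged.

```python
"""Flag http: pages with input fields and forms that submit over plain http:
(added example; not the page's own code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types that carry no user-typed data and so do not trigger the
# "http page with an input field" rule.
NON_DATA_INPUTS = {"hidden", "submit", "button", "image", "reset"}


class _FormScanner(HTMLParser):
    """Collects forms (resolved action URL, data-field count, password present)
    and counts data-entry fields anywhere on the page, inside a form or not."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.data_fields = 0
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names already
        if tag == "form":
            # A missing or empty action means "submit to the page's own URL".
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "fields": 0, "password": False}
            self.forms.append(self._form)
        elif tag in ("input", "textarea"):
            itype = a.get("type", "text").lower() if tag == "input" else "textarea"
            if itype in NON_DATA_INPUTS:
                return
            self.data_fields += 1
            if self._form is not None:
                self._form["fields"] += 1
                if itype == "password":
                    self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Return a list of findings for the page; an empty list means nothing to flag."""
    findings = []
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    if urlsplit(page_url).scheme.lower() != "https":
        findings.append("page not served over https")
        if scanner.data_fields:
            findings.append("http page with input field (Chrome marks it 'Not secure')")
    for form in scanner.forms:
        target = form["action"]
        if urlsplit(target).scheme.lower() == "http" and form["fields"]:
            kind = "password form" if form["password"] else "form"
            findings.append(f"{kind} submits over plain http: {target}")
    return findings


# CONSTRUCTED sample 1: an http: site with a search box and a login form that
# posts to a plain-http host (assumed names, not real sites).
INSECURE_PAGE_URL = "http://www.example.test/"
INSECURE_PAGE = """
<html><body>
<form action="/search" method="get"><input name="q"><input type="submit"></form>
<form action="http://login.example.test/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="csrf" value="x">
</form>
</body></html>
"""

# CONSTRUCTED sample 2: an https: page whose login form still submits over http:.
MIXED_PAGE_URL = "https://www.example.test/login"
MIXED_PAGE = ('<form action="http://www.example.test/do-login">'
              '<input type="password" name="p"></form>')


if __name__ == "__main__":
    for url, html in ((INSECURE_PAGE_URL, INSECURE_PAGE), (MIXED_PAGE_URL, MIXED_PAGE)):
        print(url)
        for finding in audit_page(url, html) or ["no findings"]:
            print("  -", finding)
```

The scanner only sees static HTML; a form whose action is rewritten by JavaScript, or credentials sent by script to an http: endpoint, need a proxy or the browser's network panel to catch, so treat an empty result as "nothing obvious" rather than a clean bill of health.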

Advanced

  • File transfer: use sftp: instead of ftp:, which sends credentials and files in the clear
  • Web site admin: get a free certificate from letsencrypt.org; see Configuration issues

References

Apple

Certificates

Google

Microsoft

OpenSSL, Freak, Heartbleed