Summary
- [1] Update System/Browser Software
- [1] Use https: (Hypertext Transfer Protocol Secure) instead of regular http: whenever a site supports it
- [2] Check for Vulnerable sites
- [2] Use VPN and 2FA to Compensate for an Insecure Connection
- [3] Test Your Browser's TLS; Use sftp:; Install a Certificate
- References
[1] Update System/Browser Software
- Check that your system, browser and application software have the latest security updates -- see section: Software Updates
- Otherwise content can be exposed even over https:: a TLS flaw such as Heartbleed or FREAK has to be patched on both ends, your browser and the site's server.
[1] Use https: (Hypertext Transfer Protocol Secure) instead of regular http:
- More and more sites default/redirect to HTTPS:, helped by the wider availability of free certificates, e.g., Let's Encrypt. A site ends up on https: in one of several ways:
- automatically: the site itself redirects http: to https:, e.g., paypal.com
- via browser extension, e.g., HTTPS Everywhere for Chrome, Firefox (never available for IE, Safari); now largely superseded by the browsers' built-in HTTPS-only modes (see the Firefox and EFF references below)
- via a site preference, e.g., linkedin.com:
Account > Security
- Some password managers, e.g., 1Password, can check for non-https and vulnerable sites
- Check browser Address Bar: lock icon and/or URL beginning with "https://"
- Be especially aware on login pages and shopping and finance sites.
- Some browsers flag 'insecure' sites: Chrome first flagged any http: page in "incognito" (private browsing) mode or any http: page with an input field, and since Chrome 68 labels every http: page "Not secure"
- Client-server connection with HTTPS: {Figure 6. TCYOP-4: 67; TCYOP-3: 55}.
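As an added example (not from the original notes or from the TCYOP book), here is a Python script that applies the two checks above to a page offline: is the page URL itself https:, and does every form on it, especially one containing a password field, submit to an https: address? The URLs and HTML snippets are constructed for the example, `classify_page` and `_FormScanner` are names chosen here, and the two rules are an approximation of what a browser's address-bar warnings implement, not Chrome's own code.

```python
"""Apply the address-bar checks to a page offline: is the page https:, and does
every form on it (especially one with a password field) submit to https:?"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>'s resolved action URL and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per <form>: {"action": str, "has_password": bool}
        self._current = None   # the form whose tags we are currently inside

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or relative action means "submit back to this page", so
            # resolve it against the page URL the way the browser does.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_page(page_url, html):
    """Return the warnings the address bar would raise; [] means the page passes."""
    warnings = []
    if urlsplit(page_url).scheme.lower() != "https":
        warnings.append("page is not https: (Chrome labels it 'Not secure')")
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    for form in scanner.forms:
        scheme = urlsplit(form["action"]).scheme.lower()
        if scheme != "https":
            # A form on an https: page that posts to http: is the "mixed form" case:
            # the lock icon is shown, but the credentials still leave in clear.
            what = "a password" if form["has_password"] else "form data"
            warnings.append(f"form submits {what} over {scheme}: to {form['action']}")
    return warnings


# Constructed sample pages (not captured from any real site).
LOGIN_FORM = ('<form action="/login" method="post">'
              '<input name="user"><input type="password" name="pw"></form>')
MIXED_SEARCH = '<form action="http://shop.example/search"><input name="q"></form>'

if __name__ == "__main__":
    for url, body in [("http://shop.example/login", LOGIN_FORM),
                      ("https://shop.example/login", LOGIN_FORM),
                      ("https://shop.example/", MIXED_SEARCH)]:
        print(url, "->", classify_page(url, body) or "ok")
```

The third sample is the case the lock icon alone does not catch: the page is https:, but the form posts to http:, so what you type still crosses the network unencrypted.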
[2] Check for Vulnerable sites
- Although you can't update the security software on sites, you can minimize your exposure
- Change passwords on any site that was exposed to a vulnerability such as Heartbleed, but only after the site has patched it: a password changed while the site is still vulnerable can leak all over again (and for Heartbleed the site also needs a re-issued certificate, since its private key may have been read). Use a password manager to monitor, e.g., 1Password: Watchtower; a PM can also flag any non-https: logins
- Until the site is patched, assume anything you send it could be exposed; https: only protects content when both ends are patched.
[2] Use VPN and 2FA to Compensate for an Insecure http: Connection
- If a site requires login over insecure http:, esp. over public WiFi: a VPN hides the login from the local network only (the password still travels in clear from the VPN exit to the site), and 2FA limits what a captured password is worth (it does not protect a captured session cookie) -- see VPN section and Passwords section (2FA); also use a unique password for that site so a leak does not spread
[3] Test Your Browser's TLS; Use sftp:; Install a Certificate
- Test Your Browser's TLS(SSL): How's My SSL?
- Safari (macOS, iOS) may include some fallback older 'insecure cipher suites'; I'm checking whether this is serious and/or being fixed. Firefox, Chrome better?
- File transfer: use sftp: instead of ftp:
- Web site admin: free certificate: letsencrypt.org; possible installation cost, configuration issues depending on web host
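As an added example, not from the original notes or from the How's My SSL site, the following Python script does a local version of the test above. It audits a list of cipher-suite names for the weaknesses this page's references cover (RC4, export-grade suites as in FREAK, DES/3DES, NULL and anonymous suites, MD5) and for missing forward secrecy, then runs the same audit over the cipher list the local Python/OpenSSL client would offer, and shows how to configure a stricter client context. The function names, the regex table and the three grades (which only loosely mirror How's My SSL's "Probably Okay" / "Improvable" / "Bad") are choices made here, and the sample suite lists are constructed.

```python
"""Audit TLS cipher-suite names and the local OpenSSL client configuration."""
import re
import ssl

# (regex, reason).  Matches both IANA names (TLS_RSA_WITH_RC4_128_SHA) and
# OpenSSL names (RC4-SHA, EXP-RC4-MD5, DES-CBC3-SHA, ADH-AES128-SHA).
WEAK_PATTERNS = [
    (r"RC4", "RC4 stream cipher"),
    (r"EXP(ORT)?[-_]", "export-grade key sizes (FREAK)"),
    (r"(^|[-_])(3DES|DES)[-_]|DES-CBC3", "DES/3DES 64-bit block cipher"),
    (r"NULL", "NULL encryption or NULL MAC"),
    (r"(^|[-_])(ADH|AECDH)[-_]|_anon_", "anonymous key exchange (no server authentication)"),
    (r"MD5", "MD5 MAC"),
]
NO_PFS = "no forward secrecy (static key exchange)"


def has_forward_secrecy(name):
    """Ephemeral (EC)DH suites and every TLS 1.3 suite give forward secrecy;
    static RSA or static (EC)DH key exchange does not."""
    if re.search(r"ECDHE|DHE|EDH", name):
        return True
    # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) have no "_WITH_" segment.
    return name.startswith("TLS_") and "_WITH_" not in name


def audit_cipher(name):
    """Return the list of problems with one suite; [] means nothing known wrong."""
    problems = [reason for pattern, reason in WEAK_PATTERNS if re.search(pattern, name)]
    if not has_forward_secrecy(name):
        problems.append(NO_PFS)
    return problems


def audit_ciphers(names):
    return {name: audit_cipher(name) for name in names}


def grade(names):
    """'Bad' if any suite has a known weakness, 'Improvable' if any only lacks
    forward secrecy, else 'Probably Okay'."""
    results = audit_ciphers(names)
    if any(r != NO_PFS for problems in results.values() for r in problems):
        return "Bad"
    if any(results.values()):
        return "Improvable"
    return "Probably Okay"


def local_client_report(ctx=None):
    """Audit the suites the running Python/OpenSSL client would offer a server."""
    if ctx is None:
        ctx = ssl.create_default_context()
    names = [c["name"] for c in ctx.get_ciphers()]
    return {"minimum_tls": ctx.minimum_version.name,
            "grade": grade(names),
            "flagged": {n: p for n, p in audit_ciphers(names).items() if p}}


def hardened_client_context():
    """Client context allowing TLS 1.2+ only and forward-secret AEAD suites only
    (TLS 1.3 suites stay enabled; set_ciphers() only governs TLS 1.2 and below)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


if __name__ == "__main__":
    # Constructed sample list mixing obsolete, non-PFS and modern suites.
    sample = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "DES-CBC3-SHA", "AES256-GCM-SHA384",
              "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]
    for n, p in audit_ciphers(sample).items():
        print(f"{n:32} {', '.join(p) or 'ok'}")
    print("sample grade:  ", grade(sample))
    print("default client:", local_client_report()["grade"])
    print("hardened client:", local_client_report(hardened_client_context())["grade"])
```

The script audits only what the client is willing to offer; which suite is actually used on a given connection is chosen by the server from that list, so a clean client list is necessary but not sufficient.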
References
- {TCYOP-4: 66-68; TCYOP-3: 54-56}
- sections: Refs: Apple; Certificates; Firefox; Google/Chrome; OpenSSL, Freak, Heartbleed
- Wikipedia: Uniform Resource Locator (URL): Hyperlink; network location (address) plus access method, e.g., http:
- Wikipedia: hypertext; HyperText Transfer Protocol (HTTP)
- HowStuffWorks: Internet Infrastructure: URL; Ports and HTTP
- Wikipedia: Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL); "SSL" is still used loosely for both
- Wikipedia: HyperText Transfer Protocol Secure (HTTPS) protocol for secure communication
- Wikipedia: HTTPS Everywhere browser extension
- Wikipedia: File Transfer Protocol (FTP) standard network protocol used to transfer files from one host to another
- Wikipedia: Secure Shell (SSH); SSH FTP (SFTP)
- Wikipedia: SHA-2 (Secure Hash Algorithm 2) used in certificates
- Wikipedia: RC4 (Rivest Cipher 4) stream cipher
- [3] SSL Cipher Suite Details of Your Browser test page
- EFF to deprecate HTTPS Everywhere extension as HTTPS is becoming ubiquitous 9/25/2021
- Hackers can mess with HTTPS connections by sending data to your email server Ars; 6/9/2021
- Security Researchers Take Advantage of Insecure HTTP to Display Fake Videos on TikTok iOS, Android; 4/18/2020
Apple
- How to Fix Safari 'This Connection Is Not Private' Warnings OSXD; 3/17/2021
Certificates
- Wikipedia: certificate authority
- Let's Encrypt comes up with workaround for abandonware Android devices Ars; 12/22/2020
- Kazakhstan spies on citizens’ HTTPS traffic; browser-makers fight back Google, Mozilla, Apple, and Microsoft block Kazakhstan's self-signed root certificate; Ars; 12/21/2020
- Kazakhstan government is intercepting HTTPS traffic in its capital third time since 2015 that the Kazakh government is mandating the installation of a root certificate on its citizens' devices; ZD; 12/6/2020
- On Older Versions of Android, Many Let's Encrypt-Secured Sites May Stop Working in 2021 < 7.1.1; 11/6/2020
- Let's Encrypt discovers CAA bug, must revoke customer certificates Ars; 3/3/2020
- HTTPS for all: Let's Encrypt reaches one billion certificates issued Ars; 2/27/2020
- Safari to snub new security certs valid for more than 13 months Reg; 2/20/2020
Firefox
- Firefox 83 will automatically switch you to secure HTTPS sites HTTPS-Only Mode will display a warning if a website doesn't have an HTTPS version the browser can load; Eng; 11/18/2020
Google / Chrome
Microsoft
OpenSSL, Freak, Heartbleed
- Wikipedia: OpenSSL; Heartbleed; FREAK