Mastodon

SSL

A 49-post collection

How Everything We're Told About Website Identity Assurance is Wrong

I have a vehement dislike for misleading advertising. We see it every day; weight loss pills, make money fast schemes and if you travel in the same circles I do, claims that extended validation (EV) certificates actually do something useful: > Why are you still claiming this @digicert [https://twitter.com/digicert?ref_src=twsrc%5Etfw]? This is extremely misleading, anyone feel like reporting this to the relevant advertising standards authority in their jurisdiction? https://t.co/enzJUodhdG pic...

Why No HTTPS? The 2021 Version

More than 3 years ago now, Scott Helme [https://scotthelme.co.uk/] and I launched a little project called Why No HTTPS? [https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/] It listed the world's largest websites that didn't properly redirect insecure requests to secure ones. We updated it December before last [https://www.troyhunt.com/still-why-no-https/] and pleasingly, noted that more websites than ever were doing the right thing and for...

Still Why No HTTPS?

Back in July last year, Scott Helme and I shipped a little pet project that tracked the world's largest websites not implementing HTTPS by default [https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/] . We called it Why No HTTPS? [https://whynohttps.com/] and it gave people a way to see the largest websites not taking transport layer security seriously. We also broke the list down on a country-by-country basis and it quickly became a means o...

HSTS From Top to Bottom or GTFO

We're pretty much at a "secure by default" internet these days, at least that's the assumption with most websites, particularly so in the financial sector. About 80% of all web pages are loaded over an HTTPS connection [https://letsencrypt.org/stats/], browsers are increasingly naggy when anything isn't HTTPS [https://www.wired.com/story/google-chrome-https-not-secure-label/] and it's never been cheaper nor easier to HTTPS all your things [https://httpsiseasy.com/]. Which meant that this rathe...

Extended Validation Certificates are (Really, Really) Dead

Almost one year ago now, I declared extended validation certificates dead [https://www.troyhunt.com/extended-validation-certificates-are-dead/]. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren't displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the...

PayPal's Beautiful Demonstration of Extended Validation FUD

Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead [https://www.troyhunt.com/extended-validation-certificates-are-dead/] for all sorts of good reasons that have only been reinforced since that time. Yet somehow, the discussion does seem to come up time and again as it did following this recent tweet of mine: > Always find comments like this amusing: “The...

Extended Validation Certificates are Dead

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave w...

Why No HTTPS? Questions Answered, New Data, Path Forward

So that little project Scott Helme [https://scotthelme.co.uk/] and I took on - WhyNoHTTPS.com [https://whynohttps.com/] - seems to have garnered quite a bit of attention. We had about 81k visitors drop by on the first day and for the most part, the feedback has been overwhelmingly positive. Most people have said it's great to have the data surfaced publicly and they've used that list to put some pressure on sites to up their game. We're already seeing some sites on the Day 1 list go HTTPS (alth...

Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure" [https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html]. This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizabl...

Here's Why Your Static Website Needs HTTPS

It was Jan last year that I suggested HTTPS adoption had passed the "tipping point" [https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/], that is, it had passed the moment of critical mass [https://en.wikipedia.org/wiki/The_Tipping_Point] and as I said at the time, "will very shortly become the norm". Since that time, the percentage of web pages loaded over a secure connection has rocketed from 52% to 71% [https://letsencrypt.org/stats/] whilst the proportion of the world's t...