Is an https:// connection always secure?

General discussion about the NoScript extension for Firefox
Post Reply
User avatar
phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Is an https:// connection always secure?

Post by phule » Mon Feb 22, 2010 1:40 am

Can a website direct you to a webpage that has a https:// connection and still be unsecure? I've noticed that NS will not force such a website to be secure.

An example is Grandtea.com at http://www.grandtea.com/
Phule
FireFox 56.0,NoScript 5.1.2, BetterPrivacy-1.77
Adblock Plus 2.9.1. Mac OS X 10.12.5
Apple iMac 2.7 GHz Intel Core i5
8 GB 1066 MHz DDR3 RAM
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2) Gecko/20100115 BetterPrivacy-1.47 Firefox/3.6

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Is an https:// connection always secure?

Post by Alan Baxter » Mon Feb 22, 2010 2:19 am

Once you see https://www.grandtea.com in the url bar, your connection is encrypted and secure from eavesdropping.
Grandtea.com looks safe enough to me. It switches itself to https as soon as I select Checkout. That said, I was also able to successfully force https by adding the following to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure connections:

Code: Select all

www.grandtea.com

Edit: https as soon as I select Checkout
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Is an https:// connection always secure?

Post by Alan Baxter » Mon Feb 22, 2010 3:12 am

Alan Baxter wrote:Once you see https://www.grandtea.com in the url bar, your connection is encrypted and secure from eavesdropping.

Followup:
Apparently that's true only if the favicon turns blue or green too.
The Checkout page had an https connection and the blue favicon in the url bar. I think the blue favicon with grandtea.com in it indicates that all the content on the page was encrypted. But if I enter https://www.grandtea.com/ into the url bar, then the favicon doesn't change to blue. I clicked on the favicon and then clicked More Information to bring up the Page Info > Security information. Its technical details say that parts of the page I'm viewing are not encrypted. I think that's OK; they weren't sending me any information that needed to be encrypted.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

User avatar
phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Re: Is an https:// connection always secure?

Post by phule » Tue Feb 23, 2010 1:11 am

Alan Baxter wrote:Apparently that's true only if the favicon turns blue or green too.
The Checkout page had an https connection and the blue favicon in the url bar. I think the blue favicon with grandtea.com in it indicates that all the content on the page was encrypted. But if I enter https://www.grandtea.com/ into the url bar, then the favicon doesn't change to blue. I clicked on the favicon and then clicked More Information to bring up the Page Info > Security information. Its technical details say that parts of the page I'm viewing are not encrypted. I think that's OK; they weren't sending me any information that needed to be encrypted.


The favicon not changing color plus the padlock icon at the bottom of the window not "locking" is what made me suspicious. Thanks for clearing things up!
Phule
FireFox 56.0,NoScript 5.1.2, BetterPrivacy-1.77
Adblock Plus 2.9.1. Mac OS X 10.12.5
Apple iMac 2.7 GHz Intel Core i5
8 GB 1066 MHz DDR3 RAM
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2) Gecko/20100115 BetterPrivacy-1.47 Firefox/3.6

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Is an https:// connection always secure?

Post by Alan Baxter » Tue Feb 23, 2010 3:57 am

You're welcome. Happy shopping!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Is an https:// connection always secure?

Post by dhouwn » Tue Feb 23, 2010 6:54 am

Alan Baxter wrote:I think that's OK; they weren't sending me any information that needed to be encrypted.
But you should be aware of the fact that these unencrypted information can be manipulated. HTTPS is not only about encryption.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Chrome/5.0.322.2 Safari/533.1

Post Reply