Quote:
Originally Posted by PeterM
Thanks for this Al,
The site is Not Secure, so I am left wondering does this make it more attractive to hackers? I don't know so maybe someone in the know can explain to members just exactly what the potential issues might be?
If IceMan has no intention of making it secure then what does that mean for IIS long term? Well someone had to ask the question.....
Hi Peter,
When you see the "Not Secure" message and an open padlock icon
next to the URL field on your browser, it means you accessed it
via a URL of the form
http://www.iceinspace.com.au
If you have an existing bookmark, you might want to edit it to
be of the form
https://www.iceinspace.com.au
As TrevorW pointed out, HTTPS stands for HTTP Secure.
So, what, you may ask, does accessing the site using https do?
Unfortunately, not all the magic you may have been hoping.
The browser's use of the term "Not Secure" and its implied opposite,
"Secure", are somewhat of a misnomer.
And this applies to all web sites, not just IceInSpace.
Back at the server there is a digital certificate that has been signed by a
"trusted" certification authority (CA).
In a nutshell, when you enter
https://www.iceinspace.com, your browser
requests the certificate and it checks that, indeed, the certificate
corresponds to
https://www.iceinspace.com and not some other web site.
In a similar vein, if you intentionally go to a hypothetical web site called
https://nastywebsite.com that exploits a security flaw in the browser,
if that web site also has a valid certificate for
https://nastywebsite.com
that is signed by a "trusted" CA, then your browser will show it too
is "Secure".
So beware.
When running the https protocol, the communications between you
and the web site are encrypted to try and prevent a "man-in-the-middle"
attack.
However, if, for example, someone has installed a key logger on your
computer through some other piece of malware, encryption isn't
going to do you much good, because they are logging the key presses
before they are encrypted.
Additionally, if a web site itself has a security flaw, for example some
way to access the member database and edit the passwords, then
whether you run http or https matters not.
I like to think of those browser padlock icons like the "Sanitised For
Your Protection" paper bands they leave on hotel toilet seats.
From a professional computer science perspective, they don't mean s**t.
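
As an added illustration (not part of the post above, and not any browser's actual code), this Python sketch models the certificate checks the post describes: trusted issuer, validity dates, and a name that matches the site requested. The trust-store name, sample certificates and fixed clock are constructed, and the CA signature check is reduced to an issuer-name lookup for the sake of an offline example.

```python
import ssl

# Constructed trust store standing in for the browser's CA list. A real client
# verifies the CA's signature on the certificate; this model only compares names.
TRUSTED_CAS = {"Example Trusted CA"}

def name_matches(pattern, hostname):
    """Simplified hostname match: exact, or '*' as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def padlock(cert, hostname, now):
    """Return (shows_secure, reason) for a cert dict shaped like getpeercert()."""
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    if issuer not in TRUSTED_CAS:
        return False, "issuer not in trust store"
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        return False, "certificate outside validity period"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        return False, "certificate is for a different site"
    return True, "name, dates and issuer check out"

def make_cert(dns_name):
    """Constructed sample certificate, not taken from any real site."""
    return {
        "issuer": ((("commonName", "Example Trusted CA"),),),
        "notBefore": "Jan 01 00:00:00 2024 GMT",
        "notAfter": "Jan 01 00:00:00 2026 GMT",
        "subjectAltName": (("DNS", dns_name),),
    }

NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2025 GMT")  # fixed demo clock
FORUM = make_cert("www.iceinspace.com.au")
NASTY = make_cert("nastywebsite.com")  # the post's hypothetical site

if __name__ == "__main__":
    for cert, host in [(FORUM, "www.iceinspace.com.au"),
                       (NASTY, "nastywebsite.com"),
                       (NASTY, "www.iceinspace.com.au")]:
        print(host, padlock(cert, host, NOW))
```

Both sites pass when asked for by their own name; the check only fails when a certificate is presented for a different name than the one requested, which is the sense in which the padlock says nothing about the site's behaviour.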