What does the https lock mean to you

[lemming]

I'm complaining about Turbotax "help" Q&A . When Turbotax is closed or you do not choose the phone connection you are routed to their answer exchange website. It is an open internet forum; anyone can read and if you register you can post answers or questions.
That format doesn't seem like the criteria for secure to me.
and it is the worst type of information that you don't want out on the net.

 

[RE2Boys]

.
and it is the worst type of information that you don't want out on the net.

Curious, why do you say that? Of course, one should never post personal information on that website.

The lock just indicates that you have end-to-end encryption being utilized.

 

[nphx]

Yes - the data traffic from your browser to the server is encrypted for the transactions. Hackers have a tough time reading your data between point a and b.

 

[MRG]

Here's a link to the RFC for https, in case you are bored.

https://www.w3.org/Protocols/rfc2616/rfc2616.txt

 

[RE2Boys]

Isn't it defined in RFC 2660?

https://tools.ietf.org/html/rfc2660

 

[GrayHare]

Use of https is puzzling. For financial and similar private info, https of course, but for public content it merely adds more overhead and reduces compatibility with various software.

 

[MRG]

Isn't it defined in RFC 2660?

https://tools.ietf.org/html/rfc2660

Those things replace each other. Looks like 2660 is a later version. That's the fun, digest one to find a newer version. I understand the one quicker.

 

[Car-Guy]

People often say HTTPS means a secure web site. That's not correct. A web site can be very insecure (or not) and still use HTTPS.

As others have already said correctly, it just means secure (well really just encrypted) communications over a network (like the Internet) typically between a client (your PC's web browser) and a host server.

Once on a server, HTTPS has nothing to do with the security of the information on that server.

 

[lemming]

That's their explanation too. sigh

 

[donheff]

Can't see a reason to encrypt postings on their way to a public forum intended for anyone to see.

 

[RE2Boys]

Can't see a reason to encrypt postings on their way to a public forum intended for anyone to see.

Seems to be becoming more common, especially to site that have a log-in capability or can identify the user and pulls user specific info.

Even my news.google.com uses the https service.

 

[mpeirce]

It's getting more common for a number of reasons. Two big ones are: letsencrypt.org offers free certs to allow anyone to offer an encrypted server for free; google.com is penalizing sites in their ranking if they are not encrypted.

One of the most compelling reasons to use https for even non critical sites is that it prevents ISP and "others" from inserting html into a web page. I was very annoyed the first time I encountered an ISP inserting a "message" or and ad into web pages I was viewing.

Finally, the overhead for https isn't noticeable on modern computers and servers.

Within a couple of years I expect most browsers will switch from simply showing a lock for encrypted sites to assuming that a site should be encrypted and warning users when they encounter an unencrypted site. Expect Chrome to blaze this trail.

I added https to a couple of sites I maintain using letsencrypt.org and it was simple and painless. Even for wordpress based sites.

Here's Googles page explaining their take on it:

Why you should always use HTTPS

 

[Tadpole]

Maybe it discourages man-in-the-loop prankstering.

 

[Car-Guy]

HTTPS, as I remember it in the early days, was originally intended to address issues such as network eavesdropping and man-in the-middle attacks/threats.

 

[Car-Guy]

Can't see a reason to encrypt postings on their way to a public forum intended for anyone to see.

Here's one for an example. Depends, if you have an account on that site. You probably don't want your logon ID, PW credentials passed in the clear. That transmission could be intercepted/read and used to log back on to that site by someone masquerading as you and adding, deleting or editing post under your name. Would you care if someone posted "stuff" on this site under your user ID? Okay, maybe it doesn't matter to much on this site but I still would rather not have someone masquerade as me here. Also, some sites have public and private areas that can be accessed with the same ID and PW that might have info in the private areas that you would not want available to just anyone.