
Remember this lock means the "line is secure." It doesn't tell you anything about the website, how they use your data, how they store your passwords, your data, their privacy policy, none of that.
It also only covers the first hop of the connection. For example, many sites use Cloudflare without authenticated encryption from Cloudflare to their origin server. I'm curious about the statistics on origin server encryption. How many sites use their Strict SSL configuration?
Probably similar issues with other reverse proxy services. It gives users the impression that the connection to the site is secure when only the first hop is secure. It's part of their business model for sites to use it for TLS without actually setting up TLS on their servers.
One more reason why browsers moving to marking insecure connections as insecure rather than marking seemingly secure connections as secure is a nice change. Especially now that TLS *for the first hop* is the norm (not convinced the situation is as good as it appears due to this).