Remember this lock means the "line is secure." It doesn't tell you anything about the website, how they use your data, how they store your passwords, your data, their privacy policy, none of that.
15
66
392
Conversation
It also only covers the first hop of the connection. For example, many sites use Cloudflare without authenticated encryption from Cloudflare to their origin server. I'm curious about the statics on origin server encryption. How many sites use their Strict SSL configuration?
1
1
6
They call encryption without authentication the "Full" encryption mode, but it doesn't defend against active attacks, only passive monitoring. There's also a mode for not encrypting the connection at all. Since so many sites use Cloudflare, % of sites using TLS is misleading.
1
1
Probably similar issues with other reverse proxy services. It gives users the impression that the connection to the site is secure when only the first hop is secure.
It's part of their business model for sites to use it for TLS without actually setting up TLS on their servers.
1
One more reason why browsers moving to marking insecure connections as insecure rather than marking seemingly secure connections as secure is a nice change. Especially now that TLS *for the first hop* is the norm (not convinced the situation is as good as it appears due to this).
I get what you're saying, but nope! "the first hop" would be between your device & the local network router.
Encryption exists between your device & the IP address of the destination as resolved by DNS. How the "internal" network is configured from that point on is out of scope.
1
I'm clearly not talking about packet routing but rather load balancers / reverse proxies terminating TLS connections. I'm not talking about it as the first hop in a packet routing context. I also don't need someone to repeat what I wrote to me as if they're explaining something.
1
Show replies