
MacBH928

macrumors G3
Original poster
May 17, 2008
8,738
3,895
This has been bothering me. Many websites I visit randomly show me a warning that the website has not implemented HTTPS or that the certificate is outdated. Is it OK to disable this? How can I disable it on both Safari and Firefox?
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,566
> This has been bothering me. Many websites I visit randomly show me a warning that the website has not implemented HTTPS or that the certificate is outdated. Is it OK to disable this? How can I disable it on both Safari and Firefox?

Don't. If it isn't https, your connection is insecure, and can be hacked. It might actually be completely hacked, meaning you are not contacting whoever you wanted to contact, but someone totally else. Same if the browser reports a "self signed certificate". I can easily produce a "self signed certificate" for apple.com, google.com, or amazon.com.

An outdated certificate means at least that the website operator is careless and unprofessional, so you shouldn't trust the site. If the certificate is outdated by a day, you are _most likely_ safe. Not safe enough to trust it with $600,000 worth of bitcoin. Safe enough to read news on MacRumors. But that's your decision, and that should never be done automatically for you.
 

casperes1996

macrumors 604
Jan 26, 2014
7,599
5,770
Horsens, Denmark
> Don't. If it isn't https, your connection is insecure, and can be hacked. It might actually be completely hacked, meaning you are not contacting whoever you wanted to contact, but someone totally else. Same if the browser reports a "self signed certificate". I can easily produce a "self signed certificate" for apple.com, google.com, or amazon.com.
>
> An outdated certificate means at least that the website operator is careless and unprofessional, so you shouldn't trust the site. If the certificate is outdated by a day, you are _most likely_ safe. Not safe enough to trust it with $600,000 worth of bitcoin. Safe enough to read news on MacRumors. But that's your decision, and that should never be done automatically for you.

A company my university uses for some of their infrastructure, Blackboard, forgot to renew a certificate for one of their domains… It was just one day before it was fixed but yeah, not good on their part. I’ve never let that happen to my domain and I’m just me, not a company selling services like this.

Anyway, yeah - I would say as long as the website doesn’t take user input or has information about calling someone or emailing someone or something; like if you’re just passively reading a manga or something, it’s not really a problem if it’s just HTTP and not secured, because if someone else injects their content into the page and you’re not sending anything back anyway it’s not really a worry.

But I would never ever advise visiting a non-HTTPS page with a login prompt.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,738
3,895
> Don't. If it isn't https, your connection is insecure, and can be hacked. It might actually be completely hacked, meaning you are not contacting whoever you wanted to contact, but someone totally else. Same if the browser reports a "self signed certificate". I can easily produce a "self signed certificate" for apple.com, google.com, or amazon.com.
>
> An outdated certificate means at least that the website operator is careless and unprofessional, so you shouldn't trust the site. If the certificate is outdated by a day, you are _most likely_ safe. Not safe enough to trust it with $600,000 worth of bitcoin. Safe enough to read news on MacRumors. But that's your decision, and that should never be done automatically for you.

Yes, for sure, I always check the lock symbol and HTTPS before doing any of that, but a lot of times I am facing this when just casually browsing the internet.
 

BrianBaughn

macrumors G3
Feb 13, 2011
9,845
2,505
Baltimore, Maryland
It's due to lazy or non-existent website upkeep and your browser is doing its job.

I don't know how much trouble it is to make all websites "compliant" but with a WordPress site all it takes is a free plugin.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,738
3,895
> It's due to lazy or non-existent website upkeep and your browser is doing its job.
>
> I don't know how much trouble it is to make all websites "compliant" but with a WordPress site all it takes is a free plugin.

I don't know what's going on in the background, but it's annoying.
 

ssmed

macrumors 6502a
Sep 28, 2009
885
423
UK
Going to those sites just encourages the bad practice of the contact, my only relaxation might be for known personal ‘hobby’ websites, but even then it is a no-brainer these days.
 

casperes1996

macrumors 604
Jan 26, 2014
7,599
5,770
Horsens, Denmark
> I don't know what's going on in the background, but it's annoying.

Usually it'd cost a bit of cash and you'd deal with getting renewals from your certificate authority and making your web server use said certificates.
But Let's Encrypt simplified everything for everyone. They're a free certificate authority (likely also the ones behind that WordPress plugin), I believe they're partially government and EU funded as well as various sponsors. They also make a program called certbot which you can use on your web server to basically entirely automate renewals and configuration updates.

I'm sure large businesses do this manually for greater control and responsibility-ownership if something was to go wrong with CertBot or Let's Encrypt, but it works really well and removes all the hassle from dealing with SSL/TLS even when you manage a "raw" web server. Mine is just a Raspberry Pi in my living room running nginx, and it's fully TLS/SSL/HTTPS operational.
 
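Added example, not part of any post in this thread: the certificate conditions discussed above (an expired certificate, a self-signed one, a renewal coming due) written as a check a site operator could run against their own server's certificate. It also covers a hostname mismatch, which the thread does not mention. The input is a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, names and dates are constructed.

```python
import ssl
from datetime import datetime, timezone

DAY = 86400

def _matches(pattern, host):
    # Exact name, or "*.example.org" standing in for exactly one leftmost label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_cert(cert, host, now, warn_days=30):
    """Findings for a dict shaped like ssl.SSLSocket.getpeercert() output."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append(f"expired {int((now - not_after) // DAY)} day(s) ago")
    elif not_after - now < warn_days * DAY:
        findings.append(f"expires in {int((not_after - now) // DAY)} day(s)")
    # Heuristic: issuer equal to subject means no outside CA vouched for the name.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_matches(p, host.lower()) for p in names):
        findings.append("hostname mismatch")
    return findings

def _name(cn):
    return ((("commonName", cn),),)

def _sample(issuer_cn, not_after, san=("www.example.org",)):
    # Constructed sample data, not taken from any real site.
    return {"subject": _name("www.example.org"), "issuer": _name(issuer_cn),
            "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": not_after,
            "subjectAltName": tuple(("DNS", n) for n in san)}

NOW = datetime(2024, 2, 1, tzinfo=timezone.utc).timestamp()  # fixed "today"
SAMPLES = {
    "healthy": _sample("Constructed Test CA", "Mar 31 00:00:00 2024 GMT"),
    "renewal due": _sample("Constructed Test CA", "Feb 15 00:00:00 2024 GMT"),
    "lapsed": _sample("Constructed Test CA", "Jan 31 00:00:00 2024 GMT"),
    "self-signed": _sample("www.example.org", "Mar 31 00:00:00 2024 GMT"),
    "wrong host": _sample("Constructed Test CA", "Mar 31 00:00:00 2024 GMT", ("example.net",)),
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(f"{label:12} {check_cert(cert, 'www.example.org', NOW) or ['ok']}")
```

On a live connection with Python's default TLS context, an expired or self-signed certificate fails the handshake with `ssl.SSLCertVerificationError` before any dict is returned, which is the same refusal the browser warning represents.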

Boyd01

Moderator
Staff member
Feb 21, 2012
7,952
4,888
New Jersey Pine Barrens
I have several sites and had to deal with this issue myself. They are hosted on a leased server that includes a WHM/cPanel feature called "auto-SSL" which automatically renews the certs annually. Now, these are "domain-validated certificates" which meet the minimum requirements and are probably similar to the free ones mentioned above.

The more secure certificates require that you provide documentation that you're a registered corporation - these are what a large business would have. I understand that the browser warnings are annoying, but they really are there for your protection. Many people use the same password on multiple websites and an insecure connection makes it too easy for a bad guy to access it. As @casperes1996 said, it's definitely a bad idea logging into an insecure site.

But as long as the site isn't selling anything and doesn't require you to enter any other personal information, the risk is probably not very high, especially if you don't need to log in. But if you do have to log in to such a site, just make sure that the same password is never used anywhere else.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,738
3,895
I wish it was the other way around where non-secure is the standard. For most sites people do not log in, just reading the random article on CNET. In the past you didn't need these locks except for e-commerce or email. Now you visit a university website or a newspaper and you have to click 3 buttons around the screen just to go on with your day. And the way the browsers word the warning is as if you will be nuked if you go on to the site, not just a mere expired certificate.

Sure, secure is better, but maybe they need to implement a better way for auto-renewal or something. I am thinking that they should make a new TLD that is secure only with registered companies (or turn .com into one). Now there is no way the new TLD (or current .com) is not secure. They should also include all the similar TLDs too, just in case someone mistypes, like .con or .vom or .cim.
 

casperes1996

macrumors 604
Jan 26, 2014
7,599
5,770
Horsens, Denmark
> I wish it was the other way around where non-secure is the standard. For most sites people do not log in, just reading the random article on CNET. In the past you didn't need these locks except for e-commerce or email. Now you visit a university website or a newspaper and you have to click 3 buttons around the screen just to go on with your day. And the way the browsers word the warning is as if you will be nuked if you go on to the site, not just a mere expired certificate.
>
> Sure, secure is better, but maybe they need to implement a better way for auto-renewal or something. I am thinking that they should make a new TLD that is secure only with registered companies (or turn .com into one). Now there is no way the new TLD (or current .com) is not secure. They should also include all the similar TLDs too, just in case someone mistypes, like .con or .vom or .cim.

I’m curious… What newspaper do you read that doesn’t have their TLS/SSL figured out? And aside from that little one-off I mentioned, what university pages? And a little tip: if you explicitly write “http://” in your URL bar, it’ll open insecure pages without any complaints about it - at least in my limited testing it has.

You have to remember that while you may not be at any substantial risk of getting robbed or anything using HTTP without sending credit card details or logins, everything on the page is still sent as clear text, so in addition to modifying the page and the information you see, a man in the middle can see all the contents you look at. I’d say even if we ignore the login factor, newspapers should be encrypted in traffic; for one thing so man in the middle attacks can’t attach actual fake information to their articles giving the reader false information and hurting the newspaper’s reputation. And for the sake of privacy so people can’t sit there and see which articles interest you and which don’t.

Renewing certificates does already have automated procedures; as mentioned, CertBot by Let’s Encrypt is one system that does it. Mistakes can happen, but I’ve only ever seen a valid website flag an HTTPS warning once, and it only lasted for a few hours before they fixed it. Well that, and my mate’s personal site which has both an HTTP and an HTTPS version up.
 

BrianBaughn

macrumors G3
Feb 13, 2011
9,845
2,505
Baltimore, Maryland
I only "curate" two websites. Neither has much traffic as they are specialized…but I wouldn't want visitors to experience a scary warning that they might not even understand when they load the page. It's just common sense.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,738
3,895
> I’m curious… What newspaper do you read that doesn’t have their TLS/SSL figured out? And aside from that little one-off I mentioned, what university pages? And a little tip: if you explicitly write “http://” in your URL bar, it’ll open insecure pages without any complaints about it - at least in my limited testing it has.
>
> You have to remember that while you may not be at any substantial risk of getting robbed or anything using HTTP without sending credit card details or logins, everything on the page is still sent as clear text, so in addition to modifying the page and the information you see, a man in the middle can see all the contents you look at. I’d say even if we ignore the login factor, newspapers should be encrypted in traffic; for one thing so man in the middle attacks can’t attach actual fake information to their articles giving the reader false information and hurting the newspaper’s reputation. And for the sake of privacy so people can’t sit there and see which articles interest you and which don’t.
>
> Renewing certificates does already have automated procedures; as mentioned, CertBot by Let’s Encrypt is one system that does it. Mistakes can happen, but I’ve only ever seen a valid website flag an HTTPS warning once, and it only lasted for a few hours before they fixed it. Well that, and my mate’s personal site which has both an HTTP and an HTTPS version up.

They don't come to mind now, but there is a lot of local stuff around the world. Think of places like Nigeria, Bangladesh, Colombia.
 