Talk:2634: Red Line Through HTTPS

Explain xkcd: It's 'cause you're dumb.
Revision as of 23:55, 20 June 2022 by Orion205 (talk | contribs)
Jump to: navigation, search


HTTPS was standardized in 2000 or so, so 2015 is quite a stretch for a site to not use it because the site was last updated before HTTPS was widely available. With pretty much any browser now, a red line through HTTPS means that the site _is using HTTPS_, but it is _not trusted by the browser_ (due to e.g. the certificate being self-signed or expired). Darrylnoakes (talk) 04:28, 18 June 2022 (UTC)

I think the intended joke is that the site's certificate expired in 2015, instead of the site is not using HTTPS. 108.162.221.101 06:29, 18 June 2022 (UTC)
2015 is when the first Let's Encrypt certs were issued, and 2016 is when LE became generally available to the public and thus when free SSL/TLS became very very easy for just about anyone setting up a web server, hence the comic citing 2015. However even with a valid cert you might have a number of issues, like mixed content. At least in Firefox, an expired cert gives a big warning screen that gives you an option to add a security exception; I don't care enough to install Chrom{e,ium} to test its UI. 172.69.69.250 08:30, 18 June 2022 (UTC)
Chrome has this warning screen including an option to bypass the warning as well. I believe all browsers do. I think the only exception to this is when a site has strict transport security enabled. Jespertheend (talk) 10:49, 18 June 2022 (UTC)
Until about 2015 no-one complained if you didn't offer HTTPS as long as you didn't request anyone's credit card number or offered .exe files: An internet site offers nothing but inherently untrustable text. It might contain ads that can execute any piece of javascript. It even could contain flash - so why pay a substantial amount of money to make the transport of that data more secure? Nowadays most web browsers tell on you if you don't secure connections and allowing the telco to see what data you download from where is felt as a privacy intrusion. On the other side not every hoster offers https for multiple domains...--Gunterkoenigsmann (talk) 15:03, 19 June 2022 (UTC)

Not sure it's true that if there is a problem with HTTPS like an expired cert that the connection is made with HTTP instead. 172.69.79.201 10:11, 18 June 2022 (UTC)

It's not, it still uses the https connection. It only indicates that the connection might not be secure anymore and anyone could be listening in at that point. Jespertheend (talk) 10:49, 18 June 2022 (UTC)

I actually am bemused by this. Not sure if I only visit the wrong (or right?) websites with the wrong (or right?) browsers, but I don't recall ever notably having seen struck-red links. (Perhaps I have, and assumed it was a site informing me that they were dead links, not now followable?) I do occasionally follow a normal-looking link (maybe locally CSSed in a over-riding manner of format?) and I get the browser load up a whole-screen "Problem with certificate (Are you sure? Jump through hoops for me to progress.)" which I may then take under considered advisement but mostly has me checking I'm not being spoofed as to the destination or something. Is this where the red strikethrough appears for others?
I also have at least one site that is steadfastly still HTTP-only, and neither I nor my various browsers have any problem with it as I know what I'm doing, whilst the browsers just go there without particular complaint or anything more than usual addressbar clues... I might have "added to exception from warning" once or twice in the distant past, but not in every case. So I'm learning something here, but I don't know what. Sounds like something Edge would do, but I don't use Edge... I'm generally on Chrome, Firefox and a handful of 'lesser' flavours, all definitely updated. 172.70.90.173 11:21, 18 June 2022 (UTC)

You can find some examples of the red line on https://badssl.com/, but pretty much in all cases you get a full page warning first that something is amiss. You can also try out the http connection at http://http.badssl.com/, http connections are a bit more complicated. Some browsers don't show a warning at all, while others only show a gray 'insecure' label in front of the url. And as can be seen here [1], the plan is to eventually show similar warnings for HTTP sites as what is currently shown for HTTPS sites with a failed certificate. Jespertheend (talk) 11:32, 18 June 2022 (UTC)
Ugh, I'd hate that. I have a little webpage of my own, and I'm not in a position to be able to go https, :( That "badssl" site has several example issues, which ones go red/strikethrough? I want to confirm no browser I have does that. NiceGuy1 (talk) 04:56, 19 June 2022 (UTC)
I was about to remark the same thing, :) NEVER seen a strikethrough. I'm rather assuming it's something Chrome does, because I about exclusively use Firefox, and Chrome likes to be weird and non-standard (main reason I generally don't use it), and too many people act like there's no other browser than Chrome. Likewise, most I get is "Security Risk!", then find out it's a Bad Certificate, then it turns out it expired and they just haven't updated it yet. Stop being so dramatic, LOL! NiceGuy1 (talk) 04:28, 19 June 2022 (UTC)
I'm a Chrome user (part of the time, being the "handful of lesser flavours" contributor, above, but using it this very second) and I don't see it. But then I turned off its look-ahead (downloading of pages it thinks I'll go to next) because I'd rather it not, and as some sort of pre-emptiveness seems necessary to know a link should be red-struckthrough, I probably (hopefully?) neutered that stupid potential exploit too... So don't take my experience as gospel. (But still sounds like an Edge thing, to me, the way that's the new IE in the current browser ecosystem.) 172.70.162.5 11:32, 19 June 2022 (UTC)
It's not links (to other pages) that get the strikethrough. It's the protocol/scheme name in the current page's address bar. See, for example, the picture in https://superuser.com/a/369839/93954. This is far less intrusive than any of the warning pages you've mentioned seeing; maybe you just haven't noticed when it does that? For a current live example, in Edge, I'm seeing the (not red) strikethrough e. g. on https://self-signed.badssl.com/ both on the warning page and after clicking through it to accept the bad certificate. And as it happens, I could swear that just within the last few days I've been on a mixed-content website that displayed the strikethrough, but I'm not certain what website it was and I can't reproduce this now, so I'm probably misremembering. Chortos-2 (talk) 23:44, 20 June 2022 (UTC)

I've made a rather large change to the page to better explain the meaning of a red line through https. I removed any mentioning of using the HTTP protocol as that is incorrect. If a browser uses the HTTP protocol it is shown in the url using 'http://'. Since the comic was talking about a red line through 'https' I'm assuming the usage of the HTTP protocol is unrelated here. Though it's possible I removed some more information from the page that might still be desired. Such as the mentioning of AI-generated spam sites and man in the middle attacks. These seemed redundant to me for explaining the joke. I also put some more emphasis on the red line usually meaning that something bad is going on. Browser venders put a lot of effort in security, and having everyone think that a red line is not that big of a problem is the last thing they'd want. Jespertheend (talk) 11:23, 18 June 2022 (UTC)

While it's true that some browser security warnings are false alarms, I think that paragraph is missing the point of the comic. Cueball is assuming that any site that's been around for years must be operated well. But often the maintainers of the site get complacent and don't update to newer standards. And even if the real site is legit, the security warning can mean that traffic has been intercepted, so you're not actually going to the real site. Barmar (talk) 13:40, 18 June 2022 (UTC)

Also, someone who hasn't taken the trouble to keep their security certificates up to date is probably more likely to have neglected their server security generally, so it's more likely that someone could have hacked them and be serving you up all kinds of crap. 172.70.85.177 08:22, 20 June 2022 (UTC)

I presumed this was about using outdated protocols like TLS 1.0 or weak ciphers. 172.70.110.121 00:28, 19 June 2022 (UTC)

You'd almost think Randall didn't live in the Boston metropolitan area. I was disappointed. JohnHawkinson (talk) 04:30, 19 June 2022 (UTC)

Okay, at least two of us don't see this behaviour, so this is NOT as universal as Randall seems to think, could somebody figure out why and put it in the explanation? (I reject the possibility that we just haven't visited the right (wrong) sites. I, for one, go to WAY too many sites, LOL!). My leading theory is that instead of being universal, this behaviour is actually unique to Chrome (as I don't use it much and can easily have never visited an insecure website on it), since I use Firefox primarily, and many people seem to forget that there are other browsers than Chrome, and Google goes out of it's way to be as weird as possible, including being fancy for the sake of fancy (like the colour-coding and strikethrough). NiceGuy1 (talk) 04:49, 19 June 2022 (UTC)

Where is Cueball saying that websites with a red line through HTTPS are more secure than modern websites? In the comic he merely says that the red line means that the website is legit, he doesn't make any comparison at all. Kzkzb (talk) 22:12, 19 June 2022 (UTC)

I think the current explanation is missing a key aspect of the humor. The fact is, it takes minutes to add HTTPS to your site for free (see e.g., https://www.freecodecamp.org/news/free-https-c051ca570324/). A phisher could set up a site with https and have it trick you into giving up your info for a while before being caught and brought down. I think the outdated-ness of the red line through the https indicates that the site has been around for a long time, and therefore is less likely to be a scam. I'll add something small to this effect, but let me know if you disagree, I'm not 100% sure about this. Jrfarah (talk) 23:04, 19 June 2022 (UTC)

While you can set up HTTPS certificate for free in minutes, you need to have control over the domain to be able to. This is key aspect in the security - only I can control my domain, therefore if you see green HTTPS on my website, you can be sure it is a genuine one, whereas if you see anything else, it might not be 89.177.163.36 16:43, 20 June 2022 (UTC)
Aside from the issue of a previously controlled+certificated domain being hijacked... As far as I'm concerned a style="text-color: green" sort of thing would suffice to produce the exact same effect.
Nobody has yet satisfactorily explained which browsers do this, and under which circumstances... No Chrome doesn't do this. (Not my Chrome, anyway, but maybe I'm just using the wrong one?)
But, for when it does happen, does it not override inline/CSS styles, in which case the link 'warning' is entirely disguisable by the link-author. Even in the most incapable and hobbled version of newb-servicing CMS, and definitely with direct markup-editing capability.
Or they do, in which case (not that I have much sympathy for the absolutist type) I hear the wailings of a thousand web-designers, unable to control every last visual element to their utter and complete desire because the browser spoils their desired pallette, even if they overlook the mythical strikethrough rendering.
(The amateur web designer I knew who set up a pixel-perfect site by making the page he desired an image with image-mapped hotspot-links on the blue-underlined fully rasterised words... It sounds like he would have neutered the HTTPS warning. But in the most annoying and frustrating way.)
I assume it's a common sight for Randall, to have inspired him so (and write about it as if we should similarly have a good idea about it). For me, though, I assumed it was a broken-link thing, i.e. a non-available web resource, but then of course a page/site that is entirely offline cannot be so easily hacked. But I take it on trust that the current explanation (as far as it goes) is the real one. 172.70.91.58 22:37, 20 June 2022 (UTC)
No, this isn't rendered on the page. Go to https://badssl.com/ yourself and you'll see you can't use CSS to change how the https is rendered red with strikethrough in the address bar. But I see Chrome use the red strikethrough display while Firefox doesn't, instead showing "Not Secure" next to the security icon.

Removed unnecessary line. The NSA is mentioned absolutely nowhere in the comic, nor any other intelligence agency, and it comes off as nothing more than an unnecessary conspiracy theory.