Secure sites: Are you secure? (fall 2020)

Post your tutorials for using Pale Moon or performing related tasks here.
Note: Not for "how do I...?" Questions!
Forum rules
Tutorials and Howtos should only relate to Pale Moon, and not to third party applications. e.g.: Don't post a Howto for configuring your firewall.
If you have a question how to do something, you should use one of the support boards, not this board. It is meant for people to document and post instructions.
Locked
User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 28144
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Secure sites: Are you secure? (fall 2020)

Post by Moonchild » 2020-09-27, 09:49

Since 28.14.0 will have an update to how secure sites are displayed in Pale Moon, an updated version of this guide:

Pale Moon displays secure sites slightly differently than other browsers, so here is a short explanation about the different statuses you may see, and what exactly they mean:
  1. Normal site:
    normalsite.png
    normalsite.png (2.15 KiB) Viewed 1285 times
    The connection to the site is not encrypted, and anything you post to or get from the website is transferred normally. This is the normal state for a lot of public web pages you will visit, and is normal for regular browsing.
  2. Secure site:
    https.png
    https.png (3.99 KiB) Viewed 1285 times
    The connection to the site is encrypted, all parts are transferred over a secure connection, and anything you post to or get from the website is securely transferred to prevent eavesdropping. This is a common state for on-line shopping, most e-mail providers who supply webmail, and for login pages, etc.
    Unlike Firefox, Pale Moon will display the verified domain name for these types of connections by default, and will display the raw IDN code (punycode, starting with "xn--") for internationalized domain names in this case to prevent spoofing dangers.
  3. Secure site with extended validation:
    https-ev.png
    https-ev.png (4.33 KiB) Viewed 1285 times
    The connection is encrypted like in (2), but the certificate owner has also been verified through an extended validation process. This is a common state for higher-security sites like on-line banking, eMoney providers, and secure governmental sites dealing with highly personal information. Pale Moon will display the verified organization name. Because these kinds of certificates are much more expensive, most smaller businesses will not use extended validation for their encrypted pages and you will see a "domain verified" encrypted connection instead (as in (2)).
  4. Mixed content:
    mixedcontent.png
    mixedcontent.png (2.53 KiB) Viewed 1285 times
    New in 28.14.0
    The connection to the site is encrypted, but some parts of the site were transferred over non-encrypted connections. This specific mode indicates that the connection to the site is not as secure as it could be, but the content that isn't sent over an encrypted connection is passive content (display content like images) which is relatively low risk and fairly common on e.g. bulletin boards or social media where users can post embedded images from external sources.
    Please note: This should never happen on highly secure sites, and for this reason mixed content on extended validated domains will not be displayed this way, but will be displayed as broken (see below)
  5. Low-grade encrypted:
    weakencryption.png
    weakencryption.png (2.31 KiB) Viewed 1285 times
    New in 28.14.0
    Although the protocol used is https, the connection is weak indicated with the a yellow/orange padlock. This can be caused by the server only supporting an old TLS protocol (TLS 1.0 or 1.1) or a known-weak cipher (e.g. 3DES or RC4). Be careful when you see this indicator. If it is a legitimate site, the webmaster probably needs to be informed their site security is weak and needs to be addressed.
  6. Broken encryption:
    https-broken.png
    https-broken.png (4.24 KiB) Viewed 1285 times
    Do not enter any login, financial or personal information when you see this icon displayed. If it was a cached/restored page, completely refresh the page (Ctrl+F5) and check for proper encryption.
    This status is displayed when there is a serious problem with the security of the connection. This happens in the following situations:
    • The site is Extended Validated, but there is any sort of unencrypted content. Typical EV sites should never have mixed content so this is considered broken.
    • There is unencrypted content on the site that isn't passive, e.g. scripting or embeds. This is by default blocked to keep the site secure but if you manually allow it, the connection state is degraded to not secure, with the indicator matching that state.
    • The certificate is self-signed or not trusted, but you have allowed the connection anyway.
At all times, you can click the displayed website icon or domain name/organization name for basic details about the encrypted state, or you can click the padlock itself to open a more detailed window with information about your connection.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

Locked