Author Topic: "Not secure"?  (Read 57251 times)

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4968
  • Melbourne, Australia
    • View Profile
    • Email
"Not secure"?
« on: February 23, 2017, 04:59:05 PM »
Recently a player wrote to me, worried about a message she had just noticed in the Google Chrome browser when she was at the Chihuahua site:



She hadn't noticed that phrase, "Not secure", before. She did a few things to try to get rid of the message, but in vain. So she was writing to ask me if using the Chihuahua site was still safe. This was my reply:

Quote
The appearance of this “Not secure” message is not due to any change on the Chihuahua site. It results from a recent change in Google Chrome, aiming to provide Web users with more warnings about potential vulnerabilities. These warnings are probably more relevant to a commercial site than something like Chihuahua which is essentially a hobby site.
 
If you click on the “Not secure” message, you will see this explanation: “You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.” In other words Chrome is NOT saying that visiting the site might infect your computer with some form of malware, but that there is a possibility someone could intercept the information you input on the site.
 
Of course there is no credit card information requested on the Chihuahua site, so the worst that could happen is that someone could find out your Chihuahua password. I don’t suppose this is likely to actually happen, but it is probably a good idea not to use the same password for banking, etc, and more “frivolous” sites like Chihuahua. Incidentally Chihuahua passwords are encrypted before being sent over the Internet, but perhaps not as securely as Chrome would prefer.
 
So to sum up on the “Not secure” message, I don’t believe it is anything you need to worry about. The site is as secure as it’s ever been, and I’m not aware of any security issues affecting users during the 11 years of the site’s existence.

I'll try to explain what's going on, but I'm not an expert on network security, so I'd be delighted to see any better explanations or other thoughts from forumites who know more than I do about the subject.

What triggers the appearance of this "Not secure" message is a site having input fields for either credit card details or a password, and that site not using something called the Secure Sockets Layer (SSL). When you see a link to a site preceded by HTTPS, it is using SSL, but if the prefix is just HTTP, the site is not using SSL. This distinction has been around for many years, and most browsers show a padlock icon in front of the web address of a site using SSL. In the past it was mainly e-commerce and banking sites and the like that used SSL.

It seems this "Not secure" message is just the first stage in a crusade by Google to coerce all web sites to start using SSL. Apparently they plan in the future to put a warning on all sites not using SSL, even those that have no sensitive input fields, or perhaps no input fields at all. Furthermore, the warning is eventually going to be made more alarming looking:



So far the "Not secure" message is only on the computer version of Chrome - at least I don't see it on the Android or iOS Chrome apps. But I daresay it will start appearing there before long. And other browser makers may feel they should follow Google's lead. Google is also penalising non-SSL sites with lower placement in Google search results.

So, you may be asking, what security does SSL provide, and does Chihuahua need it? As far as I can make out, there are two main things this technology achieves. Firstly, it prevents anyone reading or interfering with any data traveling between your computer and a website, and secondly, it gives you some assurance that the website you are connected to is really the site you think it is.

Realistically, such protection is only likely to be useful to someone using a public wi-fi network in a cafe, library, hotel, etc. It seems that a bad person signed in to the same wi-fi might be able to spy on the information people input to web pages and alter the data being transmitted in either direction. But not if the site is secured with SSL, because all data is securely encrypted. Obviously this is important for any e-commerce site where people are inputting credit card or Paypal details, but is it important for non-commercial word puzzle sites?

As I said to the player who raised the issue, there is a theoretical possibility that somebody could get hold of a hashed version of your Chihuahua password, from which they could, given enough processing time, re-create your actual password. But I can't see anyone ever bothering to do this, or what it would benefit them if they did.

The cases we read about where thousands of user profiles and passwords have been stolen involve a wrongdoer gaining unauthorised access to an organisation's computers and plundering their database. SSL provides no protection against such exploits.

But still - you may be asking - even if you feel this technology would be no real value to Chihuahua players, why not implement it anyway and make Papa Google happy? Well I probably will try it out on the www.chihuahua-puzzle.com site, where I can do it free of charge. To implement it on the chi.lexigame.com site would cost me an annual fee, which is not enormous but it would almost double my hosting costs for lexigame.com, which I would resent paying if it achieves nothing useful. If I wanted to avoid future warning messages on this forum site, that would cost more again.

There are other hazards associated with running an SSL site apparently. If a browser decides there is something not quite right about your SSL certificate, it will present users with a series of truly alarming and off-putting warnings. Also, if an SSL site incorporates some item, such as an image, from a non-SSL site, a warning can be generated. All these warnings of course are completely bewildering to the ordinary internet user. There are also some reports that SSL sites are slower to load because of all the data encryption and decryption going on.

Anyhow, if you see that message, you will know what's going on.
Alan Walker
Creator of Lexigame websites

Les303

  • Guest
Re: "Not secure"?
« Reply #1 on: February 23, 2017, 06:05:32 PM »
G'day, Alan & sorry, once again, for the stuff-up with the whole "clue" saga... It will not happen again.

This morning, for some reason, my chi settings were not behaving as they should.
I have encountered this once before & found that by changing my password, everything restored to normal.

That worked again today but just letting you know that when I received the verification link in my email & clicked on it, I was greeted with the "site not secure" message.

So I responded in my normal calm & calculated manner, actually I totally panicked & hit the little red cross to opt out.
I then received a second email & clicked on that link & the same "not secure" message popped up again so I just proceeded as normal without experiencing any problems at all.

This is the third time that I have had to change both my forum & chi passwords to restore my normal settings. Aside from the obvious answer "operator error", could you possibly offer an explanation as to why, at random times, I am losing my chi settings?
anona

  • Paronomaniac
  • ******
  • Posts: 442
    • View Profile
Re: "Not secure"?
« Reply #2 on: February 23, 2017, 06:57:22 PM »
Alan: apologies for following Les's more important question with a trivial one, but why is Google trying to coerce all web sites to start using SSL? I mean, is there some pecuniary advantage to them?

2dognight

  • Linguissimo
  • *****
  • Posts: 284
    • View Profile
Re: "Not secure"?
« Reply #3 on: February 23, 2017, 07:10:59 PM »
ssl [secure socket layer] is meaningless to me.

As usual I will take the easy way out and ignore it until it goes away

If all else fails I will grab the nearest 13 year old and 'usually' they will put it right



mkenuk

  • Eulexic
  • ***
  • Posts: 2671
  • Life? Don't talk to me about life.
    • View Profile
Re: "Not secure"?
« Reply #4 on: February 23, 2017, 07:58:10 PM »
Following a number of high-profile hackings, companies such as Yahoo! and Google are starting to realise how vulnerable they are, and such devices are probably just a way of trying to reassure their users that their data is safe - 'as long as you do what we tell you, but don't blame us if you don't and something goes wrong.'

Yahoo! recently bullied me into changing my password - I posted about that on this forum a few weeks ago. Everything seems ok now.

MK

yelnats

  • Cryptoverbalist
  • *
  • Posts: 751
    • View Profile
    • Burke Rd billabong reserve & Friends of Herring Island
Re: "Not secure"?
« Reply #5 on: February 23, 2017, 09:19:55 PM »
Quote
but it is probably a good idea not to use the same password for banking, etc, and more “frivolous” sites like Chihuahua.

Chihuahua is not "FRIVOLOUS"!
« Last Edit: February 23, 2017, 09:21:46 PM by yelnats »

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4968
  • Melbourne, Australia
    • View Profile
    • Email
Re: "Not secure"?
« Reply #6 on: February 23, 2017, 10:33:41 PM »
Anona, I think it might be largely as MK says, that there has been a lot of talk recently about computer security failings, and Google want to be seen to be doing something about it. It may be that there is value in encouraging a lot of sites to introduce SSL. All I know is that in the articles I have read, nobody has mentioned a single example of any harm that occurred to anyone that could have been avoided if SSL was used more widely.

I just did a check of my home town newspaper, the Melbourne Age. Its main website does not have SSL, but if you click on the LOGIN button you are taken to a different domain, that does have the little padlock. So at present Chrome would show no warnings. Maybe Google people think the whole site of any media outlet should be protected by SSL in case the Russians start intercepting transmissions and feeding fake news to everyone!

It seems to me that Google's approach is overkill and could result in a lot of amateur and non-commercial websites being somewhat marginalised. Some people may give up altogether if their traffic declines drastically. This wouldn't really be in Google's interests because the more diverse and interesting sites there are online, the more people will be searching for such sites, and mainly searching with you-know-who.

Perhaps Google people are such technology aficionados that they can't imagine there would be anyone running a website who wouldn't relish the challenge of continually upgrading their site to follow Google's evolving requirements.
Alan Walker
Creator of Lexigame websites

anona

  • Paronomaniac
  • ******
  • Posts: 442
    • View Profile
Re: "Not secure"?
« Reply #7 on: February 24, 2017, 10:21:38 AM »
Thank you, Alan.

TRex

  • Eulexic
  • ***
  • Posts: 2041
  • ~50 miles from Chicago, in the Corn (maize) Belt
    • View Profile
Re: "Not secure"?
« Reply #8 on: February 24, 2017, 10:34:16 AM »
Google's campaign (and it isn't just Google, there are many others pushing to get all websites to use HTTPS instead of HTTP) was initiated by the Snowden revelations (that the 'Five Eyes' [Australia, Canada, New Zealand, USA, & UK] were basically spying on everything anyone did on a web browser). When a user connects to a website using HTTPS, it is much, much more difficult for anyone to spy on what is being transmitted between the web browser and the website (some would say impossible, but I wouldn't go that far).

HTTP = HyperText Transport Protocol
HTTPS = HyperText Transport Protocol Secure

When a web browser goes to a website using HTTPS, the website presents a digital certificate proving they are who they claim to be. (There are a bunch of companies which provide digital certificates; certificates have an expiration date and are normally renewed by the website with the certificate authority regularly.) The web browser can check with the certificate-issuing authority to find if it is a legitimate certificate. If it is, then the web browser and the website set up encryption keys where anything sent by either to the other is first encrypted and then the receiver decrypts the information (this all happens in milliseconds, 'behind the scenes'). If a third party (eavesdropping) copies any information being transmitted between the web browser and website, it is gibberish without a decryption key.

Quote
ssl [secure socket layer] is meaningless to me.

SSL is technical jargon for how HTTPS works. When teaching classes to library patrons, I avoid talking about SSL; I just focus on HTTP and HTTPS, focusing on the 'S' for secure. If one does network admin work (as I do), one will be familiar with SSL; if not it is just (IMO) meaningless technical jargon.

(I had directions for how one can see certificate-issuing authorities in a web browser, but lost everything I had typed — I'm skipping it this time.)

I hope this helps someone a little bit.

TRex

  • Eulexic
  • ***
  • Posts: 2041
  • ~50 miles from Chicago, in the Corn (maize) Belt
    • View Profile
Re: "Not secure"?
« Reply #9 on: February 24, 2017, 11:06:38 AM »
One thing I stress in classes to library patrons:
NEVER REUSE PASSWORDS

My recommendation is to not waste a good password on a site with no personally identifiable information and (especially!) no financial information. On a site like Chihuahua, if someone guesses your password what is the worst that can happen — they make your score worse?

On a site with access to your credit card or bank account, you better have a really good password: upper AND lower case letters AND numbers AND special characters and at least 20 characters long. If you can't remember that, I suggest a password manager. (Personally, I use KeePass because I have too many passwords to remember between IT jobs at two different locations plus my personal passwords — remember one password to access the password list and the rest is handled by the manager, which can generate really good passwords [example: 4^6m;!4<-m_3(aw9H;%mQikT)FuWX\ — try to remember that!])

Recently, it was discovered that miscreants were using Yahoo! e-mail accounts with their passwords to access Netflix accounts and download films. Yahoo! in the past several months admitted to a breach of ½ billion accounts and then to another breach of 2 billion accounts (which is why Yahoo! finally began to force password resets on their accounts). People who used the same password for Yahoo! and for Netflix were easy targets.
« Last Edit: February 24, 2017, 12:55:09 PM by TRex »

Tom44

  • Paronomaniac
  • ******
  • Posts: 462
  • Pyrotechnics Live
    • View Profile
Re: "Not secure"?
« Reply #10 on: February 24, 2017, 12:47:32 PM »
I changed my password to "incorrect" so when I forget the site will tell me "Your password is incorrect."   ;D
Stevens Point, WI

Alan W

  • Administrator
  • Eulexic
  • *****
  • Posts: 4968
  • Melbourne, Australia
    • View Profile
    • Email
Re: "Not secure"?
« Reply #11 on: February 24, 2017, 01:38:55 PM »
Les:

These "not secure" messages you were getting - were they up at the top of the screen, like the image I included at the start of this post? Or were they something else? Do you use the Google Chrome browser?

From what I can see in the log files, it looks like you would have got a couple of error messages saying, "Activation link invalid. Please check." These might have been caused by you inadvertently clicking on the link in an old email.

The Chihuahua and forum registration systems are completely separate, so if you have had problems with both at the same time, it would seem that something is going wrong at your end.

How do you normally sign in to Chihuahua? Do you type in your player name and password every time, or are they automatically filled in for you? If the latter, have you ticked the box on the Chihuahua site for automatically signing in? If not, I would recommend that you do that - once you are successfully signed in - because otherwise you are relying on user details stored by the browser, which may not be so reliable, especially if you are changing your password from time to time. Again, looking at the log files for yesterday, it seems that there were a few attempts to sign in with the wrong password.
Alan Walker
Creator of Lexigame websites

Les303

  • Guest
Re: "Not secure"?
« Reply #12 on: February 24, 2017, 03:42:51 PM »
When I received the registration email & clicked on the link, a quite large window appeared in the middle of the screen telling me the site was not secure and gave me the option to proceed or go back.
I found the remaining email in my bin & clicked on it again so that I could copy & paste (yes, I know, my computer skills are outstanding) to show you exactly what it said, but to my surprise this time it was a different message, as follows:

Suspicious link

This link leads to an untrusted site. Are you sure that you want to proceed to chi.lexigame.com?
[Back]  [Proceed]


I also typed in lexigame.com on chrome & it went directly to the site without any warnings.

By counting the little asterisks, it seems that chi was remembering my old password.
Anyway, I have now got the same new password for both forum & chi with auto, & am having no problem; just have to wait & see how long it lasts.
If I am away from home for a day or two then I am in the habit of turning everything off, this includes shutting down the computer & turning off the power at the wall. Probably a stupid question, but would that have anything to do with chi becoming forgetful?

By the way, I am one word short of a rosette in today's standard game, any chance of... I'M KIDDING, I'M KIDDING

Calilasseia

  • Cryptoverbalist
  • *
  • Posts: 523
  • Pass the dissection kit ...
    • View Profile
Re: "Not secure"?
« Reply #13 on: February 24, 2017, 06:59:09 PM »
When the Internet was first rolled out as a publicly accessible medium, the HTTP protocol was designed to allow each point on the Internet to communicate with every other point thereupon, by sending what are known as "HTTP headers". These are blocks of information that tell the recipient what web page you're requesting, what character set it uses, what browser you're using, and a raft of other administrative items that allow the communication to take place smoothly.

Because you don't have a direct connection to every server on the planet (which would see the planet covered in cables if you did!), what happens is that this information is used by "backbone servers" to route your request to the proper destination. This means that your HTTP headers need to be readable by those backbone servers, so that they can perform this task. Likewise, the HTTP headers your destination creates, to send the information you want back to you, need to be readable by those backbone servers, so that they can send the information to you after a successful request. Without those backbone servers, the Internet would be a LOT slower, and possibly not even exist at all - they're handling billions of transactions every day.

Now comes the fun part.

Whenever content is sent from one point on the Internet to the other, it's attached to an HTTP header. In the past, that content was not encrypted, because when the Internet was first launched, very few people had both the technical knowledge and the malicious intent to wreak havoc. Back in that more innocent era, there were far fewer opportunities for mischief, and it wasn't difficult to find out who was indulging in mischief, courtesy of that rarity of the requisite skills.

That time has long since passed into history, however.

Now, there are millions of people who know how to write JavaScript and PHP code, to mention two possible sources of mischief. Likewise, with database accesses using SQL, there are millions of people with SQL programming knowledge around the globe. That's even before you start to count the people who have acquired skills using the Microsoft development stack, using ASP.NET and the C# programming language, which provides even more opportunities for mayhem in malicious hands.

HTTPS is a means of stopping certain brands of mischief in their tracks, specifically, those brands of mischief that involve intercepting your communications, and using the data to impersonate you for devious or even criminal ends. Whilst parts of the HTTP headers have to remain readable to those backbone servers, they ignore content, and so, content can be encrypted, to prevent such details as your credit card numbers being intercepted and misused by everyone from 13 year olds in basements to Bulgarian organised criminals.

Quite simply, when your requests (and the content in the responses) are sent via HTTPS, the content is converted into what looks like gibberish or line noise to the uninitiated. Even seasoned cryptanalysts will have trouble working out what that content is, unless they have access to the sort of resources that are normally the remit of government intelligence agencies. Of course, the content is converted back to its original form once it arrives at your browser, so that you see your desired web page instead of gibberish.

The piece of software that performs this trick is called SSL - Secure Sockets Layer. It operates alongside the usual HTTP software, and its task is to encrypt content before the HTTP layer sends it out to the world at large. It does so transparently and seamlessly, meaning all you have to do, is let it perform its task, and your web browsing continues uninterrupted. Malicious interceptors of your messages, however, are left with nothing but some basic information about which website you requested, along with a pile of garbage data that is no use to them, because they don't know what keys were used to encrypt it.

The way this works is actually quite ingenious, and uses something called "public key cryptography". This is a system in which two keys are required to transport a message. You, the recipient, have a private key, known only to you (or more correctly, your web browser), and a public key, which can be sent out to anyone. Your browser sends the public key to the server using HTTPS and the SSL, and the server then encrypts the data using your public key. But, because of the clever mathematics used to implement the system, that public key cannot be used to decrypt the message. Only you (or your browser) can do that using the private key, which is never disseminated publicly.

Likewise, a banking system asking you to authorise financial transactions, can send you its public key, which can then be used by software at your end to scramble your bank details, but only the bank at the other end, using its private key, can unscramble the data and verify that you've sent valid account details and transaction authorisations.

Now, the question that many will be asking, is this. Why is Google pushing for HTTPS to become the default means of transmitting information between Internet users?

Quite simply, unsecured websites, including supposedly harmless or even frivolous ones, can be hijacked to perform malicious actions, by someone with the requisite knowledge and criminal intent. If that website accesses a database using SQL queries, for example, a technique called "SQL injection" can be used to insert malicious code into the website, which can then do everything from harvest the data and send it back to the attacker, or destroy the database altogether. Anyone with a reasonable level of understanding of PHP programming and MySQL database transactions can quickly produce malicious code if they are so minded, and attack websites using those technologies. Likewise, a proficient .NET and C# programmer can insert malicious code into a website using that technology stack as its underlying support, unless security measures have been implemented to prevent this.

Implementing your website as an HTTPS website, makes the job of malicious attackers that much harder. Because if there are vulnerabilities on your website, the code containing those vulnerabilities is encrypted before it's sent to the end user, and an attacker has nothing but encrypted gibberish to work with.

There are, of course, ways for the sophisticated programmer to wreak havoc even in the presence of HTTPS, but sites likely to come under attack by that demographic usually have additional militarisation built in, along with ways and means of detecting intrusion attempts. Anyone trying to hack their way into an intelligence service or military website is going to find the Special Branch boys knocking on their door very quickly (or their equivalents in locations other than the UK), and I'm also not in the business of revealing the details of some of the nastier tricks that can be deployed by the malicious, because I don't want to find myself bundled into a van at 3am and whisked off to a secret interrogation centre. So anyone wanting to find out if there are alien spaceships hidden in the hangars of Area 51 will have to go elsewhere. :D

Suffice it to say that HTTPS keeps all but the seriously determined and expert miscreants at bay. If you have reason to suspect that some of those expert miscreants are targeting you, then you'll have already hired the people with the tools to keep them out, and spent a lot of money militarising your system. Indeed, some of those expert miscreants end up being recruited to switch sides, and put their knowledge to use keeping other miscreants frustrated - "it takes a thief to catch a thief" and all that.

And with that, it's time to return to something more relaxing. :)
Remember: if the world's bees disappear, we become extinct with them ...

Les303

  • Guest
Re: "Not secure"?
« Reply #14 on: February 24, 2017, 07:45:16 PM »
Cal ,

You beat me to it , I was just about to make a similar post in which the wording would have been almost identical.
But just for the benefit of the poor souls out there who are not quite as computer literate as we are, could you please clarify that at the end of the day we don't have too much to worry about?

But seriously, when I purchased this computer it came with Norton security. Is that all I need, as I keep getting suggestions from other companies that my computer is at risk?

Thanks Les.