Leo, when using Firefox 22.0 to navigate to https://secure.pugetsoundsoftware.com, the padlock icon doesn’t show up in green color – instead, it is gray color. Surprisingly, the same is true for a few of the major financial institutions I checked out (Wells Fargo and Chase Bank). The “https” is present but the padlock icon is gray color at those websites. Is this something users should be concerned about? Thanks…
Remember, if you don’t have the green padlock on your site, your visitors will know the site is not secure and browsers will even display a warning that this site is not secure, and that looks scary to most visitors. This will cost you revenue in the long run.
The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user, so they are vulnerable to man-in-the-middle attacks and are rarely used. Only TLS_DHE and TLS_ECDHE provide forward secrecy.
Physical address and phone number – If the company lists a physical address and phone number there is a higher chance that they are a real business. Reputable companies will list their information so you can contact them if there is a problem.
You definitely aren’t silly to mistrust a site like that. That message normally means that the stuff that is supposed to be secure is encrypted and there is other unencrypted information on the page. I said “supposed to be” because you can never be 100% sure that they got it right. Personally, I wouldn’t enter my credit card information on this kind of page.
CAs should not be certifying content. Personally I disagree with this argument as I think an EV certificate merely states this is genuinely from a real company and says nothing about the content they put on that site, but it’s a fine line.
If you click on the circle i icon, it will give you information about that site. In the case of Adobe it says “Connection is not secure” (and some information about special permissions). This means it’s not an encrypted connection. It has nothing to do with the site being legitimate or trusted. Many legitimate websites don’t opt for secure (encrypted) connections. Some experts believe they should, and there is a good argument for it, but it is not required.
It’s a busy time of year (isn’t it always?) and you’re keen to get your hands on the latest gizmo, those hard-to-find gig tickets or a holiday in the sun … anything you buy online. Back to the gizmo, so you google, say, notonthehighstreet.com. Click on the link, and up pops notonhehighstreet.com – and there’s your gizmo right on the home page. Click ‘buy’, click ‘pay’ … job done, and it’s next-day delivery.
The green address bar gives assurance to visitors of the website that the site they are visiting is actually run by the organization they want to be dealing with, rather than a fraudulent site posing as that organization.
Network Security Services (NSS), the cryptography library developed by Mozilla and used by its web browser Firefox, enabled TLS 1.3 by default in February 2017. TLS 1.3 support was added to Firefox 52.0, which was released in March 2017, but was disabled by default due to compatibility issues for some users.
The number of sites worldwide is so great and the number of new, as of yet undocumented and thus unknown exploits so small that your chances of being attacked with one are nearly zero – unless you have network assets of truly great value.