Is this blog secure? It depends on you.

4 October 2020


When you enter this blog, a small icon appears in your browser bar warning that this blog is not secure. What does this mean, and why does your browser show this message?

Currently, the message that a website is not secure appears in almost all browsers when the website does not have an SSL/TLS certificate and does not use HTTPS for the connection. The internet started with simple HTTP requests sent between a client and a server, but over time people started noticing that this practice is not really safe. HTTP request data is not encrypted or secured in any way when it is transmitted. When somebody is able to tap in between your router and laptop, the transmitted data can be captured and read. This is why, for the last 10 years, you were always warned not to connect to public Wi-Fi hotspots. If somebody fakes a McDonald's Wi-Fi hotspot and you connect to it to start surfing the web, all unencrypted data can be captured by the attacker and read out in a simple Excel-like format.

To demonstrate the ease of this action, I captured my own Wi-Fi router at home and recorded my login action. In the table below you see the output of the program and that my password and email are captured really easily by this software (of course I left out parts). It isn't a big problem if the attacker has access to this blog and can write articles or comments, but the problem becomes more prominent if I used the same password for this blog as for my ERNA account, for example; then the attacker would have access to more personal information.

[Image: Excel Output]

It is possible to set up websites with an SSL/TLS certificate, resulting in your email and password being sent encrypted over the network, which eliminates the possibility of snooping on your personal information. Another advantage of these certificates is that you can be sure that the domain you are on is really provided by the creator and is not a fake version spoofed by an attacker in order to steal your credentials.

To reduce the chance of your password getting compromised, there are a few easy practical tips to follow. Never log in to an unsecured website on a public or shared hotspot, use a password manager so you can create randomized passwords, and never use the same password twice.
