why does one say "not secure"

[Inverted18650]

Chrome recently updates and I have noticed a few changes but this one stumps me. Why does the same browser see these two tabs differently? One is secure, the other is not.

edit: when I view the "inspection" option link in Chrome, I can see the plain test version of the coding and wonder if I post it, can you all help me out. Wonder if I have been comprised in some way.

Cheers,

Chris

[amyk]

I suspect the "not secure" one is just http://www.eevblog.com/... while the other one (which should really say "secure" if they were being consistent...) is https://www.eevblog.com/...

The idiots continue to dumb-down browsers by hiding stuff, at the expense of confusing everyone except those who already don't know anything

[Brumby]

The https URL defines the use of an SSL in the data communication.  The other one does not - implying a http connection.

As I understand it https: provides two things:
1. You are assured that the server you think you are connected to is the server you are connected to
and
2. Your data is encrypted so that if it is intercepted, it's unreadable.

http offers neither of these.

[helius]

In practice, neither of those is a total guarantee. Because certificate authorities have been compromised in the past (and could be again), it is possible to have forged certificates. Machines can also be compromised with locally-installed trusted certs.

However, neither is particularly relevant anyway on a publically-viewable web forum. About the only thing TLS (SSL was the old standard) does here is to prevent your ISP from injecting ads or tracking.

[Mr. Scram]

The insecure page likely has third party pictures showing on them which are served without SSL.

[Inverted18650]

I disconnected and ran my anti-virus programs to be sure, nothing came back hot.

After Chrome did its thing, I went back to my home page, which is just Google.com, and had none of the favs saved like usual. (Typically my most frequented sites populate in two rows of five underneath the "search bar" icon). So I typed EEVBlog.com and went o the forum via the main page and saved that as a fav...that ended up as the "non secure link". Here right now, I went through and typed, https://eevblog.com/forum/ and get the "locked" icon.

Suppose its nothing to worry about...but Ill clean my systems just to be sure.

[Brumby]

No, nothing to really worry about - but there will be those who can throw out some scenarios.  Not impossible, but unlikely.

If you want to do a system check, then by all means.  I don't believe it is necessary from this experience - but it is always good to maintain vigilance.

[Mr. Scram]

It's unlikely a compromised system would lead to intermittent SSL connections.

[ajb]

The idiots continue to dumb-down browsers by hiding stuff, at the expense of confusing everyone except those who already don't know anything

The vast majority of people who use web browsers don't know anything about the importance of SSL or web security in general, nor should they have to.  You call it "dumbing down", I call it tailoring the user experience to the audience by hiding information that is unclear/usually unimportant and emphasizing the information that actually is important.  Even if you DO know about SSL and https vs http, it's super easy to miss that little 's' (or more importantly, its absence), so it absolutely makes sense to call attention to the fact that a particular website isn't using SSL.  It probably doesn't really matter for EEVBlog*, but it sure as shit matters on any site where you do things like banking, or entering other personally identifying information.



* as long as you're not using the same user/pass here as you do on, say, your bank or your email

[Kilrah]

Because eevblog.com lacks a redirection of http traffic to https.

If you go to an https://eevblog.... URL it will be secure, if you go to http://eevblog.... it isn't. You probably have old bookmarks to http addresses.

Normally sites with SSL enabled should automatically redirect any http:// URL to https:// to ensure you're using the secured version, but this doesn't seem to be correctly configured on this site so you can still access unsecured.