Internet for Beginners/Security Padlock Cancelled
QUESTION: Hi again, Kevin
Recently I've noted a possible "problem" with security. When I log in to Yahoo mail, the URL changes from http:// to https://, the white URL background goes to yellow, and the security padlock icon appears. But then - at different times during my session there, the background goes white again, and the padlock, though still there, now has a "cancellation bar" through it. The https:// remains, however. So, what is going on? How serious a loss of security is actually involved here? And who or what is responsible for its apparent compromise? Also, is there any convenient web site where I can get a quick tutorial on the https:// and padlock system - a sort of "How Things Work" kind of site?
ANSWER: Hi Dave,
Did you enable https? To verify this, log in to Yahoo Mail and click on the "gear" icon on the far upper right corner. Then click on Settings and go to Security. The first box there should say "Always use HTTPS". Please check that box and save the change. Your page should refresh now and going forward, you should be logged in using https for a more secure method of viewing and composing your emails.
To find out more on how SSL and certificates work (which is basically encryption), check out:
It's a brief read but if you want to find out more about this, you can just type in "SSL encryption" and you should find more details. The golden padlock is there so you can view information about the certificate used by the site. This should usually be up-to-date. If it expires, it doesn't mean it's a bad site, but the website should keep it updated.
Hope that explains things a little more.
---------- FOLLOW-UP ----------
Happy New Year!
A brief reminder about my system: Landline/Modem; IBM Aptiva Desktop Computer; Windows 98; Internet Explorer 4.72.3110.0; Firefox 220.127.116.11; Acrobat 5.0
Following your first paragraph's instructions:
After entering my name, password, and clicking "sign in", a new window says
"Yahoo recommends you upgrade your browser to enjoy all the features in the new Yahoo Mail"
with "buttons" (links) to latest Explorer and Firefox, plus a "Continue Without Upgrading" button, AND a "Gear" in the upper right corner. Clicking on it gives a dropdown with links to: Help, Send Feedback/ Privacy, Terms, About Our Ads/ Account Info.
Nothing about "Settings" or "Security". Clicking on "Privacy" and all subsequent privacy related links fails to turn up any mention of HTTPS, and only a passing reference to SSL. Going to <start> <Settings><control panel> <Internet> <security> I get 4 radio buttons to set "level of security". I note too, all of this seems to be associated with the Explorer Icon. I find nothing about Firefox - which is now my default browser as my WIN98 Explorer no longer supports many of the sites I visit. I suspect, considering its age, the WIN98 Explorer is probably at best 40-bit SSL encryption anyhow.
I note with interest that one site I turned up:
says, under Tips and Warnings: "All versions of Firefox have 128-bit encryption capability." So if I'm on Firefox, can I assume I'm getting 128-bit encryption, even with WIN98? Clicking on the padlock - see below - does seem to confirm it's so.
Just where does the encryption/decryption take place? In my computer? In my ISP's server? In Firefox's Server? In Yahoo's Server? Who is responsible for installing the encrypting/decrypting "App"?
I've discovered some improvement in "retaining" the full https://. When I first click on my Firefox shortcut, a sub-window appears with buttons to "Restore Session" or "Start New Session". If I closed my last session with my Inbox on the screen and did not explicitly "Sign Out", but just hit <start> <shut down> <shut down>, then by hitting "Restore - ", I go directly to my Inbox, without all the fuss of logging in. This is very handy, but on the other hand, it is this procedure that leads to the initial full https:// with the padlock and yellow eddress background, which then quickly changes to the white background and "cancelled" padlock. Clicking on the padlock then gives:
Connection Partially Encrypted
Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
Information sent over the Internet without encryption can be seen by other people while it is in transit.
On the other hand, if I first go to the regular log in site, and enter name and password and click on "Sign In", I can ultimately get again to my Inbox, but this time the yellow background and padlock "sticks". Clicking on the padlock now gives:
Connection Encrypted: High-grade Encryption [RC4 128 bit]
The page you are viewing was encrypted before being transmitted over the Internet.
Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
So I think my problem is solved, except I don't quite know what - or "who" - triggers the initially OK padlock to become a "partial padlock". Since I AM getting https://, is there any need to still try to find the "Always Use HTTPS" box?
ANSWER: The connection is between the server and your web browser. The certificate exists on the server but you should be able to install it on your browser to recognize it next time.
I think what that meant is that Firefox can support 128-bit encryption. This means that sites that use that type of encryption or lower will be supported on the browser.
I'm not too familiar with encryption but is there a reason why you are asking these questions? Is there some kind of security concern?
My suggestion is to keep a bookmark of the sites you trust and make sure they have SSL encryption (if supported) followed by having an up-to-date antivirus/anti-spyware and firewall program along with updated Windows security patches.
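The "Connection Partially Encrypted" message quoted in the follow-up is what Firefox shows when a page loaded over https pulls in some of its images, scripts or frames over plain http (mixed content). As an added example, not part of the original question or answers, this Python script lists such subresources in a page's HTML; the sample page and the example.test host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "embed": "src", "audio": "src", "video": "src",
               "source": "src", "object": "data", "link": "href"}
# Content that can rewrite the page if it is tampered with in transit.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        name = FETCH_ATTRS.get(tag)
        if name is None or not attrs.get(name):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # this example only treats stylesheet links as fetched
        # Resolve relative and scheme-relative (//host/path) references.
        url = urljoin(self.page_url, attrs[name].strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # an http page has no padlock to lose
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; the <a> link is navigation, not a subresource.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/mail.css">
<script src="http://ads.example.test/banner.js"></script>
</head><body>
<img src="http://img.example.test/logo.gif">
<img src="//static.example.test/icon.png">
<a href="http://www.example.test/help">Help</a>
</body></html>"""
```

Calling `find_mixed_content("https://mail.example.test/inbox", SAMPLE)` reports the script and the first image; either one is enough for the browser to downgrade the padlock even though the address bar still shows https.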