If a website is unsecure, what does that really mean?

[BananaBandit]

In case it's unclear ... What I mean by "unsecure" is that the website doesn't have that little lock logo at the beginning of the url address bar.

 

So, what are the possible consequences here?

 

Can I get hacked easily just by visiting an unsecure website?

 

I assume that conducting financial transactions on such a website would be a bad idea. 

 

On a side note ...  My understanding is that it costs like a few dollars to make a website "secure" ... So why in the world would anyone at this point undertake to build a website and NOT make it secure?

[plus7]

Hi,

Insecure site can't hack you directly. It only means that the information provided to this site may be easily stolen.

If you just browse it, it is ok.

Some site not secured because it does not bring money and the owner doesn't care.

Edited July 14, 2022 by plus7

[RedBackman]

The little lock shows that you're connecting via ssl (https) and the public key provided by the site is "trusted". Now just because both of those things are true doesn't necessarily mean that the site is safe, you could still be setting up a "secure" connection with a bad actor.

 

A site with just http isn't necessarily a major risk. If I set up a site full of cat facts that doesn't collect any information from the user it's not especially risky for the user. Still it's best practice to use ssl for everything these days.

 

A site with https that shows a broken lock means the certificate isn't "trusted". A certificate authority verifies that such-and-such website owns such-and-such public key to prevent attacks. There are half a dozen other reasons for ssl certificate errors too though so the site might still be safe even if the lock shows broken.

[Pib]

Some descriptions of the differences between HTTPS and HTTP

 

https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/#:~:text=HTTPS is HTTP with encryption,uses HTTPS has https%3A%2F%2F.

 

https://www.venafi.com/blog/what-are-differences-between-http-https-0

 

[OneMoreFarang]

You can use it like any other site.

But if it is not secure that means some bad middleman could have manipulated what you see and/or download.

I.e. if you want to download an update for a software then you should do this only from a trusted source like i.e. Microsoft with https.

Sometimes sites are temporarily "unsafe" because some certificate expired. Maybe the page is exactly like a few days earlier but it could be manipulated by some bad guy in between.

 

And just to be clear: If a website uses https that doesn't mean everything on that site is good and trustworthy. It's not.

[sometimewoodworker]

On 7/14/2022 at 11:32 AM, BananaBandit said:

On a side note ...  My understanding is that it costs like a few dollars to make a website "secure" ... So why in the world would anyone at this point undertake to build a website and NOT make it secure?

Many web servers are in a closet and may not be running a current version of Apache (other SW is available) the majority of servers do not need to be secure and it requires some degree of expertise to install even a free certificate. There are sights decades old still providing useful information so they may never be upgraded.

 

However any website that is being built today will probably be https.

 

I have a website that I may restart it will be http as the hardware will almost certainly not run the current https version & I would not bother to update it to newer hardware nor recode it.