Assuming the user realizes the connection is unsafe and doesn't send any secret data to the server, are there any risks of connecting to a website without a valid certificate using https? Does that open them up to any potential attacks?

Why do browsers use http instead of https if the connection is untrusted? As long as the browser displayed an error, wouldn't it be better to encrypt the connection anyway? At least then only one other party could read any data sent, instead of everything being sent in the clear. I mean, the average user won't notice that the connection is insecure in any case, so it seems like at least a small increase in security.

BombSite_A
  • I feel that this is a duplicate because the other question already deals with the question of whether untrusted https is worse than plain http. If you don't feel that this is a duplicate, please try to update your question so that it becomes clear what the difference from the other question is. – Steffen Ullrich Apr 25 '16 at 17:12
  • It looks like this is a duplicate of that, but those answers don't really satisfy me. What I don't understand is why untrusted https wouldn't be preferable to unencrypted http, as long as no additional security is assumed and the connection is treated as no better than unencrypted. Could just be a difference of opinions though. *shrugs* – BombSite_A Apr 25 '16 at 17:26
  • There are answers to this question and I can also understand why they don't satisfy you. But it will not be better if you ask the same question again. The topic is [asked a lot on various sites](https://www.google.com/search?q=why+untrusted+certificate+worse+than+http) and the basic response is that it is worse to claim security in case of bad security than to have obviously no security at all. And the trend actually goes to [explicitly show that http is insecure](https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/) and some newer features are only available with https. – Steffen Ullrich Apr 25 '16 at 17:37
  • Yep, I agree that this should be closed. Thanks for the explanation and sorry for posting a duplicate question. – BombSite_A Apr 25 '16 at 17:56

0 Answers