You should never be on a regular http site though and every browser has a scare page or a red alert icon in the URL space telling you not to. Simply listen to it and don’t go there.
Tor with JavaScript disabled is one of the most secure and private tools we have, since it protects against browser fingerprinting.
Don’t go to sites without https under any circumstances.
And I agree with the other part you said about not using clearnet accounts on your Tor browser. That’s arguably more important than Tor vs Mullvad vs tor + vpn distinction.
Any sensitive data you submit or get served on that site can be intercepted, read, or possibly changed on the way to you (called a “man in the middle” attack). Including your location data, credit card info, username, password, etc.
A vpn could mitigate this somewhat, but it would still be unencrypted between their network out point and the site’s server.
I’d also call it a red flag in terms of their security. If they aren’t competent/diligent enough to implement SSL encryption, I’d be a bit worried that they may be vulnerable to a hacker replacing their safe file downloads with a malicious one.
This would be even worse on a public wireless network where somebody could catch your packets on the way to the router.
Thanks! I don’t use any identifying information and always use VPN. I don’t care if they get the username/password for that account anyway. So, I hope that helps. Haha But, yeah, not great for security and always try to avoid http.
In addition to everything already suggested, here’s another really small one: retype the url for the site but manually make it https instead of http
Most browsers, most web hosts and whatever else now days automatically force everything into https, but if the site is older, not well maintained, or whatever reason the person has, they might be utilizing this type of stuff. There’s basically no reason that a publicly hosted website should not have https that I can think of. Locally hosted stuff, sure, but we’re talking just random ass webpage perhaps found on google or something? It should go to a https url otherwise something funky is going on.
But yeah, add an s and see. Especially if you’ve (against the advice of your browser and OS screaming) turned off the forced automatic https redirect. I’ve turned it off before while messing with stuff and found there are websites still that don’t automatically redirect to https if you mistakenly type http. Seems wild now days but it happens
So like, unless youre really digging into wireshark or something over a long time, you really dont know what connections are encrypted or unencrypted coming from your OS. Thats more what I’m referring to. Certain OSes like whonix have safeguards for this, and linux in general is much better about this. Its hypothetically possible a malicious actor could hijack an operation that isnt encrypted coming from your OS to bork you.
And yeah tor browser on its own without JS and high tracking prevention is the way to go if you dont want a big hassle dealing with your OS. I was more referring to TORing all of your computer traffic, which should only be done with specific OSes. Mullvad browser with vpn is fine for the vast majority of people and it doesnt reduce speed a lot like TOR does.
You should never be on a regular http site though and every browser has a scare page or a red alert icon in the URL space telling you not to. Simply listen to it and don’t go there.
Tor with JavaScript disabled is one of the most secure and private tools we have, since it protects against browser fingerprinting.
Don’t go to sites without https under any circumstances.
Edit: you can enable https only mode on Firefox or Tor browser using these instructions: https://support.mozilla.org/en-US/kb/https-only-prefs#w_enabledisable-https-only-mode
And I agree with the other part you said about not using clearnet accounts on your Tor browser. That’s arguably more important than Tor vs Mullvad vs tor + vpn distinction.
So, without details, there is a site I visit that is a regular http site. What should I be worried about?
Any sensitive data you submit or get served on that site can be intercepted, read, or possibly changed on the way to you (called a “man in the middle” attack). Including your location data, credit card info, username, password, etc.
A vpn could mitigate this somewhat, but it would still be unencrypted between their network out point and the site’s server.
I’d also call it a red flag in terms of their security. If they aren’t competent/diligent enough to implement SSL encryption, I’d be a bit worried that they may be vulnerable to a hacker replacing their safe file downloads with a malicious one.
This would be even worse on a public wireless network where somebody could catch your packets on the way to the router.
Thanks! I don’t use any identifying information and always use VPN. I don’t care if they get the username/password for that account anyway. So, I hope that helps. Haha But, yeah, not great for security and always try to avoid http.
In addition to everything already suggested, here’s another really small one: retype the url for the site but manually make it https instead of http
Most browsers, most web hosts and whatever else now days automatically force everything into https, but if the site is older, not well maintained, or whatever reason the person has, they might be utilizing this type of stuff. There’s basically no reason that a publicly hosted website should not have https that I can think of. Locally hosted stuff, sure, but we’re talking just random ass webpage perhaps found on google or something? It should go to a https url otherwise something funky is going on.
But yeah, add an s and see. Especially if you’ve (against the advice of your browser and OS screaming) turned off the forced automatic https redirect. I’ve turned it off before while messing with stuff and found there are websites still that don’t automatically redirect to https if you mistakenly type http. Seems wild now days but it happens
So like, unless youre really digging into wireshark or something over a long time, you really dont know what connections are encrypted or unencrypted coming from your OS. Thats more what I’m referring to. Certain OSes like whonix have safeguards for this, and linux in general is much better about this. Its hypothetically possible a malicious actor could hijack an operation that isnt encrypted coming from your OS to bork you.
And yeah tor browser on its own without JS and high tracking prevention is the way to go if you dont want a big hassle dealing with your OS. I was more referring to TORing all of your computer traffic, which should only be done with specific OSes. Mullvad browser with vpn is fine for the vast majority of people and it doesnt reduce speed a lot like TOR does.