Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale - https://www.redpacketsecurity.com/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/
DKnife: a new cyber threat in routers changes the rules of network security
Is your router just a boring Wi-Fi box? DKnife shows it can be the perfect wiretapping booth, right at the front door of your network.
Read more:
https://pressmind.org/dknife-nowy-cyberzagrozenie-w-routerach-zmienia-zasady-bezpieczenstwa-sieci/
#PressMindLabs #aitm #darknimbus #dknife #routery #shadowpad
Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint - https://www.redpacketsecurity.com/resurgence-of-a-multi-stage-aitm-phishing-and-bec-campaign-abusing-sharepoint/
#threatintel
#AiTM phishing
#BEC
#SharePoint abuse
#MFA bypass
#Energy sector security
Phishing actors exploit complex routing and misconfigurations to spoof domains - https://www.redpacketsecurity.com/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/
#threatintel
#phishing
#spoofing
#AiTM
#Tycoon2FA
#email-security
A five-month spearphishing operation discovered by Socket has transformed the npm registry into a durable hosting layer for AiTM credential theft, specifically targeting sales teams in the manufacturing and healthcare industries.
#SecurityLand #Cybersecurity #Research #NPM #Phishing #CriticalInfrastructure #AiTM #Spearphishing #Dev
@BleepingComputer : when using untrustworthy networks, use a browser that supports "warn for insecure connections" - and enable it (my advice: do both anyway).
Note that it is near-impossible to redirect an https connection without a certificate error - until said connection has been successfully set up. After that happens, only the target website can redirect the browser.
• Firefox uses a stupid name: "HTTPS-only". That's misleading because it only means that you'll be warned for insecure http connections (which can be enforced and hijacked by an evil twin, when not demanding https).
• Chrome on Android is stupid too: "Always use secure connections" (default: off). Also we'll have to wait one more year for this to become the default: https://security.googleblog.com/2025/10/https-by-default.html.
• Safari on iOS/iPadOS: "Not Secure Connection Warning" (also off by default).
To test: open http://http.badssl.com - your browser should warn you (instead of showing the web page), but allow you to use http.
Important: most browsers will *remember* your choice to allow an insecure connection to a specific website (based on the domain name). The criteria to "forget" such an exception vary per browser.
#AitM #MitM #EvilTwin #HTTPSonly #InsecureConnectionWarning #Firefox #Chrome #Safari
@PerlPlayer : unless it was an extremely boring meeting, that's probably one of the dumbest moments to ask people to change their password.
Regardless, tell your local BOFHs to change their stupid policy which has never improved security.
EXTREMELY long overdue (bad advice from day 1): point 6 in https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver.
P.S.
1️⃣ Use a strong and reliable password manager
2️⃣ Make it use Autofill (offer creds based on domain name)
3️⃣ Let it create a long, complex, UNIQUE pw for EACH account
4️⃣ Make a backup of the database after each change
5️⃣ Make multiple backups, at least one offline
6️⃣ Use a STRONG master password (and never forget it)
7️⃣ Compromised device or account: game over
8️⃣ Enable "warn for insecure connections" in browser(s)
9️⃣ Stay vigilant (oops: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/).
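Point 2 in the list above (autofill keyed on the domain name) is the item that actually defeats the AiTM kits in the posts above: the manager compares the page origin with the origin it saved, so a proxy sitting on a lookalike host is never offered the real credential, however convincing the page looks. The matching logic, as an added illustration written for this page and not taken from any password manager or from the post's author; the vault entries, the cut-down suffix list and the candidate URLs are constructed for the example:

```javascript
// Added example (not from any password manager): origin-keyed autofill.
// Decides which stored credentials may be offered on a page, the way a
// domain-matching password manager does, so that an AiTM proxy hosted on a
// lookalike domain never sees the real password.

// Stand-in for the Public Suffix List. Real managers and browsers use the
// full list; these entries are enough for the constructed cases below.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "example"]);

// Registrable domain (eTLD+1) of a hostname, or null if none can be formed.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the shortest leading prefix: the first suffix found in the
  // list, with one label in front of it, is the registrable domain.
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: treat the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Constructed vault: what the manager saved when the user first logged in.
// Passwords are placeholders.
const VAULT = [
  { id: 1, origin: "https://login.microsoftonline.com", username: "alice@corp.example", password: "<placeholder>" },
  { id: 2, origin: "https://accounts.google.com", username: "alice@corp.example", password: "<placeholder>" },
];

// Returns the vault entries that may be offered on pageUrl.
// strict=true additionally requires an exact hostname match (the stricter
// mode some managers offer); the default matches on registrable domain.
function candidatesFor(pageUrl, vault = VAULT, strict = false) {
  let page;
  try { page = new URL(pageUrl); } catch { return []; }
  // Never offer a credential on a plain-http page: an evil twin on the same
  // network could be serving it (point 8 above is the browser-side rule).
  if (page.protocol !== "https:") return [];
  const pageDomain = registrableDomain(page.hostname);
  if (pageDomain === null) return [];
  return vault.filter((entry) => {
    const saved = new URL(entry.origin);
    if (strict) return saved.hostname === page.hostname;
    return registrableDomain(saved.hostname) === pageDomain;
  });
}

// Labels of the entries that would appear in the autofill menu.
function offeredUsers(pageUrl, strict = false) {
  return candidatesFor(pageUrl, VAULT, strict).map((e) => `${e.id}:${e.username}`);
}

// Constructed candidate pages: the real login host, a sibling host, an AiTM
// lookalike whose eTLD+1 is evil.example, a homoglyph host (Cyrillic о, which
// the URL parser turns into an xn-- label) and a downgraded http:// page.
const CASES = [
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
  "https://portal.microsoftonline.com/",
  "https://login.microsoftonline.com.evil.example/common/oauth2/",
  "https://login.micr\u043Esoftonline.com/",
  "http://login.microsoftonline.com/",
];
for (const url of CASES) {
  console.log(url, "->", JSON.stringify(offeredUsers(url)));
}
```

Only the first two URLs get an entry offered; the lookalike, the homoglyph host and the http:// page get nothing, which is exactly the signal a user should learn to notice: if the manager stays silent on a login page it has filled many times before, the page is not where it claims to be. The suffix-list shortcut and the registrable-domain default are assumptions of this example; the full Public Suffix List and a per-entry matching mode are what a real manager would use.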
VoidProxy phishing-as-a-service bypasses MFA & SSO for Microsoft 365/Google accounts. Okta Threat Intelligence reveals sophisticated AitM attacks defeating modern authentication. Enterprise security teams: reassess your defenses NOW.
#SecurityLand #ThreatHorizon #CyberSecurity #PhishingAttack #EnterpriseSecurity #AitM #Phishing #VoidProxy
1) security.nl
2) http:⧸⧸gw.defensie.nl
3) https:⧸⧸gemeente.amsterdam
NB: in 2 and 3 I used ⧸⧸ instead of // to prevent Mastodon from turning them into
http://gw.defensie.nl
en
https://gemeente.amsterdam
respectively (in my opinion Mastodon should AT LEAST show "http://" in link 2).
See https://www.security.nl/posting/904650/security_nl+-%3E+http%3A__security_nl.
#httpVShttps #AitM #QRcodes #EvilTwin #PublicWifi #InfoSec #httpsVShttp #E2EE #Tunnel #TLS #SSL