Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com)
Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.
Re: (Score:3, Informative)
The cert expires after 3 months, not the key. I use Let's Encrypt with key pinning and have had the same key pinned for over a year. The verification of domains by Let's Encrypt is similar to that of other CAs. A cert means control over a domain, nothing more.
Re: (Score:2)
I will never accept a 3 month expiration. Never. I manually renew my certs and I am not putting some shitty software on my box to do it. Let's Encrypt can fuck off with their short expiries, I'd rather go with COMODO.
Re: (Score:2)
Actually I truly understand trust chains! Let's Encrypt has a valid root and yes, they have short-lifetime server trust keys - that's a good thing and ACME isn't hard to deal with.
PKI and X.509 is still a turd no matter how hard you polish it.
Re: (Score:1)
Unless you host multiple information-only web sites (e.g., read only, no CMS or forms) on a hosting plan that lets you host dozens or hundreds of small sites cheaply. The jump to move each site from http to https typically increases annual hosting fees from a dollar or two to a hundred bucks or so (since ISPs will often charge dedicated IP and/or certificate maintenance fees, even if (or especially if) you bring in a cert from a
SNI (TLS virtual hosting) works in all browsers (Score:3)
ISPs will often charge dedicated IP and/or certificate maintenance fees
That hasn't been the case since April 2014, when extended support for Internet Explorer on Windows XP ended. Since then, all supported web browsers in wide use have supported Server Name Indication (SNI), which allows the TLS client to specify for which hostname the server should try to present a certificate. WebFaction, for instance, has offered TLS+SNI hosting at no additional charge.
"But I want to support 3-year-old unpatched IE/XP!"
I don't recommend this, because a browser that neither receives security
Re: (Score:2)
Another example is DreamHost, a sponsor of Let's Encrypt [dreamhost.com]. Or any VPS provider such as Amazon EC2. I'd be interested to see which popular shared hosting services don't offer HTTPS at no extra charge by now.
Re: (Score:2)
Thanks for the referral. Perhaps it's time I ditched my ISP then...
Let's Encrypt is for domain owners (Score:3)
The one weakness of Let's Encrypt is sites on a home LAN that don't have a fully qualified domain. To pass the DNS challenge of Let's Encrypt, you first have to buy a domain. Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?
Re: (Score:2)
Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?
You're griping about $15 annually? Seriously?
Billion dollar windfall (Score:3)
If there are 67 million home LANs in a country, activating TLS on all of them would represent a $1 billion windfall for the domain registrar industry just for that country.
Oh Please! Let's stop pretending here (Score:2, Insightful)
The entire internet is 'non-secure', by design. Your silly https is a fucking joke, worse it's a lie.
Re: (Score:1)
Can you elaborate?
Millions of online banking transactions happen every day over HTTPS. Is each connection susceptible to unwanted examination?
Re: (Score:2, Interesting)
I assume you haven't heard the old joke about how fast you have to run to outrun a lion? The answer is: faster than the other guy. Think about it.
Re: (Score:3)
Security is not an absolute, or a single point target.
HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days. It will not protect against a targeted attack by the CIA, but it will challenge the NSA dragnet programs and Phorm ad injections.
Security is always a cat and mouse game ad infinitum. The attacker comes up with a better weapon, so you raise your fence, so he brings a trebuchet...
Re: (Score:3, Insightful)
Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop.
Just ask yourself how Google can possibly know that and you can get a pretty good idea of where it really stands on the spyware/privacy issue.
Re: (Score:1)
Telemetry is off by default in Firefox. Don't like it, don't ENABLE IT!
Re: (Score:3)
Telemetry in pre-release builds of Firefox defaults on.
Telemetry in release builds of Firefox defaults off.
I imagine that most users of web browsers are not developers.
I imagine that most non-developer end users of web browsers use release builds.
Re: (Score:3)
Why would Google have any control or visibility of anyone's connections, unless either that person also independently uses Google services in some sort of ISP capacity or the sites they are visiting independently use Google services in some sort of hosting capacity?
A lot of sites use Google services (Score:2)
the sites they are visiting independently use Google services in some sort of hosting capacity
This is in fact the case. One possible reason for this is that Google's AdSense was one of the first major ad networks (if not the first) to support HTTPS, beginning in September 2013. Other sites are hosted on Blogspot or Google App Engine, or they include YouTube embeds, Google "+1" buttons, jQuery from Google's CDN, Google Fonts, reCAPTCHA, or Google Analytics.
Re: (Score:2)
Sure, but how would any of that give rise to the original statistic?
Re: (Score:1)
People know HTTPS by now, most users call it "the key icon thing" and give it exactly 0.2 seconds of thought. You think one more tiny indicator will change behavior significantly? Maybe a little, but it sure doesn't address either problem directly.
The entire point of computers is to automate things. Requiring humans to do something that is trivial to automate is just wrong.
Dear Chrome (and Firefox):
- add a setting "block all insecure http: connections"
- default the setting to on
- now both the people who don't want to be bothered in checking AND the people that don't understand security are protected
- luddites that still want http: transport can enable it
Re: (Score:1)
I have a couple of websites about games I made. There's some text info, some screenshots, and a link to the App Store. No information entry boxes, no cookies, no tracking, no ads, nothing.
Why exactly should I be forced to "upgrade" those sites to https?
Do I really want to know (Score:3)
"Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. "
How do they know this?
Re:Do I really want to know (Score:5, Informative)
From all the browsing activity conducted through Google Chrome by people who have agreed to let them use anonymised browsing data for statistical purposes.
Re: (Score:2)
How do they know this?
Wait. Are you telling me you didn't read the EULA?
Is "Krystalo" actually Emil Protalinski? (Score:4, Interesting)
Is "Krystalo", the submitter of this submission, actually Emil Protalinski? All three of the articles linked to by this submission are on this "VentureBeat" site, and all three list "Emil Protalinski" as the author.
A cursory glance at the submission history for this "Krystalo" Slashdot user shows other submissions linking to this "VentureBeat" site.
So perhaps this is a case of self-promotion, where this "Emil Protalinski" fellow is submitting his own articles to Slashdot as "Krystalo"? Or perhaps it's a colleague doing it?
Emil Protalinski, can you please confirm what is happening in this case?
This "VentureBeat" situation is starting to look a lot like the "BetaNews" situation. There appears to be about one "VentureBeat" submission that gets on the Slashdot front page each week [slashdot.org].
Now this isn't as bad as the "BetaNews" submissions, which end up on the Slashdot front page almost daily [slashdot.org]. Sometimes there are even multiple submissions in a single day linking to "BetaNews" articles!
The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted. It starts to make Slashdot look sketchy when there's a submission from "BetaNews" on the Slashdot front page almost every day, and one from "VentureBeat" almost every week.
We should get a variety of news here, and it should not come from the same sources again and again and again and again, especially if it may be the sources themselves that are submitting submissions that link back to their own sites.
Re: (Score:2)
The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted.
Why? Slashdot has constantly been used for self promotion almost back to its inception. The only thing that anyone is interested in is:
a) is the story relevant and interesting to the site
b) is the story true
c) what are the story's biases
Who it comes from is secondary to all this.
Re: (Score:2)
Thanks! Now I know I can trust ftp:// and gopher:// links to be safe!
"23 percent reduction" (Score:2)
"Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop."
Ok, but is that because the users started using HTTPS pages, or because the businesses in question switched to HTTPS?
I mean, we've been trained for the last 20 years that if you get an error, Switch Browsers.
Giant fucking waste of time is what it is. (Score:1)
Sure, maybe for banking sites and anything where money changes hands.
I can understand that.
But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?
It's the whole fucking popup verification debacle all over again!
"Are you sure?" Yes.
"Are you sure?" Yes.
"Are you sure?" Yes.
"Nuke your hard drive
Worse than that, it hides the malware on WordPress (Score:2)
> But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
> Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
> But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?
It's worse than that. The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS, is a very common vector for malware. The kind of malware that your company's firewall i
Not a native English speaker I guess? (Score:2)
> > of course it can't see and block the malware encrypted via https
> your company's firewall is MITM-ing all https traffic
I see you're still working on your English language skills. "Can't" means "can not". Much like "isn't", for "is not".
Re: (Score:2)
The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS
If a site has a comment section, you are providing at least some personal information every time you post a comment.
Re: (Score:3)
Shirley anyone posting in a forum uses a throw-away email and fake name.
That's not my name, and more and more sites are using blacklist services to identify and reject throw-away e-mail domains, such as Block Disposable Email.
Re: (Score:2)
HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days.
Relying on a firewall to do virus / malware scanning (as opposed to IP / site blocking) also seems terribly inefficient. And even if the firewall does the scanning, you'd have to re-do it on the local device anyway, since there's always a way to get around the firewall.
A tradeoff. Million $ SOC vs data entry clerk (Score:1)
> HTTPS everywhere protects against the mass surveillance
To some extent it does. For simplicity, let's assume it did, completely. Your choices then are:
A) The NSA can tell that someone in your company viewed catvideos.com.
B) The NSA can't tell that someone viewed catvideos.com, and you get infected with malware that somebody put on catvideos.com.
It's not clear that (A) is always preferable. Obviously that doesn't mean you should never use TLS. It means there is a tradeoff.
> there's always a way to
Re:Giant waste of time is what it is. (Score:2)
WordPress, Joomla and pretty well every CMS out there have a login page for at least the site administrator (if not for other non-admin users that have been created) - at least that login page needs to be in https otherwise the creds go across the network in the clear. If you've installed an https cert just for the login page, you may as well extend it to the entire site for no real extra effort.