Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Chrome Google Privacy Security The Internet

Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com) 67

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.
This discussion has been archived. No new comments can be posted.

Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October

Comments Filter:
  • by Anonymous Coward

    The entire internet is 'non-secure', by design. Your silly https is a fucking joke, worse it's a lie.

    • by Anonymous Coward

      Can you elaborate?
      Millions of online banking transactions happen a day over https. Is each connection susceptible to unwanted examination?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I assume you haven't heard the old joke about how fast you have to run to outrun a lion? The answer is: faster than the other guy. Think about it.

    • Security is not an absolute, or a single point target.

      HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days. It will not protect against a targeted attack by the CIA, but it will challenge the NSA dragnet programs and Phorm ad injections.

      Security is always a cat and mouse game ad infinitum. The attacker comes up with a better weapon, so you raise your fence, so he brings a trebuchet...

  • by WaffleMonster ( 969671 ) on Thursday April 27, 2017 @04:04PM (#54315601)

    "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. "

    How they know this?

  • by Anonymous Coward on Thursday April 27, 2017 @04:05PM (#54315605)

    Is "Krystalo", the submitter of this submission, actually Emil Protalinski? All three of the articles linked to by this submission are on this "VentureBeat" site, and all three list "Emil Protalinski" as the author.

    A cursory glance at the submission history for this "Krystalo" Slashdot user shows other submissions linking to this "VentureBeat" site.

    So perhaps this is a case of self-promotion, where this "Emil Protalinski" fellow is submitting his own articles to Slashdot as "Krystalo"? Or perhaps it's a colleague doing it?

    Emil Protalinski, can you please confirm what is happening in this case?

    This "VentureBeat" situation is starting to look a lot like the "BetaNews" situation. There appears to be about one "VentureBeat" submission that gets on the Slashdot front page each week [slashdot.org].

    Now this isn't as bad as the "BetaNews" submissions, which end up on the Slashdot front page almost daily [slashdot.org]. Sometimes there are even multiple submissions in a single day linking to "BetaNews" articles!

    The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted. It starts to make Slashdot look sketchy when there's a submission from "BetaNews" on the Slashdot front page almost every day, and one from "VentureBeat" almost every week.

    We should get a variety of news here, and it should not come from the same sources again and again and again and again, especially if it may be the sources themselves that are submitting submissions that link back to their own sites.

    • The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted.

      Why? Slashdot has constantly been used for self promotion almost back to its inception. The only thing that anyone is interested in is:
      a) is the story relevant and interesting to the site
      b) is the story true
      c) what are the story's biases

      Who it comes from is secondary to all this.

  • "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop."

    Ok, but is that because the users started using https pages, or because the businesses in question switched to https,

    ...or because the user switched to Firefox?

    I mean, we've been trained for the last 20 years that if you get an error, Switch Browsers.

  • Sure, maybe for banking sites and anything where money changes hands.

    I can understand that.

    But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?

    Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?

    But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?

    It's the whole fucking popup verification debacle all over again!

    "Are you sure?" Yes.
    "Are you sure?" Yes.
    "Are you sure?" Yes.
    "Nuke your hard drive

    • > But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
      > Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
      > But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?

      Its worse than that. The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS, is a very common vector for malware. The kind of malware that your company's firewall i

      • by tepples ( 727027 )

        The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS

        If a site has a comment section, you are providing at least some personal information every time you post a comment.

      • HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days.
        Relying on a firewall to do virus / malware scanning (as opposed to IP / site blocking) also seems terribly inefficient. And even if the firewall does the scanning, you'd have to re-do it on the local device anyway, since there's always a way to get around the firewall.

        • > HTTPS everywhere protects against the mass surveillance

          To some extent it does. For simplicity, let's assume it did, completely. Your choices then are:

          A) The NSA can tell that someone in your company viewed catvideos.com.
          B) The NSA can't tell that someone viewed catvideos.com, and you get infected with malware that somebody put on catvideos.com.

          It's not clear that (A) is always preferable. Obviously that doesn't mean you should never use TLS. It means there is a tradeoff.

          > there's always a way to

    • WordPress, Joomla and pretty well every CMS out there have a login page for at least the site administrator (if not for other non-admin users that have been created) - at least that login page needs to be in https otherwise the creds go across the network in the clear. If you've installed an https cert just for the login page, you may as well extend it to the entire site for no real extra effort.

"Marriage is like a cage; one sees the birds outside desperate to get in, and those inside desperate to get out." -- Montaigne

Working...