Google Warns Webmasters About Insecure HTTP Web Forms (searchengineland.com)
In April Chrome began marking HTTP pages as "not secure" in its address bar if the pages had password or credit card fields. They're about to take the next step. An anonymous reader quotes SearchEngineLand:
Last night, Google sent email notifications via Google Search Console to site owners that have forms on web pages over HTTP... Google said, "Beginning in October 2017, Chrome will show the 'Not secure' warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode."
Google warned in April that "Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we're ready to take the next steps..."
"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites."
HTTPS is stupid (Score:1)
Let's separate authentication of websites from encryption for privacy. Then there's no reason not to encrypt everything.
Manage your devices (Score:2)
Install device configuration management software on your clients, and deploy the proxy's root certificate through that.
Re: (Score:3)
The problem is that many sites serving over http only will be listed as insecure even if they aren't serving anything that would need encryption, and may not even have a login - or a login only for the webmaster. That covers many hobbyist sites.
This essentially makes it more cumbersome to run a small website for hobbyist purposes.
https only protects the data channel between server and client, it doesn't make a site more trustworthy today.
Re: Manage your devices (Score:1)
Until you're not given that option.
"Oh, I'm sorry. Snapd won't support that because that might compromise security."
"Chromebooks only support changing the cert store at the user level. It won't work with your federally mandated content filter because we protect our users."
Apparently the people in charge of this crap have confused "trusted" with "authority". I.e. It's their authority that is to be trusted, NOT the system administrator's authority. Which defeats the entire p
Re: (Score:2)
That's because the person to whom you later sell on your phone doesn't trust the CA you added.
Re: (Score:2)
The issue is the current owner of the device does not have the final say as to what is trusted and what isn't. It's the current owner's trust that is important, not the device manufacturer's.
Then the current owner does have the final say. The interstitial mentioned by Anonymous Coward (#55051981) reminds the user that the current owner has exercised his final say.
Playing chicken with national censors works (Score:2)
"Oh, I'm sorry. Snapd won't support that because that might compromise security."
Use the --dangerous [snapcraft.io] flag, or use the SNAPPY_FORCE_CPI_URL root environment variable to switch the machine to a different store [github.com]. Or what am I missing?
"Chromebooks only support changing the cert store at the user level. It won't work with your federally mandated content filter because we protect our users."
Then perhaps Google should be playing chicken with a national government as a means of showing that said government's communications policy is harmful to its citizens' well-being by weakening security [slashdot.org]. When Wikipedia played chicken in June 2015, censorship dropped [slashdot.org].
It seems like, if anything, the developers don't trust the users
Given how prevalent PEBKAC is, it saves the support department money not to have to trust the us
Re: (Score:2)
Recompiling snaps every time an update comes out just to change the CA bundle renders snaps utterly pointless. I may as well just run a bunch of VMs
If you have determined that snaps fail Debian's desert island test [debian.org] by making internal deployment of private applications unnecessarily difficult, then use --dangerous, or don't use snaps in your organization and write a blog post about why you chose to use something other than snaps in your organization.
Because we all want to whitelist a search engine in a setting where content filtering is federally mandated, and any "objectionable" content is our liability.
If you have determined that your country's laws prohibit use of a Chromebook, have you opened a support case with each Chromebook manufacturer to make them aware of this prohibition? If so, what was their re
Comment removed (Score:4, Informative)
Re: (Score:2)
And why do you give a shit about that. XP is an EOL, insecure operating system. There's literally no reason to support it any more.
And no - don't give my bullshit about "but my company runs critical systems on it" - THEY FUCKING SHOULDN'T BE RUNNING CRITICAL SYSTEMS ON AN OPERATING SYSTEM THAT'S KNOWN TO BE INSECURE.
Re: (Score:2)
And if you absolutely MUST run XP for something super critical, why the hell are you allowing that machine to browse the internet?
Re: (Score:2)
Good. Your XP system should be forced off the internet. You're a threat to yourself and everyone else.
Re: HTTPS is stupid (Score:1)
SNI - server name indication - fixes this problem for HTTPS. We host multiple SSL-enabled sites with different certs on single IP addresses.
Chrome copies Firefox ... Again (Score:5, Informative)
Firefox added a warning a while ago. It's no surprise Google would follow suit.
Chrome is really turning into a slow, bloated, spyware-ridden Firefox clone.
Re: Chrome copies Firefox ... Again (Score:1)
This isn't a story about cell phones, change your knickers and take a deep breath, lady!
Re:Chrome copies Firefox ... Again (Score:5, Informative)
Chrome is really turning into a slow, bloated, spyware-ridden Firefox clone.
Yeah, just like that time Chrome copied the Firefox layout and then dropped support for its own extensions in favor of Firefox extensions. Oh wait. ;)
Re: (Score:2)
I think the parent should have been modded +5 funny, instead of +5 Informative...
Re: (Score:2)
How many, realistically, are willing to carry a second computer or second phone just to run Safari?
Re: (Score:3)
You spelled Lynx wrong.
False sense of security (Score:2)
Self signed means false sense of security. The HTTP scheme without S means a true sense of insecurity. True sense is better than false sense.
MITM has to intercept more connections for DV (Score:2)
Self-signed means the man in the middle (MITM) who intercepted the connection is decrypting what the server sends, storing it and/or altering it, and re-encrypting it to send to the client. CA-signed means the same MITM also had to intercept the CA's connection to the DNS when the server operator obtained the certificate, which is a bit harder to do for actors smaller than a nation-state. And it's even harder if the server operator regularly checks Certificate Transparency and/or Convergence.
I don't see how
Re: (Score:2)
Wow those people who modded you Informative are humourless or clueless.
I laughed though :-)
Re: They should be (Score:1)
There is a lot that doesn't need encryption.. (Score:4, Insightful)
Re: (Score:1)
Re: (Score:3)
I think the problem here is that while you can easily identify a password field in a form (type=password), it's not so easy to identify other form fields that might contain personal information (you don't have to call the e-mail field "email" for example). Google is probably right at blanket-covering http forms with a warning that that they aren't https.
The warning in Incognito Mode is on a bit less of a justifiable footing though, but it's the next logical step to warning about all http sites regardless of
Re: (Score:2)
It's an annoying pain in the butt.
I mean, internal web applications don't need HTTPS, and yes, we can self-sign and force CA root to be distributed, but it's really just a pain in what is perfectly functioning software.
The only way to hit them requires you to either be on the local network, or VPN in.
Firefox's warning is less than useful - the only way to disable it disables it for all sites, not just intranet ones. Chrome is probably going to be the same - disable it for all, or none, with no option to de
Re: (Score:3)
The real danger here is that people are going to be so used to seeing "not secure" in their browser and being told "oh just go ahead and use it, this isn't important" that soon enough they'll start typing their credit cards into insecure forms again.
Re: (Score:2, Interesting)
This seems like overkill to me.
Are you unaware that some ISPs and "public" wireless hotspots tamper with packets in-transit in order to inject ads?
I want zero percent of my packets to be tampered with in-transit. We prevent that with encryption.
Re: (Score:2)
Google is supping all their data to the government. No change in privacy.
Re: (Score:2)
Who decides if someone needs encryption or not? Do you know what all your visitors are being persecuted for? You're privileged enough to not need encryption for your specific data in your specific geo-political area. The same can not be applied universally.
Re: (Score:3)
This seems like overkill to me.
I'd say it's insufficient. Everything should be encrypted and authenticated end to end, not just forms and form responses. Actually, it's really more important that data coming to your browser be authenticated than that data you send be encrypted. Why? Because unless your browser and OS are perfectly secure (they're not) then you have to trust every network hop between the server and you not to inject malware. With authentication, you only have to trust the server.
And as long as you're authenticating all
Re: (Score:2)
By "hate", you mean non-SJW.
Shut up you WUS (Score:2)
Warrior promoting Unjust Society (or is that, Warrior for Unequal Statuses).
Not worth the extra cost to buy a certificate (Score:1)
My site has a contact page. I'm not going to spend the extra money to get a certificate just so Chrome won't kvetch about my site. I'll put verbiage on the site explaining the error message in Chrome and if people don't want to contact me, I can live with that. Worst comes to worst, I can code the site to complain that Chrome isn't supported. I already do that with Internet Exploder.
Re: (Score:2)
Actually, it's free to set up HTTPS if you use letsencrypt.org. It takes roughly an hour of research to get it working, give or take depending on your current server setup. There are only a couple of gotchas: one, you have to make a certificate signing request file, .csr, which is easier on Linux than Windows. IIRC you can do it with Docker on a Windows machine. The second catch is, there are actually two files you have to put on your webserver, one is the private key, but the other is some "security key hi
Re: (Score:1)
You can get a free certificate from letsencrypt [letsencrypt.org].
Re: (Score:2)
That or if Google supported CERT records in DNS properly. Then sites could publish their own issuing certs and, as long as they use DNSSEC, you could at least verify that the certificates belong to the entity that owns the domain (which is all that's needed for most purposes).
Re: (Score:2)
We could also work on getting some of the registrars to actually support DNSSEC.... it's been "coming soon" to my registrar for several years now and I'm considering switching just because of it.
Re: (Score:2)
In the end a self-signed cert means that the traffic between your browser and the web server has been encrypted.
And decrypted and reencrypted by a man in the middle.
SSH warns that no fingerprint is stored (Score:2)
Https could have been designed to work the same way as ssh, store a fingerprint, if it changes then throw up alarms.
It does work that way. The warning you see when visiting an HTTPS site whose certificate has an unknown issuer, such as a self-signed certificate, is analogous to SSH's warning that no fingerprint is stored for that hostname. A domain-validating CA is just a way to skip that warning. If you think that's a racket, then answer me this: How do you verify that no MITM is altering the fingerprint the first time you connect to an SSH server?
Sites could have stored their current fingerprint as a record in their DNS entry to automate validation
That's called DANE [wikipedia.org]. It's not implemented in browsers because until less t
Re: (Score:2)
The possibility that a man in the middle is intercepting an HTTP request whose URL specifically requested encryption should scare users. That's why OpenSSH's SSH and SFTP clients require the exact 3-character string yes when a fingerprint isn't stored instead of just letting the user press Enter. I'd prefer to go further, requiring the user to retype the first two and last two characters of the fingerprint.
So let me repeat the question: How do you verify that no MITM is altering the fingerprint the first ti
Re: (Score:2)
SSH doesn't use certificates as far as I know.
Re: (Score:2)
It isn't a certificate, it is a public key that you accept. Again, ssh doesn't use certificates.
Re: (Score:2)
again, my sshd doesn't use certificates, only public/private key pairs:
# ls
moduli ssh_host_ecdsa_key ssh_host_rsa_key sshd_config~
ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key.pub
ssh_host_dsa_key ssh_host_ed25519_key sshd_config
ssh_host_dsa_key.pub ssh_host_ed25519_key.pub sshd_config.new
# grep -i cer *
#
I have a form on my site. (Score:2)
They flagged my public wiki as falling under the new policy. So someone who posts something on this wiki runs the risk of having their contribution changed by a man-in-the-middle. (besides running the risk of someone just going to the wiki and changing their contribution the proper way).
Let's Encrypt issue on Playstation browser (Score:1)
I got this warning from Google about my site. A couple years ago, I got https working using Let's Encrypt. So, you'd think I could switch over 100% to https as Google is pushing me to do. But, what I've found is that there are a few odd browser/devices that don't work. A notable one is the PS3/4 web browser (my site is video-game related, so this is not entirely rare). Sony hasn't updated their root certs to include the one used by Let's Encrypt. So, my https does not work on a PS3 or PS4. Thus, I'd
Slightly misguided (Score:2)
A page which was served by unencrypted HTTP but which posts its form data to an https url is secure.
It just doesn't look secure to non-technical users.
Of course if the site then sends the form data back up unencrypted (e.g. after server side value validation fails) that is then insecure, but no one with a brain sends the password value back up anyway.
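Added example, not from the article or any commenter: a small Python audit of which forms on a page pick up Chrome's "Not secure" label under the Chrome 56 rule (a password or credit-card field on an HTTP page, the type=password case the earlier comment mentions) versus the Chrome 62 rule (any field a user can type into on an HTTP page), including the case above of an HTTP page whose form posts to an HTTPS action, which still gets the label because the page carrying the form can be altered in transit before anything is typed. The autocomplete="cc-*" test is an assumed stand-in for Chrome's own credit-card field heuristics, and the page URL and HTML in the usage are constructed.

```python
"""Audit which forms on a page would trip Chrome's 'Not secure' label (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Chrome 56 looked for password and credit-card fields; autocomplete="cc-*" is an
# assumed stand-in for Chrome's real credit-card field heuristics.
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image"}


class _FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and its user-typed fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action posts back to the page's own URL.
            self._cur = {"action": urljoin(self.page_url, a.get("action", "")), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            kind = (a.get("type") or "text").lower() if tag == "input" else tag
            if kind not in SKIP_TYPES:
                self._cur["fields"].append((kind, a.get("autocomplete", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(page_url, html):
    """Return one finding per form with verdict 'ok', 'warn-chrome56' or 'warn-chrome62'."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    page_is_http = urlsplit(page_url).scheme == "http"
    findings = []
    for form in parser.forms:
        kinds = [k for k, _ in form["fields"]]
        sensitive = "password" in kinds or any(ac.startswith("cc-") for _, ac in form["fields"])
        if page_is_http and sensitive:
            verdict = "warn-chrome56"   # password / credit-card field on an HTTP page
        elif page_is_http and kinds:
            verdict = "warn-chrome62"   # any typed input on an HTTP page, whatever the action
        else:
            verdict = "ok"              # HTTPS page, or nothing for the user to type into
        findings.append({"action": form["action"], "verdict": verdict,
                         "posts_https": urlsplit(form["action"]).scheme == "https"})
    return findings
```

Run it over a fetched HTML body with the URL it was served from; a form reported as warn-chrome62 with posts_https true is exactly the "looks insecure but posts to HTTPS" case, and the fix is serving the page itself over HTTPS.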