Slashdot Mirror
Google Proposes To Warn People About Non-SSL Web Sites
mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Did slashdot just die and silently come back up? I was getting 503's and "offline mode", logged in and out for ages, then suddenly its just working again. Anybody else experience anything like that?
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.
This is a dumb idea. A very dumb idea.
-1 Uncomfortable Truth
The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.
seriously, fuck google
<----------------- You must be at least this intelligent to ride the internet.
Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Um... Secure != Trustworthy and, seriously, most web connections DO NOT NEED to be HTTPS.
Furthermore, I cannot filter HTTPS via my proxy filter (Proxomitron) to strip out annoying things, like the fucking Google sidebar and other forced "user experience" settings - which is why I use nosslsearch.google.com ...
It must have been something you assimilated. . . .
Problem with the web: too many websites with too much content, not one answer that can be given consistently to similar questions:
Solution: standardize the web, with Wikipedia, Google Knol, etc. and squeeze out those smaller websites so they stop mucking up the corporate profits.
When the sheep get warm and comfy enough, yank anyone who doesn't dish out for SSL, and make it so that it costs a thousand dollars a year to reasonably publish on the web, instead of the pennies it did a few years ago.
Then, you have total dominion and total control. For much profit!
Futurist Traditionalism
Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Exactly. What's the benefit?
There's a time and place for encryption, and Slashdot ain't it.
I applaud this move, but ONLY IF https websites are also flagged as being insecure (typical example follows).
https://www.whynopadlock.com/
If google starts their own CA and gives away DV SSL certs (all sorts, counting wildcard, multi-domain), then I'm on board more or less. SSL should be free.
The more traffic is encrypted, the more expensive it becomes for attackers to figure out what's worth their effort (either for decryption attempts or for targeting for more intrusive interception attempts) and what's white noise. When only Super Duper Secret traffic is encrypted, only encrypted traffic is worth a look, but when much or all traffic is encrypted, it becomes prohibitively expensive to spy on traffic in transit. The SSL push is to fuck up the signal-to-noise ratio.
*Warning, insecure content!* This website doesn't have a NSA backdoor, and hence we cannot verify the americanness of the content. Terrorists may be hatching a plot to blow up something here. Or even worse, normal people might be talking how we fucked the web up. >OMFG! Take me out of hereI understand the risks
Over half the web doesn't need SSL, and the way it is implemented is an overpriced scam
The more traffic is encrypted the more EXPENSIVE it is to host sites and dish out content, it screws up caching and makes everything harder to diagnose with technical issues . encryption comes at a cost and when the content has not real value it is a pointless cost.
Sweet! Now I'll need to get SSL keys for all of my web basic administration consoles on my already secured private LAN, or else management will yell at me. This sounds GREAT!
I see the value of the proposal: it is easy to inject malware inside a HTTP stream. Snowden documents taught us that the NSA and CGHQ do it over internet backbones. Infected machines also do it when it is easy (hint: WiFi). Pushing towards HTTP/SSL address that
However, with only 33% of the sites that are SSL enabled, they are just going to show warnings everywhere, and users will quickly learn to ignore them.
I find it more than ironic that this article was posted on Slashdot, which in 2014..still doesn't support SSL. It'll even redirect HTTPS to plaintext HTTP!
While I think you should use HTTPS, it's also quite easy to strip away, anyone in the "man in the middle" position can do this, so no problem for the NSA, no problem for an ISP, no problem for a decent hacker (WiFi anyways), however it is "better than nothing".
Which seems to be what we have to settle for these days BTN "better than nothing".
"If any question why we died, Tell them because our fathers lied."
Firefox added a warning against all self signed certs
It makes sense: encryption without authentication is useless, as the browser gets a secure channel to talk with an unidentified peer. It can be your server, it can also be a man in the middle, there is no way to tell.
You can get a properly signed SSL certificate for free from STARTSSL, therefore there is no excuse for your broken setup.
Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Exactly. What's the benefit?
There's a time and place for encryption, and Slashdot ain't it.
Some folks at Belgacom may disagree.
Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.
I was under the impression you could get signed certs for free or for as low as $5.99,
https://au.godaddy.com/offers/...
and have you looked into this:
http://tack.io/ (Moxie Marlinspike)
Not sure if that is useful for you.
"If any question why we died, Tell them because our fathers lied."
If 90%+ sites used SSL this would be a great idea.
If only 33% sites use SSL, then this warning will be popping up on the majority of websites that people visit.
Guess what happens when an ordinary user sees a warning pop up repeatedly? That's right, they start ignoring the warnings.
you are clueless, caching is a massive problem for SSL sites, it isn't about the site, it is about the consumption of the site. Encryption is great, but clueless people like yourself that push it for no valid reason without understanding the implications and costs just make things worse not better.
How many of you have tried " https://www.slashdot.org/ " ?
How many of you succeed ?
Have they ever read "The boy who cried wolf"? You warn people that their local community bulletin board website isn't encrypted enough times and they will probably start to ignore all your warnings. All this would probably do is annoy people to the extent that they will automatically click away any warning window, including when certs are invalid, possibly forged etc. In other words, it will really annoy people and could even be detrimental to security. Maybe if they restricted it to POSTs not GETs, though that may just incentivize lazy developers to use GETs instead of POSTs.....
Monstar L
If a 3rd party already has control over your traffic flows where they can inject content then you are already fucked, encryption or not. The value of protecting from this attack method is non existent. It is the equivalent to napalming the worlds forests because a bad person could hide behind a tree.
OK, Mr AC, care to explain how you plan to cache SSL-encrypted objects? All your caching proxy sees is the "connect me securely to server X" request - after that, it's encrypted and your proxy cannot tell what's being loaded. Worse, since SSL inflates the data sizes of whatever you've requested, your images are up to 50% more data, and your (already compressed with gzip) HTML, CSS, JS etc is the same. So you've added 50% to your traffic for ... potentially nothing.
Seriously, what do you gain (actual, measurable improvements) from switching from http://www.comics.com/garfield... to https://www.comics.com/garfiel...? Nothing but overhead.
And that's leaving aside the fact that SSL no longer guarantees the source server (too many options for MITM server certificate hacks) or security (POODLE etc).
No, make no mistake, this is Google throwing its weight around, screw anybody who doesn't want or need a certificate for their site, or has made a conscious decision NOT to use SSL (not to mention all the corporates with proxies that inspect for malware - now you're mandating SSL MITM by the organisation, or you have a channel for malware into any system).
>"If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security"."
Arrogant, annoying, unnecessary, stupid, and inaccurate. There are a LOT of sites that have absolutely no need for https and labeling them "insecure" will annoy clue-full users and confuse clueless users all in one swoop. And by encrypting everything, it makes caching far less useful and slows down browsing some.
This type of attitude in design is one of many reasons I don't and will not use Chrome. It is bad enough some of the recent stuff being shoved into Firefox :(
Pros have certs and don't have caching problems. .
ROFL!
Really Why? what content on Slashdot justify's the need for encrypted content?
Mainly if you're worried about someone stealing your cookie and making posts with your account.
If that's not something that worries you, then there's no need.
"First they came for the slanderers and i said nothing."
People re-use passwords across sites.
I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.
I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.
Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.
There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.
Chrome also complains about self-signed https, so you lose. Sorry.
So much for the 'information superhighway'.
I have to have an adblocker running just to keep my browser from turning into a scene of Times Square on a bad acid trip, even on reputable sites which brings the page load to a crawl. Most browsers have some warning for this or that, little green or red padlocks, etc.. Everything might be unsafe, click at your own risk!
If I were a pilot and there were the same number of warnings and blinking lights flashing in the cockpit I probably would have bailed out long ago.
On one extreme you could lock your browser down so hard that there would be little point to attempting to connect to the internet, you'd never get anywhere. On the other you could strip away all of the protections and get pwned in a heartbeat (or maybe not).
I'm not an IT professional by any means, but the current state of the internet is a discordant mess of virtual business fronts and libraries all facing a street prowled by every type of criminal and depraved individual imaginable (and a few that you can't imagine). Have a nice walk down Main St., if you dare!
If we could at least have a secure Main Street, and leave everyone free to go to the seedier side of town if they wish, wouldn't that be great? I'm not sure whether this is technologically achievable. I have to say things are not working well and I sometimes think that the Internet has jumped the shark and it can't last in this state. It's becoming less safe and usable by the day.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
Make no mistake, Google doesn't do this because they have our best interest in mind, but because caching means they can't always tell exactly how many and who saw a particular page or ad. They hate caching unless it's them doing it. Going https instead of http defeats most caching, at the expense of the web sites easily having to serve twice as much data to serve the same number of visitors - some of that from the overhead of https, and some of that because of less caching.
Again, follow the money trail, and you'll get the answer for why Google wants to push everyone to https.
The guys over at squid-cache.org are not amused.
How is caching an issue? People rarely use proxies. CDNs work just fine with SSL and my web client caches just fine.
Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.
since you have a slashdot account, I'm sure you don't mind your ISP, their transit provider, and slashdot's CDN seeing your password going over their network in cleartext when you log in.
Even if you use a throwaway password for sites like this (and I hope you do), don't you think it would be better to make a small change that has no effect on how end users interact with the site but somewhat increases their security?
It's not nuts. It's sly. What they're trying to do here is force increased purchasing of SSL certificates from third parties. It's about profit and the wealthy and powerful scratching each other's backs. Sure, you can put in your own, but the the browsers will all put up scare dialogs about how they don't know who issued the cert, and away go your visitors / customers.
Do you NEED to have SSL for your blog? For your comic strip? For your aquarium how-to pages? For your archive of 50's pinups? For your CGI that calculates pixels-per-planet for specific lens magnifications and sensor densities? Doubtful. Well, they're looking to change that. It'll be SSL or no visitors, and the web gets hooked even further into the pockets of commercial interests, while the cost of entry slowly inches away from the poor.
Coincidence? Hardly.
Google's pissing directly on your heads here and trying to tell you it's rain.
It makes sense: encryption without authentication is useless, as the browser gets a secure channel to talk with an unidentified peer. It can be your server, it can also be a man in the middle, there is no way to tell.
You mean other than manually comparing the certificate against a known-good copy you previously obtained through a trusted channel then telling your web browser to memorize it as a known-good certificate?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You know you can get free SSL certificates, right?
Really Why? what content on Slashdot justify's the need for encrypted content?
Content coming from Slashdot? Very little. It's a public website that is served in a similar way to everyone. But what about content going to Slashdot?
We are living in a world where the west is increasingly persecuting people for ideas. People are being charged over opinions, leakers of information are being persecuted as enemies of the state, and I'm wondering just how many people are logging what it is I said right here right now.
Delivery of open content shouldn't be encrypted unless it's sensitive. That should be optional to the user as well. What is sensitive? That I am browsing an online gun store in a country where firearms are illegal? That I can't look up information about fertilizer online without ending up on some blacklist?
At the very least we should have an option for SSL on any transaction that involves posting information or using credentials. More so for anonymous postings. The option should be there for private browsing as well.
How much did the CA cartel pay Google to come up with this load of BS? Talk to me about SSL everywhere when everyone is using DANE and CAs have long since gone out of business.
You don't scare people with warnings like this. Crying wolf only places your users at increased and unnecessary risk.
Just use a free TLS cert from StartSSL
People rarely use proxies??? wow I am sure the millions of enterprises out their will be amazed to hear that what they are doing is rare. FFS if you don't know anything about technology and its applications why not just refrain from commenting rather than posting absolute shit.
We are living in a world where the west is increasingly persecuting people for ideas.
There's nothing new about this. If you look at history, you'll see things like this happening over and over. Look at how Rome treated Christians, look at the Spanish Inquisition and their expulsion of Jews, look at the Holocaust, look at Stalin's Great Purge. For that matter, remember that the Pilgrims weren't interested in letting everybody worship they way they wanted, they were interested in creating a colony where everybody had to worship the way the Pilgrims said they should. Up until recently, the US has been an exception to the general trend of mankind to punish anybody who doesn't think the same way as the ruler does, but I'm afraid that this is coming to an end. That doesn't mean that we shouldn't fight the trend, just that we shouldn't fool ourselves by thinking that this is something new in the world, because it isn't.
Good, inexpensive web hosting
Encouraging the web to go 100% SSL only is a unquestionably a good thing.
Not if it means paying rent to CAs every year so they can sit on their fat ass and do nothing.
The issues with performance were gone a decade ago...
Even if maintaining session state and TLS were completely free round trip delay and assuming the best case that session resumption occurs for all accesses you still have to eat additional round trips...delay that is quite noticeable to those accessing content internationally and over wireless or low bandwidth links.
It makes no sense that all the "anti-SSL"
posts have been modded up.
Why should people have to screw with SSL when they have no secure content to offer? This is what makes no sense to me. Google is twisting arms to have their way.
Regardless of what you think of making everything "secure" I don't subscribe to the notion that ends should justify means.
Caching only works with static content anyway, and a good chunk of the web has largely moved onto dynamic, real time or near-real time content.
Also, note that caching methods like Google Cache and Coral Cache have no issues with encryption, as they can access a site via HTTPS separately, store the page's contents, and then serve the information back to whoever requests it. It's not as convenient as automatically caching at an intermediate hop, but it still works for situations where there's a sudden localized spike in traffic to a particular page.
Besides which, now that everybody has easy access to data centers all over the world, caching can (and arguably should) be done by the site administrators rather than by a server admin in between.
So your concerns aren't really valid. If you want to cache on your server and then serve the cached pages from your server as if the client was hitting the real site, well, tough shit. That was only feasible during the innocent days of the internet. Now, it's called MITM and frowned upon.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
How about the fact that some analyst over at the NSA may take note of the fact that you might like to read articles critical of said three-letter agency and make a note to flag it for future analysis? By knowing what kinds of articles you like to read on Slash, various intelligence and law-enforcement agencies can compile a lot of blackmail material if you were ever to prove a nuisance down the line.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
You really don't understand how TLS works if you think it doesn't protect you from someone injecting data into a stream, or from redirecting one to an unexpected endpoint.
Yes, and you just wasted $9 of your own power bitching on /. I wonder how often you do that.
Not to mention $8986 of everyone's time and internet traffic. You can get it for FREE.. read FREE!
You can also pay, but you can get it for FREE - get it FREE?
Every HTTP request I send to Slashdot contains my cookie, which contains my login credentials. When I do this over a public WiFi network, it's trivial for any passive member of the network to sniff it, as it is for any intermediary. Worse, because it uses AJAX stuff in the background, if I briefly connect to a malicious access point by accident, there's a good chance that it will immediately send that AP's proxy my credentials. I've been using this account for a decade or so. I don't want some random person to be able to hijack it so trivially.
I am TheRaven on Soylent News
Google may be shooting themselves in the foot when it comes to things like Google Analytics. Finding out what pages people come from is very useful
If a 3rd party already has control over your traffic flows where they can inject content then you are already fucked, encryption or not.
That is not true.
Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.
I already moderated in this discussion but I thought this was important enough to reply to.
SSL everywhere defeats fishing expeditions. Your argument is roughly equivalent to, "I did not do anything wrong; therefore, I have nothing to hide".
People express opinions here. Sometimes, ideas are explored. It is very easy to imagine a scenario where you have somehow come to the attention of some government functionary and they decide to examine your communications history.
Your perfectly innocent comments on Slashdot could come back to haunt you. Isn't it better to not let it all get collected in the first place?
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
Please at least wait until distributing certificates through DNS takes off (DANE).
CA-based TLS is not going to work for everyone. Of course, people in the corporate world couldn't care less - but many of the best parts of the web don't come from the corporate world.
The choice about whether or not to encrypt traffic should be left to each website's administrator. Many sites--shock!--use the web to disseminate information they wish to be public, and the site's users have no problem with their access to it being public either. So get out of their faces! Using the browser to deprecate admin's particular choices is contrary to the spirit of the web, which should always do its damndest to serve something, and degrade gracefully when it's in difficulty, not pop annoying dialog boxes in the user's way.
Self-certificates are already a fairly effective denial of service attack when Firefox is used to access many independent sites that try to implement https, but who fail to do so in a way that offers a smooth user experience to J. Random User (I'm thinking particularly of IndyMedia).
Please note: in China, the censorship does not rely on blocking everything; just on blocking enough that all but the very motivated fail to access it. This troublesome minority can presumably be picked off at leisure later.
Keep it simple, stupid!
You can never eat too much, only cycle too little.
Generally when I try to set up HTTP/SSL in Apache, I get warnings that I can't do virtual hosts for SSL. In fact, I was able to force this through in the past. But I think there's supposed to be some issue with it. I think it's something along the lines that if a connection is encrypted, the server doesn't know what the URL is until it's decrypted, and it can't really decrypt until it knows what the virtual host is. Something like that....
So does it mean that adoptions of HTTP/SSL everywhere will be the end of virtual hosting, and then force each web domain to have a different IP address?
No - this problem is solved with SNI (Server Name Indication) which is part of all the current browsers, and has been for a while now. The client tells the server which certificate to return (which hostname it's going to ask for) in plaintext. There's probably a module you need for Apache to support this - IIS finally does it natively, so I'm sure it was already there in Apache/nginx.
There is no need for SSL everywhere and punishing sites without it by ranking them lower is just plain wrong. Why on earth would a brochure style site for a business need SSL? Why does Wikipedia need SSL (for readers, not for editing)? Why do blogs need SSL for readers? Why does the BBC News website need SSL?
There are a vast number of sites that have no need for SSL and it's simply unnecessary overhead.
Sigs are so 1990s. No way would I be seen dead with one.
I see serveral reasons for a site like /. to use ssl.
1: protecting logins, with password reuse being so common every unenrypted site that allows logins is a potential way for someone with a packet sniffer to gather valuable username/password combinations. I suspect this is the main reason behind chromes proposal.
2: protecting integrity, especially on a tech news site someone could inject fake stories as a means of social engineering to get people to install malware. A similar agrument may apply to using browser vulnerabilities to push malware (though on a machine used for general web browsing https would only help there if nearly the whole web was using it). Yet another possibilty is that an attacker rewrites urls so that when people follow links from an unencrypted site to a site that is supposed to be https they get diverted either to a plain http url or to a https url the attacker controls.
3: protecting privacy, a government with oppresive plans may want to know who is active on stories related to government oppression.
Yes there is a price to be paid in terms of reduced ability for service providers to cache, in terms of more admin effort and in terms of CPU time.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Or at least, makes more sense than throwing up a giant red "WARNING: THIS SITE IS INSECURE!" page for HTTPS self-signed, but *not* for every other HTTP-only site.
-- 'The' Lord and Master Bitman On High, Master Of All
Most non-SSL sites use a single IP address for multiple sites and the actual hostname portion of the URL is not known until the GET request.
Assuming that we want IPv4 to continue to work, a mechanism to permit an SSL certificate to secure a group of sites would be needed before more widespread use of SSL for non-commerce/non-login sites would be practical.
Essentially, if a server hosts 30 domains, the server's certificate would need to have a certificate of its own and that certificate would have to be signed by EACH of the 30 domains. That is tricky and would require revision of HTTPS. You would probably have to have the server initially use its OWN unsigned/self-signed certificate to establish an SSL connection, have the browser specify the hostname, then have the server return a signature record that uses that hostname's certificate to sign the fingerprint of the server's SSL certificate. Once the browser confirms that the appropriate CA signed for the hostname and the hostname signed for the server, then it could continue the request (and cache the server's fingerprint).
Google should get cracking on this new HTTPS handshake first.
Reflexive paranoia like yours is one reason why we can't have nice things.
Reflexive paranoia is a trained response to constantly dealing with selfish shitheads. It's the only way to hold onto the nice things we still have.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.
This is a dumb idea. A very dumb idea.
https://www.httpvshttps.com/
You do need HTTPS to protect mundane content: Saying otherwise is very short sighted...
You might not care about the content, but the way someone, somewhere, is accessing it, does offer a lot of "value".
It can allow a watchful eye to either accuse the reader of being outside the norm, criminal, not respectful and whatnot (reason why librarians fought hard for the right to lend books without giving the list to the state!) or allow them to caracterise, profile, target a person over time for many different reasons.
Thus everyone should have the to right to read anonymously and willingly.
Witholding this right from others is being complicit with opressors.
I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
The untrusted certificate warning page offers a button to view and add a certificate. If and only if you have verified the key fingerprint of a particular site's self-signed certificate out of band, it's secure to click that button. Just don't expect the general public to add your own site's self-signed certificate without giving them a secure way to verify that they're not behind a MITM.
Why must any site be unencrypted?
Because it may not be worth it for every operator of a small web site to pay extra per month to a hosting provider and certificate provider to enable encryption. In the case of StartSSL, this payment is not in money but in the labor to renew every year. And though modern browsers support Server Name Indication (SNI) to allow name-based virtual hosting over HTTPS, HTTPS shuts out those remaining users of Internet Explorer on Windows XP unless you pay your hosting provider extra for a dedicated IPv4 address.
It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.
I think this double standard relates to the difference in end users' expectations when they see "http" or "https" in the address bar. People have been conditioned to think it's OK to put in a password or a credit card number just because the URI scheme is "https".
I fail to see how going to my local newsite to read about the new antics of our clown politicians needs to be encrypted [...] I will encrypt what I deem to be sensitive in nature.
Your session cookie, which represents your privilege to read the news site, is "sensitive in nature".
and load slower because the proxy can't cache it when a fellow work colleague visited the site earlier in the day.
Just because your "fellow work colleague" paid for a subscription to your local news site doesn't mean you did as well. Even if the site isn't paywalled, you could install the root certificate of your office's HTTPS proxy and surf through that.
Why do we need security to view academic articles
The site needs SSL's confidentiality to protect your session cookie, which represents your subscription to the journal that includes the academic article, from getting Firesheeped by an eavesdropper. And you need SSL's integrity and authenticity to ensure that the data tables in the article aren't modified in transit.
The passive observer can see which IP you're going to, and in everything but Internet Explorer on Windows XP, the passive observer can see which hostname on that IP (the SNI field in the ClientHello message).
Perhaps operators of a read-only web site with a premium section are afraid that someone will read the premium section by Firesheeping your subscribed user account.
Startssl.com offers free certs
Unlike web hosting, StartSSL does not auto-renew.
contact your hosting provider, and they should be able to do this for free or a very small charge; if they want an arm and a leg, it's time for you to find a better host.
For a small site, WebFaction will probably work unless much of your audience uses Internet Explorer on Windows XP.
This "non-trivial number of users" is already compromised or very close to it. Because Microsoft is no longer issuing security updates for Internet Explorer on Windows XP, you can probably assume that Internet Explorer on Windows XP is insecure in other ways that could compromise your users' confidentiality.
Bing and Yahoo's web crawlers do not support SNI
When was that? Apparently Bingbot supports SNI as of three months ago.
let you track what certificates other people are seeing for a site
The Perspectives plug-in for Firefox uses the same route diversity technique to expose a man in the middle that attacks some routes to the server but not others. But the Perspectives white paper discloses that this approach is vulnerable to what it calls the "Lserver attack": a man in the middle between the server and its only connection to the Internet.
its a free forum, why the fuck would they waste processor resources to encrypt the content? Their is nothing to secure
Other than the session cookies of its users. Am I the person who created the "tepples" account or someone who Firesheeped his session cookie?
UTF must stand for Unpossible Terrifying Fuckery
For a while, Slashdot did support Unicode. This allowed vandals to not only evade the ASCII art lameness filter with foreign characters but also use bidirectional override characters to impose Unpossible Terrifying Fuckery on the site's layout.
Basically any time you are using public wifi, you are vulnerable to a MITM attack. Properly secured HTTPS is safe, but an HTTP website can be modified in any way the attacker desires.
When MITM is possible worrying about self-signed certificates is last of your concerns. Unless you go beyond google proposal and completely disallow http attacker would use zero-day exploit on first http page you load or modify first .exe you download(of course signed by sony.)
As now you have keylogger on you computer you do not have to worry how much https protects you.
Your fertilizer page is 14674 bytes in length.
Plus 1-500 bytes of randomized padding added to the HTTP headers and the HTML comments that the server inserts to foil BREACH attacks.
DANE, Perspectives, and other CA-free approaches are equivalent in assurance level to a domain-validated certificate from a CA. The difference between a domain-validated certificate and an organization-validated certificate is that it's a lot harder for a typo squatter to get an organization-validated certificate for, say, "bankofamerrica.com". This is why the Comodo Dragon browser warns for domain-validated certificates.
Caching in the browser works as well with HTTPS as it does with HTTP. A caching proxy works too so long as each user of the caching proxy imports the caching proxy's certificate.
All you have to do to enable SSLashdot is log in and subscribe.
Step 1: Sign your own cert(s).
Step 1b (optional): Use certs signed in step 1 to sign additional certs.
Step 2: Publish the hash of the certs in step 1 in one or more widely-printed, widely-available newspapers or magazines.
Step 3: On your web site host installable copies of all certs made in steps 1 and 1b, text and photographic copies of the printed hashes from step 2, and instructions on where to find copies of these publications (e.g. "go to your local library and look up XYZ newspaper dated DATE MONTH YEAR and go to section X page P and look in the 2nd column about 2 inches down").
While most people won't go to the trouble of going to the library, the fact that it is fairly easily check-able by people with access to a big-city library will make it that much more difficult for someone to launch a MITM attack without being caught. Not impossible, just much more difficult.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Great illustration.
On my desktop, over the LAN, with caching forcibly disabled, HTTP took 5.3 seconds and was 9% slower than HTTPS.
On my mobile, over WiFi, again, with caching forcibly disabled, HTTP took 6.8 seconds and HTTPS took 10.8 seconds, 33% slower, AND instead of consumed 2 MB of data because caching couldn't be used.
On my mobile, over the cellular network, HTTP took 18 seconds, and HTTPS took 30 seconds, 69% slower, AND consumed 2 MB of data.
So, considering that mobile is huge and growing, THIS IS A DUMB IDEA.
-1 Uncomfortable Truth
And that adequately reflects the rest of the world how? I have customers with multiple 5Mbps connections (literally the best they can get, there IS NO FIBER) at $400/month. They have dozens of users, 10-100MB files to send and receive, every day, and therefore a local caching proxy is the only way they can get any reasonable web access at all. But go on believing the rest of the world is like your little Utopia.
Enterprise? Install your own CA on the client machines and just MITM proxy it, then.
cookie, which contains my login credentials
Contains your session ID. Someone could steal your current session, but not your credentials. I'm sure you could argue that a session ID is a credential, but unlikely. Can be mitigated (if known) by simply logging out of the site and invalidating the session ID.
SSL everywhere defeats fishing expeditions.
Not really - most phishing attacks are hosted on compromised servers. They could just as well be serving content via SSL as not.
Warning about all sites that don't use TLS is excessive. Many web sites gather no information (they may not even issue cookies) and there is no reason for the warning on those sites. Warning about the lack of TLS on pages that include input forms might be a reasonable compromise; not all of those actually gather any sensitive information (online entertainment quizzes, for example, unless they ask for your email address or the like) but there is no way for the browser to know that.
My hack would be that any non-secure website would have its background image replaced at the browser end by a red warning background with a watermark "WARNING" embedded in it.
"There is no god but allah" - well, they got it half right.
And if you install your CA on the machines, you can still use a local caching proxy.
-Bucky