Google Proposes To Warn People About Non-SSL Web Sites
mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.
This is a dumb idea. A very dumb idea.
-1 Uncomfortable Truth
Yep, same here.
On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working. OK, technically, it's just a change in the browser, but the semantics are obviously meant to "encourage" everyone to switch to HTTPS. However good an idea some of us think that is, it's not up to you.
This is why people are getting freaked out about the power you hold. You're starting to demonstrate that you're not afraid to *use* that influence to simply push things to work however you want them to. You've already done that once by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.
Am I overreacting here? Or is Google going too far, too fast with this?
Irony: Agile development has too much inertia to be abandoned now.
The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.
<----------------- You must be at least this intelligent to ride the internet.
Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Um... Secure != Trustworthy and, seriously, most web connections DO NOT NEED to be HTTPS.
Furthermore, I cannot filter HTTPS via my proxy filter (Proxomitron) to strip out annoying things, like the fucking Google sidebar and other forced "user experience" settings - which is why I use nosslsearch.google.com ...
It must have been something you assimilated. . . .
Problem with the web: too many websites with too much content, not one answer that can be given consistently to similar questions:
Solution: standardize the web, with Wikipedia, Google Knol, etc. and squeeze out those smaller websites so they stop mucking up the corporate profits.
When the sheep get warm and comfy enough, yank anyone who doesn't dish out for SSL, and make it so that it costs a thousand dollars a year to reasonably publish on the web, instead of the pennies it did a few years ago.
Then, you have total dominion and total control. For much profit!
Futurist Traditionalism
Nah... When getting concerned about control, the following usually holds true:
Rules that inform are good.
Rules that control are bad.
This rule informs. It's good. :-)
This has been a public service announcement.
If google starts their own CA and gives away DV SSL certs (all sorts, counting wildcard, multi-domain), then I'm on board more or less. SSL should be free.
The more traffic is encrypted, the more EXPENSIVE it is to host sites and dish out content; it screws up caching and makes everything harder to diagnose when there are technical issues. Encryption comes at a cost, and when the content has no real value it is a pointless cost.
Sweet! Now I'll need to get SSL keys for all of my web basic administration consoles on my already secured private LAN, or else management will yell at me. This sounds GREAT!
I see the value of the proposal: it is easy to inject malware inside an HTTP stream. Snowden documents taught us that the NSA and GCHQ do it over internet backbones. Infected machines also do it when it is easy (hint: WiFi). Pushing towards HTTP/SSL addresses that.
However, with only 33% of the sites that are SSL enabled, they are just going to show warnings everywhere, and users will quickly learn to ignore them.
I find it more than ironic that this article was posted on Slashdot, which in 2014 still doesn't support SSL. It'll even redirect HTTPS to plaintext HTTP!
Firefox added a warning against all self signed certs
It makes sense: encryption without authentication is useless, as the browser gets a secure channel to talk with an unidentified peer. It can be your server, it can also be a man in the middle, there is no way to tell.
You can get a properly signed SSL certificate for free from STARTSSL, therefore there is no excuse for your broken setup.
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Exactly. What's the benefit?
There's a time and place for encryption, and Slashdot ain't it.
Some folks at Belgacom may disagree.
Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.
Have they ever read "The Boy Who Cried Wolf"? You warn people that their local community bulletin board website isn't encrypted enough times and they will probably start to ignore all your warnings. All this would probably do is annoy people to the extent that they will automatically click away any warning window, including when certs are invalid, possibly forged, etc. In other words, it will really annoy people and could even be detrimental to security. Maybe if they restricted it to POSTs, not GETs, though that may just incentivize lazy developers to use GETs instead of POSTs...
Monstar L
On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working.
Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).
In any case, Google hasn't formally announced a decision yet, it has merely made a proposal public and started a discussion on the subject requesting feedback. The fact that everyone is condemning Google for this proposal vindicates all the companies that keep their discussions private and out of the public eye until they work them out -- all secretly first.
This rule misinforms. There is nothing alarming about a site not having encryption enabled. A security pop-up is very alarming to the average uneducated user. It's bad enough with the "this site is untrusted" warnings whenever self-signed certs are involved. I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
Ultimately this is lying to your users because you believe that they are not technology-literate enough to make the right choice.
I get that making a secure product that is easy for the average mook is hard, but social-engineering your way around ignorance is a lazy shortcut.
And so are spell-checkers.
Get free satoshi (Bitcoin) and Dogecoins
I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.
I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.
Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.
There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.
Make no mistake, Google doesn't do this because they have our best interest in mind, but because caching means they can't always tell exactly how many and who saw a particular page or ad. They hate caching unless it's them doing it. Going https instead of http defeats most caching, at the expense of the web sites easily having to serve twice as much data to serve the same number of visitors - some of that from the overhead of https, and some of that because of less caching.
Again, follow the money trail, and you'll get the answer for why Google wants to push everyone to https.
The guys over at squid-cache.org are not amused.
Riiiight because the site where I go to look at 1970s toys that has no comments or login NEEDS to be HTTPS because....reasons.
Might want to look up the concept of "security theater" bub because all this will do is train users that any site that doesn't show the "bad place" warning is safe to give any and all data along with CC numbers, its the classic "If we only have X then we'll be safe!" with X being whatever magic dust you wanna push today.
ACs don't waste your time replying, your posts are never seen by me.
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Since you have a Slashdot account, I'm sure you don't mind your ISP, their transit provider, and Slashdot's CDN seeing your password going over their network in cleartext when you log in.
Even if you use a throwaway password for sites like this (and I hope you do), don't you think it would be better to make a small change that has no effect on how end users interact with the site but somewhat increases their security?
It's not nuts. It's sly. What they're trying to do here is force increased purchasing of SSL certificates from third parties. It's about profit and the wealthy and powerful scratching each other's backs. Sure, you can put in your own, but the browsers will all put up scare dialogs about how they don't know who issued the cert, and away go your visitors / customers.
Do you NEED to have SSL for your blog? For your comic strip? For your aquarium how-to pages? For your archive of 50's pinups? For your CGI that calculates pixels-per-planet for specific lens magnifications and sensor densities? Doubtful. Well, they're looking to change that. It'll be SSL or no visitors, and the web gets hooked even further into the pockets of commercial interests, while the cost of entry slowly inches away from the poor.
Coincidence? Hardly.
Google's pissing directly on your heads here and trying to tell you it's rain.
You know you can get free SSL certificates, right?
Not overreacting, but not thinking rationally here either. Google may be going too far alone, but they are definitely not going too fast.
It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.
Google have been quite pushy, but with interesting result. The world hasn't blindly bowed down to them but rather increased the speed at which they have solved other long standing problems which were getting no interest. I'm hoping the same thing will happen here, that one company doing something different may spur people into fixing what I believe is a horrendously broken approach to security.
Encouraging the web to go 100% SSL only is unquestionably a good thing.
Not if it means paying rent to CAs every year so they can sit on their fat ass and do nothing.
The issues with performance were gone a decade ago...
Even if maintaining session state and TLS were completely free of round-trip delay, and assuming the best case that session resumption occurs for all accesses, you still have to eat additional round trips: delay that is quite noticeable to those accessing content internationally and over wireless or low-bandwidth links.
It makes no sense that all the "anti-SSL" posts have been modded up.
Why should people have to screw with SSL when they have no secure content to offer? This is what makes no sense to me. Google is twisting arms to have their way.
Regardless of what you think of making everything "secure" I don't subscribe to the notion that ends should justify means.
Caching only works with static content anyway, and a good chunk of the web has largely moved onto dynamic, real time or near-real time content.
Also, note that caching methods like Google Cache and Coral Cache have no issues with encryption, as they can access a site via HTTPS separately, store the page's contents, and then serve the information back to whoever requests it. It's not as convenient as automatically caching at an intermediate hop, but it still works for situations where there's a sudden localized spike in traffic to a particular page.
Besides which, now that everybody has easy access to data centers all over the world, caching can (and arguably should) be done by the site administrators rather than by a server admin in between.
So your concerns aren't really valid. If you want to cache on your server and then serve the cached pages from your server as if the client was hitting the real site, well, tough shit. That was only feasible during the innocent days of the internet. Now, it's called MITM and frowned upon.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Also, it will make people accustomed to the pop-up by giving so many false positives. So much that, when it actually matters and they are sending information, they'll just ignore it because it comes up 10 times per day anyway.
Religion is the best example of mass psychosis
Every HTTP request I send to Slashdot contains my cookie, which contains my login credentials. When I do this over a public WiFi network, it's trivial for any passive member of the network to sniff it, as it is for any intermediary. Worse, because it uses AJAX stuff in the background, if I briefly connect to a malicious access point by accident, there's a good chance that it will immediately send that AP's proxy my credentials. I've been using this account for a decade or so. I don't want some random person to be able to hijack it so trivially.
I am TheRaven on Soylent News
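The leak described in the post above (and in the earlier reply about passwords crossing the ISP and CDN in cleartext) comes down to one cookie attribute: a cookie set without Secure is attached to every plaintext http:// request the client makes to that host. The following is an added example, not code from the page or from any commenter; it uses only the Python standard library's http.cookiejar and urllib.request, and the hostname, cookie names and values are constructed samples.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample: two cookies as a site might set them after login.
# "user" lacks the Secure attribute; "session" carries it.
SAMPLE_SET_COOKIES = [
    "user=alice; Path=/; HttpOnly",
    "session=9f1c0d2e; Path=/; Secure; HttpOnly",
]


class _HeadersOnlyResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._msg


def load_jar(set_cookie_values, origin="https://www.example.org/login"):
    """Store the Set-Cookie headers as if they came back from `origin` (constructed)."""
    jar = CookieJar()
    jar.extract_cookies(_HeadersOnlyResponse(set_cookie_values), Request(origin))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies a browser-like client would attach to a request for `url`.

    CookieJar applies the same rule a browser does: a Secure cookie is only
    returned for https:// (or wss://) requests, everything else is returned for
    plain http:// as well.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def insecure_cookies(jar):
    """Cookies that will ride along on plaintext requests and can be sniffed on the wire."""
    return sorted(c.name for c in jar if not c.secure)


if __name__ == "__main__":
    jar = load_jar(SAMPLE_SET_COOKIES)
    print("sent over https:", cookies_sent_to(jar, "https://www.example.org/"))
    print("sent over http: ", cookies_sent_to(jar, "http://www.example.org/"))
    print("exposed on the wire:", insecure_cookies(jar))
```

The check is useful on the defending side too: run it against the Set-Cookie headers your own site emits, and anything that appears in `insecure_cookies()` is a credential that an on-path observer (the coffee-shop WiFi in the post above) can read and replay unless the site is reachable only over HTTPS.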
What about when it misinforms?
If I go to a local restaurant site that does not take orders and it is not running SSL just how is it insecure?
It is like a warning that a public park is insecure because it doesn't have a burglar alarm.
Also just because a site uses ssl does not mean that it is malware free or that it has not been hacked and all the user data taken.
When is a false sense of security a good thing?
And please do not tell me that I should worry about the NSA knowing that I was looking at restaurants.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).
IE taught us that this kind of thing doesn't happen quickly - web developers _still_ have to deal with IE's buggy rendering, despite good alternatives having been available for 15 years. Ok, IE has got better but it's still not great. Users don't see this stuff as a browser problem - if your website doesn't work right then the users see it as a problem with your website.
http://blog.nexusuk.org
Most non-SSL sites use a single IP address for multiple sites and the actual hostname portion of the URL is not known until the GET request.
Assuming that we want IPv4 to continue to work, a mechanism to permit an SSL certificate to secure a group of sites would be needed before more widespread use of SSL for non-commerce/non-login sites would be practical.
Essentially, if a server hosts 30 domains, the server's certificate would need to have a certificate of its own and that certificate would have to be signed by EACH of the 30 domains. That is tricky and would require revision of HTTPS. You would probably have to have the server initially use its OWN unsigned/self-signed certificate to establish an SSL connection, have the browser specify the hostname, then have the server return a signature record that uses that hostname's certificate to sign the fingerprint of the server's SSL certificate. Once the browser confirms that the appropriate CA signed for the hostname and the hostname signed for the server, then it could continue the request (and cache the server's fingerprint).
Google should get cracking on this new HTTPS handshake first.
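The post above assumes the server cannot learn which hostname the browser wants before the HTTP request arrives. The TLS Server Name Indication extension (RFC 6066) carries that hostname inside the ClientHello, so a server hosting many names on one IPv4 address can select the right certificate before sending it. As an added example, not code from the page or from any commenter, the following Python builds a minimal constructed ClientHello with an SNI extension and parses it the way a server would, with bounds checks so a truncated or malformed record is rejected rather than crashing the parser; the hostnames and certificate labels are constructed.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # extension_type server_name (RFC 6066)
HOST_NAME_TYPE = 0            # NameType host_name


def build_client_hello(hostname=None):
    """Build a TLS record carrying a minimal ClientHello (constructed sample).

    Only the fields a server must walk past to reach the extensions are filled
    in; the 32-byte random is fixed so the example is deterministic.
    """
    body = b"\x03\x03"                               # client_version: TLS 1.2
    body += b"\x11" * 32                             # random (constructed)
    body += b"\x00"                                  # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
    body += b"\x01\x00"                              # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                 # truncated record
        return None
    pos = 2 + 32                            # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                    # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                    # compression_methods
    if pos + 2 > len(body):
        return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:               # walk the extension list
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        if len(data) != length:
            return None
        pos += length
        if ext_type == SNI_EXTENSION_TYPE:
            return _parse_server_name_list(data)
    return None


def _parse_server_name_list(data):
    """Parse the ServerNameList structure and return the first host_name entry."""
    if len(data) < 2:
        return None
    end = 2 + struct.unpack("!H", data[:2])[0]
    if end > len(data):
        return None
    pos = 2
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        if len(name) != name_len:
            return None
        pos += name_len
        if name_type == HOST_NAME_TYPE:
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def select_certificate(record, cert_by_host, default=None):
    """Pick the certificate for the requested name before any HTTP request exists.

    cert_by_host maps hostname -> certificate label (constructed sample).
    """
    return cert_by_host.get(extract_sni(record), default)


if __name__ == "__main__":
    certs = {"www.example.org": "cert-example-org", "blog.example.net": "cert-example-net"}
    for host in ("www.example.org", "blog.example.net", None):
        hello = build_client_hello(host)
        print(host, "->", select_certificate(hello, certs, default="cert-fallback"))
```

The `default` branch matters operationally: clients that send no SNI (or a name the server does not host) get a fallback certificate rather than a handshake failure, and a server-side log of those fallbacks is a cheap way to spot misconfigured virtual hosts or scanners probing by raw IP.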