Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Proposes To Warn People About Non-SSL Web Sites

Posted by samzenpus on from the protect-ya-neck dept.

mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.

25 of 396 comments (clear)

  1. Re:So perhaps /. will finally fix its shit by bloodhawk · · Score: 4, Interesting

    Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.

  2. Stupid by ShieldW0lf · · Score: 4, Insightful

    Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.

    This is a dumb idea. A very dumb idea.

    --
    -1 Uncomfortable Truth
    1. Re:Stupid by by+(1706743) · · Score: 4, Insightful

      Yeah, I really don't care that a webcomic/news site/etc. is non-SSL.

      That said, if a website has a password field, it might be a Good Idea to notify the user if it's non-SSL.

    2. Re:Stupid by jaymz666 · · Score: 4, Interesting

      It also increases costs and management overhead.
      Does Fred Bloggs lyrics site need to be SSL? Probably not. But throwing a warning up is going to cause fear, uncertainty and doubt.

    3. Re:Stupid by heypete · · Score: 4, Informative

      CPU and power increase for encryption is negligible for most sites.
      The real cost is getting a certificate from a site that the browser will recognize.
      Those are expensive especially if you want a site for a hobbie or a supplemental income.

      StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.

      Let's Encrypt, run by the EFF, will be offering free certificates (starting in 2015) with an easy automatic validation and installation system that makes the technical side of deploying certs super easy.

      If, for some reason, that's not satisfactory, Comodo resellers like NameCheap offer PositiveSSL certs for less than $9/year. That's less than a beer at the local bar.

      The financial cost of getting a certificate is essentially negligible.

    4. Re: Stupid by heypete · · Score: 4, Informative

      Also to rent an ip address isn't free.

      IP-based SSL hosting hasn't been necessary since the development of SNI nearly a decade ago.

      Essentially all modern browsers (IE 7+, Firefox 2.0+, Chrome 6+ on XP [all versions of Chrome on Vista+ support SNI], Safari in iOS 4+, Android 3+, WP 7+, etc.) and servers support SNI.

      Several web hosts offer SNI-based SSL/TLS hosting at no additional charge.

    5. Re:Stupid by toejam13 · · Score: 3, Interesting

      Encryption has a cost, it isn't free. ... This is a dumb idea. A very dumb idea.

      Agreed. For most sites, there are only two areas where I care about encryption: 1) login authentication and 2) session tokens (cookies). For #1, briefly switching to SSL/TLS is no big deal.

      The problem today is that there is no satisfactory solution for #2. In order to encrypt your cookies in your HTTP header, you have to encrypt everything. As previously mentioned, this can have some adverse side effects. It is also complete overkill. What HTTP needs is a middle option.

      Enter explicit HTTPS.

      When a client requests a protected URL, it can be given a challenge and negotiation method for TLS not unlike how NTLM authentication over HTTP occurs. It should also negotiate what HTTP headers should be private. When complete, the client then sends encrypted data using a PROT: [session id] [base-64 payload] header. If you wanted to be fancy, you could make the system tolerant of upstream proxies or load-balancers inserting their own cookies.

      Now you have a system where your session tokens cannot be eavesdropped upon, but yet the payload of the HTTP request can be cached.

  3. Re:503 by Dutch+Gun · · Score: 3, Interesting

    Yep, same here.

    On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working. Ok, technically, it's just a change in the browser, but the semantics are obviously meant to "encourage" everyone to switch to HTTPS. However a good idea some of us think that is, it's not up to you.

    This is why people are getting freaked out about the power you hold. You're starting to demonstrate that you're not afraid to *use* that influence to simply push things to work however you want them to. You've already done that once already by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.

    Am I overreacting here? Or is Google going too far, too fast with this?

    --
    Irony: Agile development has too much intertia to be abandoned now.
  4. The major downside to this.. by DigitAl56K · · Score: 5, Insightful

    The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.

  5. This again? by fahrbot-bot · · Score: 5, Interesting

    Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.

    Um... Secure != Trustworthy and, seriously, most web connections DO NOT NEED to be HTTPS.

    Furthermore, I cannot filter HTTPS via my proxy filter (Proxomitron) to strip out annoying things, like the fucking Google sidebar and other forced "user experience" settings - which is why I use nosslsearch.google.com ...

    --
    It must have been something you assimilated. . . .
  6. The web is shrinking by hessian · · Score: 4, Insightful

    Problem with the web: too many websites with too much content, not one answer that can be given consistently to similar questions:

    Solution: standardize the web, with Wikipedia, Google Knol, etc. and squeeze out those smaller websites so they stop mucking up the corporate profits.

    When the sheep get warm and comfy enough, yank anyone who doesn't dish out for SSL, and make it so that it costs a thousand dollars a year to reasonably publish on the web, instead of the pennies it did a few years ago.

    Then, you have total dominion and total control. For much profit!

    --
    Futurist Traditionalism
    1. Re:The web is shrinking by Dutch+Gun · · Score: 4, Informative

      In fairness to Google, they're also pushing a new standard that will allow free SSL certs to be used by anyone who wants it. Search for Let's Encrypt for more info.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  7. Re:503 by Charliemopps · · Score: 4, Insightful

    Nah... When getting concerned about control, the following usually holds true:
    Rules that inform are good.
    Rules that control are bad.

    This rule informs. It's good.
    This has been a public service announcement. :-)

  8. Re:So perhaps /. will finally fix its shit by bloodhawk · · Score: 3, Informative

    The more traffic is encrypted the more EXPENSIVE it is to host sites and dish out content, it screws up caching and makes everything harder to diagnose with technical issues . encryption comes at a cost and when the content has not real value it is a pointless cost.

  9. Including Slashdot? by Midnight_Falcon · · Score: 3, Informative

    I find it more than ironic that this article was posted on Slashdot, which in 2014..still doesn't support SSL. It'll even redirect HTTPS to plaintext HTTP!

  10. Re:So perhaps /. will finally fix its shit by heypete · · Score: 5, Insightful

    Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.

    Exactly. What's the benefit?

    There's a time and place for encryption, and Slashdot ain't it.

    Some folks at Belgacom may disagree.

    Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.

  11. Re:503 by stephanruby · · Score: 4, Insightful

    On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working.

    Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).

    In any case, Google hasn't formally announced a decision yet, it has merely made a proposal public and started a discussion on the subject requesting feedback. The fact that everyone is condemning Google for this proposal vindicates all the companies that keep their discussions private and out of the public eye until they work them out -- all secretly first.

  12. Re:503 by Anonymous Coward · · Score: 5, Insightful

    This rule misinforms. There is nothing alarming about a site not having encryption enabled. A security pop-up is very alarming to the average uneducated user. It's bad enough with the "this site is untrusted" warnings whenever self-signed certs are involved. I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
    Ultimately this is lying to your users because you believe that they do are not technology-literate enough to make the right choice.
    I get that making a secure product that is easy for the average mook is hard, but social-engineering your way around ignorance is a lazy shortcut.

  13. Bad for small business owners by wvmarle · · Score: 5, Insightful

    I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.

    I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.

    Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.

    There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.

  14. Re: So perhaps /. will finally fix its shit by arth1 · · Score: 4, Insightful

    Make no mistake, Google doesn't do this because they have our best interest in mind, but because caching means they can't always tell exactly how many and who saw a particular page or ad. They hate caching unless it's them doing it. Going https instead of http defeats most caching, at the expense of the web sites easily having to serve twice as much data to serve the same number of visitors - some of that from the overhead of https, and some of that because of less caching.

    Again, follow the money trail, and you'll get the answer for why Google wants to push everyone to https.
    The guys over at squid-cache.org are not amused.

  15. Re:503 by hairyfeet · · Score: 3, Insightful

    Riiiight because the site where I go to look at 1970s toys that has no comments or login NEEDS to be HTTPS because....reasons.

    Might want to look up the concept of "security theater" bub because all this will do is train users that any site that doesn't show the "bad place" warning is safe to give any and all data along with CC numbers, its the classic "If we only have X then we'll be safe!" with X being whatever magic dust you wanna push today.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  16. Sly by Anonymous Coward · · Score: 3, Interesting

    It's not nuts. It's sly. What they're trying to do here is force increased purchasing of SSL certificates from third parties. It's about profit and the wealthy and powerful scratching each other's backs. Sure, you can put in your own, but the the browsers will all put up scare dialogs about how they don't know who issued the cert, and away go your visitors / customers.

    Do you NEED to have SSL for your blog? For your comic strip? For your aquarium how-to pages? For your archive of 50's pinups? For your CGI that calculates pixels-per-planet for specific lens magnifications and sensor densities? Doubtful. Well, they're looking to change that. It'll be SSL or no visitors, and the web gets hooked even further into the pockets of commercial interests, while the cost of entry slowly inches away from the poor.

    Coincidence? Hardly.

    Google's pissing directly on your heads here and trying to tell you it's rain.

    1. Re:Sly by arth1 · · Score: 5, Insightful

      That you can get free certs doesn't mean it's easy or in some cases even possible to install them. These days, you find web servers in lots of embedded devices. Should i have to click by a warning every time I want to access my DVR on my LAN?

      Encryption is useful when it serves a purpose. It doesn't always, and then it's just a waste at best and a false sense of security at worst.
      SSL is inherently a weak solution - it is never any stronger than the least strong of the enormous list of CAs built into every browser. If just one of them is compromised (or have handed over the keys to a three letter agency), visitors lose the protection against MITM attacks and similar.

      Self-signed certs are actually far safer, if done right, where the user has to actually validate the cert the first time. But those gets warned against.

    2. Re:Sly by dave420 · · Score: 3, Insightful

      So make your own CA, create certificates using that, and trust the CA on the devices on your network. Problem solved: No warnings.

  17. Re:503 by thegarbz · · Score: 4, Insightful

    Not overreacting, but not thinking rationally here either. Google may be going too far alone, but they are definitely not going too fast.

    It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.

    Google have been quite pushy, but with interesting result. The world hasn't blindly bowed down to them but rather increased the speed at which they have solved other long standing problems which were getting no interest. I'm hoping the same thing will happen here, that one company doing something different may spur people into fixing what I believe is a horrendously broken approach to security.