Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Proposes To Warn People About Non-SSL Web Sites

Posted by samzenpus on from the protect-ya-neck dept.

mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.

6 of 396 comments (clear)

  1. The major downside to this.. by DigitAl56K · · Score: 5, Insightful

    The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.

  2. This again? by fahrbot-bot · · Score: 5, Interesting

    Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.

    Um... Secure != Trustworthy and, seriously, most web connections DO NOT NEED to be HTTPS.

    Furthermore, I cannot filter HTTPS via my proxy filter (Proxomitron) to strip out annoying things, like the fucking Google sidebar and other forced "user experience" settings - which is why I use nosslsearch.google.com ...

    --
    It must have been something you assimilated. . . .
  3. Re:So perhaps /. will finally fix its shit by heypete · · Score: 5, Insightful

    Really Why? what content on Slashdot justify's the need for encrypted content? I really don't get this huge push for SSL everywhere. give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.

    Exactly. What's the benefit?

    There's a time and place for encryption, and Slashdot ain't it.

    Some folks at Belgacom may disagree.

    Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.

  4. Re:503 by Anonymous Coward · · Score: 5, Insightful

    This rule misinforms. There is nothing alarming about a site not having encryption enabled. A security pop-up is very alarming to the average uneducated user. It's bad enough with the "this site is untrusted" warnings whenever self-signed certs are involved. I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
    Ultimately this is lying to your users because you believe that they do are not technology-literate enough to make the right choice.
    I get that making a secure product that is easy for the average mook is hard, but social-engineering your way around ignorance is a lazy shortcut.

  5. Bad for small business owners by wvmarle · · Score: 5, Insightful

    I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.

    I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.

    Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.

    There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.

  6. Re:Sly by arth1 · · Score: 5, Insightful

    That you can get free certs doesn't mean it's easy or in some cases even possible to install them. These days, you find web servers in lots of embedded devices. Should i have to click by a warning every time I want to access my DVR on my LAN?

    Encryption is useful when it serves a purpose. It doesn't always, and then it's just a waste at best and a false sense of security at worst.
    SSL is inherently a weak solution - it is never any stronger than the least strong of the enormous list of CAs built into every browser. If just one of them is compromised (or have handed over the keys to a three letter agency), visitors lose the protection against MITM attacks and similar.

    Self-signed certs are actually far safer, if done right, where the user has to actually validate the cert the first time. But those gets warned against.