Chrome 43 Should Help Batten Down HTTPS Sites

River Tam writes The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can't or is difficult to be modified. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag an 'mixed-content warning' in the form of a yellow triangle over the padlock.

great, chrome becomes even more annoying

[X0563511]

For a good long while it's been annoying when dealing with mangled SSL configurations - at least firefox let's you tweak stuff in about:config to work around them.

No, getting the site fixed is not always an option, and validation of the certificate is not always necessary. For instance, there was a good long while where Chrome was completely unusable with some of our ZFS storage appliances (which live on a nonrouted private management network) because of retarded cert validation changes. Sure, that makes sense when you are visiting your bank's site... but not so much when you're trying to get into something on 10.0.0.0/8 when you're directly connected to the thing with a crossover cable... and no, updating the software in the controller wasn't an option because of outstanding critical-level bugs.

Fun times.

Re:Is this supposed to be a new thing?

[Billly+Gates]

Go read IE 7 goes RTM from slashdot circa 2006?

Webmasters freaked by SSL https:/// won't display pictures with non secure hyperlinks.

This is not news as for 9 years ancient IE did not allow

Re:Chrome broke my VPN

[Billly+Gates]

As screwed up as this sounds I would take modern IE 11 over Firefox anyday.

I would have a psychotic episode seeing me type this 5 years ago but Firefox has gone to shit starting with 4. Actually 3.6 U noticed slowness too.

IE is great for running ancient shit intranet sites. Java is negligent to run as a plugin. Only few good reasons for IE is group policy to allow java to run on only intranet or trusted site lists. If your mcses at work have it enabled globally they should be slapped up the back of the head.

Re:Chrome broke my VPN

[The+MAZZTer]

It is your IT dept's responsibility to keep the VPN working, not Google's. Google has chosen to drop support for a 20 year old insecure plugin architecture in favor of a more modern, secure one. Sure, it's one developed by Google, but 1) there wasn't an existing standard out there AFAIK so they had to make one and 2) the plugin interface is open source so anyone can go and implement it in their own browser, or in their own plugin.

Oracle's official stance seems to be that Java users should switch to Firefox or IE, rather than see themselves try and put any effort toward porting Java. To be fair, I don't know how well Java will mesh with PPAPI's sandboxing.

I wonder if they'll change their tune... Chrome has a pretty sizable user base now.

Re:HTTPS Everywhere - 3rd Party Certs?

[fahrbot-bot]

"Does it really matter...." is an intellectually lazy argument. Yes it matters.

No it doesn't not for everything or even most things. You're over-thinking things and conflating the important with the unimportant, the big things with the little. Stop sweating the little things.

I used to get more worked up about things, like you apparently are, but then in late 2005, after 20 years together, my wife was diagnosed with a brain tumor and died, literally in my arms, just 7 weeks later. I heard her last breath, felt her last heartbeat and learned what the word "forever" means.

So, having my NYT or /. connection encrypted isn't really that important - my banking connection, yes, but I try to keep everything in perspective. The scenarios you've described lack some of that.

I'm not "intellectually lazy" I just know what is and is not important - for me anyway.

Also, entities like Google are not encrypting their connection to protect your privacy, it's to protect their revenue stream, so third-parties cannot skim ad/search information w/o paying Google for it.