Slashdot Mirror
Chrome 43 Should Help Batten Down HTTPS Sites
River Tam writes The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can't or is difficult to be modified. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag an 'mixed-content warning' in the form of a yellow triangle over the padlock.
Welcome to 2013.
Gives a better summary "The next version of Chrome will include a new security policy that may make it easier for developers to ensure “HTTPS” websites aren’t undermined by insecure HTTP resources."
Perl Programmer for hire
Firefox and IE copied this feature so fast they went back in time.
When everything fails, you sell your soul to Satan and decide to fire up, gasp, internet explorer. For some odd reason it manages to get past all the hurdles gets the network extender running. Satan is laughing at St Murphy. St Murphy never loses, his revenge will come soon, and it will be swift.
In the meantime, caught as a mere pawn in the eternal battle between Satan and St Murphy I am ruing my fate and belly aching in slashdot.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
What a shock, a slashdot summary that misses the actual salient point of the linked article...
Here's the description of the new feature from the linked article:
Here's Google's own description of the feature from the Chromium Blog:
So basically this means you don't have to worry if you accidentally miss an HTTP asset link on your site when upgrading to HTTPS, Chrome will automatically do that for you.
Hopefully the other browsers will follow suit soon, otherwise it's of limited use.
Paul Leader
Run grep on every article (or SELECT from your database) and on every script for http[^s]. Then open a bug for every one of them you find. You're done when every bug is closed and every regression test passes.
Oh shit, I forgot, web developers aren't engineers and aren't capable of doing the above. So this is really hard and can't be solved except by brilliant Google.
Nice try, but this is significantly different from what Firefox does.
From TFA:
The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.
TFA's link to chromium.org essentially says the exact same thing:
Upgrading legacy sites to HTTPS
Transitioning large collections of unmodifiable legacy web content to encrypted, authenticated HTTPS connections can be challenging as the content frequently includes links to insecure resources, triggering mixed content warnings. This release includes a new CSP directive, upgrade-insecure-resources, that causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users.
Converting to plain English: If the URL says "http://", Chrome will first try the same link with "https://". You'll only see a mixed-content warning if the website fails to return content for the "https://" link. This obviously assumes that the website is running both HTTP and HTTPS, and that it will give the same content regardless of whether you use HTTP or HTTPS.
Your link to Firefox 23 only talks about issuing warnings for mixed content; it does not say anywhere that it attempts to retrieve the HTTPS version of an HTTP link.
tl;dr: Firefox just blocks it; Chrome looks for a safe alternative and only blocks if the safe alternative doesn't exist.
[ Disclaimer: I use Firefox; I have never used Chrome. ]
Seriously, OS X Yosemite's 'auto correct' is a total failure: meant to post "...it can't be relied upon..."
AC comments get piped to
For a good long while it's been annoying when dealing with mangled SSL configurations - at least firefox let's you tweak stuff in about:config to work around them.
No, getting the site fixed is not always an option, and validation of the certificate is not always necessary. For instance, there was a good long while where Chrome was completely unusable with some of our ZFS storage appliances (which live on a nonrouted private management network) because of retarded cert validation changes. Sure, that makes sense when you are visiting your bank's site... but not so much when you're trying to get into something on 10.0.0.0/8 when you're directly connected to the thing with a crossover cable... and no, updating the software in the controller wasn't an option because of outstanding critical-level bugs.
Fun times.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Go read IE 7 goes RTM from slashdot circa 2006?
Webmasters freaked by SSL https:/// won't display pictures with non secure hyperlinks.
This is not news as for 9 years ancient IE did not allow
http://saveie6.com/
Ahem.. https://www.eff.org/HTTPS-EVER...
The HTTPS Everywhere is a great idea, but how great when so many use self signed certs. This just gives the illusion of security. One of the biggest problems here is that browsers don't recognize legit free third party cert authorities like CAcert.
I disagree that Everywhere is a great idea. Seriously, does it really matter if an NYT article or /. is delivered securely, or 99.9% of search queries?
It must have been something you assimilated. . . .
The summary is that they are introducing a new http header, this can be used to tell the browser to automatically use https instead of http to request resources used by the page. Thus avoiding "mixed content" warnings without requiring the website operator to go through the whole page (and potentially things like stylesheets referenced by the page) changing urls to https.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
The push for https everywhere also means there is more metadata floating around. If all your are looking at is the metadata and not the data stream, https gives an observer more info about what is going on than with just http. Once you get into properly verifing certs, both sides and an observer has more info to tie a converstaion between a specific client and a server.
You can see this yourself by getting something that does netflow and look at the data that comes from that.
Seriously, does it really matter if an NYT article or /. is delivered securely, or 99.9% of search queries?
Seriously, yes it does. It makes a big difference.
First there is paranoia, based in the obvious facts that throughout the course of human history aspersion have been cast, prosecutions have been level, executions committed, stakes burned, all with the evidence simply being something read - be it books or web page. Maybe nobody will get prosecuted for reading the NYT today, but human history has has episodes of tyrannical left/right turns. And what one reads in the NYT today will be logged and stored by people who have questionable motives of logging and storing this data in the first place....
And then the is the simply more practical op-sec argument. When there is both unencrypted and encrypted communication, simply the fact that a communication is or is not encrypted provides a ton information. This is why several privacy advocates have lobbied for the encryption for all web traffic, be it an NYT article or a banking transaction. The theory being the harder one makes it for the whoever is tracking traffic - be it hackers with ill intent of the surveillance-industrial complex - the better.
"Does it really matter...." is an intellectually lazy argument. Yes it matters. And there is really little excuse beyond intellectual laziness. The infrastructure for encrypting all we traffic exists - its not like one has to decrypt by hand.
Revolution is the opium of the intellectuals.
"Does it really matter...." is an intellectually lazy argument. Yes it matters.
No it doesn't not for everything or even most things. You're over-thinking things and conflating the important with the unimportant, the big things with the little. Stop sweating the little things.
I used to get more worked up about things, like you apparently are, but then in late 2005, after 20 years together, my wife was diagnosed with a brain tumor and died, literally in my arms, just 7 weeks later. I heard her last breath, felt her last heartbeat and learned what the word "forever" means.
So, having my NYT or /. connection encrypted isn't really that important - my banking connection, yes, but I try to keep everything in perspective. The scenarios you've described lack some of that.
I'm not "intellectually lazy" I just know what is and is not important - for me anyway.
Also, entities like Google are not encrypting their connection to protect your privacy, it's to protect their revenue stream, so third-parties cannot skim ad/search information w/o paying Google for it.
It must have been something you assimilated. . . .