Slashdot Mirror


Chrome 43 Should Help Batten Down HTTPS Sites

River Tam writes The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can't be modified or is difficult to modify. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag a 'mixed-content warning' in the form of a yellow triangle over the padlock.

10 of 70 comments

  1. Hello, Chrome by Ignacio · · Score: 3, Funny
  2. The first paragraph of TFA ... by John+Bokma · · Score: 4, Informative

    Gives a better summary "The next version of Chrome will include a new security policy that may make it easier for developers to ensure “HTTPS” websites aren’t undermined by insecure HTTP resources."

  3. Re:Is this supposed to be a new thing? by Culture20 · · Score: 4, Funny

    Firefox and IE copied this feature so fast they went back in time.

  4. Chrome broke my VPN by 140Mandak262Jamuna · · Score: 3, Funny

    When it rains it pours. I am battling a serious RAID controller failure at my work desktop. At least I could go home, use VPN to access some common team servers to do some work. Lo, and behold! St Murphy, the patron saint of all things barfing, decides to step in at this critical juncture. Chrome decides to cut Java. Our wonderful IT had bought VPN software that relies on java plug-in in the browser. OK firefox will come to my rescue, so I thought. But St Murphy had anticipated my move.

    When everything fails, you sell your soul to Satan and decide to fire up, gasp, internet explorer. For some odd reason it manages to get past all the hurdles and gets the network extender running. Satan is laughing at St Murphy. St Murphy never loses, his revenge will come soon, and it will be swift.

    In the meantime, caught as a mere pawn in the eternal battle between Satan and St Murphy, I am ruing my fate and bellyaching on slashdot.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Summary misses out the actual feature... by NoNeeeed · · Score: 4, Informative

    What a shock, a slashdot summary that misses the actual salient point of the linked article...

    Here's the description of the new feature from the linked article:

    If the same site was accessed in Chrome 43 -- which is beta now but should be stable in May -- the warning should vanish thanks to a browser Content Security Policy directive known as Upgrade Insecure Resources. The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.

    Here's Google's own description of the feature from the Chromium Blog:

    Upgrading legacy sites to HTTPS

    Transitioning large collections of unmodifiable legacy web content to encrypted, authenticated HTTPS connections can be challenging as the content frequently includes links to insecure resources, triggering mixed content warnings. This release includes a new CSP directive, upgrade-insecure-resources, that causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users.

    So basically this means you don't have to worry if you accidentally miss an HTTP asset link on your site when upgrading to HTTPS, Chrome will automatically do that for you.

    Hopefully the other browsers will follow suit soon, otherwise it's of limited use.

  6. Re:Hello by Anonymous Coward · · Score: 4, Informative

    Nice try, but this is significantly different from what Firefox does.

    From TFA:

    The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.

    TFA's link to chromium.org essentially says the exact same thing:

    Upgrading legacy sites to HTTPS
    Transitioning large collections of unmodifiable legacy web content to encrypted, authenticated HTTPS connections can be challenging as the content frequently includes links to insecure resources, triggering mixed content warnings. This release includes a new CSP directive, upgrade-insecure-resources, that causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users.

    Converting to plain English: If the URL says "http://", Chrome will first try the same link with "https://". You'll only see a mixed-content warning if the website fails to return content for the "https://" link. This obviously assumes that the website is running both HTTP and HTTPS, and that it will give the same content regardless of whether you use HTTP or HTTPS.

    Your link to Firefox 23 only talks about issuing warnings for mixed content; it does not say anywhere that it attempts to retrieve the HTTPS version of an HTTP link.

    tl;dr: Firefox just blocks it; Chrome looks for a safe alternative and only blocks if the safe alternative doesn't exist.

    [ Disclaimer: I use Firefox; I have never used Chrome. ]

  7. great, chrome becomes even more annoying by X0563511 · · Score: 3, Interesting

    For a good long while it's been annoying when dealing with mangled SSL configurations - at least firefox lets you tweak stuff in about:config to work around them.

    No, getting the site fixed is not always an option, and validation of the certificate is not always necessary. For instance, there was a good long while where Chrome was completely unusable with some of our ZFS storage appliances (which live on a nonrouted private management network) because of retarded cert validation changes. Sure, that makes sense when you are visiting your bank's site... but not so much when you're trying to get into something on 10.0.0.0/8 when you're directly connected to the thing with a crossover cable... and no, updating the software in the controller wasn't an option because of outstanding critical-level bugs.

    Fun times.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:Is this supposed to be a new thing? by Billly+Gates · · Score: 3, Interesting

    Go read IE 7 goes RTM from slashdot circa 2006?

    Webmasters freaked by SSL https:/// won't display pictures with non-secure hyperlinks.

    This is not news as for 9 years ancient IE did not allow

  9. Re:Where's the rest of the summary? by petermgreen · · Score: 3, Informative

    The summary is that they are introducing a new HTTP header that can be used to tell the browser to automatically use https instead of http to request resources used by the page, thus avoiding "mixed content" warnings without requiring the website operator to go through the whole page (and potentially things like stylesheets referenced by the page) changing URLs to https.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
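The behaviour described in comments 5, 6 and 9 above, as an added example (not Chrome's code or anything posted in the thread): a Python model of what a browser honouring the directive does to a legacy page. A site opts in with the response header `Content-Security-Policy: upgrade-insecure-requests` (the shipping directive and the W3C spec spell it "requests", not the "resources" quoted above); the rules applied here come from that spec: subresource and form URLs are upgraded whatever their origin, plain links only when they point at the page's own host, and a failed https:// fetch is not retried over http://. The hostnames and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# URL attributes fetched as subresources or form targets are upgraded whatever
# their origin; plain <a> links only when they point at the page's own host.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                     "iframe": "src", "source": "src", "form": "action"}

def upgrade_url(url):
    """http:// -> https:// and ws:// -> wss://; anything else is left alone."""
    parts = urlsplit(url)
    scheme = {"http": "https", "ws": "wss"}.get(parts.scheme)
    if scheme is None:
        return url
    # An explicit :80 would be wrong for TLS; drop it so the default 443 is used.
    netloc = parts.hostname if parts.port == 80 else parts.netloc
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))

class Upgrader(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.requests = []  # (tag, url_in_markup, url_actually_requested)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(SUBRESOURCE_ATTRS.get(tag, "href"))
        if not url or (tag not in SUBRESOURCE_ATTRS and tag != "a"):
            return
        same_host = (urlsplit(url).hostname or self.page_host) == self.page_host
        upgrade = tag in SUBRESOURCE_ATTRS or same_host
        self.requests.append((tag, url, upgrade_url(url) if upgrade else url))

def simulate(html, page_host):
    """What a browser honouring the directive fetches for a page on https://<page_host>/."""
    parser = Upgrader(page_host)
    parser.feed(html)
    return parser.requests

def hosts_that_must_serve_https(requests):
    """Upgraded hosts; with no fallback to http://, each must serve the content over TLS."""
    return sorted({urlsplit(new).hostname for _, old, new in requests if new != old})

# Constructed legacy markup, assumed to be served from https://news.example/.
LEGACY_HTML = """
<img src="http://static.example/logo.png">
<script src="http://cdn.example:80/app.js"></script>
<a href="http://news.example/archive/2006.html">archive</a>
<a href="http://other.example/">elsewhere</a>
"""
```

The hosts returned by `hosts_that_must_serve_https` are the ones a migration has to verify actually answer over TLS before switching the header on, since the directive turns a working http:// image into a broken https:// one otherwise.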
  10. Re:HTTPS Everywhere - 3rd Party Certs? by fahrbot-bot · · Score: 3, Interesting

    "Does it really matter...." is an intellectually lazy argument. Yes it matters.

    No it doesn't, not for everything or even most things. You're over-thinking things and conflating the important with the unimportant, the big things with the little. Stop sweating the little things.

    I used to get more worked up about things, like you apparently are, but then in late 2005, after 20 years together, my wife was diagnosed with a brain tumor and died, literally in my arms, just 7 weeks later. I heard her last breath, felt her last heartbeat and learned what the word "forever" means.

    So, having my NYT or /. connection encrypted isn't really that important - my banking connection, yes, but I try to keep everything in perspective. The scenarios you've described lack some of that.

    I'm not "intellectually lazy"; I just know what is and is not important - for me anyway.

    Also, entities like Google are not encrypting their connection to protect your privacy, it's to protect their revenue stream, so third-parties cannot skim ad/search information w/o paying Google for it.

    --
    It must have been something you assimilated. . . .