Google Will Soon Let You Know By Default When Websites Are Unencrypted

An anonymous reader writes: Permanent changes are planned for future Google Chrome releases, which will add a big shiny red cross in the URL bar if the website you're accessing is not using HTTPS. Google says it is planning to add this to Chrome by the end of 2016, after one of its developers proposed the idea back in December 2014. Many have argued that the web is predominantly unencrypted, so they're displaying a persistent and ambiguous error message for a large portion of the Internet. Since unencrypted content is not an error state, the Chrome team should use alternate iconography, because the default error message this will just confuse average people, and it will encourage error blindness.

Not Sure What the HTTPS Hooplah is all about

HTTPs only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

Re:Not Sure What the HTTPS Hooplah is all about

[lgw]

HTTPs only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

I'd prefer my employer didn't know the contents of what I post to Slashdot. You can extend this to just about any forum where ideas are exchanged.

Re: Not Sure What the HTTPS Hooplah is all about

Get back to work.

Re:Not Sure What the HTTPS Hooplah is all about

[BradleyUffner]

HTTPs only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

Umm... the full URL certainly IS encrypted.
https://stackoverflow.com/ques...

Re:Not Sure What the HTTPS Hooplah is all about

You can also work instead of wasting away your work-time on private crap. I might surf some big sites from work, but I never go to privatly used forums or pages where I contribute. There are so many reasons why that should not be done!

Re:Not Sure What the HTTPS Hooplah is all about

[NotInHere]

In fact, the URL is encrypted. The only thing that is not encrypted is the hostname. You should probably use APK's host file engine if you don't want the DNS request info to leave your computer (or use DNSSEC), and even then you'd have to disable SNI.

But I kind of agree. HTTPS is a nice concept, but its no silver bullet. It only protects your data on the way to the cloud provider or whatever you are visiting. The cloud provider still gets the unencrypted files. But yeah, HTTPS is something the cloud industry really likes. It protects the data from everyone but them. So they control it, and its their version of greenwashing.

Re:Not Sure What the HTTPS Hooplah is all about

Bad news if your on an employers computer using their internet connection, they can still see everything.

Re:Not Sure What the HTTPS Hooplah is all about

[cweber]

HTTPs only encrypts the contents of what you are retrieving

HTTPS also blinds "proxies" and antivirus software which may have their own opinions of what should and should not travel over plain old port 80. ISPs have done stunts like ad injection, antivirus software routinely blocks websockets, and on and on. HTTPS is a godsend around this bullshit.

Re:Not Sure What the HTTPS Hooplah is all about

The URI is encrypted. I don't understand why those Republicans constantly lie and claim it isn't. It is. Those people are liars.

Re:Not Sure What the HTTPS Hooplah is all about

I'd prefer my employer didn't know the contents of what I post to Slashdot

Your IT department can issue their own Certs and sniff on all your https traffic anyhow, or install keylogging/screen monitoring software. Or install cameras, or just stand behind you and watch over your shoulder.

Simple solution- stop posting from work.

Re:Not Sure What the HTTPS Hooplah is all about

Factually incorrect: The domain or IP is not encrypted, but the URLs and the content are.

Re:Not Sure What the HTTPS Hooplah is all about

It also prevents tampering. Without HTTPS, not only can anyone along the path observe what you download, but they can also replace your client request or the server's reply. You visit slashdot.org, instead of you receiving slashdot you get a flash exploit exploit tailored to your user-agent.

As other people have pointed out, it does encrypt the URL. You might have been thinking that it doesn't encrypt the DNS lookup. Separate problem, both need to be solved. Lack of complete security is no reason to avoid incremental improvements.

Re:Not Sure What the HTTPS Hooplah is all about

HTTPS makes filtering, caching and advertising content blocking harder.

Re:Not Sure What the HTTPS Hooplah is all about

HTTPS is encryption and authentication. Without HTTPS, anyone between your computer and the web servers can manipulate every part of the request and the web page. Mobile networks for example are notorious for adding headers to HTTP requests and "optimizing" the pages you get back.

Re:Not Sure What the HTTPS Hooplah is all about

[dsmatthews9379]

If you really cared about that you would not post at all because all they have to do is fingerprint the text you produce at work and then they can compare it against even anonymous posts. Author identification is not at all new, it was developed to help prevent student plagiarism.

Better to say what you want and fight for the right to say it, than to futilely try and hide under a transparent digital rock.

Re:Not Sure What the HTTPS Hooplah is all about

[bigfinger76]

Just like that, huh?

Re:Not Sure What the HTTPS Hooplah is all about

[ripvlan]

ha ha ha ha.... your employer doesn't know?

My employer has deployed MiM SSL certs to all equipment and we access the web via a proxy. But Chrome happily displays the Green Secure Icon!

ha ha ha -- "my employer isn't watching me." [snork] that's a good one.

Re:Not Sure What the HTTPS Hooplah is all about

[hey!]

This is correct.

Common browser UIs seem to imply that the URL is metadata that is separate from content, but you can make unencrypted HTTP requests using a telnet terminal emulation session to the IP address of the server using port 80. If you do it becomes abundantly clear that the request URL, headers, and body are sent over the same unencrypted network socket. The browser has to parse the URL to the point of extracting the host name (e.g. http:/// foobar.com/requestPath), but the IP address is all that it needs to create the socket; the URI is then transmitted in its entirety on that socket.

When you use HTTPS the browser notices the difference in protocol and makes an encrypted connection to port 443. All the business of certificate are taken care of under the covers, and what you end up is just another socket. Everything else remains the same, including the fact that the only thing that gets transmitted in the packet header is the destination IP address and port number. Everything else is transmitted inside the socket (including the actual hostname you requested).

Re:Not Sure What the HTTPS Hooplah is all about

[XanC]

DNSSEC doesn't provide any encryption. It's not for secrecy; it's for authenticating DNS information.

Re:Not Sure What the HTTPS Hooplah is all about

Not over an HTTPS connection. Unless they've implemented infrastructure and certificates for a MitM approach.

Re:Not Sure What the HTTPS Hooplah is all about

[Obfuscant]

I'd prefer my employer didn't know the contents of what I post to Slashdot.

So you use https://whatever.public.forum.... And your employer monitors your packets and sees a large number of packets to that address at times X, Y, and Z, and then scans the public forum for any posting close to time X, Y, and Z. They might see five different names at each time, but the intersection of those three sets will most likely be ... you.

Now, that evidence might not stand up in a court of law to convict you of anything, but your employer isn't going to care about that level of proof. You want to keep your employer from knowing what you are posting, you're already using a VPN, so the https part is irrelevant.

You can extend this to just about any forum where ideas are exchanged.

Not every website is a forum where ideas are exchanged. Not every website deals in personal or private data of any kind. Some websites are as simple as 'xtide', which allows you to select a location and a time and get back predicted tides. Pretty useful stuff.

I run an xtide server. I had to hack the source to put in a robots.txt so that indexers stopped beating it to death asking for page after page of predictions. I don't have time, and nobody is going to pay me, to hack in SSL so it can become https. When FF stops allowing access to it, those users will just lose access to it.

Re:Not Sure What the HTTPS Hooplah is all about

[NotInHere]

Ah right, seems I was wrong.

Re:Not Sure What the HTTPS Hooplah is all about

[tepples]

When you use HTTPS the browser notices the difference in protocol and makes an encrypted connection to port 443.

Which discloses the hostname in the clear in the Server Name Indication (SNI) field of the ClientHello packet. Otherwise, if the server hosts more than one website, how does it know which site's certificate to use?

Re:Not Sure What the HTTPS Hooplah is all about

[tepples]

HTTPS makes filtering or caching in a proxy harder: the proxy operator has to convince the user to install the proxy operator's root certificate. It doesn't make IP address-based filtering, hostname-based filtering (hello APK), browser-side filtering, or browser-side caching any harder at all.

Re:Not Sure What the HTTPS Hooplah is all about

[jafiwam]

HTTPS is encryption and authentication. Without HTTPS, anyone between your computer and the web servers can manipulate every part of the request and the web page. Mobile networks for example are notorious for adding headers to HTTP requests and "optimizing" the pages you get back.

No.

HTTPS encrypts the data transfer, and provides for VERIFICATION that a third party CA believes the site is who it says it is. No authentication involved.

Re: Not Sure What the HTTPS Hooplah is all about

[guruevi]

HTTPS is also used for (somewhat) authenticating the content. The problem is that any router in between you and eg Google can just remove/replace the ads (which is what they don't want) or even replace the ads with malware (which is what you don't want).

Using HTTPS by default just makes sense. There are plenty of instances where static pages on a cheap site suddenly become dynamic and later need actual user authentication and I've gone through a number of instances where SSL just started breaking shit in the ancient systems and cheaper people may decide to just cut their losses at that point.

Re:Not Sure What the HTTPS Hooplah is all about

[hey!]

This is true. I have to confess I never looked up the details of the TLS handshake negotiation.

Re:Not Sure What the HTTPS Hooplah is all about

You can have authentication, it's optional.

Both client and server are permitted to send certificates. As used popularly, only the server sends one, saying "Here, this proves I'm example.com".

But there are sites, and especially HTTP APIs that use the client cert for authentication, "Here, I'm bob@example.org" and the server verifies the certificate is from a CA it trusts, and if so whether bob@example.org is allowed to do whatever it is with the API.

Re:Not Sure What the HTTPS Hooplah is all about

The good news is that Google punishes sites that don't use SSL. (Even better when they do the honor by excluding crawlers via robots.txt.)

This helps nudge the web incrementally to a future of SSL everywhere. Can't wait.

Re:Not Sure What the HTTPS Hooplah is all about

[tepples]

In the past ten years, I've seen exactly two sites that use a client certificate: Kount (e-commerce risk assessment) and StartSSL (a CA). It isn't very common.

Re:Not Sure What the HTTPS Hooplah is all about

[fahrbot-bot]

Ah right, seems I was wrong.

Oh my God. Someone on /. (simply) admits he/she was wrong.

Thank you, dear poster. I can die now, to be whisked off to either a warn Heaven or very cold Hell.

Re:Not Sure What the HTTPS Hooplah is all about

[JesseMcDonald]

HTTPS encrypts the data transfer, and provides for VERIFICATION that a third party CA believes the site is who it says it is. No authentication involved.

On the contrary, the HTTPS server is forced to authenticate itself as the holder of the private key signed by a CA. Verification is between the server and its CA, not between the client and the server, and serves as a preliminary to obtaining a CA's signature for the server's key.

TLS can also be used to authenticate the client using a client certificate or a password (TLS-SRP), but this is much less common.

Re: Not Sure What the HTTPS Hooplah is all about

There are so many methods of silent remote machine administration with live screen view, that I dont even have to sniff a single packet to see what you're doing at your desk. Packets, proxy logs, firewall rules, etc. are just icing to the cake.

Re: Not Sure What the HTTPS Hooplah is all about

That's not a solution, that's a chilling effect.

Re:Not Sure What the HTTPS Hooplah is all about

[grmoc]

Not to mention that it is basically impossible to deploy any new feature or new protocol over port 80 (i.e. unencrypted) thanks to the 'help' of these proxies.

This is why you'll see that HTTP2 is deployed basically only over encrypted :443.

Amusingly, because of the 'helpful' proxies, HTTPS can be faster than HTTP. With the advent of QUIC (i.e. HTTP2 plus improvements), HTTP will almost always be slower unless the carrier is doing something (intentionally?) to screw things up.

Re:Not Sure What the HTTPS Hooplah is all about

[mysidia]

how does it know which site's certificate to use?

Most secure sites should run on a dedicated server, not be shared with other domains websites on the same server, since it is a security issue.

But you could also use a unique IP address for each site hosted on the same server..... IP virtual hosting... present the right certificate when the right IP address is contacted.

This is also good, because not all browsers in use support SNI. For example, Internet Explorer on Windows XP does not.

Re:Not Sure What the HTTPS Hooplah is all about

[mysidia]

. It doesn't make IP address-based filtering, hostname-based filtering (hello APK), browser-side filtering, or browser-side caching any harder at all.

Except IP address-based filtering is inherently hard; it's really not what you want to be doing.

Also, APK is garbage.... stick with OpenDNS or hostname filtering on your Firewall device, or on your DNS servers with BIND Response Policy Zones and some of the commercial real-time feeds regarding malware domains.

Re: Not Sure What the HTTPS Hooplah is all about

That's illegal in Europe. God, what 17th century totalitarian hellhole do you guys live in?

Re:Not Sure What the HTTPS Hooplah is all about

[mysidia]

and provides for VERIFICATION

In security, there are exactly Three kinds of verification regarding a principal: Authentication - Confirms that a party is whom they claim to be
Authorization - Confirms that a party is permitted to proceed with the requested action
Auditability/Non-Repudiation - Confirms that the party commits to the requested action and cannot later pretend they didn't do it, or did it at a different time / under different conditions

No authentication involved.

INCORRECT. With the HTTPS protocol, a Server Certificate is used to Authenticate the server to the client.

In fact, the type of certificate required is one that has the serverAuth Key Usage (Short for "TLS Server Authentication")

You can see that over here: https://www.openssl.org/docs/m...

This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for:

serverAuth SSL/TLS Web Server Authentication.

Re:Not Sure What the HTTPS Hooplah is all about

[spongman]

IE on XP doesn't support secure HTTPS, either.

Re: Not Sure What the HTTPS Hooplah is all about

It's illegal in Europe for employers to monitor what you do on their network with their hardware? What kind of backward, anti-freedom hellhole do you live in?

Re:Not Sure What the HTTPS Hooplah is all about

The warm Heaven seems more likely. Some findings have indicated that Heaven is Hotter than Hell.

(Then again, some of the conclusions are not necessarily universally accepted. Hell might be even hotter than Heaven's hot temperature. However, Heaven's heat wasn't a part that was in dispute.

These articles suggest that the possibilities are an eternal hot place and an eternal hot place. And you thought that global warming was making your outlook be scary hot...

Re:Not Sure What the HTTPS Hooplah is all about

[KGIII]

Ha! I use Thunderbird, not Outlook. I don't even use Windows! I'm safe from AGW!

Re: Not Sure What the HTTPS Hooplah is all about

[Bender+Unit+22]

Well, some have. To scan for vira and malware. Many products can do this. Bluecoat for example.

Re: Not Sure What the HTTPS Hooplah is all about

Yes! Yes, it is illegal in Europe! We have very strong protections for privacy and freedom of speech. Employees can employ technical measures, such as throttle or block sites like YouTube or Facebook, but they certainly can not monitor who accesses these sites, when and what they do on them. If there's reason to suspect criminal activity is happening, you know what? The police handles the investigation! And you know what else? When you go to the store and a smart-ass security guard stops and tells you to empty your pockets, you don't have to oblige! You can legally refuse such nonsense and ask for the police to do inspect you, after which you can file libel charges if nothing is found.

It's generally thought that employees have plenty of means to monitor the output of their workforce and that is how it actually is. Spying on their private messages is voyeurism at best, it's social porn for the superiors. It's a disgusting side-effect of the "job creator" cult people are taught to worship. A "job creator" is a citizen just like everyone else and have the same rights and duties.

People who think like you are the cancer of the United States of America (nothing personal against you per se). I wish you guys, especially the less-fortunate and poor majority, would wake up and realize that they *can* demand better standards. You *can* demand freedom and true individual rights.

Re: Not Sure What the HTTPS Hooplah is all about

[mSparks43]

the ip address isn't encrypted.

the url is.
lots of isps nowith mitm https by default. UK all the major ones do AFAIK. where it is impossible to establish a secure https connection using a secure CA.

Re:Not Sure What the HTTPS Hooplah is all about

You can't tell what the URL was in a TLS/SSL connection, not without using MITM or being able to audit/malicious monitor the client/server side.

Re:Not Sure What the HTTPS Hooplah is all about

[tepples]

Most secure sites should run on a dedicated server [or] IP virtual hosting

If a site has its own dedicated IP address, then the act of accessing this IP address reveals the identity of the site that is being accessed.

Re: Not Sure What the HTTPS Hooplah is all about

[dirtyhippie]

Are you whiny, entitled people serious? Its work for fuck's sake. You have no right to free internet, or freedom of expression thereon, at work.

Frist Psot!

Encryption would just slow me down with all that extra processing.

Hey, Google

Don't "help".

great...

That's great. Now, will Google let us know when it is tracking every thing we do online via its myriad of tracking technologies? Will it let us know when our email is going to be harvested for marketing data just because we sent an email to a non-google-appearing domain that was hosted on gmail? Will it let us know when and how it is logging our movements via android phones? Will it let us know what location data its "self driving cars" are going to be reporting back to google?

Re:great...

Easy answer - always!

title

I thing the OP wanted the title to be "Google Chrome" Maybe one of the mods can fix that by at least replacing Google with Chrome.

Predominantly?

[PPH]

Using that logic: The web is predominantly for porn. So we should label exceptions as SFW (Safe For Work).

Re:Predominantly?

[The-Ixian]

I thought the web was primarily spam and Netflix these days...

Re:Predominantly?

I thought the web was primarily spam and Netflix these days...

Forget Netflix. The web is predominantly ads supplying spam, malware, etc.

Good

[roman_mir]

Good, finally some parity compared to the situation where a browser like FF would through huge error messages around self signed certificates but would absolutely not yell or scream about plain text sites.

Re:Good

[Obfuscant]

Why shouldn't FF tell you that a site was saying "we are secure, really, just trust us", and why should it tell you that the http site you are visiting isn't making any claims of trust at all? That's the default for http, after all.

Re:Good

[roman_mir]

That's not my point, FF doesn't just warn people that the certificate is self signed, it actively tries to impress upon the user that the https connection with a self signed certificate is worse than a plain text http connection, because THAT is what a user compares his experiences to, not to another https site but to plain http.

My position on this is that FF goes to great length to make it seem that an https connection with a self signed certificate is less secure than http, while that is categorically untrue, it is at least AS secure as http. AFAIC CAs are not trustworthy themselves, https is broken, if you think your https session is really secure because it is signed by some 'authority', that's an interesting mental exercise.

Removing gigantic multi-screen warnings with insane messages about self signed certificates would help to increase overall security on the Internet by making it possible for people to use self signed certificates without making it look like self signed certs are a plague while not making the same types of accusations against plain http (which many sites also use!!! to transfer passwords).

Re:Good

[Obfuscant]

it actively tries to impress upon the user that the https connection with a self signed certificate is worse than a plain text http connection,

But it doesn't make that comparison. It tells you when a site is saying "trust me because I say I'm trustworthy". It says nothing about a site that says "I'm making no claims at all about trust." That's not saying that one is better than the other, just that one is something that the user needs to know about ("hey, this is https so it's secure, right?") and the other is the default.

My position on this is that FF goes to great length to make it seem that an https connection with a self signed certificate is less secure than http,

That's not what it says. That's your inference because you forget that http says nothing about security at all. How can you be less secure than "none"?

Re:Good

[roman_mir]

Of-course it does, it is trying to prevent people from using self signed certificates and pushing them towards CAs. FF today doesn't even display the protocol in the address bar by default, it shows either a grey globe or a green padlock, clicking on these you get 'connection secure' or 'connection is not secure' message. It's that easy to simply check if the certificate is self signed, treat the site as if it was an HTTP site by the browser and provide an appropriate status in the details ( self signed certificate for this connection that claims to be secured but is not verified by a third party authority).

THAT would be meaningful and would help the Internet to switch to https.

Re:Good

[tepples]

Of-course it does, it is trying to prevent people from using self signed certificates and pushing them towards CAs.

Is there a problem with that? StartSSL has been issuing DV certs without charge for years, and now there are also WoSign and Let's Encrypt.

FF today doesn't even display the protocol in the address bar by default

Firefox 44 shows the scheme for HTTPS and hides it for HTTP.

it shows either a grey globe or a green padlock, clicking on these you get 'connection secure' or 'connection is not secure' message. It's that easy to simply check if the certificate is self signed

Most users are unwilling to learn to check that pop-up every time.

treat the site as if it was an HTTP site by the browser

Because it's possible for http://example.com/ and https://example.com/ to return entirely unrelated documents, treating them the same in every respect is incorrect behavior. This means you have to define to what extent a browser ought to treat them the same.

encourage error blindness?!

We already suffer from error blindness;

"Since unencrypted content is not an error state" says who?

because to me it is. its not about the encryption, its about the verifiable accountability.

Re:encourage error blindness?!

[tnk1]

Unless Google certifies that all of its links are to HTTPS sites, then it isn't an error condition, because the site is both up and providing the information that you searched for. In that case, it's a warning. And warnings should be clearly marked as such.

If I mean to go to a blog site that I know is insecure, but Google hates that it doesn't have HTTPS and turns it red and puts a line through it, then I might believe that the site is either offline, or perhaps dangerous.

If Google wants a nice shield icon or something to indicate that HTTPS is good to go, I'm down with that. That's informative, and it helps me understand what sites are, or are not secured in that manner.

If they start shaming sites that don't use it, then that is activist bullshit. And with Google's market share of search, that's a near monopoly who is making your site look like shit so most of your audience is going to see it.

SSL is not exactly hard to set up, but its not entirely trivial. Some people don't want to have to muck around with it, and they shouldn't have to if they don't actually provide a service that needs to be secure.

Re:encourage error blindness?!

I run a personal site that used to be SSL, but when Firefox changed to warning users when it sees a self-signed certificate many of my viewers started complaining that my site was broken and I had to remove HTTPS access. Fuck you browser developers. I'm not paying your company or a third company for a certificate (especially when you guys let fake certificates through) and I don't want my site directly linked to me personally in real life. I host off my personal net connection and it seems every ISP and now browser is actively trying to stop us self-hosters. Why did you need some company's approval to put anything online nowadays?

As someone below pointed out, there's no magic to CA approved certificates. If I want to obtain a domain-validated certificate to facebok.com I can (assuming no one else has) and the browsers will helpfully tells all the users that my site can be fully trusted.

Wait...

[RJFerret]

So we used to have a simple system, see http:/// on the URL bar, or see https:/// on the bar.

Then some idiot got the bright idea of hiding the start of the URL, so users could be ignorant or infuriated.

Now they are going to use another symbol to indicate the lack of an "s"?

Have I really got this right?

(Hopefully in the future the symbol will be clarified by replacing it with a sequence of letters.)

Re:Wait...

[Simulant]

This. Yes you have it right. They took a page right out of Microsoft's book and oversimplified the address bar to the point where people who were capable of learning the difference between HTTP and HTTPS or a search term and a URL no longer have the opportunity, and then they complain of computer illiteracy...

This shit irks me to no end. Windows is full of examples (hiding file extensions by default for instance)

Re:Wait...

[XanC]

What we've learned is that not all HTTPS are created equal. There could be insecure ciphers, mixed content, insecure signatures, vulnerabilities, what have you. Just looking for the "s" isn't enough. It's a very good thing that the browsers, which can look at all the factors, are giving better hints about whether a connection is trustworthy.

Re:Wait...

And when you copy and paste from the address bar, it magically adds the http/s prefix back in. Which is annoying to no end for so many reasons since it wasn't what you actually copied.

Re:Wait...

[thegarbz]

So we used to have a simple system, see http:/// on the URL bar, or see https:/// on the bar.

Are you on mad? They are both the same. Oh wait let me get my glasses. Oh they are slightly different. What the hell does the s mean? and that http thing? and why are there those two dots and the slashes? Is one supposed to be good and the other bad or something? If one is good and another is bad why not just replace them with a red x and a green tick?

Why does every software developer think that ever user is a damn guru hacker who knows that the big box under the screen is called the HDD? Wait what do you mean that's not right either? ffs I just want to surf the web, leave me alone with your complicated hacker stuff.

*An excerpt of a conversation many people have had with the very few computer users who understand the difference an s can make in the titlebar.

Re:Wait...

[Impy+the+Impiuos+Imp]

To be honest, a file extension as synonym for type of file was an asinine hack from day 1.

Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

Re:Wait...

Damn straight.

Re:Wait...

Is it too much to ask people to learn just a tiny little bit about the basics of how web sites work? Do you have to fucking dumb down EVERYTHING? It's 2016 - have we just given up and decided that despite information being everywhere, people just can't be bothered to learn something really quite small yet potentially useful?

Re:Wait...

Internet Explorer still shows it. Chrome hides it if it is http, but shows it when it is https. Have not checked other browsers.

Either way, at least Chrome has made it clearer, since you not longer have to notice the absence or presence of "s".

Re:Wait...

[JesseMcDonald]

So we used to have a simple system, see http:/// on the URL bar, or see https:/// on the bar.

Only http:/// is hidden, so users can still look for https:///. In fact, the difference is even more obvious than before: instead of just one missing letter, the entire protocol field indicates whether the connection is encrypted.

Re:Wait...

[The-Ixian]

I know that, at least in FF, you can re-enable the /https?/ prefix in about:config.

Re:Wait...

Internet Explorer still shows it. Chrome hides it if it is http, but shows it when it is https. Have not checked other browsers.

Either way, at least Chrome has made it clearer, since you not longer have to notice the absence or presence of "s".

Oh and a few other things. Chrome will color https part red if connection is encrypted but uses unknown certificate. Will color it grey, if it uses encryption but not for the entire page. Finally, it will show an error page if page is encrypted but is actually insecure.

Re:Wait...

[TapeCutter]

I'm not an engineer! I just want to sit behind the steering wheel and drive the horseless carriage, I don't care about the pedals and sticks.

Re:Wait...

HTTPS is not secure anyway so this is all hogwash. The trust chain is too big and broken.

Re:Wait...

To be honest, a file extension as synonym for type of file was an asinine hack from day 1.

Extensions are (arguably) a poor system design choice. That said, once that decision was made, the UI design had to account for the system design. For the UI design to hide the required extension by default sends a mixed message - extensions have a critical function/ignore them. Mixed or ambiguous messages are a sign of a bad UI.

Re:Wait...

Just think of the part after the "." as another data field, and stop worrying.

Re:Wait...

I'm not an engineer! I just want to sit behind the steering wheel and drive the horseless carriage, I don't care about the pedals and sticks.

At work, it is not possible to browse wikipedia to look up something, unless you use internet explorer, and even then it is only the one on prebuilt standard work systems that doesn't nag you.

Maybe just a once a day nag message that says something like: Yes I understand that my company man in the middles everything. Yes, it annoys me, but I still have work to do, so stop protecting me...

Re:Wait...

[thegarbz]

You jest, but not without a lot of truth.

Yes the ultimate in sitting and driving is not having to do the damn driving thing. That's one of the reasons I have a car with cruise control. I can't wait for it to steer itself too. But ultimately there's a big difference in user cases:

Car: Months of lessons. In some cases years of probation. Licensing system to ensure if someone isn't capable of using it the are removed from pool of users.
Computer: Grandma turns it on and she's on her own.

In many ways it's far more important for computer security to be extremely simple and idiot proof than the controls of a motor vehicle since we regulate who is allowed to be in control.

Re:Wait...

[thegarbz]

Is it too much to ask people to learn just a tiny little bit about the basics of how web sites work?

Not at all. Learning is a good idea, but from an interface point of view there's a big difference in usability between:

a) Look at the bar at the top and see if you can see an s in the bit after http and before ://
or
b) Is it red or green?

Or more critically when you compare the proposal to the current situation: why is red (encrypted with a problem) worse than no warning at all (completely unencrypted subject to snooping from every idiot at starbucks)?

Re:Wait...

[allo]

This isn't too stupid, as an icon is faster and easier to understand than looking for a single letter.

Re:Wait...

The "http" vs. "https" difference has no meaning to our moms so it has to go away.

Re:Wait...

[linuxrocks123]

Silly response: If you are driving in such a way that you assume you will ultimately receive years of probation, that is quite disturbing.

Serious response: In the US states I am aware of, graduated licenses are only for those under 18. Your mileage (ha ha mileage) with Euro-nannies may vary.

Re:Wait...

[thegarbz]

Your Silly response is assuming that a) I'm European and b) I'm driving in a disturbing way.

Many places in the world put you on 3 years automatic probation when you first get your licence. You get to display a big P on the back of your car, have a 0.0 alcohol limit, a max speed limit (this one is the dumbest fucking idea in the world), and after 10pm you have a limit of the number of people you can have in the car if no one holds a valid open drivers license. I believe Canada has a similar system though not nearly as strong.

My point remains the same:
a) the ultimate goal of the car would be to get in and tell it where to take you without having to do anything.
b) there's a lot of training and licencing and policing involved with operating a motor vehicle.

Could still use improvement

[dissy]

I can't see any problem with showing clear icons for the state of the connection, which includes unencrypted being distinguishable from encrypted with a cert signed by an untrusted party (aka self-signed) vs a cert signed by a trusted party.

It's better than the current state of things, where the web browser programmers out right mis-interpret what is going on and potentially lying to the user.

For example, if I run my own CA and sign all of my own certificates, and push my CA public key by hand to computers intended to access my server, verified by hash fingerprints - this is arguably MORE secure than a "secure" public CA signed certificate that I have no control over.
After all I know exactly who signs certs with my CA - me - and despite what the public CAs and web browser programmers claim, I in fact do trust myself.

CAs are known to have signed fraudulent certs, so they are not the ultimate high tier of trust.

Of course the self-signed situation described above is very different from random snakeoil.crt style self-signed certs where the only possible way to verify the servers identity is to check the thumbprint hash. And who has time for that?

Displaying the lowest tier of security icon for non-https sounds just as useful as it has been since SSL was invented.
(After all, a lock vs a lack of a lock works good enough for anyone that cares about encryption, but I could care less what the two icons actually are of)

At least Googles approach is better than Mozillas by an infinite amount!
I'd rather use Chrome and at least have it bitch about the lack of SSL while still actually showing me the webpage.
Firefox will soon actively remove non-https support and display an "unknown protocol 'http'" error instead.
Hope you don't like browsing .html files locally in firefox :P
https://blog.mozilla.org/secur...

Re:Could still use improvement

[Knuckles]

local files are file:///

Re:Could still use improvement

If Firefox does this, their market share will implode very quickly. Deservedly. Stupid agenda pushers.

Re:Could still use improvement

Firefox will soon actively remove non-https support and display an "unknown protocol 'http'" error instead.

No way. Does anyone have proof of this?

Re:Could still use improvement

[Zontar+The+Mindless]

You apparently did not bother to read the blog to which you linked:

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

Re:Could still use improvement

[thegarbz]

Not quite. This is indeed "legacy" support. The goal being that "new features" of Firefox are only available if a site is served via https.

This is actually a good way of forcing the point. HTML6 (or whatever we will call the successor or addons past HTML5) will effectively only work if the site serves content securely.

Unfortunately I don't think Mozilla has the clout or marketshare to make this work. The reality is people will just consider it a broken browser and move elsewhere.

Re:Could still use improvement

[AmiMoJo]

According to the FAQ linked in your link, local unencrypted content will be supported for those who need it.

Signaling that HTTP is going away in the long term is a good thing. With hindsight, not encrypting everything from the start was a mistake. The transition won't be difficult for most people.

Another step to a corporate internet?

Seems to me that this great push towards https everywhere could lead to an unwelcome endgame. Tried viewing youtube through a proxy doing an m-i-t-m interception? Seems you can't with chrome and certificate pinning. Of course that's by design, and exactly what you want, but it means Google now has end-to-end control of the media. No slipping an ad-blocking proxy in there or otherwise tampering with or examining their content.

Now it's heading towards "no https, no play". Next, only content signed by "trusted" CA's? Nice way to raise the barrier to entry for the web.

Seems like the internet could end up as a proprietary, closed content-delivery system, just like cable TV was.

Anon, because tinfoil hat.

Re:Another step to a corporate internet?

[amiga3D]

Of course the web isn't the internet. There are many ways around it.

Now isn't that special

[Bomarc]

Now I have to pay someone else to have a web site that will visible to the public.

My website is primarily static information (actually, it is only static information). I don't exchange any data (other than standard log files) ... I don't even use cookies. Now big-ass Google is coming in and I need to pay someone else to have an encryption certificate.

If things were bad enough, the last one I tried to implement ... after three days I was not able to implement SSL on my server (help!?!). I suspect that implementation of SSL is one of those "if you know it - it's simple. If you don't - good luck".

Re:Now isn't that special

Hello?

You don't need to pay someone else. https://letsencrypt.org/

Implement ACME (or more often, get software that does it for you) and letsencrypt.org will automatically issue certificates that yes, working in people's existing web browsers, and auto-renew them. This is how it was _supposed_ to be from the outset before leeches got to blood sucking.

Re:Now isn't that special

[ChadL]

Free certificates can now be gotten via https://letsencrypt.org/. Its still in public beta, but functional. For help on the how to set up encryption, LetsEncrypt's client can take care of few web servers, but for more specific instructions you would need to disclose what web server software your using.

Re:Now isn't that special

[Bomarc]

Thank you for the URL, however 'letsencrypt.org' won't work (that I can see) for me... I have windows servers (only worried about one that is public facing). It appears that they only support Linux.

Plan "B"?

I've been trying to replace / upgrade the my key server; the upgrade is dependent on a change to the network. The change to the network involves finding need documentation on non-straightforward 'rout' commands.

Re:Now isn't that special

[ChadL]

It appears at least a few people have had luck with using it on Windows here, but the results certainly appear mixed and no official clients are offered.
I've not touched a Windows server since the days of 2k (and never ran SSL on it), so... I can't really provide much useful assistance I'm afraid.

Re:Now isn't that special

You trust Microsoft to implement the features you need, well, now a feature you need is ACME support (to automate Let's Encrypt) so let's hope your trust is well placed.

Or, you can do it manually. All the steps Let's Encrypt have automated for popular Linux setups are steps a human can do by hand, though they're not always easy.

To prove to the Let's Encrypt system that you really control your domains ACME lets you offer several possible proofs, the easiest one to do by hand for the average capable web site administrator is returning a value Let's Encrypt have picked, as the contents of a URL they have also picked. Basically this will mean asking them to pick, then creating a file on your web server in the right directory so that when they access the URL they'll get the file, proving you administrate the entire site or else you wouldn't be able to do that. If that sounds like something you can do, look online for "manual let's encrypt steps".

Re:Now isn't that special

[JesseMcDonald]

The Let's Encrypt project will work just fine with Windows servers. You just need a compatible ACME client, and there are a few options available:

ACMESharp

letsencrypt-win-simple

Re:Now isn't that special

[Bomarc]

You trust Microsoft to implement the features you need...

Now *THAT* is funny!

They (M$) keep pulling features I need, keep adding bugs (and features) I don't want. Further... key features that I do need as an administrator (Example: export / import a black list of IP addresses is not available.) I *WISH* I could move to a different OS (Linux) but that would add even more to my painful process.

Re:Now isn't that special

[Bomarc]

Thank you for the info: I'll follow-up!

Re: Now isn't that special

Not at all. It _used_ to be that you had to validate at some length that you were who you claimed to be in order to get your cert signed. This took real time and effort, and the processing fee was justified.

After the great internet race to the bottom, however, now "EV" certs arent even worth that, and sites are composed of so many third party reesources running on insecure cloud hosted images churned out by unqualified developers with no idea of security (or systems architecture, or often programming) that Im surprised when someone browing the web _doesnt_ get royally screwed.

Re:Now isn't that special

Can you upload small text files to http://yourdomain/.well-known/acme-challenge ? And can you run openssl from a (local) Linux commandline? Then you should be able to get Letsencrypt certificates for your site with gethttpsforfree without running anything on the server. It's a bit tedious but it works.

Google and non-SSL site warnings

[Lauren+Weinstein]

I'm forced to agree with this Slashdot poster. The use of a red X in this context will confuse users about perfectly correct and properly working websites, particularly legacy sites that carry no practical risks and contain widely referenced information, but that cannot be upgraded to SSL in a practical manner. The most likely outcome will be users learning to ignore such warnings completely because they will be so widely present and widely viewed as "crying wolf." It is also likely that many sites will push back against Google on this by posting explicit messages on their pages explaining to users that Google is playing Mommy and that nothing is wrong with their sites. It is perfectly acceptable and reasonable for Google to encourage the use of SSL. However, the approach being discussed is not helpful and is likely to even be counterproductive. REFERENCE: "When Google Thinks They're Your Mommy" - http://lauren.vortex.com/archi...

Re:Google and non-SSL site warnings

[thegarbz]

There's no such thing as crying wolf in this case. The users just need to be taught if you see red, don't enter your credit card.

I see red sign and red x all the time, but they often have context as to what I can and can't do with them. This is no different.

Re:Google and non-SSL site warnings

[The-Ixian]

Exactly right.

I swear, techies are so egotistical and think that nobody can possibly understand stuff.

Just spend some time training instead of immediately assuming that people will be confused.

More likely, techies are just lazy or afraid of dealing with people and would rather find the "solution" that involves the least amount of face time possible.

Re:Google and non-SSL site warnings

[qaz123]

There's no such thing as crying wolf in this case. The users just need to be taught if you see red, don't enter your credit card.

The users just need to be taught if you don't see green, or "https" or whatever icon they show now for https sites, don't enter your credit card.

Re:Google and non-SSL site warnings

There's no such thing as crying wolf in this case. The users just need to be taught if you see red, don't enter your credit card.

I see red sign and red x all the time, but they often have context as to what I can and can't do with them. This is no different.

You exemplify why this is harmful. HTTPS won't help you if the site has been compromised to scrape and forward data after it has been decrypted. HTTPS won't help you if the sites database is lifted. Is PCI compliance a requirement for HTTPS?

Google is simply pushing another type of security theater, and in doing so encouraging people to remain ignorant about risk.

Google is absolutely crying wolf here.

Re:Google and non-SSL site warnings

[JesseMcDonald]

particularly legacy sites that carry no practical risks

There is no such thing. It doesn't matter whether the content of the connection is particularly sensitive; whenever you connect to any Internet site over an unauthenticated connection, an attacker can take advantage of that opportunity to substitute malware in place of the innocuous data you expected. Malicious scripts, injected third-party ads, exploit-riddled media filesâ"unprotected connections offer endless opportunities for those so inclined to take over your PC. The only way to protect yourself and your PC is to use TLS to verify that the data came from the expected source.

Re:Google and non-SSL site warnings

[thegarbz]

I'm fine with that too, but don't flash a bright red warning then if a site is encrypted with a self signed certificate.

I'm happy with either way, but 100% displeased with the current system which gives a pass to something completely open, but flags something that has at least a partial attempt at security.

It's almost like we need something very simple like:
red: Unencrypted, or certificate has changed indicating MITM
yellow: Encrypted with a broken trust chain.
green: You're safe.

Re:Google and non-SSL site warnings

[bradley13]

"...cannot be upgraded to SSL in a practical manner"

Um, why would that be? I'm having trouble imagining.

Once upon a time, getting an SSL certificate cost $100 or so; installing an SSL certificate was a pain. Still, for any sort of web server with commercial intent, the costs and effort were negligible. I manage a site for a very small company, and it has used SSL for years. Ok, maybe it wasn't worth it for a hobbyist site.

As of a couple of months ago, with LetsEncrypt, the excuses are all gone. For the company I mentioned, I moved to LetsEncrypt this year. Even though the project is still officially in beta, getting and installing the certificate was totally painless - completely automatic. It was also free, as in beer. What possible reason is there, not to put SSL on every web server out there?

Ok, two reality checks:

- LetsEncrypt does not yet have an automatic renewal process. They believe in short-lived certificates, and at the moment that means that you have to manually renew your certificates every 3 months. That problem should be resolved in the next couple of months.

- Likely, many shared-hosting ISPs are not yet set up for LetsEncrypt. Some may even resist, because they make money selling SSL certs. A bit of market pressure should solve that problem, and likely will by the end of 2016.

Encrypt everything: your internet connection, your hard disks, your cat, everything. Not only for your own security, but also as your small contribution to the fight against overreaching governments.

Re:Google and non-SSL site warnings

[AmiMoJo]

Upgrading a site to HTTP costs nothing and for many people can be done automatically by their hosting provider anyway.

Google's move should prompt the stragglers to get their arses in gear and make this simple change.

Simple filter proposal

How about just showing the red bar if the HTML/javascript posts anything?

Why encrypt non-sensitive content?

[SpaceDave]

Forgive my ignorance but this is an honest question - am I missing something?

I run about 50 websites, some for myself and some for local non-profit organizations. They're all simple information/brochure websites with no real interaction or sensitive content. For the life of me I can't conceive of any reason to encrypt any of these websites, yet it's going to cost me a small fortune in certificates to keep them alive in the future.

Why would I need to encrypt a website that offers nothing more than, for example, a list of local historical sites to visit? Thanks for any insights.

Re:Why encrypt non-sensitive content?

And even if you had money, you would have to renew certificate each year (for some reason these things expire) and if you forget, people will have to go through hoops and bogus security alerts to open it (at best).

Re:Why encrypt non-sensitive content?

[damn_registrars]

I've been wondering that myself for a while as well. Google - and others - have been on a campaign for a while now to try to get every web site to move to https. As best I can tell it's just evangelism run amok. This is no different from people who tell us that every phone we buy - and hence every phone call we make - should be encrypted as well, even though they can't give a sane explanation for why my call for a pizza to to ask my wife what we want to do for dinner should be handled with the same stringency as nuclear launch codes from the POTUS.

Re:Why encrypt non-sensitive content?

1. No, it shouldn't cost you a dime. https://letsencrypt.org/

2. SSL means your "list of local historical sites" remains exactly as you wrote it, and doesn't mysteriously lose mention of that awful thing which happened in 1846 that a local politician feels "school children just don't need to be taught" when it is viewed on school WiFi. It also won't suddenly gain a banner advertisement for Amazon when viewed from a certain US ISP. You presumably care about the "simple information" on your sites and want it presented as you wrote it, so that seems valuable, but without SSL there just isn't any guarantee at all.

Re:Why encrypt non-sensitive content?

[qaz123]

"SSL means your "list of local historical sites" remains exactly as you wrote it"
Easy solution. Allow self-signed certificates. Don't show crazy warnings about self signed certificates. Because an https connection with a self signed certificate is not less secure than http. Actually it's more secure.

Re:Why encrypt non-sensitive content?

[The-Ixian]

Well, from what I understand Google's SPDY (which will become the next HTTP standard?) works over TLS and is significantly faster than HTTP 1.1

While I don't think that TLS is required for SPDY, I also don't think that it is going to be implemented without it.

So, basically, I think the next generation of HTTP protocol will (arbitrarily?) require TLS.

Other than that. I guess the other side of the argument to "why not use just use unencrypted HTTP?" is "if there is no cost involved and doesn't a lot of extra effort to set up, why NOT use encrypted HTTP?"

Encryption does raise the bar a little bit further on various attacks making them harder to accomplish as well. For example, with certificate pinning, you can be better assured that you are visiting the site you actually think you are.

Re:Why encrypt non-sensitive content?

[JustAnotherOldGuy]

...even though they can't give a sane explanation for why my call for a pizza to to ask my wife what we want to do for dinner should be handled with the same stringency as nuclear launch codes from the POTUS.

But, but...what if you asked for anchovies? Would you really want just anyone to know that? My god, man, think of your children. Or their children, or somebody's children.

Re:Why encrypt non-sensitive content?

[JustAnotherOldGuy]

I'm in the same position as you, with about ~100 sites of my own. The vast majority would not benefit in the slightest from encryption, yet it would impose significant costs and hassle on me to get certificates for every site, keep them updated, etc etc etc.

It seems pointless to me. No one gives a fuck if (for example) the recipe for Walnut Blueberry Muffins that someone grabs from one of my sites is "safe from prying eyes". FFS, I put it out there specifically so people could find it and use it. No one gets arrested or threatened or ostracized for wanting to make blueberry muffins. What's the need for HTTPS security there?

There's no secret shit there, it's a public site meant to be browsed by anyone and everyone. How the fuck would encryption benefit the users of that site?

Re:Why encrypt non-sensitive content?

[allo]

you're missing free certificates and that HTTP with TLS should be the new standard. It was a design fail to allow HTTP to be unencrypted all these years. Now you just need to adopt a new practice.

Re:Why encrypt non-sensitive content?

[allo]

The warning is not about the encryption, but about the trustworthiness. When you accepted a self signed certificate (after you checked it, i hope for you), you will get no warnings anymore. If you did not check and accept it, it's correct to warn you.

Re:Why encrypt non-sensitive content?

[fustakrakich]

Because when you separate the two, you are flagging one as the more valuable target. It will call unwanted attention from the exact people you are avoiding. If everything were to be encrypted your adversary will waste time chasing it all, whether it's credit card numbers or a shopping list. If he were to do my shopping for me, he can have both.

All of that notwithstanding, HTTPS is a joke, worse, it's a tracker. Its vulnerabilities are well documented (I love seeing this story on a "secure" site). And our favorite TLAs have it all covered. The internet is still a broadcast system, just like TV and radio. Everything you do can be seen by all. So the best way to hide a message is to say it real loud with flashing lights and blaring horns.

Re:Why encrypt non-sensitive content?

[fustakrakich]

It's pretty damn simple. You don't want the encrypted shit to stand out. It puts a bulls-eye on the message. It's a beacon.

Re:Why encrypt non-sensitive content?

The real advantage is that your content cannot be changed in transit.

So if, say, you think that viewers of your site don't deserve to have malware injected into the content you are providing them, using encryption helps prevent that.

Re:Why encrypt non-sensitive content?

[damn_registrars]

That is probably the best explanation I've ever heard for that, thank you. Push the signal-to-noise down so that the people who want to eavesdrop are wasting time decrypting trivial communications that are of no significant value.

Danger...there's a big red "X" on your browser

[evolutionary]

They finally figured out nobody pays attention to anything unless you give it bright colors. It's amazing how little we have evolved (or perhaps devolved) since our early formative years. Of course when people see a big red "x" they tend to panic somewhat (as red often symbolizes danger). But because a site is not encrypted doesn't necessarily pose a danger. If there was sensitive data being sent unencrypted (or even a password field and unencrypted), okay, alert them. But to encourage ALL sites to encrypt regardless of purposes/data to avoid the big red "x" from google Chrome...seems a bit much. I'm enjoying the Vivaldi browser so I think I'll just keep using that. :D

Re:Danger...there's a big red "X" on your browser

[TapeCutter]

Bright colours are not enough these days, the icon must vibrate wildly to catch the users eye. When the eye is trained it may become lazy, so you regularly change and move the icon to keep the user alert.

Identification

[qaz123]

So they are forcing identification of all website owners.

Re:Identification

[allo]

No

Why do I need SSL?

[sgrover]

So my simple web server, serving up some basic info - like maybe my most recent cat photos.. Are you saying that I *must* use SSL to do this? And to make SSL work I have to pay to get a certificate (cuz I don't really trust the freebie options yet). All so that visitors to my site will *know* that they are looking at cat pictures securely? That doesn't really make too much sense, and seems to suggest a broad assumption about the main purpose of web sites. Not everything requires an encrypted channel. Won't someone think of the kitties? All this hype about safeguarding the Internet for the kids, and not enough to remember that kitties need love too.

Re:Why do I need SSL?

[The-Ixian]

I don't think anyone has ever said that.

All this is doing is upping the ante a little bit by expanding on the idea of the "lock" icon. As in, we have visual cues that tell us when a connection is secure, why not have some visual cues for letting us know a connection is not secure.

As far as I know, nobody is talking about refusing connections to non-secure sites.

Also, this is a Chome only thing. If you don't like it, use a different browser. Google is known to use their market dominance as a bully pulpit.

Re:Why do I need SSL?

[JesseMcDonald]

So my simple web server, serving up some basic info - like maybe my most recent cat photos.. Are you saying that I *must* use SSL to do this?

If you don't use SSL then you're putting your users at risk, not because someone might find out that they're looking at cat pictures, but because someone can tamper with the unprotected connection and inject malware which appears to come from you.

And to make SSL work I have to pay to get a certificate (cuz I don't really trust the freebie options yet).

That's your problem. The free certificates work just fine, so there's no need to pay unless you run a big enough operation to warrant an EV certificate.

Re:Why do I need SSL?

So my simple web server, serving up some basic info - like maybe my most recent cat photos.. Are you saying that I *must* use SSL to do this? And to make SSL work I have to pay to get a certificate (cuz I don't really trust the freebie options yet). All so that visitors to my site will *know* that they are looking at cat pictures securely? That doesn't really make too much sense, and seems to suggest a broad assumption about the main purpose of web sites. Not everything requires an encrypted channel. Won't someone think of the kitties? All this hype about safeguarding the Internet for the kids, and not enough to remember that kitties need love too.

As well as the other reasons mention, the higher percentage of traffic encrypted greatly improves the security of the web. If only the important stuff is encrypted then attackers automatically know what to attack to steal important information. If everything is encrypted, it makes it much harder for hackers/governments to choose important targets to hack.

Re:Why do I need SSL?

If you don't use SSL then you're putting your users at risk, not because someone might find out that they're looking at cat pictures, but because someone can tamper with the unprotected connection and inject malware which appears to come from you.

It's hyper TEXT transport protocol. You and I are not a financial institution or healthcare provider or Snowden's leak overseers keeping war secrets groped tightly. Those guys are NOT affected by this nonsense decision so there is Nothing to lose by carrying on serving casual stuff the casual way.
When someone is getting man in the middle'd over cat picture transport, their problems are bigger than pointless arguing we do here about browsers that stopped serving their *users* decades ago. We are forgetting that one thing is "this is my browser and I can tweak it to shoot my foot off if the need ever arose" and another is having some kind of lease from the browser providers to look at curated content on viewports that are carefully pre-approved and curated by the media companies out there. I bet few here even recall how many versions ago Mozilla blatantly removed the GUI option to disable javascript.

Given the orders of magnitude difference between directed delusions against imagined MITM attacks and today's pervasive javascript-assisted ad atacks and real danger of ransomware encrypting your corporate IP, there is more reason than ever to give us more choice over the UI and restore that switch without secret config gimmicks. Twenty versions ago when that JS checkbox was still around, the browser was more secure in that sense.

Re:Why do I need SSL?

The very fact that there are people asking that question means that the statement "unencrypted content is not an error state" is wrong. The public network is hostile, and it gets more hostile every year. If the connection isn't secure, the page content may be altered, maybe to track you or to serve drive-by malware trying to exploit the latest browser zero-day, and the page content may be listened in on, e.g. by ad networks who profile exactly what I'm looking at, in order to use underhanded means to get me to buy stuff I don't need.

Unencrypted content is an error state. People have tried to get site authors to secure their sites, which is fine and dandy, but this also means that people are starting to get used to the idea that their connection is private. And currently there is no real warning that a connection is not secure. And some of the idiots who forego SSL operate websites of *BANKS* for crying out loud.

And tell me -- why is a broken SSL connection less safe than an HTTP connection? If you MITM an SSL site and you keep it on SSL, you break the cert and you get an error. But strip out the encryption completely and *poof* it looks like everything is safe. How is that defensible?

Re:Why do I need SSL?

[thegarbz]

No. Just saying that the user will be warned that their cat photos are not being transmitted securely and if they have a dog owning administrator with a fascist grudge then they should cease accessing the site.

But there's the problem really, what do you know about the viewing situation of the content of your site? Maybe the user is looking at cat pictures which are illegal in their repressive regime and don't wish to be monitored? Content providers don't define the risk of their content, the viewers do. Take for instance the Anarchists Cookbook. There are plenty of places around the world where no one would bat an eye about downloading such a book, but there are others where doing so will land you on a terrorist watchlist or worse.

It's not unreasonable to let people know there's no encryption and anyone could be watching.

Re:Why do I need SSL?

[allo]

Self signed, freebie or bought. If you do not trust the free ones, why do you trust HTTP without any certificates?

Break-time

[tepples]

Then do what on break-time?

Re:Break-time

[spongman]

tether?

Re:Break-time

[mindwhip]

Read a book, read a newspaper, talk to your co-workers, get your employer to install a TV in the break room, go for a walk.

Re:Break-time

[tepples]

Not all suggestions apply to all situations:

read a newspaper

Newspapers have moved to the Internet.

talk to your co-workers

Depends on whether they're on break at the same time.

get your employer to install a TV in the break room

It has become increasingly common to deliver TV over the Internet.

go for a walk

Practicality depends on weather.

HTTPS sites rank slightly higher

[tepples]

Unless the feature is going to be added not only to Google Chrome but also to Google Search. The latter already uses HTTPS availability as a weak tiebreaker for ranking.

True sense of insecurity

[tepples]

it actively tries to impress upon the user that the https connection with a self signed certificate is worse than a plain text http connection

A URL using the https: scheme and an unknown certificate authority gives a false sense of security, while a URL using the http: scheme gives a true sense of insecurity. Browser publishers rank truth of sense greater than security.

Re:True sense of insecurity

[qaz123]

They don't show http(s): in the address bar anymore

Re:True sense of insecurity

[roman_mir]

In the version of FF I am on right now 41.0.1 on Linux Mint 17 I don't see http or https in the address bar. I see a green padlock for https, you click on it and it gives you some details including saying 'secure connection'.

HTTP is just a grey url, click on it and see 'connection is not secure'.

Go to a site with a self signed certificate and get this crap:

This Connection is Untrusted

You have asked Firefox to connect securely to www.pcwebshop.co.uk, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

--get me out of here-- (button)

--Technical details-- (link)

--I understand the risks --(link)

Well, shit, I don't think most people actually understand the risks, but given that FF doesn't even show https in the URL any longer WTF is it doing treating a self signed https site worse than an http site that may also have user name / password on it?

If you don't think this is a case of either stupidity or malicious intent, trying to push people towards CAs while in reality preventing tons of people from setting up SSL in the first place, then you don't get people's behaviour.

Re:True sense of insecurity

[tepples]

The major Free browsers show https: but hide http:. I tried them on a site with a domain-validated certificate from StartSSL:

Firefox 44 HTTP shows no scheme and a gray globe, whereas HTTPS shows https: and a green lock. Chromium 48 HTTP shows no scheme and a gray dog-eared page, whereas HTTPS shows https: and a green lock.

Re:True sense of insecurity

[tepples]

In the version of FF I am on right now 41.0.1 on Linux Mint 17 I don't see http or https in the address bar. I see a green padlock for https

I haven't seen this behavior. I've seen shown for HTTPS and hidden for HTTP. To help me confirm the behavior you are seeing, please visit some HTTPS site, take a screenshot, post it to Imgur or wherever, and link it here.

Re:True sense of insecurity

[qaz123]

So maybe they can hide "https" for self-signed connections? I mean self-signed certificates is an easy and free way to encrypt connection. If I only want to encrypt connection so it remained unmodified, then a self-signed certificate is enough.

Re:True sense of insecurity

[roman_mir]

You are correct, I was wrong, checked it again, I can see https in the URL.

This does not change my point, FF should treat HTTPS that FF doesn't like the same as it treats HTTP with a detailed explanation that you get by clicking on the grey globe or the padlock sign.

'Unsecured' (from the perspective of the browser ) HTTPS or unsecured (because it is) HTTP, treating one as if it is something to be avoided while not even remotely bringing up attention against the other is a political and/or a financial statement, not a technical one.

Bank of Arnerica

[tepples]

What's an acceptable level of "verifiable accountability" to you? I assume HTTPS with a self-signed certificate. Is a domain-validated certificate enough? Or do you demand an organization-validated certificate because of the risk of someone registering bankofarnerica.com and obtaining a domain-validated cert?

Google sponsors Let's Encrypt

[tepples]

Next, only content signed by "trusted" CA's?

Let's Encrypt is a trusted certificate authority. And I don't see that going away any time soon, as the division of Google responsible for Chrome is a platinum sponsor of Let's Encrypt.

Re:Google sponsors Let's Encrypt

[Oligonicella]

Google, Chrome and trusted really shouldn't be used together in the same paragraph.

Re:Google sponsors Let's Encrypt

[tepples]

I can remove the word "trusted" without loss of meaning.

Let's Encrypt is a certificate authority whose root certificate is included in the default root certificate set used by Google Chrome. And I don't see that going away any time soon, as the division of Google responsible for Chrome is a platinum sponsor of Let's Encrypt.

Automating error blindness.

[TapeCutter]

My Chrome browser recently started putting up an error page because python.org's certificate was a few days out of date. The error page has a big blue button marked "back to safety", the other button is a little harder to spot. It was mildly annoying since I was using the online docs while writing a script and the browser forgets your "fuck off" answer to the error between sessions. I'm sure there's an option somewhere that will automate my willful blindness to this error page, I'm just too lazy to look it up

Re:Automating error blindness.

[fahrbot-bot]

My Chrome browser recently started putting up an error page because python.org's certificate was a few days out of date.

I wasn't aware that browsers use fuzzy logic for a certificate expiration date? I thought it was either expired or not-expired. They're not milk where's there's a little wiggle room past the expiration date, but more like condoms - broken or not-broken.

Re:Automating error blindness.

My Chrome browser recently started putting up an error page because python.org's certificate was a few days out of date.

I wasn't aware that browsers use fuzzy logic for a certificate expiration date? I thought it was either expired or not-expired.

I think the point is that GP doesn't care if his connection to python.org is secure, period.

Let's Encrypt

[tepples]

Now I have to pay someone else to have a web site that will visible to the public.

You already have to pay your domain registrar and hosting provider.

Now big-ass Google is coming in and I need to pay someone else to have an encryption certificate.

But you don't have to pay StartSSL, WoSign, or Let's Encrypt for a TLS certificate.

Re:Let's Encrypt

[Bomarc]

You already have to pay your domain registrar and hosting provider.

I actually tried to avoid an itemized list. (Hosting provider: My basement)

But you don't have to pay StartSSL, WoSign, or Let's Encrypt for a TLS certificate.

As noted: After three days of working on just this problem; I was not able to implement SSL.

Re:Let's Encrypt

[tepples]

You already have to pay your domain registrar and hosting provider.

I actually tried to avoid an itemized list. (Hosting provider: My basement)

You already have to pay your domain registrar and your home ISP. Many home ISPs' acceptable use policies prohibit running a publicly accessible server from your basement, and they enforce it either through a firewall (blocking inbound connections on 80/443 or on all ports), through carrier-grade network address translation (CGNAT) which doesn't give your computer a public IPv4 address in the first place, or simply through threat of having your home disconnected from the Internet for twelve months. To avoid this threat of disconnection, many customers upgrade to a business-class plan that includes an IPv4 address with inbound and no server ban in the AUP.

After three days of working on just this problem; I was not able to implement SSL.

How long ago were these three days spent? If it was years ago, perhaps the installer has improved since then.

Re:Let's Encrypt

[Bomarc]

You already have to pay your domain registrar and your home ISP.

I actually tried to avoid an itemized ... oh well

Many home ISPs' acceptable use policies prohibit running a publicly accessible server from your basement, and they enforce it either through a firewall (blocking inbound connections on 80/443 or on all ports), through carrier-grade network address translation (CGNAT) which doesn't give your computer a public IPv4 address in the first place, or simply through threat of having your home disconnected from the Internet for twelve months. To avoid this threat of disconnection, many customers upgrade to a business-class plan that includes an IPv4 address with inbound and no server ban in the AUP.

... one key term (missing) "commercial"; for profit; (If they start blocking, I switch ISP's... there are three nice ones in the area. It is good having a little competition) I'm using my server as an non-profit information portal. The technique also can route traffic to different ports (using 6 now) based on the actual domain (URL). As for CGNAT implementation ... I'll start bitching about being blocked by wikipedia and other broken websites. I will continually ask for credit for non-working internet access. After several credits, they will need to reconsider implementation of CGNAT.

How long ago were these three days spent? If it was years ago, perhaps the installer has improved since then.

It was 2-3 years ago. From above: I'll re-try installation (work... please... work!)

You want MITM inserting porn in historical sites?

[tepples]

I run about 50 websites, some for myself and some for local non-profit organizations. They're all simple information/brochure websites with no real interaction or sensitive content.

The "sensitive content" is what a man in the middle could insert into your stream: pornography, libel, ransomware downloads, or what have you.

yet it's going to cost me a small fortune in certificates to keep them alive in the future.

Let's Encrypt certificates cost zip.

When will Google admit hosts = superior?

Can adblock+ do 16 things hosts do 4 speed, security & reliability:

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnets + stop C&C talk
3.) Protect vs. dynamic dns botnets + stop C&C talk
4.) Protect vs. DGA botnets + stop C&C talk
5.) Protect vs. downed DNS (4 reliability)
6.) Protect vs. DNS redirect poisoning
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phish
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up surfing (adblock & hardcoded favs)
14.) Works on anything webbound multiplatform.
15.) EZ data control
16.) Block ads better vs. addons more efficiently

* ANSWER ="NO" on ab+ doing it as well or @ ALL + hosts = on devices natively.

APK

P.S.=> Ab+ does less vs. hosts less efficiently - hosts do MORE w/ less + Hosts start w/ IP stack before REDUNDANT inefficient addons BEGIN operation (as 1st resolver).

---

Ab+'s a 128-151mb memory hog http://cdn.ghacks.net/wp-conte... (hosts use 3-11mb w/ my program initially). Even FireFox 41 adblock eats 65++mb http://www.ghacks.net/2015/06/...

---

ClarityRay defeats it seeing addons via native browser methods!

---

Ab+'s bribed not to work by default http://www.businessinsider.com... & ABP bought out adblock http://www.theregister.co.uk/2...

---

Ab+ adds complexity in slower usermode (w/ more messagepassing overhead + context switch vs. hosts in kernelmode).

---

AdBlock's SLOWER: http://superuser.com/questions...

---

What's best?

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

MalwareBytes' hpHosts Admin (MalwareBytes employee who verified its source is safe http://forum.hosts-file.net/vi... ) hosts & recommends it http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

&

It's safe per 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

+

a 32-bit model too https://www.virustotal.com/en/...

& Installer -> http://f.virscan.org/APKHostsF...

What do I #include to write that field?

[tepples]

Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

How would a portable program specify the content type of its output? The standard library of ISO C provides no way to manipulate "another data field of the OS". Nor does the standard library of ISO C++. Which well-known multi-platform programming language's standard library does?

Re:What do I #include to write that field?

He's arguing how things should be and you are arguing how things are. We are well-aware that no cross-platform way exists.

>How would a portable program specify the content type of its output?

HTTP standard is to print the Content-Type header to stdout. I'm not sure how Terminology does it, though. Escape sequences come to mind as the usual hack.

But this is one of the things Apple got right. The File Type and Creator App are extra metadata fields there and it was supported in their API throughout.

Lots of other filesystems support extended attributes and there's a freedesktop standard for this, at least.

Rox Filer also has it right and so had RISC OS.

Re:What do I #include to write that field?

Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

How would a portable program specify the content type of its output? The standard library of ISO C provides no way to manipulate "another data field of the OS". Nor does the standard library of ISO C++. Which well-known multi-platform programming language's standard library does?

None of this is necessary. Use libmagic.

Re:What do I #include to write that field?

[tepples]

Lots of other filesystems support extended attributes

Unfortunately, FAT32 is not among them. In theory, Windows may support them technically, but Wikipedia's article about extended attributes gives no indication of how it is supported or what other operating systems support Microsoft's implementation. And FAT is the only removable media file system I'm aware of that 1. can be formatted by software included with Windows and 2. can be read and written by Windows, OS X, and free software.

there's a freedesktop standard

I found it. It involves setting the user.mime_type attribute. But traditional methods still need to be used for files stored on FAT32 media (usually USB flash drives or SD cards) or processed by attribute-unaware applications. Or is it recommended to amend major GNU/Linux distributions' inclusion criteria to exclude attribute-unaware applications?

slashdot is SSL free

So, uh, when is slashdot.org going to run over https?

Didn't anybody notice?

Re:slashdot is SSL free

www.soylentnews.org

Has supported https by default (as well as UNICODE) for years.

Nobody took notice, but SoylentNews is the defacto owner and maintainer of what used to be Slashcode.

Let's Encrypt automatically renews

[tepples]

And even if you had money, you would have to renew certificate each year

Let's Encrypt automatically renews your certificate every couple months.

(for some reason these things expire)

They expire as a means of pruning the revocation list.

When will Google admit hosts = superior?

Can adblock+ do 16 things hosts do 4 speed, security & reliability:

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnets + stop C&C talk
3.) Protect vs. dynamic dns botnets + stop C&C talk
4.) Protect vs. DGA botnets + stop C&C talk
5.) Protect vs. downed DNS (4 reliability)
6.) Protect vs. DNS redirect poisoning
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phish
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up surfing (adblock & hardcoded favs)
14.) Works on anything webbound multiplatform.
15.) EZ data control
16.) Block ads better vs. addons more efficiently

* ANSWER ="NO" on ab+ doing it as well or @ ALL + hosts = on devices natively.

APK

P.S.=> Ab+ does less vs. hosts less efficiently - hosts do MORE w/ less + Hosts start w/ IP stack before REDUNDANT inefficient addons BEGIN operation (as 1st resolver).

---

Ab+'s a 128-151mb memory hog http://cdn.ghacks.net/wp-conte... (hosts use 3-11mb w/ my program initially). Even FireFox 41 adblock eats 65++mb http://www.ghacks.net/2015/06/...

---

ClarityRay defeats it seeing addons via native browser methods!

---

Ab+'s bribed not to work by default http://www.businessinsider.com... & ABP bought out adblock http://www.theregister.co.uk/2...

---

Ab+ adds complexity in slower usermode (w/ more messagepassing overhead + context switch vs. hosts in kernelmode).

---

AdBlock's SLOWER: http://superuser.com/questions...

---

What's best?

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

MalwareBytes' hpHosts Admin (MalwareBytes employee who verified its source is safe http://forum.hosts-file.net/vi... ) hosts & recommends it http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

&

It's safe per 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

+

a 32-bit model too https://www.virustotal.com/en/...

& Installer -> http://f.virscan.org/APKHostsF...

It does take extra effort

[tepples]

Other than that. I guess the other side of the argument to "why not use just use unencrypted HTTP?" is "if there is no cost involved and doesn't a lot of extra effort to set up, why NOT use encrypted HTTP?"

And the answer is that it does "a lot of extra effort to set up", at least according to Bomarc's comment.

Man in the middle

[tepples]

If I only want to encrypt connection so it remained unmodified

A man in the middle can decrypt on one end and encrypt on the other end in order to modify the data. A self-signed certificate protects against only passive attacks, not active (man in the middle) attacks, unless you find some way to communicate the certificate's fingerprint out of band.

Re:Man in the middle

[qaz123]

Still better than http. But I said "If I want to encrypt". But I don't want to. I think this problem is exaggerated. Most websites just don't need it

Re:Man in the middle

[tepples]

If you do not encrypt, a third party can insert malware downloads into your site. Do "most websites just [not] need" a lack of malware?

Re:Man in the middle

[qaz123]

maybe I should be afraid to visit slashdot now

Re:Man in the middle

A self signed certificate is a man in the middle attack in some situations.

Imagine a corporate network with an internet proxy server - everything you do, SSL or not, is readable by the proxy. If you accept the self signed certificate, you have no indication that securelogon.personalbank.com is really proxy.companyname.local siting in the middle. The self signed certificate might have been accepted on your behalf thanks to GPO.

No consider that ISPs are very similar to a corporate proxy server regarding the man in the middle attack. They control the connection, they control DNS, they control everything.

I'd much rather have a certificate warning pop up than simply say 'great, it's secure'.

Secure has a number of meanings. HTTP vs HTTPS is about 'is this communication private or not?' HTTPS is secure in the privacy sense. CA signed vs self signed (in theory) is about 'are you really who you say you are?' CA signed is (in theory) is much more secure in a truth sense.

When you visit a http site, you are not secure in terms of privacy. When you visit a https site, you are secure in terms of privacy.

To be secure in terms of trust, you have to trust registrars, domain name authority and dns resolution. To add secure in terms of privacy to that, regardless how long or short it may be, you have to trust the entire CA chain.

Re:Man in the middle

[tepples]

Imagine a corporate network with an internet proxy server - everything you do, SSL or not, is readable by the proxy. If you accept the self signed certificate, you have no indication that securelogon.personalbank.com is really proxy.companyname.local siting in the middle. The self signed certificate might have been accepted on your behalf thanks to GPO.

The company's root certificate would have to have been deployed through GPO.

No consider that ISPs are very similar to a corporate proxy server regarding the man in the middle attack. They control the connection, they control DNS, they control everything.

But not the root certificate. (Yet.) This is the key difference between a home ISP and a corporate LAN: the former is less likely to try to install a proxy's root certificate on customer-provided equipment.

MITM breaks self-signed HTTPS

[tepples]

Easy solution. Allow self-signed certificates.

Then let me rephrase Anonymous Coward's post:

Use of a CA means your "list of local historical sites" remains exactly as you wrote it, and doesn't mysteriously lose mention of that awful thing which happened in 1846 that a local politician feels "school children just don't need to be taught" when it is viewed through a man-in-the-middle proxy on school WiFi. It also won't suddenly gain a banner advertisement for Amazon when viewed through the man-in-the-middle proxy of a certain US ISP. You presumably care about the "simple information" on your sites and want it presented as you wrote it, so that seems valuable, but without some means of detecting a man-in-the-middle proxy, there just isn't any guarantee at all.

because ad networks used to be SSL free

[tepples]

Slashdot used to offer subscriptions. When it offered subscriptions, subscribers used HTTPS to view ad-free pages. HTTPS was treated as a subscriber perk because until September 2013, there were no major ad networks that worked over HTTPS.

Give me this

First, allow me to decide how MUCH of the URL to show in the address bar when I'm finished typing

ie: allow me to type cnn and hit return, knowing that it will resolve to http://www.cnn.com/ and allow me to decide whether I just want that displayed as www.cnn.com or as the full http://www.cnn.com/

Second, allow me to decide whether my browser should be even allowed to display non-https content. Because frankly, if you aren't using HTTPS on your site for EVERYTHING, you are doing your users a dis-service, period. I do currently use HTTP sites, but if this was the default behavior for all browsers, we would quickly see the entire internet switch over to HTTPS and I personally see this as a good thing.

Third, warn me and allow me to decide what level of SSL I want to support (I will always pick to ONLY support the most advanced currently unbroken SSL level). Again, if your site isn't using TLS 1.2 then I'm not going to be using your site.

Why is this so fucking difficult? I devised these rules in 5 minutes. Come on Google, get your Chrome team ahead of the curve.

Whois already identifies you

[tepples]

So they are forcing identification of all website owners.

Whois already does that, thank you very much. And Let's Encrypt doesn't need any more information than what's already on your domain's Whois record before issuing a domain-validated certificate.

Get Perspectives

[tepples]

Firefox defines typing in s as indicating that the user desires protection from a man in the middle (MITM). Install the Perspectives extension, which adds a second method of detecting MITM that works with self-signed certificates, and self-signed certificate errors will go away.

Re:Get Perspectives

[roman_mir]

I am not talking about myself, I am talking about every user that gets these errors and decides that the site is somehow dangerous in a way that the user doesn't understand, more dangerous than a http site, while in reality it is not more dangerous. Setting up extensions to fix broken browser problems is all great, whatever. My point on this story here stays: GOOD.

Since FF team can't figure out what to do next without looking at Chrome and other 'amazing' browsers first, this likely means that eventually FF will have the same thing Chrome is about to have in it and it will also put a big red 'birdy' near an http site. At least we are going to start achieving some parity, which was the point of my initial comment.

Re:Get Perspectives

[tepples]

I am talking about every user that gets these errors

Every user that gets these errors can install the Perspectives extension to make self-signed certificates not dangerous.

and decides that the site is somehow dangerous in a way that the user doesn't understand, more dangerous than a http site, while in reality it is not more dangerous.

It's not about whether a site is dangerous per se as much as whether a site is as dangerous as a reasonable person would expect when keying in the URL.

and it will also put a big red 'birdy' near an http site.

I've already got a big blue 'birdy' on an HTTPS site.

Re:Get Perspectives

[roman_mir]

It's not about whether a site is dangerous per se as much as whether a site is as dangerous as a reasonable person would expect when keying in the URL.

- that's complete nonsense. A person 'keying in' (most just click) a URL expects to get to the site. A browser actively trying to prevent a user from getting to that site based on the fact that the certificate for the site is not what the browser company decides is in the best interest of the company (AFAIC) is not an indicator of the site being secure or insecure.

In most cases nobody is hit with MITM attacks, however ALL communications are stolen and recorded by NSA and the like. It is better to be on an https site with a self signed certificate, when a government is listening to all communications to filter it by keywords than to be on http and not be warned by the browser about anything.

I am not advocating treating https with self signed certificate exactly the same as https with a certificate that some 'authority' verifies. I am saying that a browser treating a site with a self signed certificate as if it is a virus while happily letting people navigate the rest of the http web is not for the benefit of a user.

Re:Get Perspectives

[tepples]

A person 'keying in' (most just click) a URL expects to get to the site.

A person either keying in or clicking a URL that specifically uses the https: scheme also expects the site not to be modified between the server and the browser. This means a person expects a man in the middle attack to be detectable. I know of three means of detecting MITM: CAs, DANE, and Perspectives.

A browser actively trying to prevent a user from getting to that site based on the fact that the certificate for the site is not what the browser company decides is in the best interest of the company (AFAIC) is not an indicator of the site being secure or insecure.

There's no financial interest in the sale of certificates, as both Mozilla and Google sponsor the no-charge CA Let's Encrypt. This means "the best interest of the company" lies in building a reputation for producing a browser that ensures prompt detection of MITM. The browser ships with one means of detecting MITM, namely CAs, and provides an extension mechanism to add others.

It is better to be on an https site with a self signed certificate, when a government is listening to all communications to filter it by keywords than to be on http and not be warned by the browser about anything.

True, HTTPS is better than HTTP at a passive attack. But immunity to passive attacks will drive at least one attacker to cease passive attacks in favor of active attacks, even if said attacker happens to be an attacker other than the NSA. This is why Perspectives exists: to verify lack of an active attacker between the server using a self-signed cert and the user. It retrieves the cert through the Internet over several routes, and if they all match, then either no active attack is in progress (most likely) or the same active attacker has compromised all routes (highly unlikely).

I am saying that a browser treating a site with a self signed certificate as if it is a virus while happily letting people navigate the rest of the http web is not for the benefit of a user.

And I am saying that a browser with Perspectives doesn't treat self-signed certs this way.

Buck feta. Buck FIZX.

[tepples]

Especially because SlashdotMedia just got bought out by BIZX, and some people think this is dangerous.

You can always come to SoylentNews. It has HTTPS, and we won't bite.

Hmmm.

I would argue that in our new we are recording you world, unencrypted content IS an error state. Just like not wearing your seatbelt is an error state now. In the old days, it wasn't. And when those "BEEP BEEP WEAR YOUR BELT" signs came along, they were greeted with similar "useless warning" arguments. In fact, it was NOT a useless warning, and now everyone mostly wears their belts. Some day, all data will be encrypted, and it will seem just as dumb not to encrypt as it is not to wear a sealt belt in a car.

Good idea!

This hopefully will encourage more sites *cough*slashdot*cough* to enable HTTPS connections, and make them the default for all traffic. The more the internet is encrypted, the better. Keeps the spooks busy and hopefully in the dark (or at least wasting a lot of resources decrypting mundane traffic.)

Just give the users the option.

[gatfirls]

On install or setup ask if they would prefer SSL only results/sites and inform them after the fact they elected for the option if they want to proceed to an unecrypted site. Kind of the same thing with sites that have certificate errors.

As others have said the warning thing will just add a layer of complexity that users ultimately won't understand.

Cacheable pages don't load ads

[Sloppy]

Cacheable pages might have ads, but they're not The Right ads.

IPv4 address exhaustion

[tepples]

Most secure sites should run on a dedicated server, not be shared with other domains websites on the same server, since it is a security issue.

Because of IPv4 address exhaustion, multiple dedicated servers would have to sit behind a load balancer with one IPv4 address that terminates the TLS connection.

But you could also use a unique IP address for each site hosted on the same server..... IP virtual hosting

This became impractical as of IPv4 address exhaustion.

Internet Explorer on Windows XP does not

...receive security updates anymore. It hasn't for 21 months. Therefore, it should be assumed subject to compromise by things such as keyloggers and therefore insecure.

Re:IPv4 address exhaustion

[mysidia]

This became impractical as of IPv4 address exhaustion.

No... It didn't become impractical at all; By the time it becomes impractical, everyone will have to have IPv6 connectivity, anyways. The truth is, there are many IP addresses which have been assigned which are not being used yet, and those who have a reason to use an IP address will be able to economically obtain the addresses they need for a buck or two extra.

Anybody who is serious about putting up a secure website can still obtain a unique IP address for their website, very easily, and it's not even expensive; there is a marginal increase in cost per IP address, which will be insignificant for just a few IP addresses. In fact, multiple unique IP addresses will be required for achieving geographic redundancy.

Re:IPv4 address exhaustion

[tepples]

those who have a reason to use an IP address will be able to economically obtain the addresses they need for a buck or two extra.

A buck or two extra per what period of time?

Anybody who is serious about putting up a secure website can still obtain a unique IP address for their website, very easily

Let's say, hypothetically, that 2 billion out of the world's 7 billion people each decide to put up a blog. Each blog operator also needs to add security so that he or she can log in and add posts, and so that users can log in and leave comments, without their passwords and/or session cookies being copied by a Firesheep user. Subtracting IP address blocks reserved for other purposes, this leaves fewer than 2 billion IP addresses left for users' client devices.

Wage equivalent of not having to tether

[tepples]

An upgrade from my present cellular plan to one allowing tethering would cost roughly $50 per month, or $600 per year. At 2000 hours per year (full-time) and 25 percent income tax, this would reduce my effective hourly wage by 40 cents per hour. At 1000 hours per year (part-time) and 25 percent income tax, this would reduce my effective hourly wage by 80 cents per hour. But if an employer provides unrestricted break-time Internet, I don't have to pay $600 per year to a cellular company, and the employer can keep me as an employee without having to give me such a raise.

It makes hacked sites more dangerous, are common

[raymorris]

While it's true that https makes it harder to MITM the guy's blog or whatever, in my 15 years of full-time web security work, I haven't seen too many problems with MITM.

What I've seen a LOT more of, at least 200 times more, is hacked sites. Some Wordpress vulnerability or whatever and the bad guys ad malware to the public pages, while hosting phishing related pages in hidden directories.

A security- conscious company, head of household, or even ISP can largely protect users against malware that's been added to sites by detecting it at the firewall, as it enters the network. Unless of course it's https, in which case you can't detect the content at all. (Unless you do your own MITM, which often turns out badly).

So while https on a content site, a site that doesn't handle secure transactions, can theoretically reduce the risk of something that rarely happens anyway, it makes it much harder to protect against the far more common threat.

Overall, turning on the light and seeing what's flowing through your network is often safer than operating in the dark. In the dark you may -feel- like noone can see you, but in fact you can't see what's going on either. Often, what's hiding in the dark is more dangerous than being visible in the light.

That's just may experience, my fifteen years with the 70,000 or so client web sites I have data for.

A hacked site's hostname is sent in the clear

[tepples]

The firewall can detect the hostname through the Server Name Indication field of the ClientHello packet, which is sent in the clear. If the hostname is known to have been infected, it can block the connection. It cannot detect the URL with path granularity, but if a site has been compromised, all paths on that site are probably shot as well.

So while https on a content site, a site that doesn't handle secure transactions

The Firesheep extension demonstrated that any site into which a user can enter a name and password, such as to post to the site's comment section or to read private messages or paywalled documents, is a site that "handle[s] secure transactions".

SSL hides malware added by WordPress etc hack

[raymorris]

While it's true that https makes it harder to MITM the guy's blog or whatever, in my 15 years of full-time web security work, I haven't seen too many problems with MITM.

What I've seen a LOT more of is hacked sites. Some Wordpress vulnerability or whatever and the bad guys add malware to the public pages, while hosting phishing related pages in hidden directories. 99.9% of malware on sites is actually added to the site, not MITM by a rogue ISP or whatever. (And if you're buying internet service from a rogue ISP that alters web pages, you need a new ISP, not a red X).

A security-conscious company, head of household, or even ISP can largely protect users against malware that's been added to sites by detecting it at the firewall, as it enters the network. Unless of course it's https, in which case you can't detect the content at all. (Unless you do your own MITM, which often turns out badly).

So while https on a content site, a site that doesn't handle secure transactions, can theoretically reduce the risk of something that rarely happens anyway, it makes it much harder to protect against the FAR more common threat.

That's just my experience, my fifteen years with the 70,000 or so client web sites I have data for.

Re:SSL hides malware added by WordPress etc hack

[JesseMcDonald]

And if you're buying internet service from a rogue ISP that alters web pages, you need a new ISP, not a red X.

Big-name ISPs like AT&T, Verizon, and Comcast have been caught tampering with HTTP traffic to insert their own tracking headers and ads—including scripts in some cases—and not everyone has a great deal of choice in ISPs in their area. This is hardly a theoretical concern, and HTTPS is the most direct and effective way to prevent such tampering.

Your own reputation is at stake, along with users' security. Do you want to get blamed for inappropriate content that some random ISP injected into your page? It may technically be the ISP's fault, or even the user's for choosing that ISP, but you made the tampering possible by failing to take reasonable and customary steps to ensure the integrity of the data delivered from your server.

A security-conscious company, head of household, or even ISP can largely protect users against malware that's been added to sites by detecting it at the firewall, as it enters the network. Unless of course it's https, in which case you can't detect the content at all.

If users want that sort of protection they can manually configure a proxy, thus consenting to allow their traffic to be inspected. We do need better proxy protocols for HTTPS which permit inspection but not tampering, and avoid bypassing the browser's built-in certificate validation. This could be accomplished by making the proxy a simple passive conduit while sharing the client's symmetric encryption key and IV with the proxy. This would let the proxy decrypt the traffic as it's forwarded and cut off the connection in the event of a problem, but tampering would still be detectable since the proxy would not possess the HMAC secret.

Companies and households could force all traffic to pass through the proxy simply by blocking direct connections. ISPs would have a harder time getting away with that, which is as it should be. ISP-level malware protection should be an optional benefit, not a mandatory requirement.

Maybe an ICON in the URL field?

You know, LiKe iT UsEd To Be!!!! (I werent allowed to use all caps for the desired effect since acording to /. its like yelling. I kNoW! ThAtS WhY I DiD iT!

Bad security

[Britz]

This is actually bad security. It is similar to the Vista UAC debacle. Vista taught a generation of users that they don't need to read security pop ups. By having them pop up way too often and without consequences if you don't read them for most of the time. Even if the user had read them, they wouldn't understand.

The user is the most important part of security, period. Thus teaching the user is more important than anything else, when you want to mitigate risk.

Google is making the web a lot unsafer with this.

Slashdot does not use HTTPS

Goodbye Slashdot, nice knowing ya!

Google Chrome will make Slashdot, and all other non-HTTPS websites, obsolete in 2016.

\what's the point?

What's the point?

They should also remove the HTTPS warning

Once this feature gets implemented, by default any website will be considered insecure unless it uses proper HTTPS connection and the certificate is valid.
Then it would be just a matter of coherence to completely remove the warning when accessing an HTTPS website with an incorrect/untrusted certificate. I have never understood this warning and the extreme reaction from browsers in this use case.

A shade

[JustOK]

A shade/brightness of red depending on scripts and input fields on the page.

Bad Usability

"Principle: It is just important to be visually inconsistent when things act differently as it is to be visually consistent when things act the same
Make objects that act differently look different. For example, a trash can is an object into which a user may place trash and later pull it back out. If you want to skip the “and pull it back out” functionality, that’s fine. Just make it look like an incinerator or shredder or anything other than a trash can.

Make pages that have changed look changed. If someone encounters an unfamiliar page on an updated website or in a revised app, they know to look around and figure out what’s different. In the absence of such a cue, they will attempt to use the page exactly as they have always done, and it won’t work."

From http://asktog.com/atc/principles-of-interaction-design/

forces admins to buy ssl

[slibsirk]

Completely unnecessary. Many sites that only have plain-text, non-sensitive information will have a big "X" on them, scaring off unaware users. Google is forcing admins to get SSL certs for no reason

Update on article admits this story is not true

I know it goes against all /. rules, but I went and read the original article. At the end there is an update saying,

"UPDATE: We were contacted by Peter Kasting, one of Google's engineers in the Chromium project, who told us we're idiots. But at least we're not the only ones. As Mr. Kasting's puts it: "In other words, there's no story here, unless the story is 'by the way, a year ago the Chrome team added a flag to do this and we just wanted to let you know that the flag still happens to exist'." So there's no permanent to Chrome coming by the end of 2016. We're sorry, but most of today's stories break via Twitter. Sometimes you get nice teasers, sometimes you get developers talking about their wishes and desires, instead of actual implementations."

So this is a non-story.

I'm hoping this get voted down sufficiently, so the tinfoil hat brigade and continue to lament about Google breaking the interwebs.