Slashdot Mirror


Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com)

An anonymous reader writes: Permanent changes are planned for future Google Chrome releases, which will add a big shiny red cross in the URL bar if the website you're accessing is not using HTTPS. Google says it is planning to add this to Chrome by the end of 2016, after one of its developers proposed the idea back in December 2014. Many have argued that the web is predominantly unencrypted, so they're displaying a persistent and ambiguous error message for a large portion of the Internet. Since unencrypted content is not an error state, the Chrome team should use alternate iconography, because the default error message this will just confuse average people, and it will encourage error blindness.

25 of 216 comments

  1. Re:Not Sure What the HTTPS Hooplah is all about by lgw · · Score: 5, Insightful

    HTTPS only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

    I'd prefer my employer didn't know the contents of what I post to Slashdot. You can extend this to just about any forum where ideas are exchanged.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  2. title by Anonymous Coward · · Score: 3, Insightful

    I think the OP wanted the title to be "Google Chrome" Maybe one of the mods can fix that by at least replacing Google with Chrome.

  3. Re: Not Sure What the HTTPS Hooplah is all about by Anonymous Coward · · Score: 4, Funny

    Get back to work.

  4. Re:Not Sure What the HTTPS Hooplah is all about by BradleyUffner · · Score: 3, Informative

    HTTPS only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

    Umm... the full URL certainly IS encrypted.
    https://stackoverflow.com/ques...

  5. Re:Not Sure What the HTTPS Hooplah is all about by NotInHere · · Score: 2

    In fact, the URL is encrypted. The only thing that is not encrypted is the hostname. You should probably use APK's host file engine if you don't want the DNS request info to leave your computer (or use DNSSEC), and even then you'd have to disable SNI.

    But I kind of agree. HTTPS is a nice concept, but it's no silver bullet. It only protects your data on the way to the cloud provider or whatever you are visiting. The cloud provider still gets the unencrypted files. But yeah, HTTPS is something the cloud industry really likes. It protects the data from everyone but them. So they control it, and it's their version of greenwashing.
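
    The point made in the two replies above (the URL path is inside the encrypted channel, but the hostname is still visible in the TLS ClientHello's SNI extension, independent of DNS) can be shown with a small packet builder and parser. This is an added example, not code from the thread or from any browser vendor; it constructs a minimal TLS 1.2-style ClientHello for a made-up hostname and path, then parses the server_name extension back out of the raw bytes. The hostname, path, and cipher suite choice are illustrative assumptions.

```python
# Added example: build a minimal TLS ClientHello carrying an SNI extension,
# then parse the SNI back out of the raw record. Shows that the hostname is
# sent in the clear while the URL path never appears on the wire before the
# handshake completes. Hostname and path below are constructed for the demo.
import os
import struct
from typing import Optional


def _u8(n: int) -> bytes:
    return struct.pack("!B", n)


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: str, path: str = "/secret/page",
                       with_sni: bool = True) -> bytes:
    """Return one TLS handshake record holding a ClientHello.

    `path` is accepted only to make the point: it is never written into the
    output, because the HTTP request line (and therefore the URL path) is
    sent after the handshake, inside the encrypted channel.
    """
    del path  # deliberately unused: the path does not exist at this layer
    cipher_suites = _u16(0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (one is enough)
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # client random
        + _u8(0)                                     # session_id length 0
        + _u16(len(cipher_suites)) + cipher_suites   # cipher_suites vector
        + _u8(1) + b"\x00"                           # one compression method: null
    )
    if with_sni:
        name = hostname.encode("idna")
        server_name_list = _u8(0) + _u16(len(name)) + name   # name_type 0 = host_name
        sni_ext_body = _u16(len(server_name_list)) + server_name_list
        extensions = _u16(0x0000) + _u16(len(sni_ext_body)) + sni_ext_body  # ext type 0 = server_name
        body += _u16(len(extensions)) + extensions
    handshake = _u8(1) + _u24(len(body)) + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse the server_name extension out of a TLS handshake record.

    Returns None when the record is not a ClientHello or carries no SNI,
    which is what a passive observer would also conclude.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                 # version + random
    pos += 1 + body[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + body[pos]                                         # compression_methods
    if pos + 2 > len(body):
        return None                                              # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = ext_data[q]
            name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
            name = ext_data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", path="/private/thread?id=42")
    print("SNI visible on the wire:", extract_sni(hello))
    print("path visible on the wire:", b"/private" in hello)
```

    Feed a captured ClientHello into extract_sni and it returns the same hostname a network operator, a corporate proxy, or a packet sniffer sees; nothing in the record identifies the page being requested. The with_sni=False case models an older client that sends no server_name at all, where only the DNS lookup and the destination IP give the hostname away.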

  6. Wait... by RJFerret · · Score: 5, Interesting

    So we used to have a simple system, see http:// on the URL bar, or see https:// on the bar.

    Then some idiot got the bright idea of hiding the start of the URL, so users could be ignorant or infuriated.

    Now they are going to use another symbol to indicate the lack of an "s"?

    Have I really got this right?

    (Hopefully in the future the symbol will be clarified by replacing it with a sequence of letters.)

    1. Re:Wait... by Simulant · · Score: 2

      This. Yes you have it right. They took a page right out of Microsoft's book and oversimplified the address bar to the point where people who were capable of learning the difference between HTTP and HTTPS or a search term and a URL no longer have the opportunity, and then they complain of computer illiteracy...

      This shit irks me to no end. Windows is full of examples (hiding file extensions by default for instance)

    2. Re:Wait... by XanC · · Score: 4, Informative

      What we've learned is that not all HTTPS are created equal. There could be insecure ciphers, mixed content, insecure signatures, vulnerabilities, what have you. Just looking for the "s" isn't enough. It's a very good thing that the browsers, which can look at all the factors, are giving better hints about whether a connection is trustworthy.

    3. Re:Wait... by thegarbz · · Score: 3, Insightful

      So we used to have a simple system, see http:// on the URL bar, or see https:// on the bar.

      Are you mad? They are both the same. Oh wait let me get my glasses. Oh they are slightly different. What the hell does the s mean? and that http thing? and why are there those two dots and the slashes? Is one supposed to be good and the other bad or something? If one is good and another is bad why not just replace them with a red x and a green tick?

      Why does every software developer think that every user is a damn guru hacker who knows that the big box under the screen is called the HDD? Wait what do you mean that's not right either? ffs I just want to surf the web, leave me alone with your complicated hacker stuff.

      *An excerpt of a conversation many people have had with the very few computer users who understand the difference an s can make in the titlebar.

    4. Re:Wait... by Impy the Impiuos Imp · · Score: 2

      To be honest, a file extension as synonym for type of file was an asinine hack from day 1.

      Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    5. Re:Wait... by JesseMcDonald · · Score: 4, Informative

      So we used to have a simple system, see http:// on the URL bar, or see https:// on the bar.

      Only http:// is hidden, so users can still look for https://. In fact, the difference is even more obvious than before: instead of just one missing letter, the entire protocol field indicates whether the connection is encrypted.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    6. Re:Wait... by The-Ixian · · Score: 2

      I know that, at least in FF, you can re-enable the /https?/ prefix in about:config.

      --
      My eyes reflect the stars and a smile lights up my face.
  7. Could still use improvement by dissy · · Score: 2

    I can't see any problem with showing clear icons for the state of the connection, which includes unencrypted being distinguishable from encrypted with a cert signed by an untrusted party (aka self-signed) vs a cert signed by a trusted party.

    It's better than the current state of things, where the web browser programmers outright misinterpret what is going on and are potentially lying to the user.

    For example, if I run my own CA and sign all of my own certificates, and push my CA public key by hand to computers intended to access my server, verified by hash fingerprints - this is arguably MORE secure than a "secure" public CA signed certificate that I have no control over.
    After all I know exactly who signs certs with my CA - me - and despite what the public CAs and web browser programmers claim, I in fact do trust myself.

    CAs are known to have signed fraudulent certs, so they are not the ultimate high tier of trust.

    Of course the self-signed situation described above is very different from random snakeoil.crt style self-signed certs where the only possible way to verify the servers identity is to check the thumbprint hash. And who has time for that?

    Displaying the lowest tier of security icon for non-https sounds just as useful as it has been since SSL was invented.
    (After all, a lock vs a lack of a lock works well enough for anyone that cares about encryption, but I could care less what the two icons actually are of)

    At least Google's approach is better than Mozilla's by an infinite amount!
    I'd rather use Chrome and at least have it bitch about the lack of SSL while still actually showing me the webpage.
    Firefox will soon actively remove non-https support and display an "unknown protocol 'http'" error instead.
    Hope you don't like browsing .html files locally in firefox :P
    https://blog.mozilla.org/secur...

  8. Google and non-SSL site warnings by Lauren Weinstein · · Score: 3, Informative

    I'm forced to agree with this Slashdot poster. The use of a red X in this context will confuse users about perfectly correct and properly working websites, particularly legacy sites that carry no practical risks and contain widely referenced information, but that cannot be upgraded to SSL in a practical manner. The most likely outcome will be users learning to ignore such warnings completely because they will be so widely present and widely viewed as "crying wolf." It is also likely that many sites will push back against Google on this by posting explicit messages on their pages explaining to users that Google is playing Mommy and that nothing is wrong with their sites. It is perfectly acceptable and reasonable for Google to encourage the use of SSL. However, the approach being discussed is not helpful and is likely to even be counterproductive. REFERENCE: "When Google Thinks They're Your Mommy" - http://lauren.vortex.com/archi...

  9. Re:Not Sure What the HTTPS Hooplah is all about by XanC · · Score: 2

    DNSSEC doesn't provide any encryption. It's not for secrecy; it's for authenticating DNS information.

  10. Re:Not Sure What the HTTPS Hooplah is all about by NotInHere · · Score: 2

    Ah right, seems I was wrong.

  11. Break-time by tepples · · Score: 2

    Then do what on break-time?

    1. Re:Break-time by tepples · · Score: 2

      Not all suggestions apply to all situations:

      read a newspaper

      Newspapers have moved to the Internet.

      talk to your co-workers

      Depends on whether they're on break at the same time.

      get your employer to install a TV in the break room

      It has become increasingly common to deliver TV over the Internet.

      go for a walk

      Practicality depends on weather.

  12. Re:Good by roman_mir · · Score: 5, Insightful

    That's not my point, FF doesn't just warn people that the certificate is self signed, it actively tries to impress upon the user that the https connection with a self signed certificate is worse than a plain text http connection, because THAT is what a user compares his experiences to, not to another https site but to plain http.

    My position on this is that FF goes to great length to make it seem that an https connection with a self signed certificate is less secure than http, while that is categorically untrue, it is at least AS secure as http. AFAIC CAs are not trustworthy themselves, https is broken, if you think your https session is really secure because it is signed by some 'authority', that's an interesting mental exercise.

    Removing gigantic multi-screen warnings with insane messages about self signed certificates would help to increase overall security on the Internet by making it possible for people to use self signed certificates without making it look like self signed certs are a plague while not making the same types of accusations against plain http (which many sites also use!!! to transfer passwords).

  13. Re:Not Sure What the HTTPS Hooplah is all about by jafiwam · · Score: 2

    HTTPS is encryption and authentication. Without HTTPS, anyone between your computer and the web servers can manipulate every part of the request and the web page. Mobile networks for example are notorious for adding headers to HTTP requests and "optimizing" the pages you get back.

    No.

    HTTPS encrypts the data transfer, and provides for VERIFICATION that a third party CA believes the site is who it says it is. No authentication involved.

  14. You want MITM inserting porn in historical sites? by tepples · · Score: 2

    I run about 50 websites, some for myself and some for local non-profit organizations. They're all simple information/brochure websites with no real interaction or sensitive content.

    The "sensitive content" is what a man in the middle could insert into your stream: pornography, libel, ransomware downloads, or what have you.

    yet it's going to cost me a small fortune in certificates to keep them alive in the future.

    Let's Encrypt certificates cost zip.

  15. Re:True sense of insecurity by roman_mir · · Score: 2

    In the version of FF I am on right now 41.0.1 on Linux Mint 17 I don't see http or https in the address bar. I see a green padlock for https, you click on it and it gives you some details including saying 'secure connection'.

    HTTP is just a grey url, click on it and see 'connection is not secure'.

    Go to a site with a self signed certificate and get this crap:

    This Connection is Untrusted

    You have asked Firefox to connect securely to www.pcwebshop.co.uk, but we can't confirm that your connection is secure.

    Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
    What Should I Do?

    If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

    --get me out of here-- (button)

    --Technical details-- (link)

    --I understand the risks --(link)

    Well, shit, I don't think most people actually understand the risks, but given that FF doesn't even show https in the URL any longer WTF is it doing treating a self signed https site worse than an http site that may also have user name / password on it?

    If you don't think this is a case of either stupidity or malicious intent, trying to push people towards CAs while in reality preventing tons of people from setting up SSL in the first place, then you don't get people's behaviour.

  16. Re:Good by roman_mir · · Score: 2

    Of course it does, it is trying to prevent people from using self signed certificates and pushing them towards CAs. FF today doesn't even display the protocol in the address bar by default, it shows either a grey globe or a green padlock, clicking on these you get 'connection secure' or 'connection is not secure' message. It's that easy to simply check if the certificate is self signed, treat the site as if it was an HTTP site by the browser and provide an appropriate status in the details ( self signed certificate for this connection that claims to be secured but is not verified by a third party authority).

    THAT would be meaningful and would help the Internet to switch to https.

  17. Re:Not Sure What the HTTPS Hooplah is all about by fahrbot-bot · · Score: 4, Funny

    Ah right, seems I was wrong.

    Oh my God. Someone on /. (simply) admits he/she was wrong.

    Thank you, dear poster. I can die now, to be whisked off to either a warm Heaven or very cold Hell.

    --
    It must have been something you assimilated. . . .
  18. Re:Get Perspectives by roman_mir · · Score: 2

    It's not about whether a site is dangerous per se as much as whether a site is as dangerous as a reasonable person would expect when keying in the URL.

    - that's complete nonsense. A person 'keying in' (most just click) a URL expects to get to the site. A browser actively trying to prevent a user from getting to that site based on the fact that the certificate for the site is not what the browser company decides is in the best interest of the company (AFAIC) is not an indicator of the site being secure or insecure.

    In most cases nobody is hit with MITM attacks, however ALL communications are stolen and recorded by NSA and the like. It is better to be on an https site with a self signed certificate, when a government is listening to all communications to filter it by keywords than to be on http and not be warned by the browser about anything.

    I am not advocating treating https with self signed certificate exactly the same as https with a certificate that some 'authority' verifies. I am saying that a browser treating a site with a self signed certificate as if it is a virus while happily letting people navigate the rest of the http web is not for the benefit of a user.