Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com)

Posted by timothy on from the normalizing-improvement dept.

An anonymous reader writes: Permanent changes are planned for future Google Chrome releases, which will add a big shiny red cross in the URL bar if the website you're accessing is not using HTTPS. Google says it is planning to add this to Chrome by the end of 2016, after one of its developers proposed the idea back in December 2014. Many have argued that the web is predominantly unencrypted, so they're displaying a persistent and ambiguous error message for a large portion of the Internet. Since unencrypted content is not an error state, the Chrome team should use alternate iconography, because the default error message this will just confuse average people, and it will encourage error blindness.

11 of 216 comments (clear)

  1. Re:Not Sure What the HTTPS Hooplah is all about by lgw · · Score: 5, Insightful

    HTTPs only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

    I'd prefer my employer didn't know the contents of what I post to Slashdot. You can extend this to just about any forum where ideas are exchanged.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  2. title by Anonymous Coward · · Score: 3, Insightful

    I thing the OP wanted the title to be "Google Chrome" Maybe one of the mods can fix that by at least replacing Google with Chrome.

  3. Re: Not Sure What the HTTPS Hooplah is all about by Anonymous Coward · · Score: 4, Funny

    Get back to work.

  4. Re:Not Sure What the HTTPS Hooplah is all about by BradleyUffner · · Score: 3, Informative

    HTTPs only encrypts the contents of what you are retrieving, not the location (URL) that you are retrieving it from. Seems rather pointless to push it everywhere. It only has a purpose when the user and/or server want to exchange secret payloads (e.g. credit card numbers).

    Umm... the full URL certainly IS encrypted.
    https://stackoverflow.com/ques...

  5. Wait... by RJFerret · · Score: 5, Interesting

    So we used to have a simple system, see http:/// on the URL bar, or see https:/// on the bar.

    Then some idiot got the bright idea of hiding the start of the URL, so users could be ignorant or infuriated.

    Now they are going to use another symbol to indicate the lack of an "s"?

    Have I really got this right?

    (Hopefully in the future the symbol will be clarified by replacing it with a sequence of letters.)

    1. Re:Wait... by XanC · · Score: 4, Informative

      What we've learned is that not all HTTPS are created equal. There could be insecure ciphers, mixed content, insecure signatures, vulnerabilities, what have you. Just looking for the "s" isn't enough. It's a very good thing that the browsers, which can look at all the factors, are giving better hints about whether a connection is trustworthy.

    2. Re:Wait... by thegarbz · · Score: 3, Insightful

      So we used to have a simple system, see http:/// on the URL bar, or see https:/// on the bar.

      Are you on mad? They are both the same. Oh wait let me get my glasses. Oh they are slightly different. What the hell does the s mean? and that http thing? and why are there those two dots and the slashes? Is one supposed to be good and the other bad or something? If one is good and another is bad why not just replace them with a red x and a green tick?

      Why does every software developer think that ever user is a damn guru hacker who knows that the big box under the screen is called the HDD? Wait what do you mean that's not right either? ffs I just want to surf the web, leave me alone with your complicated hacker stuff.

      *An excerpt of a conversation many people have had with the very few computer users who understand the difference an s can make in the titlebar.

    3. Re:Wait... by JesseMcDonald · · Score: 4, Informative

      So we used to have a simple system, see http:/// on the URL bar, or see https:/// on the bar.

      Only http:/// is hidden, so users can still look for https:///. In fact, the difference is even more obvious than before: instead of just one missing letter, the entire protocol field indicates whether the connection is encrypted.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  6. Google and non-SSL site warnings by Lauren+Weinstein · · Score: 3, Informative

    I'm forced to agree with this Slashdot poster. The use of a red X in this context will confuse users about perfectly correct and properly working websites, particularly legacy sites that carry no practical risks and contain widely referenced information, but that cannot be upgraded to SSL in a practical manner. The most likely outcome will be users learning to ignore such warnings completely because they will be so widely present and widely viewed as "crying wolf." It is also likely that many sites will push back against Google on this by posting explicit messages on their pages explaining to users that Google is playing Mommy and that nothing is wrong with their sites. It is perfectly acceptable and reasonable for Google to encourage the use of SSL. However, the approach being discussed is not helpful and is likely to even be counterproductive. REFERENCE: "When Google Thinks They're Your Mommy" - http://lauren.vortex.com/archi...

  7. Re:Good by roman_mir · · Score: 5, Insightful

    That's not my point, FF doesn't just warn people that the certificate is self signed, it actively tries to impress upon the user that the https connection with a self signed certificate is worse than a plain text http connection, because THAT is what a user compares his experiences to, not to another https site but to plain http.

    My position on this is that FF goes to great length to make it seem that an https connection with a self signed certificate is less secure than http, while that is categorically untrue, it is at least AS secure as http. AFAIC CAs are not trustworthy themselves, https is broken, if you think your https session is really secure because it is signed by some 'authority', that's an interesting mental exercise.

    Removing gigantic multi-screen warnings with insane messages about self signed certificates would help to increase overall security on the Internet by making it possible for people to use self signed certificates without making it look like self signed certs are a plague while not making the same types of accusations against plain http (which many sites also use!!! to transfer passwords).

    --
    You can't handle the truth.
  8. Re:Not Sure What the HTTPS Hooplah is all about by fahrbot-bot · · Score: 4, Funny

    Ah right, seems I was wrong.

    Oh my God. Someone on /. (simply) admits he/she was wrong.

    Thank you, dear poster. I can die now, to be whisked off to either a warn Heaven or very cold Hell.

    --
    It must have been something you assimilated. . . .