Slashdot Mirror


Google Chrome Begins Warns Users About Insecure Pages (certsimple.com)

An anonymous reader shares an article on CertSimple, a firm that helps companies prove their identity on their websites: Today Chrome's stable channel was updated with a new HTTPS UI. The changes in these versions of Chrome (Chrome 53 for Windows, Mac users got them in Chrome 52) complete 'transition 1' in Google's HTTPS plans, first announced in December 2014: T1: Non-secure origins marked as Dubious. In other words: Chrome now explicitly tells users non-HTTPS sites aren't private. If a Chrome user visits a site that isn't private -- for example, there's no HTTPS, broken HTTPS, or HTTPS only on 'checkout' pages -- Chrome now displays a mid-grey colored info box.

86 comments

  1. Grammar, anyone? by Anonymous Coward · · Score: 1

    "Google Chrome Begins Warns Users About Insecure Pages"

    Good work, editors.

    1. Re:Grammar, anyone? by sittingnut · · Score: 1

      don't you know that current slashdot editors believe that adding 's' to verbs is more secure. they will duplicate the story later in the day to ensure.

  2. Zero Wing 2 by Anonymous Coward · · Score: 0

    All your Google Chrome Begins Warns Users are belong to us.

    1. Re:Zero Wing 2 by Anonymous Coward · · Score: 0

      they know what you doing take off every secure.

    2. Re:Zero Wing 2 by Anonymous Coward · · Score: 0

      To make glorious nation Kazakhstan.

    3. Re:Zero Wing 2 by Anonymous Coward · · Score: 0

      In AD 2016 Google Chrome was Begins.
      Captain: What happens?
      Manishs: Someone set up us the insecure pages

    4. Re:Zero Wing 2 by Anonymous Coward · · Score: 0

      operator: we get javascript..
      captain: what?!
      operator: window screen go big
      captain: it's not click!
      manishs: How are you gentlemen? you are on the way to SaaS!
      captain: what you say?!
      manishs: All your secure are belong to us! you have no chance to browse make your time! ha ha ha ha!
      operator: captain!
      captain: take off every noscript!
      captain: you know what you doing! take off every noscript!!

  3. begins warns? by Anonymous Coward · · Score: 0

    how about
    "begins to warn" or better yet
    "begins warning"

    1. Re: begins warns? by Anonymous Coward · · Score: 0

      How about hiring literate editors?

  4. All Chrome pages are not secure by 110010001000 · · Score: 3, Informative

    Google is a spyware company. Chrome is their spawn. You are their product.

    1. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 1

      You beat me to it.

      All pages are insecure if you use Chrome.

    2. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      So what do you suggest?

    3. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 1

      Firefox Portable.

    4. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 0

      ...In a private tab.

    5. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 0

      ... behind a VPN.

    6. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      With https pages only visible in the future, you will not have a visible website without someone's permission.(a cert provider)

    7. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      SRWare Iron

    8. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 0

      ... through seven proxies.

    9. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 0

      While wearing a condom

    10. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      Does the browser do any phoning home if you have sync disabled?
      What if I run Chromium instead?

    11. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 0

      Firefox runs like a dog on my phone, unfortunately.

    12. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      On Windows, where Chrome users likely are, spyware concerns can not really exist, because otherwise these people wouldn't be using Windows. Chances are these are users who "need" Flash because otherwise "the internet is broken", and those are far better off with a solution that auto-updates Flash on a daily basis like Chrome does than they would be with Firefox and a Flash plugin that maybe updates once a week or so if you're lucky, getting infected by the newest cryptolocker on a regular basis. Better have Google spy on you than play Russian roulette with Adobe's horrible security flaws and update mechanism.
      On Linux, you're using Chromium, and I find it highly implausible that Google should leave any intentionally malicious code in Chromium, where it would be out in the open to be discovered, when they can put it all in their nice proprietary spin that applies to 99% of the market anyway.
      Bottom line: Either you're a Chromium user and "Google spies on you" doesn't apply, or you're a Windows user who (a) doesn't really care, and (b) is still better off with Chrome than he would be otherwise.

    13. Re:All Chrome pages are not secure by Jamie+Lokier · · Score: 1

      Last time I checked, yes it did send messages to Google, even running Chromium, on Ubuntu Linux, with all the undocumented command-line options I was able to find to disable various functions. That surprised me.

      I was wanting to use Chromium to view local applications without any inappropriate network traffic; it wasn't suitable.

    14. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      Enjoy your placebo

    15. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 0

      And a tin hat.

    16. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 0

      Better still, the name and address of the website owner will be available to the cert provider (and therefore the "relevant authorities"). The only people we *know* were spying on Googles traffic were the NSA, who do it after decryption in Googles own datacentres and aren't affected by this at all. Google are "restoring consumer confidence" by lying, while being complicit in the government spying on their own citizens.

  5. wifi connect https redirect issues by Anonymous Coward · · Score: 1

    Many public wifis have a page they redirect you to. And they will redirect on https as well. You have to tell your browser that you trust the page but there should be a better way to do the public wifi messages. Browser developers and wifi redirect engineers need to talk and should be able to develop a means of notifying user without making it incredibly difficult to accept.

    1. Re:wifi connect https redirect issues by epyT-R · · Score: 1

      Wouldn't having the cert signed by a public authority fix this?

    2. Re:wifi connect https redirect issues by Anonymous Coward · · Score: 0

      There is a de-facto mechanism for dealing with the problem you describe. It works something like this:

      • After connecting to a new wi-fi network, the phone attempts an HTTP request to an endpoint that just returns a static 204 No Content response.
      • If what it gets back is a redirect or anything else other than the 204 No Content response it was expecting, a notification appears saying "Sign in to wi-fi network", and the phone goes on using cellular data.
      • If the user touches that sign-in notification, a browser window is opened that again loads that same 204 No Content endpoint, which is assumed to redirect the user to some captive portal page to complete signup.
      • Eventually the phone detects that it's able to hit that 204 No Content endpoint, and it considers the wi-fi connection to be working and begins using it in preference to the cellular data.

      It's ugly, but it works for most captive portal implementations, and it's been around long enough that new captive portal implementations have begun explicitly supporting this flow, which has effectively made it a de-facto standard in spite of it being technically very ugly.
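
The probe flow described in the comment above, as an added example that is not part of the original post: it classifies one plain-HTTP probe and runs it against three simulated networks on 127.0.0.1. The `/probe204` path and the `portal.example` URL are constructed placeholders, not any vendor's real endpoint.

```python
"""Captive-portal detection by probing an endpoint expected to answer 204."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ONLINE, CAPTIVE, OFFLINE = "online", "captive_portal", "no_connectivity"
PORTAL_URL = "http://portal.example/login"  # constructed placeholder


def classify(status, location=None):
    """Only a bare 204 counts as working internet access.

    A redirect carries the portal's sign-in URL; any other answer (such as
    a 200 page substituted by the hotspot) is still treated as a portal.
    """
    if status == 204:
        return ONLINE, None
    if status in (301, 302, 303, 307, 308) and location:
        return CAPTIVE, location
    return CAPTIVE, None


def probe(url, timeout=3.0):
    """Send one GET without following redirects and classify the answer."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        # The probe has to be plain HTTP: a hotspot cannot rewrite an HTTPS
        # response without the client seeing a certificate error.
        raise ValueError("probe URL must use plain http")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Connection": "close"})
        resp = conn.getresponse()
        resp.read()
        # Location is supplied by an untrusted network: treat it as input
        # to display to the user, not as a trusted destination.
        return classify(resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return OFFLINE, None
    finally:
        conn.close()


def _handler_for(mode):
    """Build a handler simulating one kind of network (constructed data)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b""
            if mode == "open":            # the real endpoint is reachable
                self.send_response(204)
            elif mode == "redirect":      # portal redirects every HTTP request
                self.send_response(302)
                self.send_header("Location", PORTAL_URL)
            else:                         # "rewrite": portal answers 200 itself
                body = b"<html>Accept the terms to continue</html>"
                self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):     # keep the demo output quiet
            pass
    return Handler


def probe_simulated(mode):
    """Run probe() against a throwaway local server in the given mode."""
    server = HTTPServer(("127.0.0.1", 0), _handler_for(mode))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}/probe204")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in ("open", "redirect", "rewrite"):
        print(mode, "->", probe_simulated(mode))
```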

    3. Re:wifi connect https redirect issues by thsths · · Score: 1

      A public wifi login page is by definition insecure, so there should be a warning. And you should never enter any sensitive information, which also means that any password for a public wifi better not be an important one.

    4. Re:wifi connect https redirect issues by Anonymous Coward · · Score: 0

      You misunderstood the problem. It's not about the Wifi login page itself. The way these login pages work is by redirecting all HTTP requests before the user is logged in (has agreed to TOS, whatever). You can't redirect HTTPS, so as more and more pages are encrypted, the likelihood increases that the first page people request over a Wifi hotspot network can't be redirected. It will just timeout or give you an error message instead of showing you the login/TOS page. That is the problem. I say, goood riddance to that practice. If you're not going to provide open Wifi, then don't pretend you do while you actually don't let anything through before an individual interaction.

    5. Re:wifi connect https redirect issues by SilentChasm · · Score: 1

      Most operating systems I've seen recently test if they can get to the internet themselves and if they are redirected to a captive portal they then automatically open a browser window to where the portal redirected them to (usually a login page). This avoids the issue of trying to MitM attack whatever site the user was trying to get to. You can still make the login page you get redirected to secure with proper certificates. The following are examples of the different things companies use in detecting if they can connect to the internet:

      Apple:
      http://captive.apple.com/hotsp...

      Google:
      http://clients3.google.com/gen...

      Microsoft:
      http://www.msftncsi.com/ncsi.t...

    6. Re:wifi connect https redirect issues by SilentChasm · · Score: 1

      In order to redirect HTTPS traffic to a login page you would need a valid certificate for wherever the user was trying to get to in the first place. Giving random wifi hotspot operators those kinds of certs would be very bad for security and very impractical.

  6. Sorry, but not new by Anonymous Coward · · Score: 0

    Google implemented this in Chrome 51. It just moved it to a popup in Chrome 53.

  7. HTTPS on home LAN by tepples · · Score: 4, Insightful

    And thus people will start seeing the "dubious" mark in the UI when accessing the web-based administration interface of a home router, a home NAS, or a home network printer, which lacks HTTPS because it lacks a certificate, in turn because it lacks a globally unique fully qualified domain name.

    Or should a device maker instead deploy the same wildcard certificate with the same private key on all of a given make and model?

    1. Re:HTTPS on home LAN by aix+tom · · Score: 4, Insightful

      This. Plus, a browser that puts warnings on all unencrypted pages is somehow like a radio that warns before every song that the next song isn't encrypted and might be listened to by anybody. Or a barkeeper telling you at the bar "Don't talk so loud, the police might hear."

      Of course you should have the right to whisper any time you want. But you also should have the right to shout something for everybody to hear whenever you want, without somebody warning that you shouldn't do it.

    2. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      Device makers should arrange (and may need to pay) for their devices to obtain an Internet FQDN and self-issue a certificate from a CA.

      Let's Encrypt's ACME protocol is ideally suited for doing this with a home router or similar device but Let's Encrypt is (as a charity) rate limited so as to prevent it being abused. So unless you're only planning to sell fifty devices, Let's Encrypt is probably not an option (some device makers have asked, and received favourable but hardly urgent responses so it might yet happen, but likely not)

      _Nothing_ stops a commercial CA from implementing ACME and agreeing, for example, to register up to one million devices with FQDNs of the form eight_hex_digits.model.brand-name.example in a sub-domain controlled by the manufacturer, in exchange for, let's say $5000 plus $1000 per year for at least the three year intended lifespan of the product.

      If a big manufacturer, or group of manufacturers, gets together and funds it, they could certainly build themselves a CA specifically for this purpose, cross-signed by an existing CA and "free" in the sense that it has significant fixed operating costs but doesn't really spend a whole lot to support each device issued with a certificate through ACME. If they _want_ to do this, they can do it tomorrow.

    3. Re: HTTPS on home LAN by Anonymous Coward · · Score: 0

      We're sorry. We no longer support that router you bought last year. Even though there is no real difference or improvement we recommend you purchase the XYZ445 model. To ensure that you do, we have revoked the certificate and hobbled your ability to manage the device.

      Thank you,
      XYZ Marketing

    4. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      Absolutely. Plus static html websites don't need https. Simple as. Fuck you google.
      Nobody should care when I browse my favorite minecraft fansite...

    5. Re:HTTPS on home LAN by tepples · · Score: 2

      static html websites don't need https

      Without HTTPS, how can you be sure that the information presented on "static html websites" was not modified in transit by a man in the middle on its way from "static html websites" to you?

    6. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      With all the certificate providers I don't trust, I still can't be sure

    7. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      Without HTTPS, how can you be sure that the information presented on "static html websites" was not modified in transit by a man in the middle on its way from "static html websites" to you?

      I can't, and I don't care.

    8. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      I was pleasantly surprised to find that the Brother HL-3170CDW printer I bought allows me to install SSL certs to secure access to its administrative service. It can generate a self-signed cert, or it can import a private key and certificate, or it can even generate a CSR which you can sign with your own CA or an external CA.

    9. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      Without HTTPS, how can you be sure that the information presented on "static html websites" was not modified in transit by a man in the middle on its way from "static html websites" to you?

      How do I know random pictures I browsed out of boredom on deviant art were not modified on way to me? Oh my god, someone modified jokes chat jokes repository I visit for laughs! Paniiiiiic!

      Seriously, it is possible someone did it, but it is unlikely to have any consequences at all. Yes, it is possible to do so for the reason of harassment and it must sux when/if that happen, but I am not ready to get scared over that now.

    10. Re:HTTPS on home LAN by tepples · · Score: 1

      [My Brother network printer] can even generate a CSR which you can sign with your own CA or an external CA.

      In order to sign the CSR with a CA that other devices on your network already trust, including devices brought in by friends and family visiting your home, you'd first need to buy a domain and dynamic DNS service for that domain to allow the CA to verify that you own the domain. It'd take a huge shift in Internet culture to convince the administrator of each home network to buy a domain for that home network.

    11. Re:HTTPS on home LAN by Anonymous Coward · · Score: 0

      It's not just about encryption, it's about preventing people from injecting malicious content into the pages you visit - if not from actual hackers, then from asshole ISPs wanting to stick their own adverts in everything you look at.

  8. I wonder if this would be used by Anonymous Coward · · Score: 0

    for censorship

  9. I has a warns! by Anonymous Coward · · Score: 0

    Trolololo

  10. Hotspots can use RADIUS by tepples · · Score: 1

    Why can't public Wi-Fi use something like RADIUS, or at least a pre-shared key changed daily and posted on all cash registers, instead of a captive portal?

    1. Re:Hotspots can use RADIUS by Anonymous Coward · · Score: 0

      All the captive portals I've seen have some sort of lawyer-like or manager speak to cover the business asses.

    2. Re:Hotspots can use RADIUS by tepples · · Score: 1

      The TOS would be displayed either on the sign with today's pre-shared key or through the RADIUS challenge mechanism.

  11. GUH by eyenot · · Score: 1

    Eyenot User Begins Just Smashing The Fuck Out Of This Headline With A Hammer

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee

    1. Re:GUH by rholtzjr · · Score: 1

      Almost looks like they used Google Translate from Hindi to English

  12. Related issue: This Connection is Untrusted by fustakrakich · · Score: 1

    I'm not using Chrome. What's up Slashdot? Is this a time stamp thing?

    --
    “He’s not deformed, he’s just drunk!”

    1. Re:Related issue: This Connection is Untrusted by Anonymous Coward · · Score: 0

      The connection's fine. It's really you that's untrusted. We were just trying not to offend you.

    2. Re:Related issue: This Connection is Untrusted by fustakrakich · · Score: 1

      :-) The certificate will not be valid until 09/02/2016 06:19 PM

      Then I shall wait another hour for it to clear up

      --
      “He’s not deformed, he’s just drunk!”

  13. Warning isn't new, icon is by Anonymous Coward · · Score: 0

    Chrome already showed "Your connection to this site is not private." What's new is that they've replaced the old page icon with a circled-i icon.

  14. Windows will follow... by Anonymous Coward · · Score: 0

    "Do you want to view this website?" Yes.
    "Are you sure you want to view this website?" Yes
    "Administrator permissions are needed to view this website, do you wish to continue?" Yes
    "Are you sure you want to allow administrator permissions?" Yes
    "Page not found, Retry, Reload, Abort?"

    1. Re:Windows will follow... by Anonymous Coward · · Score: 0

      Enforcing https is an attack on our freedom.

  15. Overly aggressive by jez9999 · · Score: 2

    I used to think that maybe this kind of thing was a good idea, but I've changed my mind. There are all sorts of reasons you might not want to use HTTPS for a website, usually revolving around the fact that it is just a pain in the ass to set up and maintain (especially if you run your own server). It's often overkill during development, or in a situation where you're piggybacking on an already-secure connection like SSH.

    I suspect this is all to do with the desire of big corporations like Google to make the web more of a place for people with $$$. The money and time to setup and maintain SSL infrastructure.

    And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with (good luck if it's not Apache). But that sucks, frankly.

    1. Re:Overly aggressive by GameboyRMH · · Score: 1

      I still think a better solution is to treat HTTP and self-signed HTTPS the same - giving no warning for them. By all means display a secure icon for HTTPS with a CA cert, but there's nothing inherently dangerous about an HTTP or self-signed HTTPS connection.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel

    2. Re:Overly aggressive by Anonymous Coward · · Score: 0

      There's no way I would install that software on my server.

    3. Re:Overly aggressive by tepples · · Score: 1

      It's often overkill during development

      Chrome considers the loopback interface secure. If you can't use localhost because you're testing a web application on a mobile browser, you can run a private CA with OpenSSL and install its root certificate on your testing devices.

      And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with

      You don't have to install Certbot (the canonical client recommended by LE) to get a certificate for a host in a domain that you own. Certbot is only one of many ACME clients that LE supports. Some of these clients support a DNS challenge, in which the CA asks you to put a TXT record on your domain's DNS server instead of a file on your host's server. To use the DNS challenge, you just need the ability to update the zone file. Besides, a growing number of VPS administration packages support ACME; in fact, cPanel 58 added it a couple weeks ago:

      sudo /scripts/install_lets_encrypt_autossl_provider

    4. Re: Overly aggressive by corychristison · · Score: 1

      Alternatively you can get Comodo brand PositiveSSL certs for about $10 for 3 years.

      Tell me again how expensive SSL Certificates are?

    5. Re:Overly aggressive by RandomSurfer314 · · Score: 1

      I agree. An even better thing would be to store the identity of the other side the first time when it is visited, warn the user when it changes afterwards, and leave the initial authentication to side channels. Like SSH does without manual keys. The certificate system with its dubious chain of trust is broken anyway. But corporations and authorities can't allow this, because that would make the Web more secure without giving them any control or other benefits.

    6. Re: Overly aggressive by Anonymous Coward · · Score: 0

      Who's paid to manage all the certificates?

      HTTPS everywhere is garbage and you should just fuck off.

  16. So long as the device is actually hardware by tepples · · Score: 1

    Device makers should arrange (and may need to pay) for their devices to obtain an Internet FQDN and self-issue a certificate from a CA.

    Paying works so long as the device is actually hardware, as the price of a certificate can be built into the price of hardware. It wouldn't work so well if the "device" is a general-purpose computer, such as a PC, an Android device, or a Raspberry Pi board, running a particular application that is free software or otherwise distributed without charge.

    in exchange for, let's say $5000 plus $1000 per year for at least the three year intended lifespan of the product.

    Which would leave Slashdot's comment section even more up in arms about "planned obsolescence" once the three years run out.

    1. Re:So long as the device is actually hardware by Anonymous Coward · · Score: 0

      For the DIY stuff you already can just use Let's Encrypt. All the popular "home web server / cloud service / github / Slashdot clone / whatever" systems now have people either writing tutorials for how to use them with Let's Encrypt, or in some cases just contributing a button push "Make sure the machine has an actual FQDN then press this button" one click SSL setup.

      The point of Let's Encrypt was to set the entry price at $0 and zero hours by group funding the whole thing as a 501(c)3. But if you want to sell a bazillion devices you can find a few spare dollars to pay for the infrastructure.

      The device makers I've seen who were taking this even halfway seriously all assumed that if you HAVE your own FQDN you'd use Let's Encrypt and they won't get in your way, they're planning for the millions of users who don't know what an FQDN even is. It's the difference between the person whose WiFi network is named "I Can't Even" and the person whose WiFi network is named "FooCom-E5B206". The latter person probably doesn't even know what an ESSID is, and doesn't care how to change it, but auto-naming is better than the situation where every other WiFi network is called "Netgear".

  17. Headline is bad syntax by krakrjak · · Score: 2

    Try reading it like this, "Google Chrome Warns Begins ...." What a terrible turn of phrase, get it together editors.

  18. that one hurts by Anonymous Coward · · Score: 0

    Obviously they have "successfully" outsourced the headline writing to China to save a buck.

    Does ANYONE read anything they write now before they post? Email to a friend, ok, but stories you intend to publish could at least have one read thru :/
    MSN story repeated a paragraph halfway down the page. If you expect us to read YOU read it first, sheesh.

    At least get a readable headline or is ONE damn line too much for ya to read?

  19. Re:Stop whining! Httpv2 is good by Anonymous Coward · · Score: 0

    Requiring a certificate is a way to censor us and undermines our freedom.

  20. Good lord, editors by sootman · · Score: 0

    This story has been on the front page for two hours with a glaring error in the headline? Do you guys even look at the site?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.

  21. automatic audio video by Anonymous Coward · · Score: 0

    how about not allowing a random page to choose to play video and audio by its own choice - i'm sick of the moaning porn adverts on the bus next to all the innocent children. Google think of the children.

  22. I can has cheezburger by SlaveToTheGrind · · Score: 2

    Google Chrome Begins Warns Users

    Come on, manishs, I know it's after beer thirty on a holiday weekend, but good grief -- this would take about 30 seconds to fix.

    1. Re:I can has cheezburger by Anonymous Coward · · Score: 0

      It doesn't matter. He doesn't speak english.

  23. And yet, they removed the warning a long time ago! by Anonymous Coward · · Score: 1

    Chrome was one of the first to hide the "http://" prefix.

    That is exactly what "http://" means: no encryption, no authentication.

    And of course, some other browsers started to copy chrome in this regard.

    Stop hiding important information from the user!!!

    The browser UI was perfect around firefox 25 or so. It's gone downhill since.

  24. Re:Stop whining! Httpv2 is good by DavidRawling · · Score: 1

    Honestly,

    - If you run a webserver, go get yourself letsencrypt, use cloudflare or namecheap has cheap ssl.
    - Enable http2 on nginx (if you are using it, use it well)
    - Enjoy faster loading time.

    Your welcome.

    - The argument against https is pointless.

    Let me rephrase that:

    Honestly,

    - If you run a webserver, install this software, just trust us it's fine; redelegate your DNS to this company with-whom-I'm-totally-not-involved so they proxy all your connections and know who's visiting your site (and can sell or hand it over to whatever TLA you like); or pay money to another organisation for a set of we-promise-they're-unique-and-secure-numbers and we would totally never be compromised or behave unethically [cough] Symantec [cough] DigiNotar [cough] Verisign [hack] [cough];
    - Do it my way because spinach and everything supports enforced HTTPS, and the peons can do without
    - Don't worry that your data usage just doubled for HTTPS, it's only $50 a month extra for the upgraded plan and everyone can get gigabit fiber anyway.

    You'rE unwelcome here.

    - The argument against https is my-way-or-the-highway so screw you.

    There, I think I covered it all.

  25. About time by thsths · · Score: 1

    Here we have still unencrypted pages that ask for the single sign on login information. And IT say that's ok, because the HTML POST request is sent off over https...

    I assume Google Chrome would think otherwise.

  26. HTTPS on slashdot by Anonymous Coward · · Score: 0

    How come every HTTPS website works fine on a shit connection, but slashdot always timeouts since it switched to HTTPS

    Fix this!

  27. Let's Encrypt is rate limited by tepples · · Score: 1

    a particular application that is free software or otherwise distributed without charge.

    For the DIY stuff you already can just use Let's Encrypt. [...] contributing button push "Make sure the machine has an actual FQDN then press this button" one click SSL setup

    The "Make sure the machine has an actual FQDN" is the hard part. Each user of an application will have to buy a domain, keep the domain renewed, buy dynamic DNS service for that domain to publish the required TXT record, and keep the dynamic DNS service renewed. Many domain registrars bundle basic DNS service with domain registration, but it's often not dynamic; a user has to edit the zone file through a web form. The application's developer can't just buy its own domain, give subdomains to users, and let all users of that application obtain certificates for those subdomains, because of the rate limit of Let's Encrypt. This means that if an application gets a million users, a million domains will need to be registered, which breaks the "distributed without charge" constraint.

    It's the difference between the person whose WiFi network is named "I Can't Even" and the person whose WiFi network is named "FooCom-E5B206". The latter person probably doesn't even know what an ESSID is, and doesn't care how to change it, but auto-naming is better than the situation where every other WiFi network is called "Netgear".

    But who would pay for the renewal of foocom-e5b206.net after the device's warranty expires?

  28. Must be a drunk writer by Anonymous Coward · · Score: 0

    Showssssssss the world that education don't matter these days

  29. I Wants Be Slashdot Editor by frovingslosh · · Score: 2

    Google Chrome Begins Warns Users About Insecure Pages

    I've always wished for a job that involved no manual labor and no mental labor.

    --
    I'm an American. I love this country and the freedoms that we used to have.

  30. Re:And yet, they removed the warning a long time a by allo · · Score: 1

    http vs https in the address bar were never a good indicator. People do not want to know if it's http or https, they want to know if it's secure or not.
    And we nerds should acknowledge that http, spdy, http2, gopher or ftp should be the same for a transport protocol and the user does not need to care, but if it's ftp or ftps is important to him.