Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Begins Warns Users About Insecure Pages (certsimple.com)

Posted by msmash on from the better-security dept.

An anonymous reader shares an article on CertSimple, a firm that helps companies prove their identity on their websites: Today Chrome's stable channel was updated with a new HTTPS UI. The changes in these versions of Chrome (Chrome 53 for Windows, Mac users got them in Chrome 52) complete 'transition 1' in Google's HTTPS plans, first announced in December 2014: T1: Non-secure origins marked as Dubious. In other words: Chrome now explicitly tells users non-HTTPS sites aren't private. If a Chrome user visits a site that isn't private -- for example, there's no HTTPS, broken HTTPS, or HTTPS only on 'checkout' pages -- Chrome now displays a mid-grey colored info box.

35 of 86 comments (clear)

  1. Grammar, anyone? by Anonymous Coward · · Score: 1

    "Google Chrome Begins Warns Users About Insecure Pages"

    Good work, editors.

    1. Re:Grammar, anyone? by sittingnut · · Score: 1

      don't you know that current slashdot editors believe that adding 's' to verbs is more secure. they will duplicate the story later in the day to ensure.

  2. All Chrome pages are not secure by 110010001000 · · Score: 3, Informative

    Google is a spyware company. Chrome is their spawn. You are their product.

    1. Re:All Chrome pages are not secure by Anonymous Coward · · Score: 1

      You beat me to it.

      All pages are insecure if you use Chrome.

    2. Re: All Chrome pages are not secure by Anonymous Coward · · Score: 1

      Firefox Portable.

    3. Re:All Chrome pages are not secure by Jamie+Lokier · · Score: 1

      Last time I checked, yes it did send messages to Google, even running Chromium, on Ubuntu Linux, with all the undocumented command-line options I was able to find to disable various functions. That surprised me.

      I was wanting to use Chromium to view local applications without any inappropriate network traffic; it wasn't suitable.

  3. wifi connect https redirect issues by Anonymous Coward · · Score: 1

    Many public wifis have a page they redirect you to. And they will redirect on https as well. You have to tell your browser that you trust the page but there should be a better way to do the public wifi messages. Browser developers and wifi redirect engineers need to talk and should be able to develop a means of notifying user without making it incredibly difficult to accept.

    1. Re:wifi connect https redirect issues by epyT-R · · Score: 1

      Wouldn't having the cert signed by a public authority fix this?

    2. Re:wifi connect https redirect issues by thsths · · Score: 1

      A public wifi login page is by definition insecure, so there should be a warning. And you should never enter any sensitive information, which also means that any password for a public wifi better not be an important one.

    3. Re:wifi connect https redirect issues by SilentChasm · · Score: 1

      Most operating systems I've seen recently test if they can get to the internet themselves and if they are redirected to a captive portal they then automatically open a browser window to where the portal redirected them to (usually a login page). This avoids the issue of trying to MitM attack whatever site the user was trying to get to. You can still make the login page you get redirected to secure with proper certificates. The following are examples of the different things companies use in detecting if they can connect to the internet:

      Apple:
      http://captive.apple.com/hotsp...

      Google:
      http://clients3.google.com/gen...

      Microsoft:
      http://www.msftncsi.com/ncsi.t...

    4. Re:wifi connect https redirect issues by SilentChasm · · Score: 1

      In order to redirect HTTPS traffic to a login page you would need a valid certificate for wherever the user was trying to get to in the first place. Giving random wifi hotspot operators those kinds of certs would be very bad for security and very impractical.

  4. HTTPS on home LAN by tepples · · Score: 4, Insightful

    And thus people will start seeing the "dubious" mark in the UI when accessing the web-based administration interface of a home router, a home NAS, or a home network printer, which lacks HTTPS because it lacks a certificate, in turn because it lacks a globally unique fully qualified domain name.

    Or should a device maker instead deploy the same wildcard certificate with the same private key on all of a given make and model?

    1. Re:HTTPS on home LAN by aix+tom · · Score: 4, Insightful

      This. Plus, browser that puts warnings on all un-enctypted pages is somehow like a radio that warns before every song that the next song isn't encrypted and might be listened to by anybody. Or a barkeeper telling you at the bar "Don't talk so loud, the police might hear."

      Of course you should have the right to whisper any time you want. But you also should have the right to shout something for everybody to hear whenever you want, without somebody warning that you shouldn't do it.

    2. Re:HTTPS on home LAN by tepples · · Score: 2

      static html websites don't need https

      Without HTTPS, how can you be sure that the information presented on "static html websites" was not modified in transit by a man in the middle on its way from "static html websites" to you?

    3. Re:HTTPS on home LAN by tepples · · Score: 1

      [My Brother network printer] can even generate a CSR which you can sign with your own CA or an external CA.

      In order to sign the CSR with a CA that other devices on your network already trust, including devices brought in by friends and family visiting your home, you'd first need to buy a domain and dynamic DNS service for that domain to allow the CA to verify that you own the domain. It'd take a huge shift in Internet culture to convince the administrator of each home network to buy a domain for that home network.

  5. Hotspots can use RADIUS by tepples · · Score: 1

    Why can't public Wi-Fi use something like RADIUS, or at least a pre-shared key changed daily and posted on all cash registers, instead of a captive portal?

    1. Re:Hotspots can use RADIUS by tepples · · Score: 1

      The TOS would be displayed either on the sign with today's pre-shared key or through the RADIUS challenge mechanism.

  6. GUH by eyenot · · Score: 1

    Eyenot User Begins Just Smashing The Fuck Out Of This Headline With A Hammer

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
    1. Re:GUH by rholtzjr · · Score: 1

      Almost looks like they used Google Translate from Hindi to English

  7. Related issue: This Connection is Untrusted by fustakrakich · · Score: 1

    I'm not using Chrome. What's up Slashdot? Is this a time stamp thing?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Related issue: This Connection is Untrusted by fustakrakich · · Score: 1

      :-) The certificate will not be valid until 09/02/2016 06:19 PM

      Then I shall wait another hour for it to clear up

      --
      “He’s not deformed, he’s just drunk!”
  8. Overly aggressive by jez9999 · · Score: 2

    I used to think that maybe this kind of thing was a good idea, but I've changed my mind. There are all sorts of reasons you might not want to use HTTPS for a website, usually revolving around the fact that it is just a pain in the ass to set up and maintain (especially if you run your own server). It's often overkill during development, or in a situation where you're piggybacking on an already-secure connection like SSH.

    I suspect this is all to do with the desire of big corporations like Google to make the web more of a place for people with $$$. The money and time to setup and maintain SSL infrastructure.

    And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with (good luck if it's not Apache). But that sucks, frankly.

    --
    == Jez ==
    Do you miss Firefox? Try Pale Moon.
    1. Re:Overly aggressive by GameboyRMH · · Score: 1

      I still think a better solution is to treat HTTP and self-signed HTTPS the same - giving no warning for them. By all means display a secure icon for HTTPS with a CA cert, but there's nothing inherently dangerous about an HTTP or self-signed HTTPS connection.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Overly aggressive by tepples · · Score: 1

      It's often overkill during development

      Chrome considers the loopback interface secure. If you can't use localhost because you're testing a web application on a mobile browser, you can run a private CA with OpenSSL and install its root certificate on your testing devices.

      And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with

      You don't have to install Certbot (the canonical client recommended by LE) to get a certificate for a host in a domain that you own. Certbot is only one of many ACME clients that LE supports. Some of these clients support a DNS challenge, in which the CA asks you to put a TXT record on your domain's DNS server instead of a file on your host's server. To use the DNS challenge, you just need the ability to update the zone file. Besides, a growing number of VPS administration packages support ACME; in fact, cPanel 58 added it a couple weeks ago:

      sudo /scripts/install_lets_encrypt_autossl_provider

    3. Re: Overly aggressive by corychristison · · Score: 1

      Alternatively you can get Comodo brand PositiveSSL certs for about $10 for 3 years.

      Tell me again how expensive SSL Certificates are?

    4. Re:Overly aggressive by RandomSurfer314 · · Score: 1

      I agree. An even better thing would be to store the identity if the other side the first time when it is visited, warn the user when it changes afterwards, and leave the initial authentication to side channels. Like SSH does without manual keys. The certificate system with its dubious chain of trust is broken anyway. But corporations and authorities can't allow this, because that would make the Web more secure without giving them any control or other benefits.

  9. So long as the device is actually hardware by tepples · · Score: 1

    Devices makers should arrange (and may need to pay) for their devices to obtain an Internet FQDN and self-issue a certificate from a CA.

    Paying works so long as the device is actually hardware, as the price of a certificate can be built into the price of hardware. It wouldn't work so well if the "device" is a general-purpose computer, such as a PC, an Android device, or a Raspberry Pi board, running a particular application that is free software or otherwise distributed without charge.

    in exchange for, let's say $5000 plus $1000 per year for at least the three year intended lifespan of the product.

    Which would leave Slashdot's comment section even more up in arms about "planned obsolescence" once the three years run out.

  10. Headline is bad syntax by krakrjak · · Score: 2

    Try reading it like this, "Google Chrome Warns Begins ...." What a terrible turn of phrase, get it together editors.

  11. I can has cheezburger by SlaveToTheGrind · · Score: 2

    Google Chrome Begins Warns Users

    Come on, manishs, I know it's after beer thirty on a holiday weekend, but good grief -- this would take about 30 seconds to fix.

  12. And yet, they removed the warning a long time ago! by Anonymous Coward · · Score: 1

    Chrome was one of the first to hide the "http://" prefix.

    That is exactly what "http://" means: no encryption, no authentication.

    And of course, some other browsers started to copy chrome in this regard.

    Stop hiding important information from the user!!!

    The browser UI was perfect around firefox 25 or so. It's gone downhill since.

  13. Re:Stop whining! Httpv2 is good by DavidRawling · · Score: 1

    Honestly,

    - If you run a webserver, go get yourself letsencrypt, use cloudflare or namecheap has cheap ssl.
    - Enable http2 on nginx (if you are using it, use it well)
    - Enjoy faster loading time.

    Your welcome.

    - The argument against https is pointless.

    Let me rephrase that:

    Honestly,

    - If you run a webserver, install this software, just trust us it's fine; redelegate your DNS to this company with-whom-I'm-totally-not-involved so they proxy all your connections and know who's visiting your site (and can sell or hand it over to whatever TLA you like); or pay money to another organisation for a set of we-promise-they're-unique-and-secure-numbers and we would totally never be compromised or behave unethically [cough] Symantec [cough] DigiNotar [cough] Verisign [hack] [cough];
    - Do it my way because spinach and everything supports enforced HTTPS, and the peons can do without
    - Don't worry that your data usage just doubled for HTTPS, it's only $50 a month extra for the upgraded plan and everyone can get gigabit fiber anyway.

    You'rE unwelcome here.

    - The argument against https is my-way-or-the-highway so screw you.

    There, I think I covered it all.

  14. About time by thsths · · Score: 1

    Here we have still unencrypted pages that ask for the single sign on login information. And IT say that's ok, because the HTML POST request is sent off over https...

    I assume Google Chrome would think otherwise.

  15. Let's Encrypt is rate limited by tepples · · Score: 1

    a particular application that is free software or otherwise distributed without charge.

    For the DIY stuff you already can just use Let's Encrypt. [...] contributing button push "Make sure the machine has an actual FQDN then press this button" one click SSL setup

    The "Make sure the machine has an actual FQDN" is the hard part. Each user of an application will have to buy a domain, keep the domain renewed, buy dynamic DNS service for that domain to publish the required TXT record, and keep the dynamic DNS service renewed. Many domain registrars bundle basic DNS service with domain registration, but it's often not dynamic; a user has to edit the zone file through a web form. The application's developer can't just buy its own domain, give subdomains to users, and let all users of that application obtain certificates for those subdomains, because of the rate limit of Let's Encrypt. This means that if an application gets a million users, a million domains will need to be registered, which breaks the "distributed without charge" constraint.

    It's the difference between the person whose WiFi network is named "I Can't Even" and the person whose WiFi network is named "FooCom-E5B206". The latter person probably doesn't even know what an ESSID is, and doesn't care how to change it, but auto-naming is better than the situation where every other WiFi network is called "Netgear".

    But who would pay for the renewal of foocom-e5b206.net after the device's warranty expires?

  16. I Wants Be Slashdot Editor by frovingslosh · · Score: 2

    Google Chrome Begins Warns Users About Insecure Pages

    I've always wished for a job that involved no manual labor and no mental labor.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  17. Re:And yet, they removed the warning a long time a by allo · · Score: 1

    http vs https in the Adressbar were never a good indicator. People do not want to know if its http or https, they want to know if its secure or not.
    And we nerds should acknowlege, that http, spdy, http2, gopher or ftp should be the same for a transport protocol and the user does not need to care, but if its ftp or ftps is important to him.