Google Chrome Begins Warns Users About Insecure Pages

An anonymous reader shares an article on CertSimple, a firm that helps companies prove their identity on their websites: Today Chrome's stable channel was updated with a new HTTPS UI. The changes in these versions of Chrome (Chrome 53 for Windows, Mac users got them in Chrome 52) complete 'transition 1' in Google's HTTPS plans, first announced in December 2014: T1: Non-secure origins marked as Dubious. In other words: Chrome now explicitly tells users non-HTTPS sites aren't private. If a Chrome user visits a site that isn't private -- for example, there's no HTTPS, broken HTTPS, or HTTPS only on 'checkout' pages -- Chrome now displays a mid-grey colored info box.

All Chrome pages are not secure

[110010001000]

Google is a spyware company. Chrome is their spawn. You are their product.

HTTPS on home LAN

[tepples]

And thus people will start seeing the "dubious" mark in the UI when accessing the web-based administration interface of a home router, a home NAS, or a home network printer, which lacks HTTPS because it lacks a certificate, in turn because it lacks a globally unique fully qualified domain name.

Or should a device maker instead deploy the same wildcard certificate with the same private key on all of a given make and model?

Re:HTTPS on home LAN

[aix+tom]

This. Plus, browser that puts warnings on all un-enctypted pages is somehow like a radio that warns before every song that the next song isn't encrypted and might be listened to by anybody. Or a barkeeper telling you at the bar "Don't talk so loud, the police might hear."

Of course you should have the right to whisper any time you want. But you also should have the right to shout something for everybody to hear whenever you want, without somebody warning that you shouldn't do it.

Re:HTTPS on home LAN

[tepples]

static html websites don't need https

Without HTTPS, how can you be sure that the information presented on "static html websites" was not modified in transit by a man in the middle on its way from "static html websites" to you?

Overly aggressive

[jez9999]

I used to think that maybe this kind of thing was a good idea, but I've changed my mind. There are all sorts of reasons you might not want to use HTTPS for a website, usually revolving around the fact that it is just a pain in the ass to set up and maintain (especially if you run your own server). It's often overkill during development, or in a situation where you're piggybacking on an already-secure connection like SSH.

I suspect this is all to do with the desire of big corporations like Google to make the web more of a place for people with $$$. The money and time to setup and maintain SSL infrastructure.

And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with (good luck if it's not Apache). But that sucks, frankly.

Headline is bad syntax

[krakrjak]

Try reading it like this, "Google Chrome Warns Begins ...." What a terrible turn of phrase, get it together editors.

I can has cheezburger

[SlaveToTheGrind]

Google Chrome Begins Warns Users

Come on, manishs, I know it's after beer thirty on a holiday weekend, but good grief -- this would take about 30 seconds to fix.

I Wants Be Slashdot Editor

[frovingslosh]

Google Chrome Begins Warns Users About Insecure Pages

I've always wished for a job that involved no manual labor and no mental labor.