More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io)
Reader Trailrunner7 writes: After years of encouraging site owners to transition to HTTPS by default, Google officials say that the effort has begun to pay off. The company's data now shows that more than half of all pages loaded by Chrome on desktop platforms are served over HTTPS. Google has been among the louder advocates for the increased use of encryption across the web in the last few years. The company has made significant changes to its own infrastructure, encrypting the links between its data centers, and also has made HTTPS the default connection option on many of its main services, including Gmail and search. And Google also has been encouraging owners of sites of all shapes and sizes to move to secure connections to protect their users from eavesdropping and data theft. That effort has begun to bear fruit in a big way. New data released by Google shows that at the end of October, 68 percent of pages loaded by the Chrome browser on Chrome OS machines were over HTTPS. That's a significant increase in just the last 10 months. At the end of 2015, just 50 percent of pages loaded by Chrome on Chrome OS were HTTPS. The numbers for the other desktop operating systems are on the rise as well, with macOS at 60 percent, Linux at 54 percent, and Windows at 53 percent.
loaded over...and then blanked out by JavaScript looking at Adblock's actions.
do they really think my next action would be to disable Adblock? Really? I just close the tab and move onto another page...
Great push for HTTPS, guys.
Good to know that when state actors or, heck, our own government, want to flood out DNS again, we'll be stuck resolving certificates and failing to consume services because we got so giddy with SSL everywhere.
Keep writing downgrade proxies and alternate routes. We're reaching a point where the US is self-sabotaging DNS.
Yes, HTTPS is fine for anything sensitive, but does my recipe site really need to provide HTTPS pages?
Seriously, there is no need for every site to output HTTPS pages. If you're really afraid that someone might eavesdrop and see you looking at Banana Bread recipes, you have bigger problems than an HTTPS connection can fix.
Just cruising through this digital world at 33 1/3 rpm...
That made my fucking day
Thanks to these guys, encryption is like it should be - quick, easy and no exorbitant fees imposed by the old-school certification mob. Got everything running over TLS now - in production, staging and private... Cheers
Thanks Google. I feel so much safer now.
How do they know what websites I visit and what percentage of them are using HTTPS?
Sounds like I don't have the privacy they are trying to protect
it's not a perfect solution, but it's far better than nothing
And install Linux. Telemetry on what pages you load going back to Google? No thanks.
Without HTTPS, you can't trust the Chinese government to not MITM your recipe and add a superdose of red hot chilli pepper as an ingredient in your recipe. Once they do, expect to get sued for burning my tongue.
I run Apache and I even compiled in HTTPS support, but here's the thing; I need a valid certificate which costs real money.
Is there an anonymous way to run an HTTPS server?
Something that doesn't guarantee the identity of the website, but still allows the traffic to be encrypted?
...where anyone visits with a browser?? Let this be a reminder, all you Chrome consumer sheep, not to wander anywhere that you wouldn't want Google (and therefore, the cops and feds) to know about.
Why do you say StartCom is dead? My website is secured with a StartCom SSL certificate and it's still working. I can also buy a new one.
Menzoberranzan Networks
... it's a racket for SSL authorities who charge for their certs. Unless you want to install onerous ACME software on your server. Suckage.
https://letsencrypt.org/
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Following numerous severe breaches of CA protocol by WoSign (StartCom's parent company) and by StartCom under their ownership, Mozilla, Google and Apple have all decided to revoke the trust in both CAs - MS has yet to commit, but is very likely to follow suit. The only saving grace is that they are doing so in such a way as to not disrupt existing certificates, but if you get a new StartCom certificate now, it's not going to work in any of the major browsers in a few months' time.
UNIX? They're not even circumcised! Savages!
My site is a podcast host where people connect to simply grab the latest episode. I am not going to pay for a fucking SSL cert for a read-only site.
Sorry, but there is no reason at all for SSL everywhere. Read-only sites don't need it, and adding that heavy overhead to read-only sites is a bunch of BS.
But your new one will not work in most popular browsers. https://blog.mozilla.org/secur... And Chrome joined them this week...
My webhost offers FREE SSL certificates through Let's Encrypt or you can roll your own. There's also a paid SSL certificate option.
https://letsencrypt.org/
Thanks for the heads-up! I'll have to look for another SSL provider...
Menzoberranzan Networks
so what's the alternative now to get a free SSL certificate valid in browsers?
"jez9999 ( 618189 )" says:
... it's a racket for SSL authorities who charge for their certs. Unless you want to install onerous ACME software on your server. Suckage.
"swillden ( 191260 )" says:
I know what will make me look smart, I'll provide an alternative to requiring ACME software running as root, by giving a link to a cert provider requiring ACME software running as root!
https://letsencrypt.org/
This is clearly the solution, the exact thing you are complaining about!
And the fact that them being able to get this information doesn't scare and infuriate people? Even if the metric is anonymized, why the fuck do people accept software that spies on you? Yes I'm aware that majority of software does.. but why the hell do we accept it?
Digital is, by definition, imperfect. Analog is the way to go.
Not only does most stuff not need to be HTTPS, it often destroys caching, lowers battery life, and hurts performance.... but also.... how does Google know these statistics unless they are freely admitting that they have major spyware in their non-open, binary-only Chrome browser? So this whole https on non-important pages is theoretically so much better for privacy and security, except that Google gets to know everywhere you go?
There are many reasons I don't use Chrome....
How does Google know this? I would assume they are keeping metrics of which sites people are viewing, in which case...
Whoa, Big Brother, much? I do not want my browser reporting back to the mothership of what sites I use or what passwords I use when I access whichever bank I use.
So https and "Let's Encrypt" is a massive money maker for Google.
Google makes their money off advertising. The more https, the more ad sales for them! And the less for their competitors.
It's a mega win for Google.
Let's Encrypt is still free, if their system will work for you, and Symantec is in the process of setting up something that seems similar over at FreeSSL. Otherwise, you can get cheap certs from Comodo and GoDaddy (yeah, their rep isn't great either, but it's just a binary file when you get right down to it) - ideally via one of their resellers who will offer lower prices, and the prices go up from there. Another approach is to shop around for a suitable VPS or other hosting bundle that includes a certificate in the price, which can often work out quite cost effective. Finally, if you fit the criteria, there are some commercial vendors that offer free certificates to non-profits - e.g. GlobalSign's offer of a free certificate for OSS projects.
UNIX? They're not even circumcised! Savages!
You seriously haven't heard of letsencrypt.org?
>After years of encouraging site owners to transition to HTTPS by default, Google officials say that the effort has begun to pay off.
Oh, fuck off, go sell some ads. Is this mere ad broker really claiming credit for increased https adoption? That's rich. This is a company that loads all kinds of crapware ads and data collection crap in websites everywhere. The kind of shit company you have to filter out with ad blockers, with dns and anti-tracking plugins.
I feel for you. StartCom was nice to use, but after a string of naughty behaviour most browsers are revoking trust in their certificates. I recommend finding a new CA.
If anything, ACME is a vast improvement over what we had before.
You might not mind 1) obtaining a new client certificate, 2) installing it in the browser, 3) generating and uploading a CSR, 4) proving that you have control over the domain, 5) downloading the new certificate, 6) installing it on the server, 7) restarting the server with minimal downtime.
It used to take about 30min of work once a year for each of my domains. It also was a little tedious to schedule, as StartCom only gave a relatively small time window to do so. I think it was only about two weeks or so. But everything considered, for a private site with only one or two domains, it was just about bearable.
With Let's Encrypt, things are a lot easier. You set things up once, and certificates will continue renewing automatically in perpetuity. Very little if any maintenance is required, and you can do it on your own schedule. Also, Let's Encrypt is much saner with regards to "subject alternate names". That solves a lot of problems that I used to have with StartCom.
Finally, there is a plethora of different ACME clients to choose from with lots of different feature sets and designs. I don't have first-hand experience with how things look on Mac or Windows, but on most traditional UNIX systems (including Linux), there really is no excuse for not setting up ACME. Also, most of the clients support both HTTP and DNS as a way to verify control of the domain. That's huge! It solves a lot of the problems of dealing with complicated firewalls and legacy server software.
Then use an ACME client that doesn't require administrator privilege, in particular one that uses the DNS challenge instead of the HTTP challenge.
> so what's the alternative now to get a free SSL certificate valid in browsers?
Really, who do you expect to honestly verify that the person ordering the certificate actually owns the domain name being issued to for FREE?
For FREE you can't even match a credit card against DNS registration records. At a small loss, someone can auto-approve all requests. You're missing the point of SSL if you're using an encrypted channel to an anonymous server.
I keep saying that we want to encrypt all internet traffic, so as to make it impossible for the Three Letter Agencies to snoop on us all.
However I'm willing to amend that. Your recipe site does not need HTTPS. There, are you happy?
What we really need is for a substantial component of all Web traffic to be encrypted, and for 99.999% of all encrypted traffic to be recipe sites, standard commercial or financial traffic, porn, cat videos, political arguments, just boring old business as usual. That way, simply being encrypted does not draw the attention of the TLAs. We want that because when 0.1% of all Web traffic is encrypted, you can become a suspect just for using encryption. That's not right no matter what the TLAs say about it.
I don't know how great a traffic percentage a "substantial component" needs to be. Let's say between one-third and two thirds of all internet traffic, as a lower bounding limit. If I really had my way however, it would be 99.999% of all packets, everywhere.
And that's the problem. Until recently HTTP was the default and you had to specifically request and implement HTTPS. This resulted in the vast majority of all packets being unencrypted. We need to flip that around, so that HTTPS is the default and you only get HTTP if you specifically request and implement that.
Isn't it a bit stupid to support HTTP for domain validation? The whole point of HTTPS is that you can't trust the identity of HTTP as it's vulnerable to a MITM attack yet it's just fine for getting an automated cert.
== Jez ==
Do you miss Firefox? Try Pale Moon.
It's the browser acting as if a self signed certificate is less secure than no certificate.
Browser makers find it important to accurately report the truth of the sense of security. A self-signed certificate used with the https: scheme gives a false sense of security, whereas the http: scheme gives a true sense of insecurity.
Let's encrypt may be better, but it depends on how browsers decide to treat domain-validated certificates.
The only browser I've ever seen that warns for valid domain-validated certificates is Comodo Dragon. Any certificate that isn't at least organization-validated causes Dragon to show the "mixed passive content" icon in the location bar and an amber interstitial, which resembles the red interstitial for an untrusted issuer and has text to this effect:
You can trust HTTP as much as you can trust DNS. That's why automated CAs hit a site from several different paths through the Internet. The only practical way the MITM can compromise the validation is by being on the server's only uplink.
And don't bring up DNSSEC until the root is signed with a key longer than 1024 bits.
The easiest way to switch a legacy service to HTTPS is to install an NGINX reverse proxy in front of it.
Provided it has its own fully-qualified domain name.
If a service accessible over a LAN is normally accessed with a private IP address (such as one in 192.168/16), or with a hostname under a phony TLD (such as .local), the CAs won't issue a certificate. This is true, for example, of the HTTP server for administering a router, printer, or NAS. Mozilla's FAQ about deprecation of cleartext HTTP acknowledges this problem but offers no fix yet:
There's also the expense and upkeep of maintaining current certificates. I have 100+ sites.
Then set up Certbot or another ACME client to renew certificates for 100+ of these sites, and put it on a cron job.
DNS validation is awesome. I have a couple of embedded devices (e.g. a remote KVM switch) that have minimal support for SSL certificates. I was never able to figure out how to use them with traditional CAs. But ACME over DNS was super easy to set up for these devices.
That's what "certificate transparency" is for. And it's quickly becoming a mandatory feature.
Also, "certificate pinning" can help. But there are pros and cons to it. It's not appropriate for every site.
Anyone else trying that will first need to buy a domain with which to do ACME over DNS, correct?
Anyone still trusting Google for ANYTHING in 2016 is a fool. If you're not actively blocking everything Google-powered from a trustworthy browser (anything Google didn't create or help create), you're being tracked by Google, and a quick visit to your Google preferences will show you a disturbing trail of all the Googlebot sites you've been to. And while they say you can "disable" this, they're still tracking you behind the scenes.
Just say "fuck you" to Google and embrace privacy and common sense. Oh, and if you have a smartphone of ANY description, not just Google and even if you've disabled as much Googleification on the Androids, you're still being tracked. We need to start fighting back against being tracked, cataloged, categorized, and watched NOW. Say no to Google, Microsoft, Amazon, Apple, and many other companies that want nothing but to watch everything you do and give themselves and other companies the opportunity to deny you things or at least change what they offer based on your innocent habits. The fallacy of "I have nothing to hide" is complete bullshit, and you need to understand that not giving your habits to companies is not just for people trying to hide illegal or bad activities.
Yes, you need to own at least one domain. But you can then use subdomains for everything else. Any cheap domain will do. But yes, it'll cost you on the order of $10/year for all your computation needs.
how many pages that chrome loads are to google's own sites, services, and pages? gmail? https. youtube? https. photos and g+? https. search? https. even grandma's web searches for "google" and "yahoo" and "hotmail" get counted.
Thus the inclusion of WebRTC and Fullscreen in the Secure Contexts proposal, currently a W3C Candidate Recommendation, is one big handout to domain registrars. Ten million homes with NAS devices means 10 million domains that need to be registered and renewed annually, to the tune of $100 million a year for registrars. At least it's not quite as bad as it'd be without Let's Encrypt, in which it would have been a handout to both the registrar racket and the CA racket.
Even most paid certs are only verified with a file on the webserver or an email sent to the domain.
EV certs are the exception (and in that case the CA does, or at least is supposed to, provide an actual useful identity verification service), but for normal certs you can easily automate the check in exactly the way LE does.
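To make the challenge mechanics behind the comments above concrete (the "file on the webserver" check, the HTTP-versus-DNS validation choice, and the multi-path validation argument), here is an added example of my own, not code from the thread or from Let's Encrypt. It computes the HTTP-01 key authorization and the DNS-01 TXT value as RFC 8555 defines them, and models a CA accepting HTTP-01 only when a quorum of fetch paths agree; the JWK coordinates, token and fetchers are constructed stand-ins, not real keys or network paths.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List
# Constructed sample data (hypothetical, not a real key or token): an ACME
# account key as a JWK and a challenge token as a CA would hand it out.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-not-a-real-point",
              "y": "constructed-y-coordinate-not-a-real-point"}
SAMPLE_TOKEN = "constructedToken-0123456789abcdef"

def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """HTTP-01: the body the site serves at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """DNS-01: the TXT record value published at _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())

def validate_http01(domain: str, token: str, jwk: Dict[str, str],
                    vantage_points: List[Callable[[str], str]], quorum: int) -> bool:
    """Simplified CA-side HTTP-01 check: fetch the challenge URL over several
    network paths and accept only if at least `quorum` of them return the
    expected key authorization, so one altered path cannot pass on its own."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, jwk)
    agreeing = 0
    for fetch in vantage_points:
        try:
            body = fetch(url)
        except Exception:
            continue  # an unreachable path is simply a failed observation
        if body.strip() == expected:
            agreeing += 1
    return agreeing >= quorum

def make_fetcher(served: Dict[str, str]) -> Callable[[str], str]:
    """One network path reading the site's files (a dict stands in for the web server)."""
    return lambda url: served[url]

def tampered_fetcher(url: str) -> str:
    """A path on which the response did not arrive intact."""
    return "not-the-expected-key-authorization"
```

Run `validate_http01` with three `make_fetcher` paths and `quorum=2` to see it pass, then swap two of them for `tampered_fetcher` to see it fail.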
How come no one points out the concern about how Google is apparently harvesting URL information from deployed instances of Chrome?
The "onerous ACME software" that the OP was complaining about is the Let's Encrypt application, FYI.
Thanks, went with Let's Encrypt. Turns out it's even better as the certificates auto-renew. So even if the duration is only 90 days (1 year with StartCom) it doesn't matter.