Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io)

Posted by msmash on from the secure-web dept.

Reader Trailrunner7 writes: After years of encouraging site owners to transition to HTTPS by default, Google officials say that the effort has begun to pay off. The company's data now shows that more than half of all pages loaded by Chrome on desktop platforms are served over HTTPS. Google has been among the louder advocates for the increased use of encryption across the web in the last few years. The company has made significant changes to its own infrastructure, encrypting the links between its data center, and also has made HTTPS the default connection option on many of its main services, including Gmail and search. And Google also has been encouraging owners of sites of all shapes and sizes to move to secure connections to protect their users from eavesdropping and data theft. That effort has begun to bear fruit in a big way. New data released by Google shows that at the end of October, 68 percent of pages loaded by the Chrome browser on Chrome OS machines were over HTTPS. That's a significant increase in just the last 10 months. At the end of 2015, just 50 percent of pages loaded by Chrome on Chrome OS were HTTPS. The numbers for the other desktop operating systems are on the rise as well, with macOS at 60 percent, Linux at 54 percent, and Windows at 53 percent.

18 of 136 comments (clear)

  1. ...and then blanked out by JavaScript by Anonymous Coward · · Score: 4, Insightful

    loaded over...and then blanked out by JavaScript looking at Adblock's actions.

    do they really think my next action would be to disable Adblock? Really? I just close the tab and move onto another page...

  2. Needless bullshit by JustAnotherOldGuy · · Score: 4, Insightful

    Yes, HTTPS is fine for anything sensitive, but does my recipe site really need to provide HTTPS pages?

    Seriously, there is no need for every site to output HTTPS pages. If you're really afraid that someone might eavesdrop and see you looking at Banana Bread recipes, you have bigger problems than an HTTPS connection can fix.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Needless bullshit by kangsterizer · · Score: 4, Insightful

      https also ensure the pages cannot be modified. if someone knows your recipe site, they trust you and its content.
      if tomorrow they visit and it asks for a donation for example, they'll think its for you and donate. bad luck, it was the attacker.

      basically, there is more than confidentiality issues ("they can see your data"). there's also integrity issues ("they can change the data displayed")

      besides - there's plenty of ways this can go wrong for confidentiality as well. there are billions of websites. some start as a recipe site, and end up asking login, processing password, etc. some not. people make mistakes along the way. its much safer and easier to basically require https across the board - specially that its pretty much free to do so now.

    2. Re:Needless bullshit by swillden · · Score: 4, Informative

      Yes, HTTPS is fine for anything sensitive, but does my recipe site really need to provide HTTPS pages?

      That depends, is every user's browser perfectly secure? (Hint: the answer is no)

      HTTPS provides three guarantees that HTTP does not.

      1. Secrecy. This is the one that you focused on; keeping the contents of the traffic between your recipe server and its clients secure against eavesdroppers. You're probably right that it doesn't matter.
      2. Authentication. HTTPS verifies to the client that it is talking to the server it thinks it is, rather than some other, possibly malicious, server.
      3. Integrity. HTTPS that the contents of the traffic between your reciper server and its clients is secure against modification.

      Both 2 and 3 are important individually, and together they provide an assurance that your clients are getting your content and nothing else. Not only does this mean the recipes won't be modified, but it means the recipe documents cannot be modified so they exploit browser vulnerabilities to hijack the user's browser, or possibly the user's entire computer.

      Of course, this still leaves open the possibility that your recipe server is malicious, either because you are or because someone else has taken control of it. Those possibilities are addressed by Safe Browsing infrastructure that attempts to identify and warn users away from malicious sites. But that only works if the browser actually knows what site it's talking to, so HTTPS is an essential enabling technology for Safe Browsing.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Needless bullshit by Second_Derivative · · Score: 4, Insightful

      If a small amount of global web traffic is encrypted then the encrypted traffic will stand out and bring scrutiny.

      If everything is encrypted, no matter how mundane, then genuinely sensitive traffic becomes less conspicuous.

    4. Re:Needless bullshit by houstonbofh · · Score: 2

      All of the responses to the OP miss his point. Not every website needs to pay the cost of encryption for no real reason. Yes it is a trivial cost on your recipe site, but not so much when you have a thousand hits a minute. For example, why encrypt a popular photography website? (Unless it has a login) When my website was slashdotted I was very glad it was not encrypted! Performance stayed good in spite of the slashdotting. But my monitoring showed it was at 90% plus for a few days! That extra bit of encryption would have tipped it over.

    5. Re:Needless bullshit by vadim_t · · Score: 3, Informative

      Some ISPs and access points have been doing realtime traffic modification and inserting ads into websites. Since it's well known that some ads are malicious, then yes, it's very much beneficial for a recipe site run on SSL, because it makes it impossible to hijack the trusted and harmless site for nefarious purposes, such as serving you some kind of trojan via an ad.

    6. Re:Needless bullshit by Cramer · · Score: 2

      99.9999999999999999999999999999999999999999% of "rewriting" attacks happen on the webserver itself -- i.e. hacks that insert crap into your swiss cheese wordpress blog. The remaining rounding error are the result of local malware on the web browsing PC -- i.e. the browser inserted that crap. I have yet to even hear of a nefarious operation inserting crap into live traffic. (yes, there have been ISPs with aggressive proxies that can (and did) insert/modify content. If you cannot trust your ISP, you have other problems that SSL won't always fix.)

    7. Re:Needless bullshit by Dagger2 · · Score: 2

      Last year, Github was hit by a DDoS caused by attack code injected into plain-text http:// traffic by someone in China.

      Let's assume for a moment that the attack on Github consisted of altering the contents of a single 50 byte packet. If that 50 byte packet corresponds to 0.0000000000000000000000000000000000000001% of rewritten traffic, then the remaining 99.9999999999999999999999999999999999999999% would correspond to 10^19 yottabytes of traffic.

      Bearing in mind that total global internet traffic is barely even one zettabyte per year, let alone over a million trillion yottabytes, I think it's reasonable to conclude that the percentage of attacks that occur on the webserver as opposed to somewhere in-flight is lower than 99.9999999999999999999999999999999999999999%. (Especially when you consider that the DDoS that Github was struggling with for 4 days most likely involved rewriting more than a single 50-byte packet.)

  3. Let's Encrypt definitely helped... by dimethylxanthine · · Score: 2

    Thanks to these guys encryption like it should be - quick, easy and no exorbitant fees imposed by the old school certification mob. Got everything running over TLS now - in production, staging and private... Cheers

    1. Re:Let's Encrypt definitely helped... by dargaud · · Score: 2

      I just decided to convert my ancient and minor (used to be big in '96 [like yahoo!!!]...) website to https with let's encrypt, but CentOS 5 is not supported and I have no plan to reinstall the entire server. I spent 2 hours looking at various pages giving complex and non-working workarounds without success before giving up. A decade ago I went through the entire 'normal' https process, spent a morning to get it all working with success and then 6 months later when I had to renew I had no clue what I had to do again and said fuck it instead of wasting another morning.

      --
      Non-Linux Penguins ?
  4. Re:My personal web site does not support HTTPS by fph+il+quozientatore · · Score: 4, Informative

    Ever heard of https://letsencrypt.org/ ?

    --
    My first program:

    Hell Segmentation fault

  5. Re:My personal web site does not support HTTPS by Junta · · Score: 2

    lets encrypt will issue certificates, without even so much as a registered account.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  6. Re:And with StartCom dead... by Zocalo · · Score: 3, Informative

    Following numerous severe breaches of CA protocol by WoSign (StartCom's parent company) and by StartCom under their ownership, Mozilla, Google and Apple have all decided to revoke the trust in both the CAs - MS has yet to commit, but is very likely to follow suit. The only saving grace is that they are doing so in such a way as to not disrupt existing certificates, but if you get a new StartCom certificate now, it's not going to work in any of the major browsers in a few months time.

    --
    UNIX? They're not even circumcised! Savages!
  7. Re:And with StartCom dead... by houstonbofh · · Score: 2

    But your new one will not work in most popular browsers. https://blog.mozilla.org/secur... And Chrome joined them this week...

  8. Re:My personal web site does not support HTTPS by drago177 · · Score: 2

    Ya, and any webhost running cPanel can do it through Comodo (or letsencrypt with a plugin):
    https://blog.cpanel.com/autoss...

  9. Re:Another reason to wipe the Chromebook by Cramer · · Score: 2

    If you run chrome from that fresh linux install, they'll get exactly the same stats from you.

  10. Re:spyware by markus · · Score: 2

    HTTP/2 requires encryption and gives much better performance than plain old HTTP.

    If you want a fast and efficient site, there is no way around getting a valid certificate.

    The same is true if you want to use any of the more modern HTML5 features. They're disabled for legacy sites