Slashdot Mirror


Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com)

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.

67 comments

  1. Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 2, Insightful

    The entire internet is 'non-secure', by design. Your silly https is a fucking joke, worse it's a lie.

    1. Re:Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 1

      Can you elaborate?
      Millions of online banking transactions happen a day over https. Is each connection susceptible to unwanted examination?

    2. Re:Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 2, Interesting

      I assume you haven't heard the old joke about how fast you have to run to outrun a lion? The answer is: faster than the other guy. Think about it.

    3. Re:Oh Please! Let's stop pretending here by grumpy_old_grandpa · · Score: 2

      Security is not an absolute, or a single point target.

      HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days. It will not protect against a targeted attack by the CIA, but it will challenge the NSA dragnet programs and Phorm ad injections.

      Security is always a cat and mouse game ad infinitum. The attacker comes up with a better weapon, so you raise your fence, so he brings a trebuchet...

    4. Re:Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 0

      HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days. It will not protect against a targeted attack by the CIA, but it will challenge the NSA dragnet programs and Phorm ad injections.

      Only as long as you are convinced that the NSA doesn't have the ability to create their own certificates, unlike countries like Turkey or China.

    5. Re:Oh Please! Let's stop pretending here by edtice1559 · · Score: 2

      In most cases, the goal is to protect the data from garden variety criminals not state-sponsored actors. My house is insecure as well since the police could bust the door down. But having locks on the door still goes a long way. The NSA doesn't need to impersonate a certificate to get my credit card number, they could just send a national security letter to the issuer!

  2. Anyone who cares would already notice. by Anonymous Coward · · Score: 0

    People know Https by now, most users call it "the key icon thing" and give it exactly 0.2 seconds of thought. You think one more tiny indicator will change behavior significantly? Maybe a little, but it sure doesn't address either problem directly.

    1. Re:Anyone who cares would already notice. by sunderland56 · · Score: 0

      People know Https by now, most users call it "the key icon thing" and give it exactly 0.2 seconds of thought. You think one more tiny indicator will change behavior significantly? Maybe a little, but it sure doesn't address either problem directly.

      The entire point of computers is to automate things. Requiring humans to do something that is trivial to automate is just wrong.

      Dear Chrome (and Firefox):
        - add a setting "block all insecure http: connections"
        - default the setting to on
        - now both the people who don't want to be bothered in checking AND the people that don't understand security are protected
        - luddites that still want http: transport can enable it

    2. Re:Anyone who cares would already notice. by Anonymous Coward · · Score: 0

      Dear Chrome (and Firefox):
      - add an adblocker and a script blocker
      - default the settings to on
      - now both the people who don't want to be bothered in checking AND the people that don't understand security are protected
      - idiots that still want to be fucked over can enable it.

    3. Re:Anyone who cares would already notice. by michelcolman · · Score: 1

      I have a couple of websites about games I made. There's some text info, some screenshots, and a link to the App Store. No information entry boxes, no cookies, no tracking, no ads, nothing.

      Why exactly should I be forced to "upgrade" those sites to https?

    4. Re: Anyone who cares would already notice. by Anonymous Coward · · Score: 0

      Why exactly should I be forced to "upgrade" those sites to https?

      More annoyingly: how do you get an SSL certificate for punycode domains? Most vendors refuse to issue certificates for these domains unless you pay $500/year for the extended validation. Highway robbery...

  3. Do I really want to know by WaffleMonster · · Score: 2

    "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. "

    How do they know this?

    1. Re:Do I really want to know by Afty0r · · Score: 4, Informative

      How do they know this?

      From all the browsing activity conducted through Google Chrome by people who have agreed to let them use anonymised browsing data for statistical purposes.

    2. Re:Do I really want to know by Anonymous Coward · · Score: 0

      It's easy to jump to the conclusion that they are snooping. It does not have to be that way.

      Google indexes the pages and sees that there is a non secure password entry box. Then someone does a google search and clicks a link that takes them to that page.

    3. Re:Do I really want to know by Anonymous Coward · · Score: 0

      Of course they are collecting data. It is not even a secret. Anyone who believes otherwise is beyond naive.

    4. Re:Do I really want to know by thegarbz · · Score: 1

      How do they know this?

      Wait. Are you telling me you didn't read the EULA?

  4. Is "Krystalo" actually Emil Protalinski? by Anonymous Coward · · Score: 4, Interesting

    Is "Krystalo", the submitter of this submission, actually Emil Protalinski? All three of the articles linked to by this submission are on this "VentureBeat" site, and all three list "Emil Protalinski" as the author.

    A cursory glance at the submission history for this "Krystalo" Slashdot user shows other submissions linking to this "VentureBeat" site.

    So perhaps this is a case of self-promotion, where this "Emil Protalinski" fellow is submitting his own articles to Slashdot as "Krystalo"? Or perhaps it's a colleague doing it?

    Emil Protalinski, can you please confirm what is happening in this case?

    This "VentureBeat" situation is starting to look a lot like the "BetaNews" situation. There appears to be about one "VentureBeat" submission that gets on the Slashdot front page each week.

    Now this isn't as bad as the "BetaNews" submissions, which end up on the Slashdot front page almost daily. Sometimes there are even multiple submissions in a single day linking to "BetaNews" articles!

    The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted. It starts to make Slashdot look sketchy when there's a submission from "BetaNews" on the Slashdot front page almost every day, and one from "VentureBeat" almost every week.

    We should get a variety of news here, and it should not come from the same sources again and again and again and again, especially if it may be the sources themselves that are submitting submissions that link back to their own sites.

    1. Re:Is "Krystalo" actually Emil Protalinski? by thegarbz · · Score: 1

      The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted.

      Why? Slashdot has constantly been used for self promotion almost back to its inception. The only thing that anyone is interested in is:
      a) is the story relevant and interesting to the site
      b) is the story true
      c) what are the story's biases

      Who it comes from is secondary to all this.

    2. Re: Is "Krystalo" actually Emil Protalinski? by Anonymous Coward · · Score: 0

      Link to the original source is also important, not that the mods care

  5. Re:But will it mark gmail and google.com as spywar by Anonymous+Brave+Guy · · Score: 2, Insightful

    Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop.

    Just ask yourself how Google can possibly know that and you can get a pretty good idea of where it really stands on the spyware/privacy issue.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  6. What browser isn't as invasive? It isn't Firefox! by Anonymous Coward · · Score: 0

    Is there a modern web browser that we can use that doesn't collect so much information and distribute it to the browser vendor or other parties?

    I know that a lot of people will suggest Firefox, but when I looked at the Firefox privacy policy earlier, it sure did list a heck of a lot of information that gets sent to Mozilla and possibly others.

    Their page clearly lists various types of identifiers and browsing history that might be sent, including such things as: "IP address", "location", "phone number", "email address", "URLs", "information about visited sites", "terms you type in the Awesome Bar or Search Bar", "website domain", "Google advertising ID", "active URL at time of crash" and "personal information".

    These are some of the things I saw listed when I looked earlier:

    "Once per day, Firefox sends the following info to Mozilla when it checks for browser updates: your Firefox version information, language preference, operating system, and version."

    "Firefox contacts Mozilla once per day to check for add-on information to check for malicious add-ons. This includes, for example: browser version, OS and version, locale, total number of requests, time of last request, time of day, IP address, and the list of add-ons you have installed."

    "Firefox sends Mozilla a monthly request to look up your location at a country level using your IP address."

    "Some Mozilla sponsored snippets are interactive and allow you to optionally share your phone number or email address. For example, you can enter your phone number to receive an SMS to install Firefox on Android. Your information is received and handled by our email and mobile marketing vendor."

    "This data includes, for example: device hardware, operating system, Firefox version, add-ons (count and type), timing of browser events, rendering, session restores, length of session, how old a profile is, count of crashes, and count of pages."

    "Firefox may send metadata, including URLs associated with the downloaded file, to the SafeBrowsing service. "

    "Firefox that sends Mozilla usage, performance, and responsiveness statistics about user interface features, memory, and hardware configuration. Your IP address is also collected as a part of a standard web log."

    "When Telemetry is enabled, certain short-term experiments may collect information about visited sites."

    "Firefox sends to Mozilla data relating to the tiles such as number of clicks, impressions, your IP address, locale information, and tile specific data (e.g., position and size of grid)."

    "Firefox sends Mozilla a request once to look up your location at a country level using your IP address."

    "Firefox may send the terms you type in the Awesome Bar or Search Bar to your Default Search Engine to retrieve suggestions"

    "Firefox may send “Referral Data” such as the website domain"

    "Firefox sends Referral Data to our mobile analytics vendor, and also includes a Google advertising ID, IP address, timestamp, country, locale, operating system, and app version."

    "Firefox records and sends Referral Data to Mozilla as part of Firefox Health Report. "

    "Firefox may use several pieces of data to determine your location, including your operating systems geolocation features, Wi-Fi networks, cell phone towers, or IP address."

    "This report contains technical information for us to improve Firefox including why Firefox crashed, the active URL at time of crash, and the state of computer memory during the crash. The crash report we receive may include personal information."

    "Firefox sends information to Mozilla, including the list of add-ons you have installed, Firefox version information, and your IP address."

    Some people will try to justify this by saying nonsense like "At least they disclose it!"

  7. So why does chrome hide http: in the url????? by Anonymous Coward · · Score: 0

    Websites loaded with http: are non-secure.

    That is the design and what http: means.

    And yet chrome (and firefox) choose to hide http: by default - this has been the case for a while now.

    1. Re:So why does chrome hide http: in the url????? by jaklode · · Score: 1

      This makes it more obvious. If it's secure, there's a :// in the URL bar :D

    2. Re:So why does chrome hide http: in the url????? by KiloByte · · Score: 1

      Thanks! Now I know I can trust ftp:// and gopher:// links to be safe!

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  8. Re:But will it mark gmail and google.com as spywar by Anonymous Coward · · Score: 0

    In theory, if they control the connections in between, they could have those figures regardless of the browser being used to connect to any site served using http rather than https. All they're doing is making this a little more obvious to people using their particular browser.

  9. Re:What browser isn't as invasive? It isn't Firefo by Anonymous Coward · · Score: 1

    Telemetry is off by default in Firefox. Don't like it, don't ENABLE IT!

  10. Browser by Anonymous Coward · · Score: 0

    Google should mark their entire browser as non-secure given how much it calls home on pretty much everything you browse on it.

    Even every time you simply start the browser, with about:blank as your home page and nothing loaded, it still tries to call home.

    I'd like to wonder that when you save your wifi passwords on your android phones, do they get transmitted to Google servers?

  11. Re:good by Anonymous Coward · · Score: 3, Informative

    The cert expires after 3 months, not the key. I use Let's Encrypt with key pinning and have had the same key pinned for over a year. The verification of domains by Let's Encrypt is similar to that of other CAs. A cert means control over a domain, nothing more.

  12. Re:But will it mark gmail and google.com as spywar by Anonymous+Brave+Guy · · Score: 2

    Why would Google have any control or visibility of anyone's connections, unless either that person also independently uses Google services in some sort of ISP capacity or the sites they are visiting independently use Google services in some sort of hosting capacity?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  13. Re:good by xxxJonBoyxxx · · Score: 0

    >> with let's encrypt available, there is zero reason to use http anymore

    Unless you host multiple information-only web sites (e.g., read only, no CMS or forms) on a hosting plan that lets you host dozens or hundreds of small sites cheaply. The jump to move each site from http to https typically increases annual hosting fees from a dollar or two to a hundred bucks or so (since ISPs will often charge dedicated IP and/or certificate maintenance fees, even if (or especially if) you bring in a cert from a third party).

  14. "23 percent reduction" by roc97007 · · Score: 1

    "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop."

    Ok, but is that because the users started using https pages, or because the businesses in question switched to https,

    ...or because the user switched to Firefox?

    I mean, we've been trained for the last 20 years that if you get an error, Switch Browsers.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  15. Giant fucking waste of time is what it is. by Chas · · Score: 0

    Sure, maybe for banking sites and anything where money changes hands.

    I can understand that.

    But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?

    Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?

    But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?

    It's the whole fucking popup verification debacle all over again!

    "Are you sure?" Yes.
    "Are you sure?" Yes.
    "Are you sure?" Yes.
    "Nuke your hard drive and fuck you in the ass?" Yes...wait WHAT?
    TOO LATE!

    --
    Chas - The one, the only.
    THANK GOD!!!
  16. Worse than that, it hides the malware on WordPress by raymorris · · Score: 1

    > But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
    > Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
    > But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?

    It's worse than that. The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS, is a very common vector for malware. The kind of malware that your company's firewall is set up to block. But of course it can't see and block the malware encrypted via https. A lot of security, protection from malware, phishing, etc, requires visibility into what's happening on the network. Encryption is very useful when applied properly in the proper places, but https everywhere also has a very real security *cost*. Every security-related decision will have both costs and benefits.

    It is wise to consider both costs and benefits and apply the right tools for each situation. *Anything* "everywhere" is probably less than ideal.

  17. Re:good by Anonymous Coward · · Score: 0

    You are shilling pretty hard here. The effect of your argument is that "only domains tied to businesses with money deserve encryption."

    Please.

  18. Re:Worse than that, it hides the malware on WordPr by Anonymous Coward · · Score: 0

    >The kind of malware that your company's firewall is set up to block. But of course it can't see and block the malware encrypted via https.

    Are you retarded? If your company's firewall is MITM-ing all https traffic to filter and block attacks then fire your IT and hire someone half way competent.

  19. Re:What browser isn't as invasive? It isn't Firefo by Anonymous Coward · · Score: 0

    Can somebody please mod down the parent? It's flat out wrong.

    From the Firefox telemetry FAQ:

    Why is Telemetry enabled by default on the Firefox pre-release channels?

    Users use Firefox pre-release builds in order to test and provide feedback on new features; enabling Telemetry by default on these channels makes it easier for them to do so by allowing Mozilla to better identify new issues and regressions early in the development cycle and make Firefox a better product.

    Some versions of Firefox do come with telemetry enabled by default. The parent is wrong.

    Besides, disabling telemetry doesn't address the other 15+ privacy issues the GP listed.

  20. Re: good by Anonymous Coward · · Score: 0

    actually I truly understand trust chains! Let's encrypt has a valid root and yes, they have short life time server trust keys - that's a good thing and ACME isn't hard to deal with.

  21. Not a native English speaker I guess? by raymorris · · Score: 1

    > > of course it can't see and block the malware encrypted via https

    > your company's firewall is MITM-ing all https traffic

    I see you're still working on your English language skills. "Can't" means "can not". Much like "isn't", for "is not".

  22. SNI (TLS virtual hosting) works in all browsers by tepples · · Score: 2

    ISPs will often charge dedicated IP and/or certificate maintenance fees

    That hasn't been the case since April 2014, when extended support for Internet Explorer on Windows XP ended. Since then, all supported web browsers in wide use have supported Server Name Indication (SNI), which allows the TLS client to specify for which hostname the server should try to present a certificate. WebFaction, for instance, has offered TLS+SNI hosting at no additional charge.

    "But I want to support 3-year-old unpatched IE/XP!"
    I don't recommend this, because a browser that neither receives security updates nor has been formally proven secure is presumed vulnerable to man-in-the-browser attacks.

    1. Re:SNI (TLS virtual hosting) works in all browsers by Anonymous Coward · · Score: 0

      WebFaction, for instance, has offered TLS+SNI hosting at no additional charge.

      One example does not come anywhere near disproving (or even disagreeing with) a claim of "often".

    2. Re:SNI (TLS virtual hosting) works in all browsers by tepples · · Score: 1

      Another example is DreamHost, a sponsor of Let's Encrypt. Or any VPS provider such as Amazon EC2. I'd be interested to see which popular shared hosting services don't offer HTTPS at no extra charge by now.

    3. Re:SNI (TLS virtual hosting) works in all browsers by xxxJonBoyxxx · · Score: 1

      >> Dreamhost

      Thanks for the referral. Perhaps it's time I ditched my ISP then...

  23. Let's Encrypt is for domain owners by tepples · · Score: 2

    The one weakness of Let's Encrypt is sites on a home LAN that don't have a fully qualified domain. To pass the DNS challenge of Let's Encrypt, you first have to buy a domain. Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?

    1. Re:Let's Encrypt is for domain owners by sydbarrett74 · · Score: 1

      Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?

      You're griping about $15 annually? Seriously?

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
    2. Re:Let's Encrypt is for domain owners by Anonymous Coward · · Score: 0

      Sounds like he's griping about $15 times 7 billion people, or $105 billion.

    3. Re:Let's Encrypt is for domain owners by sydbarrett74 · · Score: 1

      There are far fewer than 7 billion households on the planet.

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  24. Re:What browser isn't as invasive? It isn't Firefo by tepples · · Score: 2

    Telemetry in pre-release builds of Firefox defaults on.
    Telemetry in release builds of Firefox defaults off.
    I imagine that most users of web browsers are not developers.
    I imagine that most non-developer end users of web browsers use release builds.

  25. Re:Worse than that, it hides the malware on WordPr by tepples · · Score: 1

    The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS

    If a site has a comment section, you are providing at least some personal information every time you post a comment.

  26. A lot of sites use Google services by tepples · · Score: 1

    the sites they are visiting independently use Google services in some sort of hosting capacity

    This is in fact the case. One possible reason for this is that Google's AdSense was one of the first major ad networks (if not the first) to support HTTPS, beginning in September 2013. Other sites are hosted on Blogspot or Google App Engine, or they include YouTube embeds, Google "+1" buttons, jQuery from Google's CDN, Google Fonts, reCAPTCHA, or Google Analytics.

    1. Re:A lot of sites use Google services by Anonymous+Brave+Guy · · Score: 1

      Sure, but how would any of that give rise to the original statistic?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  27. Re:Worse than that, it hides the malware on WordPr by grumpy_old_grandpa · · Score: 1

    HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days.
    Relying on a firewall to do virus / malware scanning (as opposed to IP / site blocking) also seems terribly inefficient. And even if the firewall does the scanning, you'd have to re-do it on the local device anyway, since there's always a way to get around the firewall.

  28. A tradeoff. Million $ SOC vs data entry clerk by raymorris · · Score: 0

    > HTTPS everywhere protects against the mass surveillance

    To some extent it does. For simplicity, let's assume it did, completely. Your choices then are:

    A) The NSA can tell that someone in your company viewed catvideos.com.
    B) The NSA can't tell that someone viewed catvideos.com, and you get infected with malware that somebody put on catvideos.com.

    It's not clear that (A) is always preferable. Obviously that doesn't mean you should never use TLS. It means there is a tradeoff.

    > there's always a way to get around the firewall

    No, that's the difference between an actual real firewall, which is installed on the network at the demarc, and "personal privacy software", which runs on the host. A firewall has two network ports. One connects to the internet (or other "outside" network) one connects to the internal network. There is literally no physical path for signals to travel except through the firewall. There's physically no way around a hardware firewall, no wires for packets to travel through. All packets go *through* the firewall.

    You can also do some checks on the local host, but given you must assume the local host is compromised, you don't trust the local host to identify the malware that it's infected by. Any anti-virus anti-malware on the host is *always* auxiliary to monitoring from a trusted system. Also, the local host obviously can't detect anomalous botnet traffic when a worm infects your network, sweeps trying default and common passwords across your network, etc.

    You get much better security by having dedicated security appliances (some of which cost $20,000 or more, not practical to run one for each desktop and laptop), managed and monitored 24/7 by the SOC, looking at a holistic view of the entire network, rather than trusting a potentially infected laptop, run by an accountant, clerk or manager, to protect itself. Frankly, your perspective of security is very much that of a typical home user in 1995. That's not how it's done in the enterprise, and that's not how it's done in 2017. Our SOC, as an example, employs about 200 security specialists. CorpSec is probably another 40 specialists. We've moved a bit beyond installing McAfee and thinking we're protected. Those 200 specialists in the SOC can't monitor and manage things nearly as well if they can't see anything, though. 10,000 encrypted TLS connections don't provide many actionable events.
    Btw, you mentioned "(as opposed to IP / site blocking)". Where do you think the IP blacklists come from? They come from the SOC, both ours and Cisco TALOS. They are based on what we learn about traffic flows from those IP addresses - because we can *see* the malware being delivered from those IPs.

  29. Re:Giant waste of time is what it is. by rklrkl · · Score: 1

    WordPress, Joomla and pretty well every CMS out there have a login page for at least the site administrator (if not for other non-admin users that have been created) - at least that login page needs to be in https otherwise the creds go across the network in the clear. If you've installed an https cert just for the login page, you may as well extend it to the entire site for no real extra effort.

  30. Re:Worse than that, it hides the malware on WordPr by Anonymous Coward · · Score: 0

    If a site has a comment section, you are providing at least some personal information every time you post a comment

    Shirley anyone posting in a forum uses a throw away email and fake name.

  31. Re:good by Anonymous Coward · · Score: 0

    Let's encrypt is the most expensive certificate unless you either already have people on staff or don't care about security.

    Their web services are hard to script (they could easily have gone with something that could have been a one-liner curl), so it either requires you to forgo all security and just run their crapware as root, or it turns into a complicated manual process. If this complicated manual process had been needed once per year or every two years, it would be acceptable, but every three months is not something I'm willing to waste time on. So I'll have to hire someone just to update certificates on my hobby server (a raspberry pi in my bedroom).

    I can get cheaper certificates from even Verisign.

    And that's not even mentioning how https is completely and utterly insecure.

  32. Re:good by jez9999 · · Score: 1

    I will never accept a 3 month expiration. Never. I manually renew my certs and I am not putting some shitty software on my box to do it. Let's Encrypt can fuck off with their short expiries, I'd rather go with COMODO.

  33. Re:Worse than that, it hides the malware on WordPr by tepples · · Score: 2

    Shirley anyone posting in a forum uses a throw away email and fake name.

    That's not my name, and more and more sites are using blacklist services to identify and reject throw-away e-mail domains, such as Block Disposable Email.

  34. Billion dollar windfall by tepples · · Score: 2

    If there are 67 million home LANs in a country, activating TLS on all of them would represent a $1 billion windfall for the domain registrar industry just for that country.

  35. Re:Worse than that, it hides the malware on WordPr by Anonymous Coward · · Score: 0

    HTTPS everywhere protects against the mass surveillance

    Except for surveillance by nation-states big enough to have their own certificate authorities, including countries as large as Turkey.

    And except for surveillance by companies that make browsers (such as Google and Microsoft).

    And except for surveillance by advertising companies, whose code already runs in your browser before your personal information gets encrypted.

  36. Re:lol that makes me want to go to http sites more by Anonymous Coward · · Score: 0

    Why would you think http sites have less tracking than https ones?

  37. Re: good by TechyImmigrant · · Score: 1

    actually I truly understand trust chains! Let's encrypt has a valid root and yes, they have short life time server trust keys - that's a good thing and ACME isn't hard to deal with.

    PKI and X.509 is still a turd no matter how hard you polish it.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  38. Re:$15 annually by Anonymous Coward · · Score: 0

    Since $15 annually is no biggie, you've got no problem paying for me then.

  39. Re:$15 annually by Anonymous Coward · · Score: 0

    Well, aren't you a bitch.