Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com)

Posted by msmash on from the tightening-the-bolts dept.

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.

36 of 67 comments (clear)

  1. Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 2, Insightful

    The entire internet is 'non-secure', by design. Your silly https is a fucking joke, worse it's a lie.

    1. Re:Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 1

      Can you elaborate?
      Millions of online banking transactions happen a day over https. Is each connection susceptible to unwanted examination?

    2. Re:Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 2, Interesting

      I assume you haven't heard the old joke about how fast you have to run to outrun a lion? The answer is: faster than the other guy. Think about it.

    3. Re:Oh Please! Let's stop pretending here by grumpy_old_grandpa · · Score: 2

      Security is not an absolute, or a single point target.

      HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days. It will not protect against a targeted attack by the CIA, but it will challenge the NSA dragnet programs and Phorm ad injections.

      Security is always a cat and mouse game ad infinitum. The attacker comes up with a better weapon, so you raise your fence, so he brings a trebuchet...

    4. Re:Oh Please! Let's stop pretending here by edtice1559 · · Score: 2

      In most cases, the goal is to protect the data from garden variety criminals not state-sponsored actors. My house is insecure as well since the police could bust the door down. But having locks on the door still goes a long way. The NSA doesn't need to impersonate a certificate to get my credit card number, they could just send a national security letter to the issuer!

  2. Do I really want to know by WaffleMonster · · Score: 2

    "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. "

    How they know this?

    1. Re:Do I really want to know by Afty0r · · Score: 4, Informative

      How they know this?

      From all the browsing activity conducted through Google Chrome by people who have agreed to let them use anonymised browsing data for statistical purposes.

    2. Re:Do I really want to know by thegarbz · · Score: 1

      How they know this?

      Wait. Are you telling me you didn't read the EULA?

  3. Is "Krystalo" actually Emil Protalinski? by Anonymous Coward · · Score: 4, Interesting

    Is "Krystalo", the submitter of this submission, actually Emil Protalinski? All three of the articles linked to by this submission are on this "VentureBeat" site, and all three list "Emil Protalinski" as the author.

    A cursory glance at the submission history for this "Krystalo" Slashdot user shows other submissions linking to this "VentureBeat" site.

    So perhaps this is a case of self-promotion, where this "Emil Protalinski" fellow is submitting his own articles to Slashdot as "Krystalo"? Or perhaps it's a colleague doing it?

    Emil Protalinski, can you please confirm what is happening in this case?

    This "VentureBeat" situation is starting to look a lot like the "BetaNews" situation. There appears to be about one "VentureBeat" submission that gets on the Slashdot front page each week.

    Now this isn't as bad as the "BetaNews" submissions, which end up on the Slashdot front page almost daily. Sometimes there are even multiple submissions in a single day linking to "BetaNews" articles!

    The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted. It starts to make Slashdot look sketchy when there's a submission from "BetaNews" on the Slashdot front page almost every day, and one from "VentureBeat" almost every week.

    We should get a variety of news here, and it should not come from the same sources again and again and again and again, especially if it may be the sources themselves that are submitting submissions that link back to their own sites.

    1. Re:Is "Krystalo" actually Emil Protalinski? by thegarbz · · Score: 1

      The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted.

      Why? Slashdot has constantly been used for self promotion almost back to its inception. The only thing that anyone is interested in is:
      a) is the story relevant and interesting to the site
      b) is the story true
      c) what are the story's biases

      Who it comes from is secondary to all this.

  4. Re:But will it mark gmail and google.com as spywar by Anonymous+Brave+Guy · · Score: 2, Insightful

    Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop.

    Just ask yourself how Google can possibly know that and you can get a pretty good idea of where it really stands on the spyware/privacy issue.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  5. Re:What browser isn't as invasive? It isn't Firefo by Anonymous Coward · · Score: 1

    Telemetry is off by default in Firefox. Don't like it, don't ENABLE IT!

  6. Re:good by Anonymous Coward · · Score: 3, Informative

    The cert expires after 3 months, not the key. I use Let's Encrypt with key pinning and have had the same key pinned for over a year. The verification of domains by Let's Encrypt is similar to that of other CAs. A cert means control over a domain, nothing more.

  7. Re:But will it mark gmail and google.com as spywar by Anonymous+Brave+Guy · · Score: 2

    Why would Google have any control or visibility of anyone's connections, unless either that person also independently uses Google services in some sort of ISP capacity or the sites they are visiting independently use Google services in some sort of hosting capacity?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  8. Re:So why does chrome hide http: in the url????? by jaklode · · Score: 1

    This makes it more obvious. If it's secure, there's a :// in the URL bar :D

  9. Re:So why does chrome hide http: in the url????? by KiloByte · · Score: 1

    Thanks! Now I know I can trust ftp:// and gopher:// links to be safe!

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  10. "23 percent reduction" by roc97007 · · Score: 1

    "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop."

    Ok, but is that because the users started using https pages, or because the businesses in question switched to https,

    ...or because the user switched to Firefox?

    I mean, we've been trained for the last 20 years that if you get an error, Switch Browsers.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  11. Worse than that, it hides the malware on WordPress by raymorris · · Score: 1

    > But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
    > Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
    > But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?

    Its worse than that. The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS, is a very common vector for malware. The kind of malware that your company's firewall is set up to block. But of course it can't see and block the malware encrypted via https. A lot of security, protection from malware, phishing, etc, requires visibility into what's happening on the network. Encryption is very useful when applied properly in the proper places, but https everywhere also has a very real security *cost*. Every security-related decision will have both costs and benefits.

    It is wise to consider both costs and benefits and apply the right tools for each situation. *Anything* "everywhere" is probably less than ideal.

  12. Not a native English speaker I guess? by raymorris · · Score: 1

    > > of course it can't see and block the malware encrypted via https

    > your company's firewall is MITM-ing all https traffic

    I see you're still working on your English language skills. "Can't" means "can not". Much like "isn't", for "is not".

  13. SNI (TLS virtual hosting) works in all browsers by tepples · · Score: 2

    ISPs will often charge dedicated IP and/or certificate maintenance fees

    That hasn't been the case since April 2014, when extended support for Internet Explorer on Windows XP ended. Since then, all supported web browsers in wide use have supported Server Name Indication (SNI), which allows the TLS client to specify for which hostname the server should try to present a certificate. WebFaction, for instance, has offered TLS+SNI hosting at no additional charge.

    "But I want to support 3-year-old unpatched IE/XP!"
    I don't recommend this, because a browser that neither receives security updates nor has been formally proven secure is presumed vulnerable to man-in-the-browser attacks.

    1. Re:SNI (TLS virtual hosting) works in all browsers by tepples · · Score: 1

      Another example is DreamHost, a sponsor of Let's Encrypt. Or any VPS provider such as Amazon EC2. I'd be interested to see which popular shared hosting services don't offer HTTPS at no extra charge by now.

    2. Re:SNI (TLS virtual hosting) works in all browsers by xxxJonBoyxxx · · Score: 1

      >> Dreamhost

      Thanks for the referral. Perhaps it's time I ditched my ISP then...

  14. Let's Encrypt is for domain owners by tepples · · Score: 2

    The one weakness of Let's Encrypt is sites on a home LAN that don't have a fully qualified domain. To pass the DNS challenge of Let's Encrypt, you first have to buy a domain. Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?

    1. Re:Let's Encrypt is for domain owners by sydbarrett74 · · Score: 1

      Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?

      You're griping about $15 annually? Seriously?

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
    2. Re:Let's Encrypt is for domain owners by sydbarrett74 · · Score: 1

      There are far fewer than 7 billion households on the planet.

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  15. Re:What browser isn't as invasive? It isn't Firefo by tepples · · Score: 2

    Telemetry in pre-release builds of Firefox defaults on.
    Telemetry in release builds of Firefox defaults off.
    I imagine that most users of web browsers are not developers.
    I imagine that most non-developer end users of web browsers use release builds.

  16. Re:Worse than that, it hides the malware on WordPr by tepples · · Score: 1

    The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS

    If a site has a comment section, you are providing at least some personal information every time you post a comment.

  17. A lot of sites use Google services by tepples · · Score: 1

    the sites they are visiting independently use Google services in some sort of hosting capacity

    This is in fact the case. One possible reason for this is that Google's AdSense was the one of the first major ad networks (if not the first) to support HTTPS, beginning in September 2013. Other sites are hosted on Blogspot or Google App Engine, or they include YouTube embeds, Google "+1" buttons, jQuery from Google's CDN, Google Fonts, reCAPTCHA, or Google Analytics.

    1. Re:A lot of sites use Google services by Anonymous+Brave+Guy · · Score: 1

      Sure, but how would any of that give rise to the original statistic?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  18. Re:Worse than that, it hides the malware on WordPr by grumpy_old_grandpa · · Score: 1

    HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days.
    Relying on a firewall to do virus / malware scanning (as opposed to IP / site blocking) also seems terribly inefficient. And even if the firewall does the scanning, you'd have to re-do it on the local device anyway, since there's always a way to get around the firewall.

  19. Re:Giant waste of time is what it is. by rklrkl · · Score: 1

    WordPress, Joomla and pretty well every CMS out there have a login page for at least the site administrator (if not for other non-admin users that have been created) - at least that login page needs to be in https otherwise the creds go across the network in the clear. If you've installed an https cert just for the login page, you may as well extend it to the entire site for no real extra effort.

  20. Re:Anyone who cares would already notice. by michelcolman · · Score: 1

    I have a couple of websites about games I made. There's some text info, some screenshots, and a link to the App Store. No information entry boxes, no cookies, no tracking, no ads, nothing.

    Why exactly should I be forced to "upgrade" those sites to https?

  21. Re:good by jez9999 · · Score: 1

    I will never accept a 3 month expiration. Never. I manually renew my certs and I am not putting some shitty software on my box to do it. Let's Encrypt can fuck off with their short expiries, I'd rather go with COMODO.

    --
    == Jez ==
    Do you miss Firefox? Try Pale Moon.
  22. Re:Worse than that, it hides the malware on WordPr by tepples · · Score: 2

    Shirley anyone posting in a forum uses a thow away email and fake name.

    That's not my name, and more and more sites are using blacklist services to identify and reject throw-away e-mail domains, such as Block Disposable Email.

  23. Billion dollar windfall by tepples · · Score: 2

    If there are 67 million home LANs in a country, activating TLS on all of them would represent a $1 billion windfall for the domain registrar industry just for that country.

  24. Re: good by TechyImmigrant · · Score: 1

    actually I truly understand trust chains! Let's encrypt has a valid root and yes, they have short life time server trust keys - that's a good thing and ACME isn't hard to deal with.

    PKI and X.509 is still a turd no matter how hard you polish it.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.