Slashdot Mirror


Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com)

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.

15 of 67 comments

  1. Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 2, Insightful

    The entire internet is 'non-secure', by design. Your silly https is a fucking joke, worse it's a lie.

    1. Re:Oh Please! Let's stop pretending here by Anonymous Coward · · Score: 2, Interesting

      I assume you haven't heard the old joke about how fast you have to run to outrun a lion? The answer is: faster than the other guy. Think about it.

    2. Re:Oh Please! Let's stop pretending here by grumpy_old_grandpa · · Score: 2

      Security is not an absolute, or a single point target.

      HTTPS everywhere protects against the mass surveillance and mass man-in-the-middle attacks which have become all too common these days. It will not protect against a targeted attack by the CIA, but it will challenge the NSA dragnet programs and Phorm ad injections.

      Security is always a cat and mouse game ad infinitum. The attacker comes up with a better weapon, so you raise your fence, so he brings a trebuchet...

    3. Re:Oh Please! Let's stop pretending here by edtice1559 · · Score: 2

      In most cases, the goal is to protect the data from garden variety criminals not state-sponsored actors. My house is insecure as well since the police could bust the door down. But having locks on the door still goes a long way. The NSA doesn't need to impersonate a certificate to get my credit card number, they could just send a national security letter to the issuer!

  2. Do I really want to know by WaffleMonster · · Score: 2

    "Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop."

    How do they know this?

    1. Re:Do I really want to know by Afty0r · · Score: 4, Informative

      How do they know this?

      From all the browsing activity conducted through Google Chrome by people who have agreed to let them use anonymised browsing data for statistical purposes.

  3. Is "Krystalo" actually Emil Protalinski? by Anonymous Coward · · Score: 4, Interesting

    Is "Krystalo", the submitter of this submission, actually Emil Protalinski? All three of the articles linked to by this submission are on this "VentureBeat" site, and all three list "Emil Protalinski" as the author.

    A cursory glance at the submission history for this "Krystalo" Slashdot user shows other submissions linking to this "VentureBeat" site.

    So perhaps this is a case of self-promotion, where this "Emil Protalinski" fellow is submitting his own articles to Slashdot as "Krystalo"? Or perhaps it's a colleague doing it?

    Emil Protalinski, can you please confirm what is happening in this case?

    This "VentureBeat" situation is starting to look a lot like the "BetaNews" situation. There appears to be about one "VentureBeat" submission that gets on the Slashdot front page each week.

    Now this isn't as bad as the "BetaNews" submissions, which end up on the Slashdot front page almost daily. Sometimes there are even multiple submissions in a single day linking to "BetaNews" articles!

    The Slashdot editors should really be careful about accepting submissions from people who may have written the articles being submitted. It starts to make Slashdot look sketchy when there's a submission from "BetaNews" on the Slashdot front page almost every day, and one from "VentureBeat" almost every week.

    We should get a variety of news here, and it should not come from the same sources again and again and again and again, especially if it may be the sources themselves that are submitting submissions that link back to their own sites.

  4. Re:But will it mark gmail and google.com as spywar by Anonymous+Brave+Guy · · Score: 2, Insightful

    Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop.

    Just ask yourself how Google can possibly know that and you can get a pretty good idea of where it really stands on the spyware/privacy issue.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

  5. Re:good by Anonymous Coward · · Score: 3, Informative

    The cert expires after 3 months, not the key. I use Let's Encrypt with key pinning and have had the same key pinned for over a year. The verification of domains by Let's Encrypt is similar to that of other CAs. A cert means control over a domain, nothing more.
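    The distinction the comment draws between certificate lifetime and key lifetime is what makes public-key pinning workable across short-lived certificates. The script below is an added example, not code from the commenter or from Let's Encrypt: it builds two constructed, X.509-shaped certificate fixtures (v1 layout, placeholder signature, a made-up modulus rather than a real key) and computes the HPKP-style pin defined in RFC 7469, base64(SHA-256(DER SubjectPublicKeyInfo)). Renewing with the same key yields the same pin even though the validity dates differ; rotating the key changes the pin. The DER helpers and the field order (serial, signature, issuer, validity, subject, subjectPublicKeyInfo) follow RFC 5280; everything else is an assumption for the fixture.

```python
import base64
import hashlib

# --- Minimal DER helpers (written for this example) -------------------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(ln)]) + ln
    return bytes([tag]) + length + content

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_int(value: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 when the high bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_utctime(s: str) -> bytes:
    return der(0x17, s.encode("ascii"))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING wrapping RSAPublicKey."""
    rsa_public_key = der_seq(der_int(modulus), der_int(exponent))
    return der_seq(der_seq(RSA_ENCRYPTION_OID, der(0x05, b"")),
                   der(0x03, b"\x00" + rsa_public_key))

def make_cert(spki: bytes, serial: int, not_before: str, not_after: str) -> bytes:
    """Constructed, X.509-shaped fixture (v1 layout, empty names, placeholder signature)."""
    empty_name = der_seq()
    sig_alg = der_seq(SHA256_WITH_RSA_OID, der(0x05, b""))
    tbs = der_seq(der_int(serial), sig_alg, empty_name,
                  der_seq(der_utctime(not_before), der_utctime(not_after)),
                  empty_name, spki)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" + b"\x00" * 32))

# --- Minimal DER parsing and pin computation --------------------------------

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end

def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = read_tlv(content, pos)
        out.append((tag, body, raw))
    return out

def tbs_fields(cert_der: bytes):
    _, cert_body, _, _ = read_tlv(cert_der)
    _, tbs_body, _, _ = read_tlv(cert_body)
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:      # v3 certificates lead with [0] version
        fields = fields[1:]
    return fields                             # serial, sigalg, issuer, validity, subject, spki

def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the raw DER SubjectPublicKeyInfo."""
    spki_raw = tbs_fields(cert_der)[5][2]
    return base64.b64encode(hashlib.sha256(spki_raw).digest()).decode("ascii")

def validity(cert_der: bytes):
    """(notBefore, notAfter) as the UTCTime strings stored in the certificate."""
    return tuple(body.decode("ascii") for _, body, _ in children(tbs_fields(cert_der)[3][1]))

# Constructed moduli: 2048-bit odd numbers standing in for real keys.
KEY_A = rsa_spki((1 << 2047) | 0x1234567)
KEY_B = rsa_spki((1 << 2047) | 0x7654321)

CERT_Q1 = make_cert(KEY_A, 1, "230101000000Z", "230401000000Z")  # first 90-day cert
CERT_Q2 = make_cert(KEY_A, 2, "230401000000Z", "230701000000Z")  # renewal, same key
CERT_ROTATED = make_cert(KEY_B, 3, "230401000000Z", "230701000000Z")  # renewal, new key

if __name__ == "__main__":
    for label, cert in (("Q1", CERT_Q1), ("Q2 renewal", CERT_Q2), ("rotated", CERT_ROTATED)):
        print(f"{label:12s} {validity(cert)} pin-sha256={spki_pin(cert)}")
```

    The pin therefore survives every renewal that reuses the private key, which is why the commenter's year-old pin still matches, and it is also why a pinning deployment needs a backup pin for the day the key is finally rotated.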

  6. Re:But will it mark gmail and google.com as spywar by Anonymous+Brave+Guy · · Score: 2

    Why would Google have any control or visibility of anyone's connections, unless either that person also independently uses Google services in some sort of ISP capacity or the sites they are visiting independently use Google services in some sort of hosting capacity?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

  7. SNI (TLS virtual hosting) works in all browsers by tepples · · Score: 2

    ISPs will often charge dedicated IP and/or certificate maintenance fees

    That hasn't been the case since April 2014, when extended support for Internet Explorer on Windows XP ended. Since then, all supported web browsers in wide use have supported Server Name Indication (SNI), which allows the TLS client to specify for which hostname the server should try to present a certificate. WebFaction, for instance, has offered TLS+SNI hosting at no additional charge.

    "But I want to support 3-year-old unpatched IE/XP!"
    I don't recommend this, because a browser that neither receives security updates nor has been formally proven secure is presumed vulnerable to man-in-the-browser attacks.

  8. Let's Encrypt is for domain owners by tepples · · Score: 2

    The one weakness of Let's Encrypt is sites on a home LAN that don't have a fully qualified domain. To pass the DNS challenge of Let's Encrypt, you first have to buy a domain. Or is every head of household who owns a router, printer, or NAS supposed to spend $15 per year on a domain?

  9. Re:What browser isn't as invasive? It isn't Firefo by tepples · · Score: 2

    Telemetry in pre-release builds of Firefox defaults on.
    Telemetry in release builds of Firefox defaults off.
    I imagine that most users of web browsers are not developers.
    I imagine that most non-developer end users of web browsers use release builds.

  10. Re:Worse than that, it hides the malware on WordPr by tepples · · Score: 2

    Shirley anyone posting in a forum uses a throw-away email and fake name.

    That's not my name, and more and more sites are using blacklist services to identify and reject throw-away e-mail domains, such as Block Disposable Email.

  11. Billion dollar windfall by tepples · · Score: 2

    If there are 67 million home LANs in a country, activating TLS on all of them would represent a $1 billion windfall for the domain registrar industry just for that country.