Google Warns Webmasters About Insecure HTTP Web Forms

In April Chrome began marking HTTP pages as "not secure" in its address bar if the pages had password or credit card fields. They're about to take the next step. An anonymous reader quotes SearchEngineLand: Last night, Google sent email notifications via Google Search Console to site owners that have forms on web pages over HTTP... Google said, "Beginning in October 2017, Chrome will show the 'Not secure' warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode."
Google warned in April that "Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we're ready to take the next steps..."

"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites."

HTTPS is stupid

Let's separate authentication of websites from encryption for privacy. Then there's no reason not to encrypt everything.

Re:HTTPS is stupid

[Gaygirlie]

What the hell are you babbling about? SSL-certificates aren't tied to IP-addresses, they're tied to domain-names! Hell, you can have hundreds of HTTPS-sites served by a single Apache-server with a single IP-address, all with different SSL-certificates, by using SNI!

Re: HTTPS is stupid

SNI - server name indication - fixes this problem for HTTPS. We host multiple SSL-enabled sites with different certs on single IP addresses.

Re:HTTPS is stupid

[beelsebob]

And why do you give a shit about that. XP is an EOL, insecure operating system. There's litterally no reason to support it any more.

And no - don't give my bullshit about "but my company runs critical systems on it" - THEY FUCKING SHOULDN'T BE RUNNING CRITICAL SYSTEMS ON AN OPERATING SYSTEM THAT'S KNOWN TO BE INSECURE.

Re:HTTPS is stupid

[i.r.id10t]

And if you absolutely MUST run XP for something super critical, why the hell are you allowign that machine to browse the internet?

Re:HTTPS is stupid

[thegarbz]

Good. Your XP system should be forced off the internet. You're a threat to yourself and everyone else.

Chrome copies Firefox ... Again

[narcc]

Firefox added a warning a while ago. It's no surprise Google would follow suit.

Chrome is really turning in to a slow, bloated, spyware-ridden Firefox clone.

Re:Chrome copies Firefox ... Again

[Gravis+Zero]

Chrome is really turning in to a slow, bloated, spyware-ridden Firefox clone.

Yeah, just like that time Chrome copied the Firefox layout and then dropped support for it's own extensions in favor Firefox extensions. Oh wait. ;)

Re:Chrome copies Firefox ... Again

[williamyf]

I think the parent should habve been modded +5 funny, instead of +5 Informative...

Re:Chrome copies Firefox ... Again

[thegarbz]

Wow those people who modded you Informative are humourless or clueless.

I laughed though :-)

Re:Chrome copies Firefox ... Again

[tepples]

How many, realistically, are willing to carry a second computer or second phone just to run Safari?

Re:Chrome copies Firefox ... Again

[Z00L00K]

You spelled Lynx wrong.

There is a lot that doesn't need encryption..

[toonces33]

This seems like overkill to me.

Re:There is a lot that doesn't need encryption..

[Chai+T.+Rex]

This isn't requiring encryption, so I don't see what the problem is.

Re:There is a lot that doesn't need encryption..

[rklrkl]

I think the problem here is that while you can easily identify a password field in a form (type=password), it's not so easy to identify other form fields that might contain personal information (you don't have to call the e-mail field "email" for example). Google is probably right at blanket-covering http forms with a warning that that they aren't https.

The warning in Incognito Mode is on a bit less of a justifiable footing though, but it's the next logical step to warning about all http sites regardless of Incognito Mode or if they're forms or not. That latter step, though, would hit billions of pages, but might force a big adoption of https by the remaining http-only holdouts.

A big shout-out to Let's Encrypt here, without whom I suspect this https-only tightening couldn't be been undertaken by any of the major browsers.

Re:There is a lot that doesn't need encryption..

This seems like overkill to me.

Are you unaware that some ISPs and "public" wireless hotspots tamper with packets in-transit in order to inject ads?

I want zero percent of my packets to be tampered with in-transit. We prevent that with encryption.

Re:There is a lot that doesn't need encryption..

[tlhIngan]

It's an annoying pain the butt.

I mean, internal web applications don't need HTTPS, and yes, we can self-sign and force CA root to be distributed, but it's really just a pain in what is perfectly functioning software.

The only way to hit them requires you to either be on the the local network, or VPN in.

Firefox's warning is less than useful - the only way to disable it disables it for all sites, not just intranet ones. Chrome is probably going to be the same - disable it for all, or none, with no option to designate sites as intranet where the warning is suppressed and still have public internet sites have it.

Yes, we can upgrade our systems, though the current web applications work well enough that justifying spending thousands to upgrade doesn't seem worth it. Especially since it works (though looks a bit dated)

Re:There is a lot that doesn't need encryption..

[Gavagai80]

The real danger here is that people are going to be so used to seeing "not secure" in their browser and being told "oh just go ahead and use it, this isn't important" that soon enough they'll start typing their credit cards into insecure forms again.

Re:There is a lot that doesn't need encryption..

[thegarbz]

Who decides if someone needs encryption or not? Do you know what all your visitors are being persecuted for? You're privileged enough to not need encryption for your specific data in your specific geo-political area. The same can not be applied universally.

Re:There is a lot that doesn't need encryption..

[BradMajors]

Google is supping all their data to the government. No change in privacy.

Re:There is a lot that doesn't need encryption..

[swillden]

This seems like overkill to me.

I'd say it's insufficient. Everything should be encrypted and authenticated end to end, not just forms and form responses. Actually, it's really more important that data coming to your browser be authenticated than that data you send be encrypted. Why? Because unless your browser and OS are perfectly secure (they're not) then you have to trust every network hop between the server and you not to inject malware. With authentication, you only have to trust the server.

And as long as you're authenticating all of the data, you might as well encrypt it, too, because some stuff does need to be protected and (a) it's not always obvious what does and what does not and (b) there's no reason not to just encrypt it all.

Not worth the extra cost to buy a certificate

My site has a contact page. I'm not going to spend the extra money to get a certificate just so Chrome won't kvetch about my site. I'll put verbage on the site explaining the error message in Chrome and if people don't want to contact me, I can live with that. Worst comes to worst, I can code the site to complain that Chrome isn't supported. I already do that with Internet Exploder.

Re:Not worth the extra cost to buy a certificate

[BlueKitties]

Actually, it's free to set up HTTPS if you use letsencrypt.org. It takes roughly an hour of research to get it working, give or take depending on your current server setup. There are only a couple of gotchas: one, you have to make a certificate signing request file, .csr, which is easier on Linux than Windows. IIRC you can do it with Docker on a Windows machine. The second catch is, there are actually two files you have to put on your webserver, one is the private key, but the other is some "security key history" file that says where the security key came from. I can't for the life of me remember how that was setup, but it gave me some ugly unexplained "not secure" error in Chrome until some furious Googling surfaced the issue.

Oh, and the third catch is, try to make the links embedded in your site use https, since an http frame embedded in an https frame isn't secure by virtue of the parent frame. Anyway, if you take the dive, expect a few headaches and unexplained "this page is not secure" experiences before you hammer out the bugs. But it's doable in a single weekend for free, and you get a nice professional looking https bar as a bonus.

Also, some managed cloud services can turn on https for you with the push of a button, so it could be worth digging around in your settings if you're using a high level CMS / cloud host.

Re:Not worth the extra cost to buy a certificate

You can get a free certificate from letsencrypt.

Re:Stop flagging self signed certs insecure

[Todd+Knarr]

That or if Google supported CERT records in DNS properly. Then sites could publish their own issuing certs and, as long as they use DNSSEC, you could at least verify that the certificates belong to the entity that owns the domain (which is all that's needed for most purposes).

Re:Stop flagging self signed certs insecure

[green1]

We could also work on getting some of the registrars to actually support DNSSEC.... it's been "coming soon" to my registrar for several years now and I'm considering switching just because of it.

False sense of security

[tepples]

Self signed means false sense of security. The HTTP scheme without S means a true sense of insecurity. True sense is better than false sense.

Re:Stop flagging self signed certs insecure

[tepples]

end the end a self signed cert means that the traffic between your browser and the web server has been encrypted.

And decrypted and reencrypted by a man in the middle.

Manage your devices

[tepples]

Install device configuration management software on your clients, and deploy the proxy's root certificate through that.

Re:Manage your devices

[Z00L00K]

The problem is that many sites serving over http only will be listed as insecure even if they aren't serving anything that would need encryption, and may not even have a login - or a login only for the webmaster. That covers many hobbyist sites.

This essentially makes it more cumbersome to run a small website for hobbyist purposes.

https only protects the data channel between server and client, it doesn't make a site more trustworthy today.

Re: Manage your devices

deploy the proxy's root certificate

Until you're not given that option.

"Oh, I'm sorry. Snapd won't support that because that might compromise security."

"Chromebooks only support changing the cert store at the user level. It won't work with your federally mandated content filter because we protect our users."

Apparently the people in charge of this crap have confused "trusted" with "authority". I.e. It's their authority that is to be trusted, NOT the system administrator's authority. Which defeats the entire purpose of TLS. (Nevermind it's a flawed system to begin with.) If the system admin wants their system to trust a specific certificate, but the system refuses to trust it, then the system itself has lost the trust of it's owner. Which means that there is no trust period over anything that passes through it. You can't establish a "secure" connection on a system that the owner doesn't trust.

This isn't just an issue with proxies, but intranet sites too. I've had network appliances that were rendered inaccessible because a modern web browser wouldn't allow me to connect to it's management interface to upload a renewed certificate after the previous one expired. I had to actually install an older browser just to upload the renewed cert, all because the browser vendors up and decided that the user shouldn't be able to override the faulty cert and connect anyway.

This crap is beyond broken, and for what? "Trust"? Where's the trust? It seems like, if anything, the developers don't trust the users, but demand the users trust the developers without question. Where I come from, that's not trust, it's blind faith.

Re: Manage your devices

[tepples]

That's because the person to whom you later sell on your phone doesn't trust the CA you added.

Re: Manage your devices

[tepples]

The issue is the current owner of the device does not have the final say as to what is trusted and what isn't. It's the current owner's trust that is important, not the device manufacturer's.

Then the current owner does have the final say. The interstitial mentioned by Anonymous Coward (#55051981) reminds the user that the current owner has exercised his final say.

Re:Stop flagging self signed certs insecure

[ls671]

SSH doesn't use certificates as far as I know.

I have a form on my site.

[rew]

They flagged my public wiki as falling under the new policy. So someone who posts something on this wiki runs the risk of having their contribution changed by a man-in-the middle. (besides running the risk of someone just going to the wiki and changing their contribution the proper way).

Let's Encrypt issue on Playstation browser

[billmarrs]

I got this warning from Google about my site. A couple years ago, I got https working using Let's Encrypt. So, you'd think I could switch over 100% to https as Google is pushing me to do. But, what I've found is that there are a few odd browser/devices that don't work. A notable one is the PS3/4 web browser (my site is video-game related, so this is not entirely rare). Sony hasn't updated their root certs to include the one used by Let's Encrypt. So, my https does not work on a PS3 or PS4. Thus, I'd prefer to keep the site indexed with the http version, despite Google's pressure. I do have links up for the secure site and have tried to motivate people to switch (even use HSTS to make the switch sticky). About 28% of my signed-on users still use http. It's their choice.

Re:Version 62 Also Include Hate Site Warning...

[BradMajors]

By "hate", you mean non-SJW.

MITM has to intercept more connections for DV

[tepples]

Self-signed means the man in the middle (MITM) who intercepted the connection is decrypting what the server sends, storing it and/or altering it, and re-encrypting it to send to the client. CA-signed means the same MITM also had to intercept the CA's connection to the DNS when the server operator obtained the certificate, which is a bit harder to do for actors smaller than a nation-state. And it's even harder if the server operator regularly checks Certificate Transparency and/or Convergence.

I don't see how Let's Encrypt, an automated domain-validated CA, is a "racket". DNS is more of a "racket", as people who operate an internally reachable server on a LAN have to buy a domain in order to qualify for a certificate.

Re:Stop flagging self signed certs insecure

[ls671]

It isn't a certificate, it is a public key that you accept. Again, ssh doesn't use certificates.

SSH warns that no fingerprint is stored

[tepples]

Https could have been designed to work the same way as ssh, store a fingerprint, if it changes then throw up alarms.

It does work that way. The warning you see when visiting an HTTPS site whose certificate has an unknown issuer, such as a self-signed certificate, is analogous to SSH's warning that no fingerprint is stored for that hostname. A domain-validating CA is just a way to skip that warning. If you think that's a racket, then answer me this: How do you verify that no MITM is altering the fingerprint the first time you connect to an SSH server?

Sites could have stored their current fingerprint as a record in their DNS entry to automate validation

That's called DANE. It's not implemented in browsers because until less than a year ago, DNSSEC keys were 1024-bit RSA, and 1024-bit RSA is too short for current safety margin expectations. In addition, several registrars appear to charge extra for DNSSEC. There is a Chrome extension to run a DANE check on a certificate, but I don't know whether that or a similar Firefox legacy extension will survive the WebExtensions cutover.

Re:SSH warns that no fingerprint is stored

[tepples]

The possibility that a man in the middle is intercepting an HTTP request whose URL specifically requested encryption should scare users. That's why OpenSSH's SSH and SFTP clients require the exact 3-character string yes when a fingerprint isn't stored instead of just letting the user press Enter. I'd prefer to go further, requiring the user to retype the first two and last two characters of the fingerprint.

So let me repeat the question: How do you verify that no MITM is altering the fingerprint the first time you connect to an SSH server?

Re: Stop flagging self signed certs insecure

[ls671]

again, my sshd doesn't use certificates, only public/private key pairs:

  # ls
moduli ssh_host_ecdsa_key ssh_host_rsa_key sshd_config~
ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key.pub
ssh_host_dsa_key ssh_host_ed25519_key sshd_config
ssh_host_dsa_key.pub ssh_host_ed25519_key.pub sshd_config.new
# grep -i cer *
#

Shut up you WUS

[presidenteloco]

Warrior promoting Unjust Society (or is that, Warrior for Unequal Statuses).

Playing chicken with national censors works

[tepples]

"Oh, I'm sorry. Snapd won't support that because that might compromise security."

Use the --dangerous flag, or use the SNAPPY_FORCE_CPI_URL root environment variable to switch the machine to a different store. Or what am I missing?

"Chromebooks only support changing the cert store at the user level. It won't work with your federally mandated content filter because we protect our users."

Then perhaps Google should be playing chicken with a national government as a means of showing that said government's communications policy is harmful to its citizens' well-being by weakening security. When Wikipedia played chicken in June 2015, censorship dropped.

It seems like, if anything, the developers don't trust the users

Given how prevalent PEBKAC is, it saves the support department money not to have to trust the users.

Re:Playing chicken with national censors works

[tepples]

Recompiling snaps everytime an update comes out just to change the CA bundle, renders snaps utterly pointless. I may as well just run a bunch of VMs

If you have determined that snaps fail Debian's desert island test by making internal deployment of private applications unnecessarily difficult, then use --dangerous, or don't use snaps in your organization and write a blog post about why you chose to use something other than snaps in your organization.

Because we all want to whitelist a search engine in a setting where content filtering is federally mandated, and any "objectionable" content is our liability.

If you have determined that your country's laws prohibit use of a Chromebook, have you opened a support case with each Chromebook manufacturer to make them aware of this prohibition? If so, what was their reply?

They could just as easily save money by removing the keyboard, touchscreen, and mouse, and doing everything themselves to ensure no-one will mess up.

I can tell this is hyperbole because a product with no functionality will produce zero revenue. Let me rephrase: Taking away the user's ability to do dangerous things without explicitly acknowledging that they are dangerous strikes what a company has determined to be the appropriate balance among functionality, security, and support costs.

Hell, employers could just as easily save money by hiring someone who is competent enough to follow directions.

Good luck finding such an employee locally.

Hell, the previous owner should wipe it to protect themselves and their personal information before selling it

You sure love a certain town in Michigan, don't you?

Anyway, the design protects the buyer who buys a used device from a seller who has wiped it to protect himself and then installed dubious software onto the freshly wiped device to spy on the buyer who is using a device that appears to have still been freshly wiped.

A failure that should be addressed directly through education

Who foots the bill for said "education"?

and legal liability (if needed), not indirectly by removing chances for screw up.

And who foots the bill for monopoly or oligopoly rents once "legal liability (if needed)" causes the market to contract as businesses go out of business on grounds that the cost of doing business has become prohibitive?

Slightly misguided

[presidenteloco]

A page which was served by unencrypted HTTP but which posts its form data to an https url is secure.

It just doesn't look secure to non-technical users.

Of course if the site then sends the form data back up unencrypted (e.g. after server side value validation fails) that is then insecure, but no one with a brain sends the password value back up anyway.