Slashdot Mirror


Google Says 64 Percent of Chrome Traffic On Android Now Protected With HTTPS, 75 Percent On Mac, 66 Percent On Windows (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Google's push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent. Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago. In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent. Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn't yet adopted HTTPS.

90 comments

  1. And how do they know? by Anonymous Coward · · Score: 0

    Oh, right, "analytics."

  2. Well done! by duke_cheetah2003 · · Score: 2

    Despite Google's other not so nice activities, I gotta give them a thumbs-up here. Getting the web to transition away from HTTP to HTTPS is fantastic. There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue. Good job Google.

    As a side effect, this action they've promoted and encouraged mitigates the new WPA2 insecurity quite nicely. Not such a big deal if WPA2 is broken into, only to expose lots of HTTPS and/or VPN tunneling, and you're back to the drawing board. You just can't have enough security and layers of encryption.

    1. Re: Well done! by Anonymous Coward · · Score: 2, Insightful

      Yeah, it's not like letsencrypt offering automated certificates for free had anything to do with it.
      It was google showing a message about http being insecure.

    2. Re:Well done! by AHuxley · · Score: 1

      Keeps other ads out. All that information that has so much added value is kept extra safe until it gets to its real destination.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Well done! by arth1 · · Score: 5, Insightful

      Despite Google's other not so nice activities, I gotta give them a thumbs-up here. Getting the web to transition away from HTTP to HTTPS is fantastic. There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue. Good job Google.

      You're too quick to give them credit. Follow the money trail. HTTPS and SPDY make it far easier to ensure that ads are transmitted, and to whom. That HTTPS largely defeats anonymous proxy caching and other techniques that make counting ad impressions harder is why Google pursues it; security is how they sell it, despite it being slower, to a high degree defeats bandwidth saving techniques, and requires extra resources on both server and client endpoints.

      There's little reason why publicly available non-controversial information should be encrypted, and that makes up the majority of the web. Snooping traffic generally doesn't happen mid-transfer, but at the end point, by companies like Google and their partners. HTTPS does nothing to prevent that.

    4. Re:Well done! by FrankHaynes · · Score: 1

      I'm less worried about the interception of data in transit and more worried about the security of my data in many, many disparate databases at the far end. Nobody has yet addressed that to my satisfaction.

      --
      slashdot: A failed experiment.
    5. Re:Well done! by Anne+Thwacks · · Score: 2

      You can keep your thumbs up, but, while anyone can implement HTTPS, few can do so without paying well over the odds for a cert. A cert is issued by a computer after a trivial amount of computing time, on the basis of the most trivial of investigation (probably only a check of the domain registry). This is about $0.1 worth of service, for which you are charged over $50, but there is no competition. Various attempts at not for profit cert issuing have been stifled by the big boys.

      This is a big time scam.

      To promote this scam, Google et al have been deprecating sites with actual information on, in favour of shopping sites and their "affiliates" to the extent that Google searches are massively less useful than in 1997 unless you are a shopper.

      Something must be done - I don't care if governments or blockchains are involved, but if everyone is forced to have a cert, they should bloody well be free! If someone is allowed to run a registry, they should be required by law (on pain of billion dollar fines, pitchforks or nuking from high orbit as required) to issue certs to all the domains they register to whoever registered them. The payment card operator is required to verify who owns the card - so the registry, who knows who paid, knows the identity of the domain's owner.

      --
      Sent from my ASR33 using ASCII
    6. Re:Well done! by thegarbz · · Score: 1

      There's little reason why publicly available non-controversial information should be encrypted

      We live in a world where the consumption of publicly available information is criminal. This isn't even limited to shithole dictator regimes, but now we are starting to see it in the west too.

      The only person who can decide if it is important for the information to be encrypted is the person who stands to be persecuted for consuming it.

    7. Re:Well done! by johnjones · · Score: 1

      Yes, certificate authorities are the high risk and consolidate control, neither of which you would want in a "secure" system.

    8. Re:Well done! by duke_cheetah2003 · · Score: 1

      You're too quick to give them credit. Follow the money trail. HTTPS and SPDY make it far easier to ensure that ads are transmitted, and to whom. That HTTPS largely defeats anonymous proxy caching and other techniques that make counting ad impressions harder is why Google pursues it; security is how they sell it, despite it being slower, to a high degree defeats bandwidth saving techniques, and requires extra resources on both server and client endpoints.

      I'm ok with this. Computing power is cheap and only getting cheap and better. Also don't like having third-party intermediaries caching my stuff. Bandwidth is cheap too. Who cares? Besides you.

      There's little reason why publicly available non-controversial information should be encrypted, and that makes up the majority of the web.

      You don't get it? Privacy. I really don't give a flying f if I'm looking at a recipe for peanut butter cookies, it's no one else's business and HTTPS means you have no idea what I'm looking at, just which server.

    9. Re: Well done! by duke_cheetah2003 · · Score: 1

      Yeah, it's not like letsencrypt offering automated certificates for free had anything to do with it.
      It was google showing a message about http being insecure.

      We might not like to admit that, but that is the truth of it. Sure Let's Encrypt is great, use it myself. But you can bet your wallet Let's Encrypt had little to do with this shift. People don't like being branded 'insecure.' It looks bad. It looks inferior. It looks... uhh.. Insecure. Google pushing that had a huge effect. A visible indication your site is a security risk. That is the motivator right there, not freebie certs, though they didn't hurt.

    10. Re:Well done! by arth1 · · Score: 1

      You don't get it? Privacy. I really don't give a flying f if I'm looking at a recipe for peanut butter cookies, it's no one else's business and HTTPS means you have no idea what I'm looking at, just which server.

      Privacy is indeed the worry. With HTTPS, those who run the recipe site and their "partners" like Google know who looked at the recipe for peanut butter cookies.
      The biggest privacy problem isn't people sitting in the middle snooping on the traffic, but the remote endpoints collecting data on you. HTTPS makes that easier, which is why Google is all for it. It's not out of the goodness of their hearts and concern for anything but the advertising dollars.

    11. Re: Well done! by sound+vision · · Score: 1

      "resources are cheap" was never a good excuse for inefficiency, but there are plenty of bandwidth-metered or battery-limited scenarios where the overhead does matter. SSL can also fail when, for example, the date is misconfigured on either end. Considering the majority of tracking of your internet usage isn't done using MitM methods anyway, and will continue unabated... I don't see who the principle of "security where it's needed, convenience and resilience where it isn't" is failing. Except maybe Google.

    12. Re:Well done! by dromgodis · · Score: 1

      the remote endpoints collecting data on you. HTTPS makes that easier

      I am honestly curious: How does HTTPS make that easier?

  3. Re:Surprised by Anonymous Coward · · Score: 0

    When I see someone using an Android phone I assume they’re some destitute poorfag who couldn’t afford a real phone.

  4. Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 2, Interesting

    If everyone needs a certificate, you can hold them back from people or invalidate them.

    It just seems like the real reason for this, why should a cat meme site need https for example.

    1. Re:Is this to control who is allowed a Web site? by Desler · · Score: 1

      You can get free certs...

    2. Re:Is this to control who is allowed a Web site? by DaveM753 · · Score: 1, Troll

      For how long? A year? Two years? Then how much will they cost?

      Sorry, but this whole thing smacks of a corporate-induced tax. Google plays the part of the police here.

    3. Re: Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      It's not about the money. I can get a free cert from let's encrypt, until they're forced to banish me.

    4. Re: Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      This whole thing looks like a giant sham and everyone's falling for it.

    5. Re:Is this to control who is allowed a Web site? by AHuxley · · Score: 1

      The pipe is secure from a site, to the user and anyone else who is "trusted".
      Some ads are more trusted than others :)

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Is this to control who is allowed a Web site? by swillden · · Score: 3, Informative

      why should a cat meme site need https for example

      To protect the users of the cat meme site from malicious parties on the network between their browser and the cat meme site. I don't mean to keep the cat memes secret, obviously that doesn't matter much. The purpose is to ensure that the code executed by the user's browser is the code sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

      For lots of sites we could use a TLS cipher suite that doesn't actually encrypt anything. It's the authenticity and integrity properties of TLS that are valuable for every site. Encryption only matters for some.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re: Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      The cat meme site doesn't need to run javascript.

      Now, that truth might seem threatening to 'Web Developers' but it's true.

    8. Re:Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      Yes, https is not for user security. It is a tracking and remote shutdown device.* Being able to opt out is essential.

      *It is also yet another reason that DNS should be abolished.

    9. Re:Is this to control who is allowed a Web site? by Hentes · · Score: 1

      You can self sign.

    10. Re:Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      Is it possible for a browser to only load content from the url in the address bar and reject everything else? I assume you're talking about malicious ads and content loaded from other sites.

    11. Re:Is this to control who is allowed a Web site? by Anonymous+Brave+Guy · · Score: 1

      If you don't have an authenticated source for whatever you're receiving, you don't even know that the site you're seeing at a well-known URL is really the one you think it is. Your ISP, whoever is providing the WiFi you're borrowing at the coffee shop or on the train, your employer, or just some guy with the right gear to spoof the relevant infrastructure on whatever otherwise legitimate network you're connected to could be playing silly games.

      As swillden says, in order to prevent this you need to be able to verify that what you're seeing came from who you think it came from and that it hasn't been modified along the way. Those are actually quite independent of encryption, although in practice on the web we usually use the same infrastructure to provide both functions.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    12. Re:Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      why should a cat meme site need https for example

      To protect the users of the cat meme site from malicious parties on the network between their browser and the cat meme site. I don't mean to keep the cat memes secret, obviously that doesn't matter much. The purpose is to ensure that the code executed by the user's browser is the code sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

      For lots of sites we could use a TLS cipher suite that doesn't actually encrypt anything. It's the authenticity and integrity properties of TLS that are valuable for every site. Encryption only matters for some.

      How about not block any sites, but disable javascript on non-secure sites? That is more fair. It is not good to require more "papers" to be allowed on the internet.

    13. Re:Is this to control who is allowed a Web site? by Anonymous+Brave+Guy · · Score: 1

      Until self-signed certificates are also deemed a security threat by the mighty Google and sites using them are auto-blocked in Chrome.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    14. Re:Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      Why is it when I upgraded "wireshark" on my PC, the system proceeded to upgrade every other network service as well, requiring me to spend hours deactivating everything I don't use, especially Amazon Web Services?

    15. Re: Is this to control who is allowed a Web site? by Bing+Tsher+E · · Score: 1

      It's about controlling the flow of Fake News and Hate Speech. Eventually Google wants to make it difficult to not connect to websites that are 'disapproved.' It might be dangerous to go to that site Google doesn't like. Are you sure you want to connect to it?

    16. Re: Is this to control who is allowed a Web site? by Bing+Tsher+E · · Score: 1

      That is important for secure e-commerce. But troubling for simple communications. There should not be authentication being performed on plain communications.

    17. Re: Is this to control who is allowed a Web site? by Anonymous+Brave+Guy · · Score: 1

      Why not? Any communication over an untrusted network is potentially a source of malware if nothing else.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    18. Re: Is this to control who is allowed a Web site? by arth1 · · Score: 1

      Why not? Do you speak in code to other people? Do you watch billboards where you have to decrypt the message?

      Information needs to be free. Not subject to logging who saw it, requiring extra resources on the sending and receiving end, and disappearing when certificates expire and the one to renew them is dead.

    19. Re: Is this to control who is allowed a Web site? by Anonymous+Brave+Guy · · Score: 1

      I'm sorry, but you appear to be confused about how this all works.

      Authentication means proving the identity of the party you're communicating with. It has nothing to do with encryption, other than the fact that certain tools can be useful for both purposes.

      There are multiple strategies for authentication that do not require that any third party be involved in or aware of the communication. No-one need be any more able to log your communications just because you authenticated the source.

      There are also various strategies for authentication that do not rely on the continued existence of specific third parties in order to function. Indeed, if you are able to exchange information out of band initially, there is no requirement for any third party to exist at all.

      And finally, on typical modern systems and assuming we're talking about communicating over the Internet, the overhead of authentication is likely to be negligible on both sides.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
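
The point made by swillden and Anonymous Brave Guy above, that authenticity and integrity are separate from encryption and need no third party once a key has been exchanged out of band, shown as an added example that is not code from any commenter. It is not the TLS record format: it assumes a pre-shared key (constructed here with `secrets.token_bytes`) and uses an HMAC over a sequence number, length and cleartext payload.

```python
"""Added illustration: integrity and authenticity without encryption."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class IntegrityError(Exception):
    """Raised when a record fails verification."""


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    # Bind the tag to the record's position and length so a record cannot be
    # replayed, reordered or truncated without the MAC changing.
    header = struct.pack(">QI", seq, len(payload))
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Return payload || tag. The payload is NOT encrypted."""
    return payload + _tag(key, seq, payload)


def open_record(key: bytes, expected_seq: int, record: bytes) -> bytes:
    """Verify a record and return its payload, or raise IntegrityError."""
    if len(record) < TAG_LEN:
        raise IntegrityError("record shorter than a MAC tag")
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    # compare_digest avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, _tag(key, expected_seq, payload)):
        raise IntegrityError("MAC mismatch: modified, replayed or wrong key")
    return payload


def rejected(key: bytes, expected_seq: int, record: bytes) -> bool:
    """True if the receiver refuses the record."""
    try:
        open_record(key, expected_seq, record)
    except IntegrityError:
        return True
    return False


def demo() -> dict:
    # Assumption: both ends obtained this key out of band beforehand.
    key = secrets.token_bytes(32)
    # Constructed sample page, sent in the clear.
    page = b"<html><body><img src='cat.jpg'></body></html>"
    record = seal(key, 0, page)
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]

    # What an on-path box that rewrites cleartext would produce: changed
    # body, original tag (it has no key to compute a new one).
    rewritten = payload.replace(
        b"</body>", b"<script src='http://injected.invalid/a.js'></script></body>"
    ) + tag

    return {
        "payload_readable_on_wire": page in record,        # no confidentiality
        "genuine_accepted": open_record(key, 0, record) == page,
        "rewrite_rejected": rejected(key, 0, rewritten),
        "truncation_rejected": rejected(key, 0, payload[:10] + tag),
        "replay_rejected": rejected(key, 1, record),       # old record, new slot
        "wrong_key_rejected": rejected(secrets.token_bytes(32), 0, record),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
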
    20. Re: Is this to control who is allowed a Web site? by tepples · · Score: 2

      The purpose is to ensure that the code executed by the user's browser is the code sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

      The cat meme site doesn't need to run javascript.

      Then let me restate the spirit of swillden's comment for the noscript case:

      The purpose is to ensure that the HTML markup, CSS code, image data, audio data, and video data interpreted by the user's browser is the HTML markup, CSS code, image data, audio data, and video data sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

    21. Re:Is this to control who is allowed a Web site? by swillden · · Score: 1

      How about not block any sites, but disable javascript on non-secure sites?

      Because that wouldn't work.

      All of the various forms of content downloaded by web browsers can be malformed in ways designed to exploit browser vulnerabilities. HTML, CSS, images, video, audio, PDFs... you name it, there have been vulnerabilities related to it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    22. Re: Is this to control who is allowed a Web site? by arth1 · · Score: 1

      Authentication means proving the identity of the party you're communicating with. It has nothing to do with encryption, other than the fact that certain tools can be useful for both purposes.

      You are a good example of why a little knowledge is dangerous.
      The problem isn't authentication, but that an unintercepted endpoint-to-endpoint connection tells you who requests an URL.

      When a user goes through a caching proxy server (which can very well be transparent and at the ISP) with a http request, all the remote web server sees is the IP address of the proxy server, and when others access the same resource while it is still fresh, the remote web server sees nothing at all because it's served from cache. This is a thorn in the side for Google, whose money making model relies on knowing who accesses which pages and sees which ads.
      Enforcing https helps them achieve that. While users can use https through proxies, it requires hoops like importing and maintaining CA certificates which no regular user is going to go through, and lowers security in that what should be secure like banking information can also get cached along with the kitty pics.
      So leave the kitty pics and weather reports on http, and banking and political discussions on https.
      The best of both worlds. Choice. Yours, not Google's.

    23. Re:Is this to control who is allowed a Web site? by Desler · · Score: 1

      For ever from let’s encrypt unless your domain expires.

    24. Re: Is this to control who is allowed a Web site? by FrankHaynes · · Score: 1

      Are you speaking of cases where the user always Googles EVERYTHING and then clicks the resulting link?

      Because in my desktop browser (and whenever possible on my Android) I click links in my Bookmarks or just type the URL into Firefox (not Chrome) and go direct to the site. How could Google intercept that?

      --
      slashdot: A failed experiment.
    25. Re: Is this to control who is allowed a Web site? by arth1 · · Score: 1

      Because in my desktop browser (and whenever possible on my Android) I click links in my Bookmarks or just type the URL into Firefox (not Chrome) and go direct to the site. How could Google intercept that?

      Web bugs and scripts. Like on this very page:

      _gaq.push(['_trackPageview']);
      _gaq.push(['b._trackPageview']);
      _gaq.push(['_trackPageLoadTime']);
      _gaq.push(['b._trackPageLoadTime']);

      (function() {
        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
      })();

      No prize for guessing where the google-analytics.com request goes to. When using https, the request will go directly to Google, who will know your IP and browser fingerprint. When using http, Google can't know whether it's you or someone on behalf of you, and may not even get a hit, because it's cached in a proxy.

    26. Re: Is this to control who is allowed a Web site? by Bing+Tsher+E · · Score: 1

      So the malware all comes from the main web domain, not scattered from all over. Okay.

      The browser vulns still are the main problem. Massively restricting what the browser can connect to is a chickenshit kludge of a solution.

    27. Re: Is this to control who is allowed a Web site? by Bing+Tsher+E · · Score: 1

      Do people really browse without Google Analytics blocked with NoScript?

      I suppose they must.

      We need fuzzing browser plug-ins. It's time to make the data miners work for a living.

    28. Re: Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      The spirit of swillden's comment is to meet his Google mandated quota of shilling for his bosses. CONGRATS fine sir, you have earned your October gold level lap dog service award. Your plaque for your cubicle will be shipped next week.

    29. Re: Is this to control who is allowed a Web site? by Anonymous+Brave+Guy · · Score: 1

      My "little knowledge" comes from about ten years working in relevant areas professionally and knowing how these protocols work down to the bit, but whatever.

      The subject of this thread was authentication as a defence against malware injection. Obviously you're welcome to discuss other things, but they're not really on topic in this part of the discussion, and so far you appear to be trying to make some sort of dogmatic point rather than addressing the issue that everyone else is talking about.

      In any case, nothing about authentication precludes the use of proxies, only the ability for proxies to silently pretend to be someone they are not. Those transparent proxies you seem so keen on are exactly the kind of threat the rest of us are considering, because a transparent proxy with access to unauthenticated traffic with no integrity controls can modify that traffic covertly to inject anything from ads to drive-by downloads. And as you point out yourself, if you are willing to trust a proxy, you can still set it up to work transparently if you're willing to install a new CA.

      As you might have put it, the best of both worlds: choice, but yours and not your ISP's, your WiFi provider's or your local network impersonation artist's.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    30. Re: Is this to control who is allowed a Web site? by FrankHaynes · · Score: 1

      Except that I block google-analytics.com and its ilk from executing their scripts via NoScript.

      Which was just fine and dandy until Firefox decided to hide the NoScript UI element as "legacy" until they click their heels and salute to the Firefox New Order of Add-Ons. Still works, though.

      --
      slashdot: A failed experiment.
    31. Re:Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 0

      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

      ACs can't see your signature, remember?

  5. How does Google get this? by Anonymous Coward · · Score: 0

    Is anyone else vaguely perturbed that we are getting information on this increase in a privacy-enhancing technology by Chrome apparently watching every website that a wide variety of users go to and sending that information back to Google? It seems like somewhat of a mixed bag, to say the least.

    1. Re:How does Google get this? by mikael · · Score: 1

      Remember that Google also performs a security check of every web address to make sure it is not a malware site. Be more concerned about how Firefox is embedding all sorts of prefetching services for Facebook, Amazon and other websites, even if you don't use them. A web browser shouldn't be sending a constant stream of data out to the internet while it's on a blank page.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re: How does Google get this? by Anonymous Coward · · Score: 0

      Remember that Google also performs a security check of every web address to make sure it is not a malware site.

      You have that enabled? Why?

    3. Re:How does Google get this? by swillden · · Score: 1

      Is anyone else vaguely perturbed that we are getting information on this increase in a privacy-enhancing technology by Chrome apparently watching every website that a wide variety of users go to and sending that information back to Google?

      In Chrome, go into Settings. Click "Advanced", then look under "Privacy" for "Automatically send usage statistics and crash reports to Google". If that is enabled, it's because you approved it. If it's disabled, Chrome is not sending the information.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:How does Google get this? by swillden · · Score: 2

      Remember that Google also performs a security check of every web address to make sure it is not a malware site.

      Only if you agreed to turn that on.

      It's actually a really good idea from a security perspective, assuming you're comfortable with Google receiving that information. I am... but then I browse logged in to a Google account, and have Web History turned on. I find it very useful to be able to search and review my own browsing history. YMMV, and you have to make the privacy vs security/convenience tradeoff yourself. The controls are there to allow you to do it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:How does Google get this? by Anonymous Coward · · Score: 0

      If that is enabled, it's because you approved it.

      Um, no, it's on by default.

      If it's disabled, Chrome is not sending the information.

      Are you sure? Like how Bluetooth and WiFi data are really turned off on iOS when you've turned them off from the lock screen?

    6. Re: How does Google get this? by Bing+Tsher+E · · Score: 1

      The default should be opt-out. But Google gives away this free and shiny candy they call Chrome.

      I guess it keeps grandma safer.

    7. Re: How does Google get this? by Bing+Tsher+E · · Score: 1

      If it's checked, it's because you didn't know well enough to uncheck it during those smooth "let's get you started, now" screens when you first use the browser.

      The best part is when it actually gets kinda sulky when you don't make all the correct choices. The Microsoft 'approval of defaults' process goes the same way.

      Make no mistake about it, a LOT of design effort goes into making that a 'smooth experience' for 'the user.'

    8. Re:How does Google get this? by Anonymous Coward · · Score: 0

      In Chrome, go into Settings. Click "Advanced", then look under "Privacy" for "Automatically send usage statistics and crash reports to Google". If that is enabled, it's because you approved it.

      According to: https://www.google.com/chrome/......

      Chrome has a feature to automatically send usage statistics and crash reports to Google in order to help improve Chrome’s feature set and stability.

      Usage statistics contain information such as system information, preferences, user interface feature usage, responsiveness and memory usage. This feature is enabled by default for Chrome installations of version 54 or later. You can enable or disable the feature in the 'Privacy' section of Google Chrome's settings.

    9. Re: How does Google get this? by swillden · · Score: 1

      The best part is when it actually gets kinda sulky when you don't make all the correct choices

      In what way?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re: How does Google get this? by swillden · · Score: 1

      The default should be opt-out.

      As I recall, there is no default. You have to make a choice.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re: How does Google get this? by Bing+Tsher+E · · Score: 1

      Nope, there are boxes pre-checked, and a 'continue forward' type button on the corner of the screen to provide a smooth user experience.

  6. Google Scroogle by Anonymous Coward · · Score: 1

    Yes, let's all thank Google for raising the energy and operations costs of servers and lowering the battery life of our devices.

    This was a huge fuck-up by a big company who decided to double-down on trying to control the web. They only got away with it because Firefox was onboard with this screwing everyone.

    Ever wonder why the advertised 12 hour battery life of your mobile device has dropped to 8 or 6 hours? This is why.

    1. Re:Google Scroogle by mikael · · Score: 1

      I have an old smartphone with no SIM card or Wi-Fi connection. Battery life is about 10 days. With Wi-Fi or network SIM card, it's a day.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re: Google Scroogle by Bing+Tsher+E · · Score: 1

      What do you do for ten days on an old smartphone with no simcard or wifi?

      I have a favorite Solitaire app. I suppose I could play Angry Birds. Otherwise, if I had a smartphone with no connection to the outside world, I'd rather just use my old Palm III instead.

    3. Re:Google Scroogle by tepples · · Score: 1

      Ever wonder why the advertised 12 hour battery life of your mobile device has dropped to 8 or 6 hours? This is why.

      On which device, and with which websites, have you benchmarked a battery life difference of this magnitude between cleartext HTTP and HTTPS? Because otherwise, I'm more inclined to blame the growth in both lithium dendrites and ad display script complexity for reduced battery capacity.

    4. Re: Google Scroogle by Oligonicella · · Score: 1

      What do you do for ten days on an old smartphone with no simcard or wifi?

      Uses it as a phone?

  7. That's interesting? by hcs_$reboot · · Score: 2

    That's interesting because, at first glance, the http(s) traffic has nothing to do with the user's computer OS, would it be a Mac or Windows. On average, Windows users tend to visit less secure websites than Mac users. OTOH, people usually don't really choose a website based on if it's https or not - except if it's for a payment, login, or subscription. Or would Windows users be a bit less security sensitive than Mac users, when it comes to performing these private transactions?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:That's interesting? by arth1 · · Score: 3, Interesting

      Look for the simplest solutions. Like Mac users visiting shopping sites more. i.e. a correlation between being a consumerist and using a Mac.

  8. Re:Surprised by jonwil · · Score: 1

    Considering how expensive a Galaxy or other high-end Android device is, I doubt anyone using such a thing is using one because they can't afford a "real phone" (by which I assume you mean Apple)

  9. what's truly scary here is.. by Anonymous Coward · · Score: 0

    the feds aren't crying over this trend.

    1. Re: what's truly scary here is.. by Anonymous Coward · · Score: 0

      Fedz luv https because of a long standing 0day...... HEH.

  10. Now stop breaking https by mattr · · Score: 2

    Now we just need public wifi to stop breaking https!

    1. Re:Now stop breaking https by tepples · · Score: 1

      Visit http://example.com/ through cleartext HTTP first in order to trigger the captive portal redirect.

    2. Re:Now stop breaking https by thegarbz · · Score: 1

      It doesn't. This is the combination of two things:

      a) Your HTTPS connections appear broken and insecure due to HSTS demanding an SSL certificate for a site previously visited securely and the public wifi login page being unable to provide the correct one.
      b) Your browser not recognising the need to redirect because of the SSL error.

      This isn't the public wifi's fault. All you need to do is open a known non-https page that will force the redirect to the login page. Sometimes this won't work if you force your DNS settings.
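
The mechanism described in the comment above, as an added sketch (not part of the thread and not any browser's code): a browser-side HSTS store plus a simplified model of a network that intercepts traffic until login. The class, function names and hosts are constructed for the example; the portal behaviour is an assumption.

```python
from urllib.parse import urlsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub


class HstsStore:
    """Hosts the browser has previously visited securely (hypothetical model)."""

    def __init__(self):
        self._entries = {}  # host -> (expiry time, include_subdomains)

    def note(self, host, header, now):
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 clears the policy
        else:
            self._entries[host.lower()] = (now + max_age, include_sub)

    def covers(self, host, now):
        # Exact match always counts; a parent domain counts only when it
        # sent includeSubDomains and its policy has not expired.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def behind_portal(url, store, now):
    """What the user sees before logging in to the portal (simplified)."""
    parts = urlsplit(url)
    if parts.scheme == "https" or store.covers(parts.hostname, now):
        # HSTS upgrades http:// to https:// before any request leaves the
        # browser, and the portal cannot present the site's certificate.
        return "certificate error, no redirect"
    return "redirected to login page"
```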

  11. ISP ad injection by tepples · · Score: 1

    There's little reason why publicly available non-controversial information should be encrypted

    For one thing, what you find non-controversial a third party may find controversial. For another, home ISPs such as Comcast can and do inject their own ads and other malware into cleartext HTTP connections.

    1. Re:ISP ad injection by johnjones · · Score: 1

      yes they specifically inject adverts and show that your stream is not secure at all from MITM, the only way is to get rid of the Certificate Authorities who compromise everything...

       

  12. For domain owners only by tepples · · Score: 1

    Per the CA/Browser Forum Baseline Requirements, Let's Encrypt is forced to banish you for either of the following reasons:

    • A. Your domain isn't fully qualified, such as multicast DNS names under .local.
    • B. Your domain has expired.
  13. And get rate-limited by Let's Encrypt by tepples · · Score: 2

    There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue.

    One reason is that your web server is private, and you don't own a domain.

    In order to set up HTTPS traffic to the owner of a home router, printer, or NAS, its owner would first have to acquire a domain and a certificate for said device. But as I understand it, most providers of dynamic DNS on a subdomain without charge still aren't in the Public Suffix List. And if the domain in which your subdomain is registered hasn't completed the process to be added to the Public Suffix List, and 20 other customers on the same subdomain have already obtained a certificate from Let's Encrypt in the past week, Let's Encrypt will refuse to issue you a certificate on rate limit grounds. This means that even if you do buy a router, printer, and NAS with Let's Encrypt integration, you'll need to buy a domain for your home LAN and continue to renew it.
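
An added illustration of the rate limit described in the comment above (not Let's Encrypt's code and not part of the thread): hostnames are bucketed by registered domain, meaning the public suffix plus one label, and each bucket gets 20 certificates a week, the figure given in the comment. The miniature suffix list, hostnames and function names are constructed for the example.

```python
from collections import Counter

# Constructed miniature Public Suffix List. The real list is far longer and
# also has wildcard and exception rules, which this sketch leaves out.
PUBLIC_SUFFIXES = {"com", "net", "org", "listed-dyndns.example"}

WEEKLY_LIMIT = 20  # certificates per registered domain per week, per the comment


def registered_domain(hostname, suffixes=PUBLIC_SUFFIXES):
    """Return the longest matching public suffix plus one more label."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                return None  # the hostname is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # no known suffix, for example a name under .local


def issuance_decisions(requests, limit=WEEKLY_LIMIT):
    """Process one week's requests in order; return a list of (host, issued)."""
    issued = Counter()
    decisions = []
    for host in requests:
        bucket = registered_domain(host)
        ok = bucket is not None and issued[bucket] < limit
        if ok:
            issued[bucket] += 1
        decisions.append((host, ok))
    return decisions


# Constructed week: 21 customers on each of two dynamic DNS providers,
# one absent from the suffix list and one present in it.
unlisted = [f"cust{n}.unlisted-dyndns.net" for n in range(21)]
listed = [f"cust{n}.listed-dyndns.example" for n in range(21)]
results = dict(issuance_decisions(unlisted + listed))
```

Customers of the unlisted provider all share the `unlisted-dyndns.net` bucket, so the 21st request is refused, while every customer of the listed provider is its own registered domain.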

    1. Re: And get rate-limited by Let's Encrypt by Anonymous Coward · · Score: 0

      No you don't. You can set up https from your ISP DNS name. (If it has one) mine is $ip.$isp

      Works with letsencrypt because I own the IP and the server running from that ip

    2. Re:And get rate-limited by Let's Encrypt by SuricouRaven · · Score: 1

      If the webserver is for your own personal use - which, if it's on a residential connection and without domain name, is likely true - then you may as well just use self-signed.

  14. Secure us from Google by Anonymous Coward · · Score: 1

    Google is helping secure the web with HTTPS; great. Now we have to talk about securing the web from Google. Rather than Chrome, at least run open source Chromium, if not Brave or Firefox. Run Google searches with Startpage. Run CopperheadOS rather than stock Android to strip out all the proprietary Google code and secure the OS.

  15. Re:Surprised by Anonymous Coward · · Score: 0

    Most Android users don’t own such phones so, yes, in general they look like poorfags.

  16. Re: Surprised by Bing+Tsher+E · · Score: 1

    Are you sure you're not somebody trying to make iPhone users seem like shitheads?

  17. WPA2 broken recently? HTTPS will be too by Anonymous Coward · · Score: 0

    WPA2 been broken recently - HTTPS will be if it isn't already & we just don't know it. Slow us down encryption = broken constantly!

    * What good is it other than slowing us down terribly WHEN ALL IT DOES IS SHOW BUGS THAT GET EXPLOITED or IT GETS PENETRATED?

    APK

    P.S.=> Mod me down ALL YOU LIKE as you did last time I posted this here https://apple.slashdot.org/comments.pl?sid=11256405&cid=55407507/ - but am I bs'ing anyone here? I KNOW NOT - History proves me correct!)... apk

  18. http:// is always INSECURE by Anonymous Coward · · Score: 0

    Anyone along the way can inject MiTM JavaScript attacks to benign html. They can replace images. They can replace content itself. They can do anything, and in many places they actually are doing it.

    1. Re:http:// is always INSECURE by arth1 · · Score: 1

      Anyone along the way can inject MiTM JavaScript attacks to benign html. They can replace images. They can replace content itself. They can do anything, and in many places they actually are doing it.

      Sure, and I find that much less of a privacy problem than Google (and anyone who can serve Google a letter) building a complete dossier on what we surf. The difference between obtaining one datum and obtaining all data.

  19. TXT editing; carrier-grade NAT by tepples · · Score: 1

    You can set up https from your ISP DNS name. (If it has one) mine is $ip.$isp

    I thought you needed to be able to set up TXT records in order to use the ACME DNS challenge. I doubt an ISP lets a residential subscriber edit the domain's TXT records.

    ACME also has an HTTP challenge, but you need to forward a port for that. This in turn means you need your own IP address, as opposed to carrier-grade NAT, and ISPs in less IPv4-rich countries tend to put residential subscribers behind carrier-grade NAT unless they're paying substantially more per month for "home business" service that includes a static IP.

  20. Bad for free speech and experimentation by iamacat · · Score: 1

    In the not so distant past, you could code your own web server on a home desktop and make it available to any browser worldwide. With https you have to get a domain name and a certificate, adding ongoing expenses and implying someone needs to give you permission for what you want to serve to the world. Plus SSL is not something you can code from scratch on top of the OS as a hobby. We ought to at least establish a strong hobby Internet if the commercial one has to be locked down.

  21. breaking the web by Anonymous Coward · · Score: 0

    Every day, I can't connect to web sites that do not need to be encrypted but use https along with some wrong certificate, either because some script didn't run, or because of some other fuckup. https everywhere is breaking the web.