Slashdot Mirror


Google Chrome Pushes For User Protection With 'Not secure' Label (axios.com)

In an effort to force websites to better protect their users, the Chrome web browser will label all sites that do not encrypt their traffic as "Not secure" in the web address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without allowing potential eavesdroppers to see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning next to a site's URL if it forgoes HTTPS encryption and a user enters data. Now the browser will label all sites without HTTPS encryption this way.

85 comments

  1. Entire internet doesn't need to be https by iamhassi · · Score: 4, Insightful

    This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https

    --
    my karma will be here long after I'm gone
    1. Re:Entire internet doesn't need to be https by XanC · · Score: 1

      First, I think yes, it does. Otherwise it will be snooped or manipulated.

      Second, they're just making it clearer when a site isn't https. Not saying every site needs to be secure.

    2. Re:Entire internet doesn't need to be https by ArchieBunker · · Score: 3, Funny

      Don't the feds have all the SSL master keys anyhow?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:Entire internet doesn't need to be https by nitehawk214 · · Score: 3, Insightful

      So you don't mind a 3rd party knowing the content of each webpage you have visited?

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    4. Re:Entire internet doesn't need to be https by Baton+Rogue · · Score: 0

      a waste of money and time to make every site https

      Let's Encrypt makes it easy and free for every website to be https.

    5. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      google (and other 3rd parties) can already track you securely everywhere

    6. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      requires always restarting nginx because the certificates can't live a reasonable time

    7. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      HTTPS means: encrypted traffic AND identity verification.
      The encrypted traffic part is great, and is only math.
      The identity part still requires a trusted third party that can (and will) fail you, which sucks.
      The two concepts can and should be kept separate.

    8. Re:Entire internet doesn't need to be https by Richard_at_work · · Score: 3, Informative

      Every site has *something* to lose - if it's not user credentials or personally identifiable information, then it's reputation or simply the ability for a third party to inject ads or crypto mining scripts into the page.

      We have all seen the fallout of ISPs injecting ads into pages - Comcast and others have done it - so if you want to be *certain* your page reaches your audience as you intend them to receive it, http is no longer good enough (and hasn't been for years).

    9. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 1

      nope... except for pages where I actually log in I couldn't care less. There should rather be a warning if there is any 3rd party content, like AdWords or Analytics...

    10. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 2, Informative

      Short answer; Yes.

      Long answer; hell Yes... except all those self-signed certs chrome/google seem dead set on crippling even more for browser use.

    11. Re: Entire internet doesn't need to be https by Anonymous Coward · · Score: 3, Insightful

      With your browser trusting 600 CAs by default it certainly has absolutely no value without DNSSEC and DANE.

    12. Re:Entire internet doesn't need to be https by thegarbz · · Score: 1, Insightful

      This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https

      They are doing nothing of the sort, they are only finally putting HTTP in the correct light: It's not frigging secure and never has been. The fact that so far we have put more effort into poorly encrypted but nonetheless far more secure than HTTP.

      It made no sense. This finally does.

    13. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 3, Interesting

      HTTPS security doesn't matter if I don't trust the content anyway. (I could be looking at https://sloashdot.org/ for example. Or even the genuine slashdot.org and it could still be utter nonsense.) It really only matters for the small handful of sites that I visit where the identity of that site would make a material difference to me (bank, tax dept).

      Given that, manipulation is a non-issue. I could be looking at a manipulated version of slashdot and I wouldn't trust it any more or less. Snooping is a bit of a concern; but I suspect they get that anyway. (Besides, knowing the IP is 90% of it.)

      Second, they're just making it clearer when a site isn't https. Not saying every site needs to be secure.
      They absolutely ARE implying that every site needs to be 'secure'. By having 'secure' (and I suspect it will have some big red text or something) they will imply that it is a bad thing. They are wrong, it's far more nuanced than that.

      Finally, https doesn't guarantee security. https://www.enteryourcreditcardscam.biz/ is "secure" - all that https protects is you talking to the web server. From there, who knows, it could be uploading your CC data to dropbox for all the web browser knows. It's not good that Chrome gives users a false sense of security.

      As for snooping, well, it's a bit rich of Google -- who the hell runs Google AdSense and analytics? All those javascript files 'secure' under https? They (Google) are already snooping on you - just with consent of the web site owners.

      Maybe that's it... Google doesn't want ISPs getting their hands on their juicy advertising revenue? Or they think security is "user to site" without realising it's the site itself?

    14. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      To be fair http isn't secure. https isn't much of an improvement all things considered, but at least it's an attempt.

    15. Re:Entire internet doesn't need to be https by DaMattster · · Score: 0

      This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https

      I completely disagree. Companies that run websites should already be serving their websites via https. This will probably push companies who aren't using encryption to start or face backlash from users. It is very easy to make use of https! Any competent website administrator should already know how to do this. It isn't even an issue of money either. Let's Encrypt offers free certificates so I don't want to hear that it is a time and money issue.

    16. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 1

      that's really an nginx flaw (it shouldn't have to restart to update certs).

    17. Re:Entire internet doesn't need to be https by XanC · · Score: 1

      It doesn't. It can gracefully reload.

    18. Re:Entire internet doesn't need to be https by tlhIngan · · Score: 4, Interesting

      It isn't even an issue of money either. Let's Encrypt offers free certificates so I don't want to hear that it is a time and money issue.

      It's a reputation issue. Given Let's Encrypt has issued over 14,000 paypal phishing certificates, one would think you should revoke Let's Encrypt certificates. After all, if Symantec, Comodo or others issued those, we'd be calling for blood.

      The only reason we aren't is because Let's Encrypt has big names like EFF and Mozilla behind them. But all the scammers are basically dragging them through the mud - are your EFF donations being used to scam poor old ladies out of their money? Is scamming people really the goal of EFF and Mozilla?

      Heck, it's actually kind of funny because a new exploit opened up on sites using Let's Encrypt, because they have a well-known directory that's being used to hide cryptocurrency miners and other things, too.

      Maybe if there was a way to grade the quality of a certificate - Let's Encrypt can be made low, sites that charge with a real valid billing address (i.e., used a credit card, as opposed to bitcoin) can be higher rated because there is accountability down the line - including down to a real name and address.

    19. Re:Entire internet doesn't need to be https by amorsen · · Score: 2

      I generate my own key and use letsencrypt to certify it. The key does not leave my server.

      The feds can force any number of certificate authorities to generate a certificate that matches mine, with a new private key. They can do exactly the same if I had a self-signed certificate.

      They cannot, without doing a targeted attack and breaking into my server, get the actual private key that my site uses. Again, precisely the same as a self-signed certificate.

      There is no security advantage to using a self-signed certificate.

      --
      Finally! A year of moderation! Ready for 2019?
    20. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      I think it is a good thing. In the past, you might have only had to worry about Phorm if you were in the UK, but if one uses Wi-Fi connections and no VPN, there are a ton of them that will MITM HTTP traffic and insert shit. For example, I was getting ads (full screen takeover stuff) on my own WordPress site (which has no ads, period) through one Wi-Fi connection, when nobody else was (I spent some time to check if it were hacked), and it was only that one connection that was doing that. So in-flight attacks do happen. Plus, it is highly profitable to do such a thing since swapping affiliates out is good cash, and can't be caught.

    21. Re:Entire internet doesn't need to be https by amorsen · · Score: 2

      There is a way to grade. If you want actual validation, you need an extended validation certificate.

      Any other type of certificate is just a way to scam you out of your money -- they do not verify anything except the fact that you aren't piss-poor. If you think a card charge provides any verification, I give you How to use prepaid debit cards.

      If anything, it should be forbidden to charge money for a certificate that isn't extended validation. However, with Let's Encrypt available, the market hopefully sorts it out.

      --
      Finally! A year of moderation! Ready for 2019?
    22. Re:Entire internet doesn't need to be https by KixWooder · · Score: 1

      It prevents your ISP from injecting crap into your pages, like Comcast has been known to do.

      --
      I hate fat people.
    23. Re:Entire internet doesn't need to be https by Actually,+I+do+RTFA · · Score: 2

      Sniffing is a minor concern. The bigger problem, by far, is third party trackers. This is more an attempt by Google to monopolize tracking data than preventing it.

      Also, it only protects knowing which specific page I visit on a site (they can tell from the IP address what website I'm visiting, right?). And that's unnecessary on many or most sites. On , WebMD pages matter, but when you go to XKCD?

      --
      Your ad here. Ask me how!
    24. Re: Entire internet doesn't need to be https by Anonymous Coward · · Score: 1

      Extended validation is a sham too. I got an EV code signing certificate recently for signing Windows drivers. The only verification was that the CA called my prepaid phone number to ask if I am indeed a hardware engineer working for xxx. I said yes, and got the certificate. I could easily have lied.

    25. Re:Entire internet doesn't need to be https by hawkinspeter · · Score: 1

      systemctl reload nginx does the trick for me.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    26. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https

      If you run a website, and lack the skills, resources, and knowledge to implement https ... then you have no business running something on the internet and I want to be warned of this.

      Because I assume that level of incompetence and laziness pervades everything else to do with your crap, and I'm going to treat you accordingly.

    27. Re:Entire internet doesn't need to be https by Cajun+Hell · · Score: 1

      One of the obvious problems with this whole thing is that what https does is somewhat more technical than the kinds of things laymen know about, and Google wants to "dumb down" the distinction in the UI to something succinct. So they chose one single word, "secure" instead of "this conversation is believed (to a somewhat degree of confidence) to be through party X's webserver (or with them plus other parties that they consented to be included), and oh by the way, we also encrypted it too."

      It's "wrong" but such is the cost of brevity. Some people will get the wrong idea what it means, but Google's betting that overall, on average, laymen users will be generally better informed by the change.

      --
      "Believe me!" -- Donald Trump
    28. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      I completely disagree. Companies that run websites should already be serving their websites via https.

      This may come as a surprise, but there are websites on the Internet that aren't run by companies.

    29. Re:Entire internet doesn't need to be https by lactose99 · · Score: 1

      Nope, reload, and it can be done online

      --
      Fully licensed blockchain psychiatrist
    30. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 1

      Second, they're just making it clearer when a site isn't https. Not saying every site needs to be secure.

      Then what was the point of phrasing it as "Not Secure"? That you should feel good knowing the site is "insecure"? That you shouldn't think that Clueless Users won't suddenly say "why isn't it secure" and start demanding "security"?

      They phrased it that way precisely to make users do that. Encrypt All Of The Things!!!! Never mind that doing so renders using an alternative DNS utterly impossible, what with altering the domain at all would break the TLS verification, and ICANN deciding to basically allow any TLD to be registered. (No blank TLD could be used by the alt DNS servers.) Breaks interop with older equipment (have fun getting that old appliance to use modern TLS), creates a massive need of cert issuing for services that never used nor needed it previously, and will further segment and isolate the internet as a whole for very little gain, that most people won't even notice, let alone know how to take advantage of. (Hence the branding by Google, $10.00 says we get a story in the future about how much Google has "helped" internet security advance by doing this.)

      Also: HTTPS != Secure

      Yes, I know what the 'S' in HTTPS means. No, that definition is wrong. It should be 'HTTPE' (Encrypted) not HTTPS (Secure). There is no security in the underlying certs. They are all signed by a bunch of third parties that most people will never verify. The certs are all so convoluted that determining if one has changed is a non-starter for the general public. The certs rely on being installed automagically to the point most people don't even know they exist, and therefore can't even begin to make a decision on them, let alone one about trust. The certs all depend on DNS, which can be intercepted and changed. (Never mind someone wanting to use an alternative DNS. So yay, more net segmentation and isolation.) The whole thing is broken from start to finish as far as trust is concerned, and without trust, there can be no security.

      Also, this is Google messing around again. The same Google that loves changing the meaning of "Trusted Certificate" every 5 seconds, rendering the idea impossible to keep up with, (and costly), for both site operators and users alike. The same Google that loves not trusting anyone, especially their users, and constantly making "improvements" that break the user's input on the decision of trust. The same Google that decided SSL/TLS interception of user data (banking, government, medical, personal, etc.) was perfectly fine, but intercepting the user's search queries, or the system's updates was a non-starter. The same Google that decided that Android apps should be able to ignore administrator-installed certs, and even not need to allow the user to even SEE what was considered trusted by them.

      So no, Google is the last idiot I want being backed on this issue. They are in no position to be dictating what is secure and what isn't, they've abused that power to a ridiculous level and have proven that they cannot be trusted themselves.

    31. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      Your ignorance of the encryption issue is common.

      You are thinking "A talks to B". But what if C has intercepted, and "A" is really doing the SSL handshake with "C"; and "C" is then doing a separate SSL handshake with "B"?

      How would "A" know? There are no clues in the SSL handshake. And "C" is going to pretend to be "B" in every way it can.

      With an authority (CA) in the mix, it's obvious ("C" doesn't have a private key that "A" knows to be associated with "B").

      Problem being for local network use, it's a right PITA to mess around with certificate authorities.

    32. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      My site does not need HTTPS.

      Not mine, but I agree with all of the points.

    33. Re:Entire internet doesn't need to be https by AmiMoJo · · Score: 2

      The certs that Let's Encrypt issues don't certify identity. If you are assuming that they verify the identity of the site owner you made a mistake.

      Let's Encrypt checks that the key belongs to a person with the ability to edit the site. That's it. You can be reasonably sure your communications with that site can only be read by people who can edit the site, that's it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    34. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      There is no security advantage to using a self-signed certificate.

      Running a non-public web service, using your own known to be trusted certs, to secure the link between your server and you. (Think whistleblowers, political activists, journalists, etc.)

      Exercising full control over what is considered "trusted" vs. "untrusted" on your own equipment. (Company intranets, Personal servers, people you've met, software that should be executed with privilege, etc.)

      Just because you choose to use a cert someone else granted you for trust purposes doesn't mean that others will, or are even able to. Quit bashing other people's freedom just because you chose "security".

    35. Re:Entire internet doesn't need to be https by DCFusor · · Score: 1

      No point modding up a +5. How about the 30 or so websites on my LAN of things? No internet involved at all. Faking certs for that would be just plain stupid. Seems the whole world is set up for stupid consumers only - no one creates content, right? That's why asymmetric DSL is such a hit, right?

      --
      Why guess when you can know? Measure!
    36. Re: Entire internet doesn't need to be https by Kjella · · Score: 1

      With your browser trusting 600 CAs by default it certainly has absolutely no value without DNSSEC and DANE.

      All it takes is a few webmasters to take note of their security certificate fingerprint and check it from a random home/mobile connection or proxy and you'd see alarm bells go off if someone was trying to MITM the world. With HTTP they can just snoop on a fiber optic cable and nobody would know. So when it comes to protecting everyday people visiting everyday sites I think it has an effect.

      --
      Live today, because you never know what tomorrow brings
    37. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      > It's a reputation issue. Given Let's Encrypt has issued over 14,000 paypal phishing certificates, one would think you should revoke Let's Encrypt certificates.

      LE issues DV certs and actually validates that it's issuing its certs to someone who controls the domain.

      > After all, if Symantec, Comodo or others issued those, we'd be calling for blood.

      Issuing a DV cert to someone who can demonstrate that they control the domain covered by the cert is _exactly_ what CAs are expected to do.

      CAs are not expected to do things like

      * Putting their cert signing key on the web for anyone to steal

      * Issuing EV certs to people who failed to provide even enough information for DV validation

      * Issuing certs that cover generic names like "localhost" or "mail"

      LE has demonstrated the two things that _everyone_ already knew: DV certs can be safely issued _entirely_ automatically, and their market value is exactly zero. "Traditional" CAs are mad that their cash cow is gone and the only thing that's left to charge for is a product that actually takes effort and diligence to produce. Boo hoo.

    38. Re:Entire internet doesn't need to be https by amorsen · · Score: 1

      Someone did not grant me a certificate. They simply signed my public key, certifying that they believe that my public key belongs to me. Whether you choose to believe them or not is immaterial. No one is able to make my security WORSE by signing my public key -- that is pretty much the basis of public key cryptography.

      (TLS is broken in that it only allows one entity to sign a given key in a certificate. It is incredible that no one has fixed that yet.)

      --
      Finally! A year of moderation! Ready for 2019?
    39. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      And even if you do know enough, removing the certificate authorities you don't trust just breaks the web, it doesn't fall back to http or switch to a certificate from one you do trust.

      If anyone wants to try, I suggest they start with Symantec (Blue Coat spy certificates) and Verisign (if they are willing to break DNS for profit, they are willing to break https for profit).

    40. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      Let's Encrypt makes it easy and free

      Easy? How?

      As far as I can tell from their documentation, you have two options:

      A: Download random software from untrusted web sites[1], buy expensive antivirus software, find out the antivirus software does more harm than most viruses, format, reinstall, never touch Let's Encrypt again.

      B: Spend a ton of time (= money) to study the protocols that have been deliberately designed to be impossible to implement as a simple curl script, then hire someone to develop your own tools.

      If you insist on using Let's Encrypt, the easiest way ends up being putting a separate machine outside the firewall and use it for method A, moving the certificate requests and certificates back and forth on non-autorun-able media. And as Let's Encrypt certificates expire very quickly, end up hiring someone to do it.

      Either way, the cheapest solution becomes a paid certificate, and the easiest solution becomes giving up on running a personal server and moving everything to Facebook.

      [1] By recommending that you download random software from untrusted web sites, letsencrypt.org has placed themselves squarely in the untrusted web sites category.

    41. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      It's not frigging secure and never has been.

      So comparable to the horribly broken CA model that https depends on. Got it.

    42. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      Only until your ISP decides to become a CA of their own. Mine already is... Then they can just have their injection points auto-generate certificates for whatever you request.

      Yeah, it would be against the rules, in fact it would be just as large a breach of the rules as when Symantec gave a root certificate to Blue Coat for use in their surveillance devices, and not a single browser vendor has removed Symantec from the list of trusted CAs as a result.

    43. Re:Entire internet doesn't need to be https by TheRaven64 · · Score: 1

      You don't seem to understand how TLS certs work. The encryption and the signing are different parts of the security model. If I want to provide TLS connections, I generate a public and private key pair. The private key is basically a random number that only I know. The certificate is a combination of the public key and some information (for example, my organisation name, the relevant domain name, and so on). When I ask a CA to sign the certificate, they create a cryptographic signature from their private key and my certificate.

      The encryption happens using my key pair. The client receives my public key and uses this to encrypt traffic to my domain. The decision to trust the certificate rests with the client, not with me. The fact that a CA has signed the certificate says that the CA believes that it applies to my domain (and, with an EV cert, to my organisation), but the client doesn't have to trust that: it's just another piece of information that they have available.

      For a corporate Intranet, you probably want to set up your own CA and install its public signing certificate on all corporate machines, so that you know that no one can forge the certificates.

      --
      I am TheRaven on Soylent News
    44. Re:Entire internet doesn't need to be https by TheRaven64 · · Score: 1

      The two concepts are separate in TLS. The encryption and the certificate verification are entirely separable concepts within the protocol and within most implementations.

      In use, they are usually conflated because encryption by itself is meaningless. As a client, I care that I have a secure connection to a specific server. A secure connection to somewhere random, which may or may not be the server that I expected, is not a secure connection in any meaningful sense.

      --
      I am TheRaven on Soylent News
    45. Re: Entire internet doesn't need to be https by Maritz · · Score: 1

      has absolutely no value without DNSSEC and DANE.

      "If it isn't perfect, it's worthless" - This AC

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    46. Re:Entire internet doesn't need to be https by TheRaven64 · · Score: 1
      Let's Encrypt implements the ACME protocol. You are free to choose any client for the ACME protocol that you wish. If you don't trust any of the third-party implementations then you are free to either use theirs or write your own, but unless you're using your own implementation of the HTTP, TLS, and TCP/IP protocols for the rest of your web server then you really can't complain that you need to use an implementation of another protocol from a third party.

      I prefer to use acme-client than the certbot (the EFF / Let's Encrypt recommended client), because it's written by paranoid people and runs as a bunch of processes with privilege separation between them. It has fairly simple configuration, including a deploy script that is run after fetching the new certificates, so you can move them to the correct locations and restart the relevant services.

      --
      I am TheRaven on Soylent News
    47. Re: Entire internet doesn't need to be https by PhYrE2k2 · · Score: 1

      LetsEncrypt is not a low-grade certificate. It is a domain validated certificate. It offers the exact same encryption option as any other certificate does. If anything, a shorter renewal period is an improvement to turn over a compromised certificate faster. It does not offer low security, and labeling it as such is incorrect.

      EV certificates are a way to sell trust, but they sadly do very little to actually verify the company. A fake document later and you have your certificate. Plus you're assuming you trust all of the 20+ companies issuing those certificates. The business model of any paid certificate is a total waste of money for businesses and individuals.

      And what about individuals and small businesses? Why should a small online store or a personal website with a contact form or a payment page of a small contractor be any less trusted than a bank's web site who paid $1000usd/yr for someone to look at their website or article of incorporation?

      --
      when you see the word 'Linux', drink!
    48. Re: Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      It's worthless. It is an attempt to control who may be allowed to run a website and banish people from the web who have not been approved by a questionable company such as verisign or letsencrypt.

    49. Re:Entire internet doesn't need to be https by houghi · · Score: 1

      One I really visit often is http://dataserver/ with the IP address 192.168.1.27. So please tell me how I should turn that into https without Google Chrome yelling at me that it is insecure.

      Sure, I could try to use a name like https://dataserver.example.com... and use the external address instead of the internal one, but that makes it LESS secure.

      Not possible with https://certbot.eff.org/ and I am not going to pay for it, if it is possible at all. Yes, I know I can create my own signature, but Choogle Chrome does not trust it.

      --
      Don't fight for your country, if your country does not fight for you.
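      The private CA that TheRaven64 recommends for an intranet, applied to houghi's LAN host http://dataserver/ at 192.168.1.27, as an added example that is not code from anyone in this thread: Go's standard library builds a self-signed root, issues a certificate for the host's name and IP address while the server's private key stays on the server, and shows that the certificate is accepted only by a client whose trust store contains that root. The CA name, serial numbers and lifetimes are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertPair pairs a certificate with the private key matching its public key.
type CertPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign turns tmpl into a certificate signed by parent's key and parses it.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPrivateCA builds a self-signed root for a private network. Install
// its certificate in the trust store of every machine that should accept
// certificates this CA issues; nothing outside the LAN needs to know it.
func NewPrivateCA(name string) (*CertPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed value
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	// Self-signed: the root is its own parent and signs with its own key.
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CertPair{Cert: cert, Key: key}, nil
}

// IssueServerCert has the CA certify a LAN host. The host generates its
// own key pair; the CA binds only the public key to the host's DNS name
// and IP address, so the private key never leaves the server.
func IssueServerCert(ca *CertPair, dnsName string, ip net.IP) (*CertPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed value
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{dnsName},
		IPAddresses:  []net.IP{ip},
	}
	cert, err := sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return &CertPair{Cert: cert, Key: key}, nil
}

// Verify applies the browser's test: the chain must end at a root in the
// given trust store and the dialled host (name or IP) must be listed in
// the certificate. A nil result means the certificate is accepted.
func Verify(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, _ := NewPrivateCA("LAN Root CA (constructed example)")
	srv, _ := IssueServerCert(ca, "dataserver", net.ParseIP("192.168.1.27"))
	trusted := x509.NewCertPool() // a trust store with our root installed
	trusted.AddCert(ca.Cert)
	fmt.Println("trusted root, by name:", Verify(srv.Cert, trusted, "dataserver"))
	fmt.Println("trusted root, by IP:", Verify(srv.Cert, trusted, "192.168.1.27"))
	fmt.Println("store without our root:", Verify(srv.Cert, x509.NewCertPool(), "dataserver"))
}
```

      Importing the root certificate into the browser's trust store is what makes the browser accept the server certificate; exporting ca.Cert to PEM for that import is not shown here.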
    50. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 0

      nginx can, sure. But Let's Encrypt can not trigger an nginx reload after a cert update. You have to do it manually - or modify the letsencrypt cron job to do it for you after an update. Fuck knows why they haven't done this upstream.

  2. Not going to help by DarkRookie · · Score: 1

    Normal users are not going to see nor are they going to care.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
    1. Re:Not going to help by Richard_at_work · · Score: 0, Troll

      They might not care about https specifically, but when your site traffic drops off and users start to complain about the undue weight of ads or how your page slows their browser to a crawl, you might start investigating and seeing how third parties are injecting ads and crypto mining scripts into your page...

      Every site has something to lose.

    2. Re:Not going to help by Richard_at_work · · Score: 1

      Why have I been modded as a troll? Examples of both of these issues have been shown in the wild - Comcast has injected ads and other things into third party web pages before, and crypto miners have been included on pages via ads or third party scripts, so it's only a matter of time before they are injected directly.

      So why the troll mod? Every site has something to lose - reputation and users. HTTPS prevents your ISP or VPN provider from doing this.

  3. This is about advertising. by Anonymous Coward · · Score: 0

    The only reason Google is forcing this is to stop ISPs from injecting ads. I support the effort; I just wish they were transparent as to the why.

  4. blue skies by Anonymous Coward · · Score: 0

    It would be nice if that was all there was to security, wouldn't it?

  5. yes by Anonymous Coward · · Score: 0

    yes, they do. But they have to use parallel construction to convict you... that is, if you are an American they do (for now.) They won't admit they are recording more than just metadata in that massive new NSA data center. I doubt they share much more with the FBI than before (which was basically nothing.)

  6. Back to Internet Explorer for enterprises by Anonymous Coward · · Score: 0

    This will just cause enterprises to go back to Internet Explorer, who don't care about "security" as they stick with old versions for years. Still 4% XP usage in 2018!

  7. Firefox Did It First (???) by Anonymous Coward · · Score: 0

    Someone just copy & paste the arguments from Dec. 2017 and we'll call this a DUPE, Ok?

    https://it.slashdot.org/story/17/12/20/2137251/firefox-prepares-to-mark-all-http-sites-not-secure-after-https-adoption-rises

  8. Dingbatz by Anonymous Coward · · Score: 0

    in the belfrey. Googlie is like my last cellmate. She thought she could fuck me all day, every day. And you know what. She did.

  9. It will be snooped and manipulated anyway by Anonymous Coward · · Score: 0

    HTTPS doesn't prevent snooping, merely hardens a small part of the path. It certainly doesn't prevent manipulation, as most websites trust ads from elsewhere anyway. This is largely a drive to centralize control of the internet by slowly forcing everyone to register with a (google) approved registrar.

  10. Including Local Gateway by Anonymous Coward · · Score: 0

    What I love is that this extends to the local network gateway. One can load the security cert for it into the trusted pool but that doesn't discourage Chrome from complaining about it anyhow. I guess the problem is it's not a Google product...

  11. That's a bug in DNS policy, not CA policy by tepples · · Score: 1

    Someone who shouldn't be allowed to have a certificate for bankofarnerica.com shouldn't even be allowed to own the domain bankofarnerica.com in the first place. Typosquatting is in the bailiwick of the UDRP.

  12. Only if a server has a FQDN by tepples · · Score: 1

    Let's Encrypt makes it easy and free for every website to be https.

    This is true of public websites. It is not true of private websites hosted by web servers on a home local area network. Examples include the configuration interface of your router or printer. These have no certificate because they have no fully-qualified domain name (FQDN).

    Or is everyone who operates a LAN at home expected to already own a domain?

    1. Re:Only if a server has a FQDN by kqs · · Score: 1

      I'm confused: are you saying that it is a problem if your printer config page says "not secure" in the browser bar?

      GP should have said "every website that Google will index" rather than "every website", but that seemed understood to me.

    2. Re:Only if a server has a FQDN by LesFerg · · Score: 2

      It gets annoying whenever I access a local device on my network and Chrome presents its warning page, then I have to click on a link to expand some extra text, which has a link to let me continue to the intended destination.

      They should either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.

      My Octoprint service is one example. It runs on a Raspberry Pi on my workbench and I use its web interface from my PC or phone frequently. I would rather not have to fuck about with Chrome warnings when I just want to see my printer status.

      The sad thing is I am starting to prefer other browsers which don't have these annoying features.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    3. Re:Only if a server has a FQDN by tepples · · Score: 1

      They should either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.

      The latter leads to security failure, as your browser would trust "local network devices" operated by an attacker on the open WLAN at a coffee shop.

      The sad thing is I am starting to prefer other browsers which don't have these annoying features.

      Which might these be? The same features you decry in Google Chrome are likely to show up in other derivatives of Chromium, and Firefox is implementing the same features.

  13. Can phishing be stopped at the domain level? by tepples · · Score: 1

    GoDaddy, Gandi, Namecheap, and other registrars have registered over 14,000 PayPal phishing certificates. Should we call for registrars' blood too?

  14. Trusted computing by Impy the Impiuos Imp · · Score: 1

    "WARNING! Secure label is inaccurate and does not apply to google.com, facebook.com, youtube.com, or any other giant site with backdoors for government monitoring as part of the Prism panopticon."

    "WARNING! Does not apply to any website run on computers with Windows, with backdoors for government."

    "WARNING! Does not apply to any computer with hardware from the US or China, with special chips or standard chips with backdoors for government."

    "Don't worry, they won't abuse it, even though human history has no examples where it isn't abused by those in power against their political opponents to remain in power."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Trusted computing by kqs · · Score: 1

      When you say "they won't abuse it", are you talking about some specific "they"? Or just a general whining that there is no perfect security plus everyone in power sometimes acts like shit? Cause I think we all agree with the second one already.

  15. Then who offers the free domains? by tepples · · Score: 1

    It isn't even an issue of money either. Let's Encrypt offers free certificates

    Only to a domain owner. Neither Let's Encrypt nor any other CA included in the browsers' default certificate store offers any certificates for use with (say) .local, the TLD reserved for use with multicast DNS. What certificate should (say) the configuration interface of your home NAS use?
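
What the LAN-device comments in this thread are circling (the http://dataserver/ box at 192.168.1.27, the gateway cert loaded into the trusted pool that Chrome still rejects, and the .local name that no public CA will sign) can be solved with a private CA, shown here as an added example that is not from the thread or from any project. Chrome matches the URL against the certificate's subjectAltName extension, not the subject CN, so a CN-only self-signed certificate stays "not secure" even after it is imported; the leaf below carries the hostname, its .local mDNS name and its IP address in the SAN, and chains to a root you import once. The hostname, IP and directory names are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for LAN hosts that have
# no public FQDN, issuing a leaf certificate whose subjectAltName lists the
# LAN hostname, its .local mDNS name and its IP address. Import ca.crt once
# into the OS/browser trust store; keep ca.key off every LAN device, since
# whoever holds it can mint a certificate for any name that store trusts.
# Hostname, IP and directories are constructed values.

# make_lan_cert DIR HOST IP -> writes ca.key, ca.crt, HOST.key, HOST.crt in DIR
make_lan_cert() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir" || return 1

    # 1. Root CA: key + self-signed cert, explicitly CA:TRUE and limited to
    #    signing so the CA cert itself can never double as a server cert.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/CN=Home LAN private CA" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Device key + CSR
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" 2>/dev/null || return 1

    # 3. Extensions a browser checks on the leaf: end-entity, TLS server, SANs
    cat > "$dir/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,DNS:$host.local,IP:$ip
EOF

    # 4. CA signs the device CSR (825 days, shorter than the CA's own life)
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null || return 1
}

# verify_lan_cert DIR HOST TARGET -> 0 only if HOST.crt chains to ca.crt AND
# TARGET (a DNS name or an IPv4 address) matches one of its SAN entries,
# which is the pair of checks a browser performs.
verify_lan_cert() {
    dir="$1"; host="$2"; target="$3"
    case "$target" in
        *[!0-9.]*) opt=-verify_hostname ;;   # anything but digits/dots: a name
        *)         opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$dir/ca.crt" "$opt" "$target" "$dir/$host.crt" >/dev/null 2>&1
}

# Stand-alone demo with the values from the thread
demo_dir="${TMPDIR:-/tmp}/lan-ca-demo.$$"
if make_lan_cert "$demo_dir" dataserver 192.168.1.27 &&
   verify_lan_cert "$demo_dir" dataserver 192.168.1.27 &&
   verify_lan_cert "$demo_dir" dataserver dataserver.local; then
    echo "issued $demo_dir/dataserver.crt for dataserver, dataserver.local, 192.168.1.27"
fi
```

Install dataserver.key and dataserver.crt on the device's web server and import ca.crt into the trust store on each client (the OS store on Windows and macOS, Chrome's own certificate settings on Linux). Trust is then scoped to the one root you generated, which is what the "maintainable list of sites I deem trusted" request above amounts to in practice, without asking the browser to trust anything merely because it sits on the local subnet.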

  16. WWw by Cajun Hell · · Score: 1

    Perhaps the best way to explain this would be to say that Chrome is merely a World Wide Web browser, not a general web browser. ;-)

    --
    "Believe me!" -- Donald Trump
  17. Other Lame Protests by Anonymous Coward · · Score: 0

    Hey, why stop there with the excuses? Let's add more to the pile!

    1). Encryption is a 'crippling burden' on web server CPU's;
    2). Encryption is no good because the NSA has all the keys anyways;
    3). Encryption is no good because quantum computers are going to break it all wide open;
    4). Everything is already cracked. It's all broken and there's no point in fixing any of it. Despair rules!
    5). If you have nothing to hide, you have nothing to fear!
    6). You cannot perform intelligent routing without packet content inspection;
    7). The web was designed around a trust and openness model. Default encryption is 'culturally and morally wrong'.

    Hey, you can play too kids! Can you think up more dumb reasons why encryption is bad? I'll get you started!

    "Encryption is a long word with a lot of syllables! It's scary and contains that suspicious 'y' in the middle. What's that 'y' doing there anyways? It's up to no good and that's for sure!"

  18. That's the problem, it's a lie. Totally false by raymorris · · Score: 2

    If it said "not encrypted" that would at least be *true*.

    Marking sites as "not secure" vs "secure" based on using HTTPS is simply a lie. The usage of HTTPS is only slightly correlated with security. It's the equivalent of labeling people "tall" if they're black, and "short" if they are Hispanic. In general, the average height of Hispanic people tends to be lower than the average height of black people, but assuming someone is tall because they are black is stupid, and the label would be misleading almost as often as it would be accurate.

    Many, many sites infected with all sorts of malware are served up via HTTPS, and many perfectly safe sites are just fine with HTTP.

    Labeling one "not secure" is a falsehood, but worse is that it implies those without the "not secure" label must be "secure", which is a *dangerous* lie.

    1. Re:That's the problem, it's a lie. Totally false by RonVNX · · Score: 1

      That's Google. Google has a huge problem with facts and truth, and dumbing everything down to the point of being counter-productive.

  19. More work for IT professionals by Anonymous Coward · · Score: 0

    Now you have to deal with all the complaints about your internal websites being "not secure". You know, like the majority of business apps that run on company intranets (like ERP or PLM software).

    Thanks, Google!

  20. Agreed it can be tepples... apk by Anonymous Coward · · Score: 0

    See subject: Entire classes of threats can be stalled by stopping e.g. $1 per domain w/ unlimited subdomains beneath it hosting.

    * I am personally AMAZED this is allowed - it removes a MAJOR CONSTRAINT on phishers/botnet herders/malware makers of cost of domain/subdomain registration & helps promote a MAJOR THREAT in DGA botnets...

    APK

    P.S>=> Everyone KNOWS that what you complain of is a ROOT CAUSE but they do ZERO vs. it - why? Imo, to keep up the 'cat & mouse' whack-a-mole 'security-theater' game going (big money in it, especially for 'security companies')... apk

    1. Re:Agreed it can be tepples... apk by Anonymous Coward · · Score: 0

      > ...it removes a MAJOR CONSTRAINT on phishers/botnet herders/malware makers... ...It's almost as if you think that it's not possible to make something Internet accessible without a corresponding entry in DNS...

  21. W3C Candidate Recommendation: Secure Contexts by tepples · · Score: 1

    are you saying that it is a problem if your printer config page says "not secure" in the browser bar?

    I'm saying it's a problem if I can't, for example, view media that I have stored on my NAS box because its presentation in the browser relies on JS APIs that are reserved for secure contexts.

  22. Overstated by Ungrounded Lightning · · Score: 1

    "Don't worry, they won't abuse it, even though human history has no examples where it isn't abused by those in power against their political opponents to remain in power."

    While this may be true, it is something of an overstatement - because you can't show it to be true for recent stuff. It takes a while for info to leak out.

    Make it something like:

    Don't worry, they won't abuse it, even though human history has no examples (more than 30 years old) where it wasn't shown, within 30 years after the event, that it had been abused by those in power against their political opponents to remain in power.

    and it might work.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  23. Untrue... apk by Anonymous Coward · · Score: 0

    You can use IP addresses but I know from decades of experience populating hosts files vs. threats most = hostname based (like 99%)...

    APK

    P.S.=> Ask any security researcher you like on that much & he will bear out what I stated is true... apk

  24. Grocery shopping with armoured guards ? by Anonymous Coward · · Score: 0

    This finally does.

    No, it doesn't.

    Are you shopping for your groceries using an armoured truck with a set of guards carrying heavy weapons? If not, why?

    A lot of what is done on the web is rather trivial - including visiting and responding here on slashdot - and does not warrant the usage of a secure connection any more than some shopping warrants armoured guards.

    1. Re:Grocery shopping with armoured guards ? by thegarbz · · Score: 1

      Are you shopping for your groceries using an armoured truck with a set of guards carrying heavy weapons? If not, why?

      I'll tell you what I'm doing. I am shopping for my groceries with a truck and security detail that is expressly made clear to me.

      When I go grocery shopping in my armoured truck I know it's secure, like a secure HTTPS certificate.
      If I go grocery shopping and someone in my security detail is on the take, the security company will make that known to me and inform me when I'm insecure, just like a breached HTTPS trust.
      When I go grocery shopping in my minivan without security I know about that too, completely fucking unlike how current browsers handle HTTP.

  25. LOL at "meddlers"... by Anonymous Coward · · Score: 0

    Why, that's the word the controlled, Jewish media has been using for the past year to describe "Russians" who allegedly interfered with the American Election... those damn "meddlers" again...