Slashdot Mirror


Google Chrome Pushes For User Protection With 'Not secure' Label (axios.com)

In an effort to force websites to better protect their users, the Chrome web browser will label all sites not encrypting traffic as "Not secure" in the web address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without allowing potential eavesdroppers to see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning next to a site's URL if it forgoes HTTPS encryption and a user enters data. Now the browser will label all sites without HTTPS encryption this way.

2 of 85 comments

  1. Re:Entire internet doesn't need to be https by Anonymous Coward · Score: 3, Interesting

    HTTPS security doesn't matter if I don't trust the content anyway. (I could be looking at https://sloashdot.org/ for example. Or even the genuine slashdot.org and it could still be utter nonsense.) It really only matters for the small handful of sites that I visit where the identity of that site would make a material difference to me (bank, tax dept).

    Given that, manipulation is a non-issue. I could be looking at a manipulated version of slashdot and I wouldn't trust it any more or less. Snooping is a bit of a concern; but I suspect they get that anyway. (Besides, knowing the IP is 90% of it.)

    Second, they're just making it clearer when a site isn't https. Not saying every site needs to be secure.
    They absolutely ARE implying that every site needs to be 'secure'. By having 'secure' (and I suspect it will have some big red text or something) they will imply that it is a bad thing. They are wrong, it's far more nuanced than that.

    Finally, https doesn't guarantee security. https://www.enteryourcreditcardscam.biz/ is "secure" - all that https protects is you talking to the web server. From there, who knows, it could be uploading your CC data to dropbox for all the web browser knows. It's not good that Chrome gives users a false sense of security.

    As for snooping, well, it's a bit rich of Google -- who the hell runs Google AdSense and analytics? All those javascript files 'secure' under https? They (Google) are already snooping on you - just with consent of the web site owners.

    Maybe that's it... Google doesn't want ISPs getting their hands on their juicy advertising revenue? Or they think security is "user to site" without realising it's the site itself?

  2. Re:Entire internet doesn't need to be https by tlhIngan · Score: 4, Interesting

    It isn't even an issue of money either. Let's Encrypt offers free certificates so I don't want to hear that it is a time and money issue.

    It's a reputation issue. Given Let's Encrypt has issued over 14,000 paypal phishing certificates, one would think you should revoke Let's Encrypt certificates. After all, if Symantec, Comodo or others issued those, we'd be calling for blood.

    The only reason we aren't is because Let's Encrypt has big names like EFF and Mozilla behind them. But all the scammers are basically dragging them through the mud - are your EFF donations being used to scam poor old ladies out of their money? Is scamming people really the goal of EFF and Mozilla?

    Heck, it's actually kind of funny because a new exploit opened up on sites using Let's Encrypt, because they have a well-known directory that's being used to hide cryptocurrency miners and other things, too.

    Maybe if there was a way to grade the quality of a certificate - Let's Encrypt can be made low, sites that charge with a real valid billing address (i.e., used a credit card, as opposed to bitcoin) can be higher rated because there is accountability down the line - including down to a real name and address.