Slashdot Mirror


Google Chrome Pushes For User Protection With 'Not secure' Label (axios.com)

In an effort to force websites to better protect their users, the Chrome web browser will label all sites that do not encrypt traffic as "Not secure" in the address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without letting potential eavesdroppers see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning next to a site's URL only if the site forgoes HTTPS encryption and the user enters data. Now the browser will label all sites without HTTPS encryption this way.

14 of 85 comments

  1. Entire internet doesn't need to be https by iamhassi · · Score: 4, Insightful

    This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https

    --
    my karma will be here long after I'm gone
    1. Re:Entire internet doesn't need to be https by ArchieBunker · · Score: 3, Funny

      Don't the feds have all the SSL master keys anyhow?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:Entire internet doesn't need to be https by nitehawk214 · · Score: 3, Insightful

      So you don't mind a 3rd party knowing the content of each webpage you have visited?

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    3. Re:Entire internet doesn't need to be https by Richard_at_work · · Score: 3, Informative

      Every site has *something* to lose - if it's not user credentials or personally identifiable information, then it's reputation or simply the ability for a third party to inject ads or crypto mining scripts into the page.

      We have all seen the fallout of ISPs injecting ads into pages - Comcast and others have done it - so if you want to be *certain* your page reaches your audience as you intend them to receive it, http is no longer good enough (and hasn't been for years).

    4. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 2, Informative

      Short answer; Yes.

      Long answer; hell Yes... except all those self-signed certs chrome/google seem dead set on crippling even more for browser use.

    5. Re: Entire internet doesn't need to be https by Anonymous Coward · · Score: 3, Insightful

      With your browser trusting 600 CAs by default it certainly has absolutely no value without DNSSEC and DANE.

    6. Re:Entire internet doesn't need to be https by Anonymous Coward · · Score: 3, Interesting

      HTTPS security doesn't matter if I don't trust the content anyway. (I could be looking at https://sloashdot.org/ for example. Or even the genuine slashdot.org and it could still be utter nonsense.) It really only matters for the small handful of sites that I visit where the identity of that site would make a material difference to me (bank, tax dept).

      Given that, manipulation is a non-issue. I could be looking at a manipulated version of slashdot and I wouldn't trust it any more or less. Snooping is a bit of a concern; but I suspect they get that anyway. (Besides, knowing the IP is 90% of it.)

      Second, they're just making it clearer when a site isn't https. Not saying every site needs to be secure.
      They absolutely ARE implying that every site needs to be 'secure'. By having 'secure' (and I suspect it will have some big red text or something) they will imply that it is a bad thing. They are wrong, it's far more nuanced than that.

      Finally, https doesn't guarantee security. https://www.enteryourcreditcardscam.biz/ is "secure" - all that https protects is you talking to the web server. From there, who knows, it could be uploading your CC data to dropbox for all the web browser knows. It's not good that Chrome gives users a false sense of security.

      As for snooping, well, it's a bit rich of Google -- who the hell runs Google AdSense and analytics? All those javascript files 'secure' under https? They (Google) are already snooping on you - just with consent of the web site owners.

      Maybe that's it... Google doesn't want ISPs getting their hands on their juicy advertising revenue? Or they think security is "user to site" without realising it's the site itself?

    7. Re:Entire internet doesn't need to be https by tlhIngan · · Score: 4, Interesting

      It isn't even an issue of money either. Let's Encrypt offers free certificates so I don't want to hear that it is a time and money issue.

      It's a reputation issue. Given Let's Encrypt has issued over 14,000 paypal phishing certificates, one would think you should revoke Let's Encrypt certificates. After all, if Symantec, Comodo or others issued those, we'd be calling for blood.

      The only reason we aren't is because Let's Encrypt has big names like EFF and Mozilla behind them. But all the scammers are basically dragging them through the mud - are your EFF donations being used to scam poor old ladies out of their money? Is scamming people really the goal of EFF and Mozilla?

      Heck, it's actually kind of funny because a new exploit opened up on sites using Let's Encrypt, because they have a well-known directory that's being used to hide cryptocurrency miners and other things, too.

      Maybe if there was a way to grade the quality of a certificate - Let's Encrypt can be made low, sites that charge with a real valid billing address (i.e., used a credit card, as opposed to bitcoin) can be higher rated because there is accountability down the line - including down to a real name and address.

    8. Re:Entire internet doesn't need to be https by amorsen · · Score: 2

      I generate my own key and use letsencrypt to certify it. The key does not leave my server.

      The feds can force any number of certificate authorities to generate a certificate that matches mine, with a new private key. They can do exactly the same if I had a self-signed certificate.

      They cannot, without doing a targeted attack and breaking into my server, get the actual private key that my site uses. Again, precisely the same as a self-signed certificate.

      There is no security advantage to using a self-signed certificate.

      --
      Finally! A year of moderation! Ready for 2019?
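The flow described in the comment above, as an added example in Go (not the commenter's code, and not Let's Encrypt's): the site key is generated locally, only a CSR leaves the machine, and a certificate minted by a CA for some other key, coerced or not, is useless to the server because it does not pair with the private key it actually holds. The hostname example.com and the in-memory "Toy CA" standing in for Let's Encrypt are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key locally. Used as the site key, this is the key
// that, as the comment puts it, never leaves the server.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// makeCSR builds a PEM certificate signing request for hostname. It holds the
// public key plus a self-signature proving possession; no private material.
func makeCSR(priv *ecdsa.PrivateKey, hostname string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// csrMatchesKey is the CA-side check on a CSR: the proof-of-possession
// signature must verify and the embedded public key must be the expected one.
func csrMatchesKey(csrPEM []byte, priv *ecdsa.PrivateKey) (bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey), nil
}

// issueForKey is a toy in-memory CA (an assumption of this demo) standing in
// for Let's Encrypt: it signs a leaf for hostname bound to whatever public key
// it is handed, including a key it never saw a CSR for.
func issueForKey(hostname string, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	issuer := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy CA"},
		PublicKey:             &caKey.PublicKey,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certPairsWith is the check a TLS server makes when loading its key pair: the
// certificate is usable only if its public key matches the private key on disk.
// A certificate minted for a different key is worthless here, whatever its chain.
func certPairsWith(cert *x509.Certificate, priv *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

func main() {
	const host = "example.com" // placeholder hostname, not a real deployment
	server, _ := newKey()
	ca, _ := newKey()
	rogue, _ := newKey() // the key an attacker would bring to a coerced CA
	csr, _ := makeCSR(server, host)
	ok, err := csrMatchesKey(csr, server)
	fmt.Println("CSR proves possession of the server key:", ok, err)
	genuine, _ := issueForKey(host, &server.PublicKey, ca)
	forged, _ := issueForKey(host, &rogue.PublicKey, ca)
	fmt.Println("genuine cert pairs with server key:", certPairsWith(genuine, server))
	fmt.Println("forged cert pairs with server key: ", certPairsWith(forged, server))
}
```

The forged certificate would of course still be accepted by a client that trusts the toy CA, which is the remaining exposure the comment names: the CA system controls what a browser trusts, not what the server can decrypt. Certificate Transparency logs are how a site owner would notice such a certificate being issued for their name.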
    9. Re:Entire internet doesn't need to be https by amorsen · · Score: 2

      There is a way to grade. If you want actual validation, you need an extended validation certificate.

      Any other type of certificate is just a way to scam you out of your money -- they do not verify anything except the fact that you aren't piss-poor. If you think a card charge provides any verification, I give you How to use prepaid debit cards.

      If anything, it should be forbidden to charge money for a certificate that isn't extended validation. However, with Let's Encrypt available, the market hopefully sorts it out.

      --
      Finally! A year of moderation! Ready for 2019?
    10. Re:Entire internet doesn't need to be https by Actually,+I+do+RTFA · · Score: 2

      Sniffing is a minor concern. The bigger problem, by far, are third party trackers. This is more an attempt by Google to monopolize tracking data than preventing it.

      Also, it only protects knowing which specific page I visit on a site (they can tell from the IP address what website I'm visiting, right?). And that's unnecessary on many or most sites. On , WebMD pages matter, but when you go to XKCD?

      --
      Your ad here. Ask me how!
    11. Re:Entire internet doesn't need to be https by AmiMoJo · · Score: 2

      The certs that Let's Encrypt issues don't certify identity. If you are assuming that they verify the identity of the site owner you made a mistake.

      Let's Encrypt checks that the key belongs to a person with the ability to edit the site. That's it. You can be reasonably sure your communications with that site can only be read by people who can edit the site, that's it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
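What "can edit the site" concretely means for the HTTP-01 challenge (RFC 8555), as an added example in Go that is neither the commenter's code nor Let's Encrypt's: the CA hands out a token, the site must serve token.thumbprint(accountKey) under /.well-known/acme-challenge/, and the CA fetches it over plain HTTP and compares. Only the holder of the account key can compute the body, and only someone who can put content on the site can get it served. The handler also only answers for tokens it registered, which is the obvious precaution for the well-known directory comment 7 above worries about. The token string and account key are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 account key: SHA-256 of
// the canonical JWK (members sorted, no whitespace), base64url without padding.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	enc := base64.RawURLEncoding
	x := pub.X.FillBytes(make([]byte, 32)) // P-256 coordinates are 32 bytes
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`,
		enc.EncodeToString(x), enc.EncodeToString(y))
	sum := sha256.Sum256([]byte(jwk))
	return enc.EncodeToString(sum[:])
}

// keyAuthorization is the body the CA expects at the token URL. Only the holder
// of the account key can produce it; only someone who can write to the site can
// get it served from there. That pairing is the whole proof.
func keyAuthorization(token string, account *ecdsa.PrivateKey) string {
	return token + "." + jwkThumbprint(&account.PublicKey)
}

// validToken allows only the base64url alphabet ACME tokens use, which rules
// out "/" and "." and with them any path tricks inside the directory.
func validToken(tok string) bool {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
	return tok != "" && strings.Trim(tok, alphabet) == ""
}

// challengeHandler serves /.well-known/acme-challenge/<token> for registered
// tokens only. Everything else under the prefix is a 404, so the directory
// cannot double as a drop for arbitrary files.
func challengeHandler(pending map[string]string) http.Handler {
	const prefix = "/.well-known/acme-challenge/"
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := path.Clean(r.URL.Path)
		token := strings.TrimPrefix(p, prefix)
		body, known := pending[token]
		if r.Method != http.MethodGet || !strings.HasPrefix(p, prefix) || !validToken(token) || !known {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprint(w, body)
	})
}

// keyAuthorizationValid is the CA side of the comparison: the served body must
// equal the key authorization recomputed from the account's public key.
func keyAuthorizationValid(body, token string, pub *ecdsa.PublicKey) bool {
	return strings.TrimSpace(body) == token+"."+jwkThumbprint(pub)
}

// validateHTTP01 fetches the token URL over plain HTTP, as the CA does, and
// reports whether the response proves control of both the site and the key.
func validateHTTP01(baseURL, token string, pub *ecdsa.PublicKey) (bool, error) {
	resp, err := http.Get(baseURL + "/.well-known/acme-challenge/" + token)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return keyAuthorizationValid(string(body), token, pub), nil
}

func main() {
	account, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token := "constructed-token_0123456789" // constructed; real tokens come from the CA
	pending := map[string]string{token: keyAuthorization(token, account)}
	srv := httptest.NewServer(challengeHandler(pending))
	defer srv.Close()
	ok, err := validateHTTP01(srv.URL, token, &account.PublicKey)
	fmt.Println("genuine account key validates:", ok, err)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ok, _ = validateHTTP01(srv.URL, token, &other.PublicKey)
	fmt.Println("some other account key validates:", ok)
}
```

Note what the check does not establish: nothing about who the operator is, only that whoever requested the certificate could both sign with the account key and place content on the site at that moment. That is the "domain validation" the thread keeps circling back to, and it is why a phishing domain validates just as cleanly as a bank's.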
  2. That's the problem, it's a lie. Totally false by raymorris · · Score: 2

    If it said "not encrypted" that would at least be *true*.

    Marking sites as "not secure" vs "secure" based on using HTTPS is simply a lie. The usage of HTTPS is only slightly correlated with security. It's the equivalent of labeling people "tall" if they're black, and "short" if they are Hispanic. In general, the average height of Hispanic people tends to be lower than the average height of black people, but assuming someone is tall because they are black is stupid, and the label would be misleading almost as often as it would be accurate.

    Many, many sites infected with all sorts of malware are served up via HTTPS, and many perfectly safe sites are just fine with http.

    Labeling one "not secure" is a falsehood, but worse is that it implies those without the "not secure" label must be "secure", which is a *dangerous* lie.

  3. Re:Only if a server has a FQDN by LesFerg · · Score: 2

    It gets annoying whenever I access a local device on my network and chrome presents its warning page, then I have to click on a link to expand some extra text, which has a link to let me continue to the intended destination.

    They should either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.

    My Octoprint service is one example. It runs on a raspberry pi on my workbench and I use its web interface from my PC or phone frequently. I would rather not have to fuck about with chrome warnings when I just want to see my printer status.

    The sad thing is I am starting to prefer other browsers which don't have these annoying features.

    --
    If I had a DeLorean... I would probably only drive it from time to time.