Slashdot Mirror


Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com)

Google announced Thursday it plans to drop the "Secure" wording from the Chrome URL address bar and show only a lock icon when the user is on an HTTPS site. From a report: The change is scheduled to take effect with the release of Chrome 69, scheduled for September this year; the earlier Chrome 68, due in July, is the release that starts marking plain HTTP pages "Not secure". Emily Schechter, Product Manager for Chrome Security, said the company is comfortable making this move because a large share of Chrome's traffic is now HTTPS: since most traffic is HTTPS anyway, it is no longer necessary to draw the user's attention to a "Secure" indicator.

102 comments

  1. It will be back by asackett · · Score: 2, Insightful

    Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

    --

    Warning: This signature may offend some viewers.

    1. Re:It will be back by SomeWhiteGuy · · Score: 1

      It seems that this is more removing that annoying ding when you don't put on your seatbelt and just leave the light on your dashboard, but make it dimmer.

    2. Re:It will be back by Anonymous Coward · · Score: 3, Informative

      The title is misleading, they aren't removing the secure indicator, they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.

    3. Re:It will be back by Anonymous Coward · · Score: 2, Informative

      I was confused by the summary and so I RTFA.

      The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

      They are adding a "Not Secure" message to sites without https, as a bonus they plan to add flashing redness to the "Not Secure" message if you try to type into a form on that page.

      Overall, I approve, the "everything's OK alarm" can go.

    4. Re: It will be back by bobmajdakjr · · Score: 1

      nobody has walked into my apt uninvited guess i can take the door off now

    5. Re:It will be back by Hognoxious · · Score: 0

      they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.

      It might do. It rather depends what the lock icon looks like - Donald Sinden, a turnip, a Mandelbrot set...

      You never know with Google.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    6. Re:It will be back by thegarbz · · Score: 1

      Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

      Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.

      What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status, focus the user on Extended Validation credentials, and maybe we can undo the horrible screwup of teaching users shitty security practices we started in the 90s that have exposed so many people to fraud.

    7. Re:It will be back by HiddenL · · Score: 3, Insightful

      Actually, no. The seatbelt ding is an "insecure indicator". When you are properly buckled, there isn't any warning or noise: there is only a "ding" when you are unbuckled. Chrome is gradually making the "not secure" more prominent for all plain http sites.

    8. Re:It will be back by AvitarX · · Score: 1

      This is hardly new, but a continuation of the trend from all browsers to push people away from sites that don't use HTTPS.

      with HTTPS being essentially free now, this makes sense.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    9. Re:It will be back by viperidaenz · · Score: 1

      A bit off topic, but bumpers are designed to lessen the impact when you hit a pedestrian.
      If I was hit by a car, I'd rather it be the softer plastic bumper than the metal behind it. I think "broken legs" are a better alternative to "severed legs"

    10. Re: It will be back by Bing+Tsher+E · · Score: 1

      And with Google having their hooks into so many webpages now, they feel nobody but them should be able to monitor.

    11. Re:It will be back by Hallux-F-Sinister · · Score: 1

      Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

      Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.

      What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status, focus the user on Extended Validation credentials, and maybe we can undo the horrible screwup of teaching users shitty security practices we started in the 90s that have exposed so many people to fraud.

      Bumpers DO save lives, actually. You're mistaken.

      (A crash that ALMOST kills someone but doesn't because the impact in a crash was sufficient to total the car, compress the crumple zones, etc., WOULD have been sufficient to kill the occupants if it had had less energy-absorbing capability, part of which is in fact provided by the bumper, the bumper mounts, etc. Now of course, I realize that MOST crashes don't fall into the Goldilocks Zone of being energetic enough to kill withOUT the bumper, but NOT energetic enough to kill BECAUSE of the presence of the bumper, but SOME do, or I should say statistically, given how many crashes there are, some logically must. Personally, I'm glad they're there, and plan to keep mine. Also let's not forget that not all bumpers are created equal, so even if yours strike you as insubstantial, some are quite beefy, and also if you let SOME people get rid of theirs, many other people will be clamoring to eliminate THEIRS as well, including commercial tractor-trailers "DOT" bumpers, which DO most DEFINITELY save lives, in that they prevent passenger cars and trucks from going UNDER them, and causing the first part of such a vehicle rear-ending one to strike the back of the trailer to be the dashboard, right about at the height of the windshield, resulting in decapitations of front-seat drivers and passengers, or having them take almost the full brunt of the force of their car going into the back of the other vehicle, at or near chest height... either way, not survivable at speed. Just use your preferred search engine to look up images of "car crash semi trailer no DOT bumper" if you'd like to see what happens when either the bumper isn't present, or isn't strong enough, and then imagine being IN one of those at the time of the crash. They are... pretty horrific.) Just saying.

      Now that the analogy has been properly torpedoed, the original issue was that removing "secure" is tantamount to taking the bumpers off a car, which is a silly analogy, and would be even if bumpers were fundamentally useless under all circumstances. They are not eliminating the security features, they are simply removing the WORD and leaving the icon. A better analogy would be that in cars dating from the 70s, the words "FASTEN SEAT-BELTS" would appear on the dashboard for the first ten minutes of driving, and by the 1990s or 2000s, they started having cars only show a seat-belt icon for the first few seconds, so you know it actually works, then extinguish unless you take the seat-belt OFF while driving, at which point it immediately lights up RED, and chimes at you until you refasten it. I think it kind of goes without saying that this is the way things should be, given how most people know now, not to drive around without their seat-belts fastened.

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
    12. Re:It will be back by asackett · · Score: 1

      What? Did your analogy not got the way you wanted it to?

      What? Does conceptual thinking evade you?

      --

      Warning: This signature may offend some viewers.

    13. Re:It will be back by asackett · · Score: 1

      The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

      Those who are accustomed to looking for the word "Secure" because thousands of web pages told them to are going to be astonished by this change. Emphasize both conditions and the typical user will make the wise choice.

      --

      Warning: This signature may offend some viewers.

    14. Re:It will be back by jrumney · · Score: 1

      The norm has been successfully moved from insecure to secure. Even slashdot, which in 2018 is still way behind on Unicode adoption, is using https. Originally the Secure indicator was indicating that the site you were on was abnormally safe. Now they need to mark the abnormally unsafe (and hopefully still mark the Extended Validation sites as abnormally safe), since the default is now safe.

    15. Re:It will be back by rtb61 · · Score: 0
      People are starting to learn with Google, their new Youtube security method, https://www.theguardian.com/te..., want to secure it, hah hah, well just break it on fucking purpose, now it's secure and tough luck for the suckers who bought it, what a pack of dick bags. They have become just as ridiculously unreliable as M$.

      New reality from Google: don't trust it. Forever in Beta, they will scrap it after selling, break it to suit them with total disregard to the people who already bought it, delete features and just invade your privacy like there is no tomorrow and just for total dick baggedness, corrupt democracy and censor news, 'let's be evil' has to be their new motto.

      PS google want to hunt and kill people with drones, here's a hint, do not hunt them passively but use active visual pattern recognition by projecting a digital visual pattern using specific frequencies of light and monitor and decipher the change of that pattern as it reflects off the environment and the AI analyse for targeting. See Google, no problem to be able to hunt down and execute all the women and children you want, perhaps you can charge a patent fee for each one you kill, better long term returns (have the AI automatically return 'SEARCH' and kill result higher points for children they are smaller targets), Google 'Evil is as Evil does'.

      --
      Chaos - everything, everywhere, everywhen
    16. Re:It will be back by Anonymous Coward · · Score: 0

      A bit off topic, but bumpers are designed to lessen the impact when you hit a pedestrian. If I was hit by a car, I'd rather it be the softer plastic bumper than the metal behind it. I think "broken legs" are a better alternative to "severed legs"

      Pedestrians don't count, what driver worries about them?

    17. Re:It will be back by thegarbz · · Score: 1

      Now that the analogy has been properly torpedoed

      Writing things in ALL CAPS does not torpedo anything. You effectively admitted yourself that there's a very very narrow set of cases where this will make a difference... kind of like the very narrow set of cases where the word "Secure" makes a difference.

      Point is, bumpers mattered in the 60s, just like DV certificates and the word secure mattered in the 90s. However when we made crumple zones, bumpers effectively ceased mattering, and when we moved to EV certification in 2005 combined with the fact that it is now rare to not access a secure site with even fraudsters happily getting DV certificates, the word Secure ceases mattering too.

    18. Re:It will be back by thegarbz · · Score: 1

      What? Does conceptual thinking evade you?

      Given the way the conversation went I would postulate precisely the opposite.

    19. Re: It will be back by Anonymous Coward · · Score: 0

      How exactly does HTTPS make it so only Google can monitor a webpage?

    20. Re:It will be back by Anonymous Coward · · Score: 0

      Overall, I think this is better. They should likewise treat self-signed certs the same way as HTTP. HTTPS without a valid cert is no worse than HTTP, and just putting up an "insecure" notification that blinks red when you start to enter data into it is a pretty good compromise between security and usability.

    21. Re: It will be back by Anonymous Coward · · Score: 0

      Sorry, but your precious Microsoft don't get to hold on to their monopoly forever, son.

    22. Re:It will be back by AvitarX · · Score: 1

      Why are self signed certs as bad as HTTP?

      I'd think they guarantee that you're at the correct site after your first visit (protecting from MITM), and prevent snooping from non-MITM parties always.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
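      The trust-on-first-use (TOFU) behaviour AvitarX describes, as an added example that is not part of the thread and not code from any browser: the first connection stores the certificate fingerprint for the host, later connections are compared against it, and a change is refused. The "certificates" are constructed byte strings standing in for DER-encoded X.509 data, the host name is made up, and the persisted store is simulated with a JSON round-trip. Two caveats the code makes visible: the first visit is unprotected by construction, and a legitimate key rotation produces exactly the same mismatch as an interception proxy, so the client cannot tell them apart and has to hand the decision to a human (the repin step). Chrome itself does not do this; it treats an untrusted self-signed certificate as an error.

```python
"""Trust-on-first-use pinning for self-signed certificates.

Added example, not code from the Slashdot thread or from Chrome. The
certificates below are constructed byte strings, not real X.509 DER.
"""
import hashlib
import json
from typing import Dict, List, Optional


class PinMismatch(Exception):
    """Raised when a host presents a certificate other than the pinned one."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, hex encoded (what browsers show as the fingerprint)."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps 'host:port' to the certificate fingerprint seen on first connection."""

    def __init__(self, data: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(data or {})

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Return 'pinned' on first visit, 'ok' on a match, raise PinMismatch otherwise.

        A mismatch means the host key changed. That is either an operator
        rotating the key (legitimate) or something sitting between client and
        server (interception). TOFU cannot distinguish the two cases.
        """
        key = f"{host}:{port}"
        seen = fingerprint(cert_der)
        if key not in self.pins:
            self.pins[key] = seen  # first visit: nothing to compare against
            return "pinned"
        if self.pins[key] == seen:
            return "ok"
        raise PinMismatch(f"{key}: pinned {self.pins[key][:16]}..., got {seen[:16]}...")

    def repin(self, host: str, port: int, cert_der: bytes) -> None:
        """Accept a new certificate after a human has confirmed the change."""
        self.pins[f"{host}:{port}"] = fingerprint(cert_der)

    def dumps(self) -> str:
        """Serialise the store the way a file on disk would hold it."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


# Constructed stand-ins for DER certificates (not real X.509); hypothetical host.
SERVER_CERT_KEY1 = b"constructed-der:intranet.example:selfsigned-key-1"
SERVER_CERT_KEY2 = b"constructed-der:intranet.example:selfsigned-key-2"
PROXY_CERT = b"constructed-der:intranet.example:issued-by-interception-proxy"


def simulate_visits() -> List[str]:
    """First visit, repeat visit, restart with persisted pins, interception, rotation."""
    results: List[str] = []
    store = PinStore()
    results.append(store.check("intranet.example", 443, SERVER_CERT_KEY1))  # pinned
    results.append(store.check("intranet.example", 443, SERVER_CERT_KEY1))  # ok

    # "Restart the browser": pins survive through the serialised store.
    store = PinStore.loads(store.dumps())
    results.append(store.check("intranet.example", 443, SERVER_CERT_KEY1))  # ok

    # An interception proxy presents its own certificate for the same host.
    try:
        store.check("intranet.example", 443, PROXY_CERT)
        results.append("accepted")
    except PinMismatch:
        results.append("mismatch")

    # The operator rotates the key: indistinguishable from the proxy case above.
    try:
        store.check("intranet.example", 443, SERVER_CERT_KEY2)
        results.append("accepted")
    except PinMismatch:
        results.append("mismatch")

    # Only after a human confirms the rotation does the client move on.
    store.repin("intranet.example", 443, SERVER_CERT_KEY2)
    results.append(store.check("intranet.example", 443, SERVER_CERT_KEY2))  # ok
    return results


if __name__ == "__main__":
    print(simulate_visits())
```

      The snooping protection AvitarX mentions holds even on the first visit (the channel is encrypted regardless of who holds the key); what the pin adds is continuity, and only from the second connection onward.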
    23. Re:It will be back by lerxstz · · Score: 1

      Safari already treats self-signed certs as second class citizens. Websockets (for example) will not work with self signed certs in Safari.

      --
      I chose to end my comments, not with a rim shot, but a long decaying F#7sus4
    24. Re:It will be back by Anonymous Coward · · Score: 0

      This change is happening at the same time that they will begin the process of explicitly marking HTTP pages as "insecure"

    25. Re:It will be back by Anonymous Coward · · Score: 0

      No, that's not it at all. It only means that HTTPS is no more 'secure' than anything else. HTTPS is a cake!

  2. How about ... by PPH · · Score: 4, Insightful

    ... an insecure indicator?

    --
    Have gnu, will travel.
    1. Re:How about ... by bondsbw · · Score: 1

      To keep going with the car analogy... why am I only warned when the stop sign is 4-way? That's the only time I don't want to be warned.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:How about ... by Anonymous Coward · · Score: 0

      The indicator in most instances is Chrome just puking up that "ER MAH GERD! NO!" page every time you try to enter something in a form on a non-secure site. Most annoying damn thing ever since I have to set it every morning for my development server.

      And the first person to jump in telling me how easy it is to create a secure certificate authority on an internal network that Chrome will actually recognize gets a good swift kick right in the jigglers.

    3. Re:How about ... by thegarbz · · Score: 1

      ... an insecure indicator?

      You mean like the exclamation mark that is drawn on an insecure webpage, the one which when you click says in bright red "Your connection to this site is not secure"? Is that the insecure indicator you are talking about?

    4. Re:How about ... by wonkey_monkey · · Score: 1

      Why would you not want to be warned?

      (Disclaimer: we don't really have stop signs here, not the way they do in the US. They've always seemed a bit condescending to me...)

      --
      systemd is Roko's Basilisk.
    5. Re:How about ... by bondsbw · · Score: 1

      Here we have a small sign attached that says 4-WAY.

      But what I need to know is who doesn't have to stop. That is much more important than knowing that everybody has to stop. We are effectively trained to look at the sign, and in the absence of a 4-WAY indicator, look around to see which other directions have stop signs. Except we are looking at the silver backing which is much less visible in many cases, particularly in the dark or where trees/bushes may be overgrown.

      Bad UI.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    6. Re:How about ... by Anonymous Coward · · Score: 0

      You're warned about the non-default case. Most stop signs work one way, but four-way stops work differently.

    7. Re:How about ... by Anonymous Coward · · Score: 0

      Both Secure and Insecure are a complete misnomer. One cannot guarantee 100% security, or to say that http page is insecure without inspecting the page for data types. It could be that http page is using java scriptlets with encrypted technology where it matters. The rest of the http may be junk data. As long as the server knows what it is serving.

      But the browser just checks for CA and arbitrarily applies the lock.

      Bypassing the CA's is losing money for them. It is important for the browsers to jump in bed with the CA's.

      This carries across to self signed certs. ARPITA. I find better security in the knowledge of my wares than relying on a government spooked CA to keep my data secure.

    8. Re:How about ... by AmiMoJo · · Score: 1

      They have that. If you go to an insecure site there is a red marker now. Things like password auto-fill are disabled.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:How about ... by novakyu · · Score: 1

      Um, maybe it's different where you live, but where I live, you do get a warning when the cross traffic doesn't stop. Something like this. 4-WAY stop is a useful indicator letting me know that, after having come to a stop, I can start moving without waiting for the other guy to go, because if I came to a stop first, now I have the right-of-way. Without the 4-WAY stop indicator, I would have to try to look for the other guy's stop sign, before I feel safe to go after having stopped for my own stop sign.

    10. Re:How about ... by bondsbw · · Score: 1

      We have (to my knowledge) just one sign like that in our metro area, full of stop sign intersections which are not 4-WAY.

      I still maintain that knowing who doesn't stop is a safety concern, making it much more important than knowing that everyone stops for convenience. Besides, if you know that there aren't any who don't stop, you have the same info.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    11. Re:How about ... by novakyu · · Score: 1

      So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.

      My neighborhood is similar (very few intersections where one road that is not larger than the other does not have stop signs), and I would not wish my 4-WAY signage away if I could---it gives me useful information when I drive.

    12. Re:How about ... by bondsbw · · Score: 1

      So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.

      I never said that. We have MANY intersections between two streets of equal size which are not 4-WAY. Only one of those has the yellow sign you linked previously.

      Several streets have drainage dips in the directions that do not stop, but flat grade in the directions with stop signs. It's backwards from the way that seems natural. It makes it easy for someone who notices the big concrete dips instead of the stop sign which is behind a van parked on the curb to make the wrong decision.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    13. Re:How about ... by Anonymous Coward · · Score: 0

      You're using a browser made by the world's largest advertising agency. The fact that chrome.exe or chrome-browser is in your process list is the best indicator of insecurity you could ask for.

    14. Re:How about ... by Anonymous Coward · · Score: 0

      With the latest chrome update (66.0.3359.181), the insecure indicator for a static http page is a lowercase letter "i" with a circle around it
      (I've always called that the "Informational" icon re: dialog boxes)

      This compared to the colored lock icon with the word "secure" next to it for an https page.

      I was under the impression for some reason that there would be a different insecure indicator if the http page used signins, javascript, or form submission elements.
      But this doesn't appear to be the case, they still show the same "i" icon.

      Note that I don't think any of my internal http using web servers use javascript.
      I also run the ScriptSafe extension so that may change the javascript situation.

    15. Re:How about ... by wonkey_monkey · · Score: 1

      With our more organically-developed road system we just don't seem to ever have this issue. There's usually a main road, with a white dotted line down the middle, and any adjoining roads have a yellow line across them which is "yield." Signs are usually just for speed limits, everything else seems to be conveyed through road markings.

      Then again I live on a small island so it's not even much like the UK itself.

      --
      systemd is Roko's Basilisk.
  3. If anyone from Mozilla is here. by xack · · Score: 1

    Please make sure that Firefox doesn't do this.

    1. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 1

      You do know they're only talking about getting rid of the word "Secure", right? Chrome is keeping the green lock icon, which is all that Firefox displays now as well.

      --
      systemd is Roko's Basilisk.
    2. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 2

      Edit: actually it looks like they're eventually planning to get rid of the lock, too. And the colouring is being ditched first, too.

      There'll still be a warning indicator on non-HTTPS sites.

      --
      systemd is Roko's Basilisk.
    3. Re:If anyone from Mozilla is here. by AHuxley · · Score: 1

      Don't GUI like google is the way to stay away from getting an evil GUI

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:If anyone from Mozilla is here. by PrimaryConsult · · Score: 1

      So how would I view the cert info once they take that away? Right now it's a quick two clicks starting with that "secure" lock to see if the cert is real or a proxy's man in the middle cert (they usually don't MitM on financial and shopping sites, but how do I know the particular one I am going to is on the whitelist?).

    5. Re: If anyone from Mozilla is here. by Anonymous Coward · · Score: 0

      You have a giant warning indicator in your home, too. It reminds you to do one thing each day.

      Eat a dick.

    6. Re:If anyone from Mozilla is here. by Anonymous Coward · · Score: 0

      So how would I view the cert info once they take that away?

      "Oh, don't worry you can still see that in the security tab in the developer's console."

      Most people don't care about the actual security or know what a "cert" is. Much less be able to spot a malicious cert in use. So the Almighty Google is making it "easier" for those people. Now that everything important is HTTPS, they are removing the indicators so the users will stop looking for it. This is important for when they decide to block HTTP access completely in Chrome 97, as people will just say: "If chrome doesn't open it, it's probably bad anyway. Quit complaining and thank them."

      Fun how after such a big push for "security", they are removing all traces of it. I guess they want the new normal to be "If Chrome opens it, then it's a safe site. If Chrome doesn't open it, then it's an unsafe site." No way that could be abused, nope no sirreee.....

    7. Re:If anyone from Mozilla is here. by Anonymous Coward · · Score: 0

      The lock will still be there, just the word "secure" after will be omitted.

      The idea being that you don't need a warning when things are good, just when they are bad.

      Its like they said, we'll take the "4 way" signs off the STOP sign posts, but the other streets are getting the "Cross traffic does not stop" signs added.

    8. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 1

      They're phasing out the lock eventually, too.

      --
      systemd is Roko's Basilisk.
    9. Re: If anyone from Mozilla is here. by wonkey_monkey · · Score: 1

      What do you get out of this?

      --
      systemd is Roko's Basilisk.
  4. lol by bobmajdakjr · · Score: 1

    "it's not necessary to draw the user's attention to the Secure indicator anymore" hope they make it red when its not secure then rofl

    1. Re:lol by Anonymous Coward · · Score: 0

      aoeoh is that aoeso?

      aoe

    2. Re:lol by thegarbz · · Score: 1

      Not secure already shows an exclamation mark which when clicked gives you a big red warning text about the connection not being secure.

  5. Stupid move by DaMattster · · Score: 1

    It's an abjectly stupid move but leave it to corporations to do dumb shit just for some manager to justify their jobs. As another poster wrote, "It will be back."

    1. Re:Stupid move by thegarbz · · Score: 2

      So care to justify what makes it so stupid? Or are you going to repeat the shitty advice of the late 90s that says if you see the word "Secure" just go ahead and type all your credit cards in? Because that worked a treat! /sarcasm

      HTTPS is not security. Desensitizing people to the word "secure" is not security. We should be focusing on indications of proper EV certificates rather than confusing users.

    2. Re:Stupid move by sexconker · · Score: 2

      We should be focusing on indications of proper EV certificates rather than confusing users.

      The entire reason we need extended validation certificates is because the TRUSTED certificate AUTHORITIES weren't doing their fucking jobs and weren't verifying anything before issuing certificates to anyone who wanted one.

      Telling the CAs they have to do more work to issue MORE TRUSTED certs won't fix shit.

      HTTPS was only ever about securing the pipe from one end to the other. It was never about ensuring the host on the other end is who you think it is, and it never will be. Maybe when CAs fuck up EV certs so badly in 2020 the clowns decide we need EV+ or EV2 certs you'll realize this.

    3. Re:Stupid move by Ksevio · · Score: 1

      They're removing the "Secure" indicator, but not the "Insecure" indicator which is arguably more important to know these days

    4. Re:Stupid move by thegarbz · · Score: 1

      We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.

      I think what you are upset about is that the CAs are a note arbiter of good character. There have been very few cases of certificates misissued or trust problems with CAs. The fact that these issues where CAs have been mistrusted have been dealt with quickly and efficiently through revocation processes is a testament to just how well it has worked. However that doesn't stop someone issuing a DV certificate to www.paiypal.com and really it shouldn't.

      It was never about ensuring the host on the other end is who you think it is, and it never will be.

      Actually it has been precisely about that since 2005.

      Maybe when CAs fuck up EV certs so badly in 2020 the clowns decide we need EV+ or EV2 certs you'll realize this.

      Or maybe everything will work fine and you can stop running around flapping your undersized wings shouting the sky is falling.

    5. Re:Stupid move by sexconker · · Score: 1

      We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.

      We should be focusing on indications of proper EV certificates rather than confusing users.

      EV certs require CAs to do more work. Hint: They won't. They'll do the bare minimum, and eventually less than that, just as they did for standard certs.

      I think what you are upset about is that the CAs are a note arbiter of good character.

      I'm not quite sure what you mean by this, but what I'm upset with is the fact that CAs exist, are "trusted" by browsers, and do nothing to earn that trust. To the contrary, they have shown they are completely untrustworthy. Even with a trustworthy CA, a state actor can compromise them without anyone else knowing. The entire concept of having an authority you defer your trust decisions to is foolish from the start.

      There have been very few cases of certificates misissued or trust problems with CAs.

      You haven't been paying attention. How many major certs were revoked in the past 5 years? How many CAs were reprimanded?

      The fact that these issues where CAs have been mistrusted have been dealt with quickly and efficiently through revocation processes is a testament to just how well it has worked.

      The standard revocation process doesn't work. CRLs simply aren't used in most cases. The typical revocation process for an end user is for Chrome, Firefox, Windows, or Java to issue an update that revokes a bad cert. These updates aren't published promptly enough to handle the situation nor are they guaranteed to be installed by users in a timely fashion.

      Even when Google gets their panties in a twist over a bad CA, the action isn't immediate. If the problem is found on day 0, (and is known to have started X days prior), Google announces ahead of time that they'll be blacklisting certain certs in the future, then more certs, then all certs from that CA issued prior to a cutoff date.

      That's ridiculous. If you know a CA has fucked up, you need to IMMEDIATELY blacklist all of their certs. Yes, sites will show as having invalid certs. Too fucking bad. Further, I would never trust that CA again. For trust to be automatic it must be absolute. You can't absolutely repair trust that was previously broken.

      Are we talking about security or theater? The current situation is theater. The proposed "solutions" are more theater.

      Or maybe everything will work fine and you can stop running around flapping your undersized wings shouting the sky is falling.

      Like how it worked fine in the first place? Why do we need CRLs at all? Why are we moving to EV certs? Answer: CAs are trash.

      However that doesn't stop someone issuing a DV certificate to www.paiypal.com and really it shouldn't.

      That has nothing to do with anything.

      Actually it has been precisely about that since 2005.

      No, it hasn't. You can get a cert today without proving who you are to anyone. It's harder to buy time at the batting cages than it is to get a "trusted" CA to issue you a cert.

  6. What is the purpose? by Anonymous Coward · · Score: 0

    What purpose is it supposed to serve? Do they not have room in the URL bar? Is showing the word secure somehow causing pain otherwise? What is the issue for removing this?

    1. Re:What is the purpose? by gumpish · · Score: 2

      Get with the times.

      All UI must now be compatible with the lowest common denominator: a smartphone in portrait orientation.

    2. Re:What is the purpose? by AHuxley · · Score: 1

      So the user can enjoy the site and approved ads without distracting terms like "secure"

      --
      Domestic spying is now "Benign Information Gathering"

  7. Chrome, the Phisherman's friend. by Anonymous Coward · · Score: 0

    Thank's for making our job's easier, making Chrome the new idiot's browser after the fall of IE.

    1. Re:Chrome, the Phisherman's friend. by Anonymous Coward · · Score: 0

      Which browser would you recommend then?

    2. Re:Chrome, the Phisherman's friend. by Anonymous Coward · · Score: 0

      Any of the Firefox spin-offs like Pale Moon or Waterfox. They tend to take security more seriously.

    3. Re:Chrome, the Phisherman's friend. by Zontar+The+Mindless · · Score: 2

      In a just universe, it'd be one that administers an electric shock in response to using an apostrophe for the plural.

      --
      Il n'y a pas de Planet B.

  8. I got a new idea by Anonymous Coward · · Score: 0

    Put HTTPS: at the beginning of the URL.

  9. Mixed content WAS ALREADY flagged by Anonymous Coward · · Score: 0

    That is until the boneheads at Mozilla and Google disabled the damn warning, it used to be a popup even.

    I cannot believe the utter stupidity in tech companies atm. I can only conclude this was done to intentionally confuse users, because I swear to god if it was part of some art major's minimalist wet dream...

  10. Google's taking over where Microsoft left off by llamalad · · Score: 1

    MS was infamous for Embrace, Extend, Extinguish.

    First thing that comes to mind is RSS. Built a killer infrastructure for apps to use, then killed it, killing apps and nuking unwary folks' subscriptions.

    Now this. Let's make security better... ok, it's better? Let's pretend it'll stay that way without further attention and reduce or remove its visibility.

    popcorn.

  11. Only show/show only by wonkey_monkey · · Score: 2

    and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

    "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

    --
    systemd is Roko's Basilisk.

    1. Re:Only show/show only by WallyL · · Score: 1

      and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

      "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

      Show only a lock sign? How would a person be able to tell what URL the browser is showing? Oh, that's right, people are already scared of URLs...

    2. Re:Only show/show only by wonkey_monkey · · Score: 1

      Show only a lock sign instead of a lock sign plus the word secure.

      If you're going to be pedantic, why not go the whole hog and say "What, so every website will be just a giant lock sign?"

      --
      systemd is Roko's Basilisk.

  12. It's a start by Sigma+7 · · Score: 1

    Because the less attention you can bring to the fact that "apple.com" is "secure", the fewer people there'll be getting confused.

    For context, an old version of Chrome displayed that URL as apple.com, and the user would be unaware of the difference. It also displayed "secure", thus visitors would have a false feeling of being connected to the correct site.

    The only reason to draw attention to a "secure" site is if it's got one of those "verified" certificates that show something special in the address bar. And even then, there's still room for caution because certain computers in a corporate environment may have their own security certificates that allow the company to MITM employees.
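    The lookalike-domain problem this comment describes (a hostname that renders as "apple.com" but is actually a different, non-Latin name) can be caught before the address bar ever shows it. The following is an added example, not code from Chrome or from anyone in this thread: it converts a hostname to the Punycode form the resolver actually sees and flags labels whose non-ASCII letters all have ASCII lookalikes, or that mix scripts within one label. The confusables table is a small constructed subset of the Unicode confusables data, and the sample hostnames are constructed for the demonstration.

```python
"""Flag IDN homograph hostnames.

Added example (not Chrome's or Slashdot's code).  CONFUSABLES is a small,
constructed subset of the Unicode confusables data (UTS #39); a real
deployment would load the full table.
"""
import unicodedata

# Constructed partial mapping: Cyrillic/Greek letters -> the ASCII letter they
# resemble in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o", "\u03bd": "v",
}

# Constructed sample: Cyrillic а р р ӏ е followed by ".com"; it renders like
# "apple.com" in many fonts but is a completely different name.
HOMOGRAPH = "\u0430\u0440\u0440\u04cf\u0435.com"


def to_alabel(hostname: str) -> str:
    """Return the ASCII form DNS resolves ("xn--..." for non-ASCII labels).

    Raw Punycode only; the IDNA mapping steps (nameprep / UTS #46) that a
    browser also applies are skipped to keep the example self-contained.
    """
    out = []
    for label in hostname.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(hostname: str) -> str:
    """Replace every known confusable letter with its ASCII lookalike."""
    return "".join(CONFUSABLES.get(c, c) for c in hostname.lower())


def scripts(label: str) -> set:
    """Script names of the letters in one label (first word of the Unicode name)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def classify(hostname: str) -> dict:
    """Report whether a hostname looks like an ASCII name that it is not.

    'looks_like' is the ASCII name it impersonates (or None); 'mixed_script'
    is True when a single label mixes scripts, e.g. Latin plus one Cyrillic
    letter.  Genuine single-script non-Latin names are not flagged.
    """
    host = hostname.lower()
    skel = skeleton(host)
    mixed = any(len(scripts(label)) > 1 for label in host.split("."))
    lookalike = (not host.isascii()) and skel.isascii() and skel != host
    return {
        "input": host,
        "alabel": to_alabel(host),
        "looks_like": skel if lookalike else None,
        "mixed_script": mixed,
        "suspicious": lookalike or mixed,
    }


if __name__ == "__main__":
    for name in (HOMOGRAPH, "apple.com", "p\u0430ypal.com",
                 "\u043f\u0440\u0438\u043c\u0435\u0440.com"):
        print(classify(name))
```

    The `looks_like` field is what a UI or a mail gateway would surface to a user ("this is not apple.com"), while `alabel` is the string worth logging, since the Punycode form is what actually appears in DNS and certificate records. Whole-script Cyrillic names that do not spell an ASCII word are left alone, so the check does not simply penalise every non-Latin domain.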

    1. Re:It's a start by Anonymous Coward · · Score: 0

      there's still room for caution because certain computers in a corporate environment may have their own security certificates that allow the company to MITM employees.

      You mean "proxy servers"?

      Guess what? It's the company's right to do that. They own the equipment and the network infrastructure. The solution to that is simple: If you don't want your porn / banking to be spied on by them, don't do such browsing on their network. The same is true for any other network provider you have.

      People need to get off of this "It's my user account so they shouldn't spy on me" crap. Unless you are also providing the hardware and infrastructure in addition to that user account, you have no reason to complain. Hell, it's not even "their" user account. It's the provider's. The provider provisioned the account for you. You may access it, under the terms and conditions they have given you, but you do not own it. Anything less is a fundamental misunderstanding of how computers work; to the point that such a person is endangering themselves when using them.

  13. Please RTFA by Anonymous Coward · · Score: 0

    There are people posting without reading the article. The summary they posted is terrible, as usual.

    From the article:

    Google will be marking all HTTP sites as "Not Secure" starting with Chrome 68, set for release in July

    It would have been simple for Slashdot editors to add this.

    Anyway it makes sense for Google to do this. If most traffic is now secure, only unsecured traffic should be indicated.

  14. Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

    Geez, this summary totally missed the entire point here and the linked story only gets to it well down on the page. If the connection is insecure, the browser is going to notify you of that with either an "insecure" message if there are no input controls (web forms) or a red icon and red text if there is a web form on the page.

    The entire thing is that there's no need to highlight the default, which is HTTPS, and damn it, if your site isn't using HTTPS by default now you should just resign from your damn job.

    And yes, I'm sure I'll hear folks say, "well XYZ doesn't use HTTPS by default and my job requires it." Well then your company is full of idiots. We're at a point where there are zero reasons to not have a production site HTTPS by default, full f'ing stop. It's literally insulting to your company if this isn't the case. /rant

    1. Re:Bloody hell what a horrible synopsis. by iggymanz · · Score: 1

      wrong, autism boy.

      plenty of sensors and controllers need http to configure, and no one is going to scrap an HVAC unit to make you happy.

      that has nothing to do with the IQ of employers. I'm worried about yours though.

    2. Re:Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

      plenty of sensors and controllers need http to configure

      If a place has a bare Internet-facing HVAC controller with no in-between, then there's a ton of problems that no level of "a green icon in the corner" is going to fix. I did say "Production Site" and if you have a brain cell left in you, you know exactly what that means. But yeah, go ahead and put an insecure HVAC directly on the Internet, I'm sure that will pan out well for you.

    3. Re:Bloody hell what a horrible synopsis. by iggymanz · · Score: 1

      who said it was internet facing?

      the need for browsers to do http is real and we don't need browser programmers trying to be everyone's nagging nanny. that kind of goody-goody attitude can go to hell

    4. Re:Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

      who said it was internet facing?

      If it's not then shut the fuck up as I already pointed out that entire case in the first comment.

      the need for browsers to do http is real and we don't need browser programmers trying to be everyone's nagging nanny

      When the majority of folks using web browsers are morons, yes, yes we do. Your edge case can go to hell. No one took away your precious http, you still have it, it just has a red icon now. That's because you and your fucking HVAC system can't speak a pretty basic fucking protocol and apparently it was made to be completely unupdatable, which also sounds brilliant. So for your corner case, and the millions of other corner cases out there, you all get red icons. Compare that to the literal billions who will use it on the actual Internet, which is the thing I pointed out that you, I guess, didn't give two fucks about to read. So ya know what, I'll be sure to cry you a river for your red icon. Idiot.

    5. Re:Bloody hell what a horrible synopsis. by iggymanz · · Score: 1

      no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.

    6. Re:Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

      no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.

      If you're heading down that road, let me just go ahead and cut to the chase. All traffic on the Internet should be secure, thinking otherwise is dumb. The content of that traffic doesn't matter, **all traffic** on the **Internet** should be **secure**. Full stop. Whatever reason a person thinks that "this content" shouldn't be secure usually boils down to subjective logic and lack of any clear rational argument. Now you can sit there and conjure up reasons why this content "could" be sent insecure. But that doesn't cover why "it is better to send it insecure versus secure." There exist zero "good" reasons why any content is better to send insecure rather than secure. People moan about the "technical difficulties for making the switch from HTTP to HTTPS" and the reality is that you can self-cert in seconds, you can use an open cert service in just a few minutes, you can purchase a full blown well trusted cert in no time. I mean literally there are hundreds of HOWTOs, hundreds of cert services, and so on all developed around the sole notion that "Hey! You should secure your damn traffic." Hesitation for moving from HTTP to HTTPS boils down to one thing. Developers being insanely lazy. If you can't be bothered to secure your traffic on a production server, regardless of the content, then the developer is a lazy fuck. 100 out of 100 times I've seen folks not secure their production server, it has always been "we're getting around to it..." Doesn't take more than 30 - 40 seconds to do the bare minimum, there are just zero reasons why it shouldn't be secured.

  15. A sad and weird turn for the web by tirnacopu · · Score: 1

    I would have welcomed any option of sending plain text packets+signature (and there are many) so as to keep the Web open and allow people managing it to gain insights from its contents. Sadly, tech news I read makes it look like everybody is under attack and the only solution is end-to-end encryption. Until you reach Facebook's servers, that is.

  16. Complete Design Failure by Anonymous Coward · · Score: 0

    It seems people have stopped learning about effective design. You can't ever trust a message about the lack of security or lack of anything. If there's some bug preventing the indicator from triggering, then you by default assume the worst possible outcome: That the site is secure since it doesn't say it isn't. It's completely backwards!

    Get rid of the "Secure" text next to the lock icon? Sure. It wasn't even there a few years ago. It isn't needed. But to plan on removing the lock icon too and only indicating insecure sites? Those people should be fired.

    1. Re:Complete Design Failure by AHuxley · · Score: 1

      The approved ads are now secure so the site is working. Let the user view the ads.

      --
      Domestic spying is now "Benign Information Gathering"

  17. You Must Register to Post by Anonymous Coward · · Score: 0

    This is part of a concerted effort to make sure that every website is authenticated. No more self-publishing.

  18. green goes away - that's it by Anonymous Coward · · Score: 0

    headline is awful

  19. http blocked within 5 years by THE_WELL_HUNG_OYSTER · · Score: 2

    It's only a matter of time until Chrome either blocks http or users are forced to click a security exception button before an http site will load (like sites with invalid SSL certs today).

    1. Re:http blocked within 5 years by geekymachoman · · Score: 1

      That's stupid. Let's hope they will not do that.

      Not everything deserves or has to be encrypted.. especially not in LANs, etc..

    2. Re:http blocked within 5 years by novakyu · · Score: 1

      Um, you were on the right track up until you said "especially not in LANs". How often do you load up stuff in your Web browser from your LAN?

      The correct response is "Not everything deserves or has to be encrypted." (Just end with the period; no further qualification needed.)

    3. Re:http blocked within 5 years by Anonymous Coward · · Score: 0

      I take it you're one of those telnet users who only uses ssh if they have to...

    4. Re:http blocked within 5 years by novakyu · · Score: 1

      No, I'm one of those users who thinks SFTP is unnecessary for anonymous FTP access.

    5. Re:http blocked within 5 years by Pieroxy · · Score: 1

      No, I'm one of those users who thinks SFTP is unnecessary for anonymous FTP access.

      What https does is twofold: 1. Encrypt, 2. Prevent MITM attacks.

      Even your anonymous FTP download could be MITMed and you have no guarantee that you're even talking to the right server.

    6. Re:http blocked within 5 years by Anonymous Coward · · Score: 0

      What's the point of using FTP when you can just use SFTP instead? Even if only being used for anonymous file access and ignoring security issues, SFTP is easier to set up and does a better job in just about every way.

    7. Re:http blocked within 5 years by Anonymous Coward · · Score: 0

      I work inside a corporate environment. They have a DNS server that adds a TLD `.company`. A lot of external contractors work here (such as myself). All of us external contractors have to access secure stuff outside this corporate network. We'll happily use their DNS server (it is auto-configured over DHCP, of course), but we will _not_ install their CA, for obvious reasons.

      So for all the not-public-but-not-really-secret information that they have that they want to expose to us contractors (mock web service servers for testing, software documentation...), there is no SSL. And this is fine.

      I _do_not_ want my browser to prevent me from working like this.

    8. Re:http blocked within 5 years by Anonymous Coward · · Score: 0

      "How often do you load up stuff in your Web browser from your LAN?"

      The correct response to you is quite often actually, and more than you would think! More specifically, anyone working for a company which has an ERP or CRM system; most options for ERP or CRM systems are web based and hosted within the company intranet. The amusing thing is that in their efforts to force encryption on all websites they are actually making people less secure. What happens is that people learn how to make the security exceptions while at work and take that knowledge home with them and create exceptions because the website they are trying to visit has content that they really want to see. Now people will say, why can't you issue certs to those ERP and CRM systems? Well, do you really want your employees' web browsers reaching out of the company's secure intranet to check a cert and possibly providing internal information externally? Probably not.

      The only way to secure the internet is to actually teach people how it works, unfortunately that will lead to reduced revenue for the goog and that is definitely not what they want.

    9. Re:http blocked within 5 years by novakyu · · Score: 1

      What if I'm downloading (or making available) content (like some text material) that I don't care if it was MITM'd? Should I still be forced to use SFTP? Just because I don't want (because I don't need) encryption doesn't mean I need to be STFU'd.

  20. Good move by Chrisq · · Score: 1

    Warn about insecure instead of giving a "well done" to normal practice. As long as EV certificates still show in green it's fine with me.

  21. Skip it all together by Anonymous Coward · · Score: 0

    All we need is a warning when a site is not secure. The seat belt example is good because we don't get an indicator all the time when we are buckled, just when we are not.

  22. Google removed useful features like certificate by Anonymous Coward · · Score: 0

    view and other smartly designed things/UI to present us with a more:

    1. Unusable, stupidly non-intuitive UI that was designed by a snowflake millennial
    2. Removing good features such as viewing certificates (Go ahead try it, it's not where it was)
    3. Removing user choice
    4. Increasing spying / telemetry / data theft.

    Pretty simple - large companies should never be trusted as they offer products that only benefit them = doing evil