Slashdot Mirror


Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com)

Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.

  1. It will be back by asackett · · Score: 2, Insightful

    Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

    --

    Warning: This signature may offend some viewers.

    1. Re:It will be back by SomeWhiteGuy · · Score: 1

      It seems that this is more removing that annoying ding when you don't put on your seatbelt and just leave the light on your dashboard, but make it dimmer.

    2. Re:It will be back by Anonymous Coward · · Score: 3, Informative

      The title is misleading, they aren't removing the secure indicator, they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.

    3. Re:It will be back by Anonymous Coward · · Score: 2, Informative

      I was confused by the summary and so I RTFA.

      The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

      They are adding a "Not Secure" message to sites without https, as a bonus they plan to add flashing redness to the "Not Secure" message if you try to type into a form on that page.

      Overall, I approve, the "everything's OK alarm" can go.

    4. Re: It will be back by bobmajdakjr · · Score: 1

      nobody has walked into my apt uninvited guess i can take the door off now

    5. Re:It will be back by thegarbz · · Score: 1

      Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

      Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.

      What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status, focus the user on Extended Validation credentials, and maybe we can undo the horrible screwup of teaching users shitty security practices we started in the 90s that have exposed so many people to fraud.

    6. Re:It will be back by HiddenL · · Score: 3, Insightful

      Actually, no. The seatbelt ding is an "insecure indicator". When you are properly buckled, there isn't any warning or noise: there is only a "ding" when you are unbuckled. Chrome is gradually making the "not secure" more prominent for all plain http sites.

    7. Re:It will be back by AvitarX · · Score: 1

      This is hardly new, but a continuation of the trend from all browsers to push people away from sites that don't use HTTPS.

      with HTTPS being essentially free now, this makes sense.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    8. Re:It will be back by viperidaenz · · Score: 1

      A bit off topic, but bumpers are designed to lessen the impact when you hit a pedestrian.
      If I was hit by a car, I'd rather it be the softer plastic bumper than the metal behind it. I think "broken legs" are a better alternative to "severed legs"

    9. Re: It will be back by Bing+Tsher+E · · Score: 1

      And with Google having their hooks into so many webpages now, they feel nobody but them should be able to monitor.

    10. Re:It will be back by Hallux-F-Sinister · · Score: 1

      Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

      Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.

      What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status, focus the user on Extended Validation credentials, and maybe we can undo the horrible screwup of teaching users shitty security practices we started in the 90s that have exposed so many people to fraud.

      Bumpers DO save lives, actually. You're mistaken.

      (A crash that ALMOST kills someone but doesn't because the impact in a crash was sufficient to total the car, compress the crumple zones, etc., WOULD have been sufficient to kill the occupants if it had had less energy-absorbing capability, part of which is in fact provided by the bumper, the bumper mounts, etc. Now of course, I realize that MOST crashes don't fall into the Goldilocks Zone of being energetic enough to kill withOUT the bumper, but NOT energetic enough to kill BECAUSE of the presence of the bumper, but SOME do, or I should say statistically, given how many crashes there are, some logically must. Personally, I'm glad they're there, and plan to keep mine. Also let's not forget that not all bumpers are created equal, so even if yours strike you as insubstantial, some are quite beefy, and also if you let SOME people get rid of theirs, many other people will be clamoring to eliminate THEIRS as well, including commercial tractor-trailers "DOT" bumpers, which DO most DEFINITELY save lives, in that they prevent passenger cars and trucks from going UNDER them, and causing the first part of such a vehicle rear-ending one to strike the back of the trailer to be the dashboard, right about at the height of the windshield, resulting in decapitations of front-seat drivers and passengers, or having them take almost the full brunt of the force of their car going into the back of the other vehicle, at or near chest height... either way, not survivable at speed. Just use your preferred search engine to look up images of "car crash semi trailer no DOT bumper" if you'd like to see what happens when either the bumper isn't present, or isn't strong enough, and then imagine being IN one of those at the time of the crash. They are... pretty horrific.) Just saying.

      Now that the analogy has been properly torpedoed, the original issue was that removing "secure" is tantamount to taking the bumpers off a car, which is a silly analogy, and would be even if bumpers were fundamentally useless under all circumstances. They are not eliminating the security features, they are simply removing the WORD and leaving the icon. A better analogy would be that in cars dating from the 70s, the words "FASTEN SEAT-BELTS" would appear on the dashboard for the first ten minutes of driving, and by the 1990s or 2000s, they started having cars only show a seat-belt icon for the first few seconds, so you know it actually works, then extinguish unless you take the seat-belt OFF while driving, at which point it immediately lights up RED, and chimes at you until you refasten it. I think it kind of goes without saying that this is the way things should be, given how most people know now, not to drive around without their seat-belts fastened.

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
    11. Re:It will be back by asackett · · Score: 1

      What? Did your analogy not go the way you wanted it to?

      What? Does conceptual thinking evade you?

      --

      Warning: This signature may offend some viewers.

    12. Re:It will be back by asackett · · Score: 1

      The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

      Those who are accustomed to looking for the word "Secure" because thousands of web pages told them to are going to be astonished by this change. Emphasize both conditions and the typical user will make the wise choice.

      --

      Warning: This signature may offend some viewers.

    13. Re:It will be back by jrumney · · Score: 1

      The norm has been successfully moved from insecure to secure. Even slashdot, which in 2018 is still way behind on ÃUÃnÃiÃcÃoÃdÃe adoption, is using https. Originally the Secure indicator was indicating that the site you were on was abnormally safe. Now they need to mark the abnormally unsafe (and hopefully still mark the Extended Validation sites as abnormally safe), since the default is now safe.

    14. Re:It will be back by thegarbz · · Score: 1

      Now that the analogy has been properly torpedoed

      Writing things in ALL CAPS does not torpedo anything. You effectively admitted yourself that there's a very very narrow set of cases where this will make a difference... kind of like the very narrow set of cases where the word "Secure" makes a difference.

      Point is, bumpers mattered in the 60s, just like DV certificates and the word secure mattered in the 90s. However when we made crumple zones, bumpers effectively ceased mattering, and when we moved to EV certification in 2005 combined with the fact that it is now rare to not access a secure site with even fraudsters happily getting DV certificates, the word Secure ceases mattering too.

    15. Re:It will be back by thegarbz · · Score: 1

      What? Does conceptual thinking evade you?

      Given the way the conversation went I would postulate precisely the opposite.

    16. Re:It will be back by AvitarX · · Score: 1

      Why are self signed certs as bad as HTTP?

      I'd think they guarantee that you're at the correct site after your first visit (protecting from MITM), and prevent snooping from non MITM parties always.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    17. Re:It will be back by lerxstz · · Score: 1

      Safari already treats self-signed certs as second class citizens. Websockets (for example) will not work with self signed certs in Safari.

      --
      I chose to end my comments, not with a rim shot, but a long decaying F#7sus4
  2. How about ... by PPH · · Score: 4, Insightful

    ... an insecure indicator?

    --
    Have gnu, will travel.
    1. Re:How about ... by bondsbw · · Score: 1

      To keep going with the car analogy... why am I only warned when the stop sign is 4-way? That's the only time I don't want to be warned.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:How about ... by thegarbz · · Score: 1

      ... an insecure indicator?

      You mean like the exclamation mark that is drawn on an insecure webpage, the one which when you click says in bright red "Your connection to this site is not secure" Is that the insecure indicator you are talking about?

    3. Re:How about ... by wonkey_monkey · · Score: 1

      Why would you not want to be warned?

      (Disclaimer: we don't really have stop signs here, not the way they do in the US. They've always seemed a bit condescending to me...)

      --
      systemd is Roko's Basilisk.
    4. Re:How about ... by bondsbw · · Score: 1

      Here we have a small sign attached that says 4-WAY.

      But what I need to know is who doesn't have to stop. That is much more important than knowing that everybody has to stop. We are effectively trained to look at the sign, and in the absence of a 4-WAY indicator, look around to see which other directions have stop signs. Except we are looking at the silver backing which is much less visible in many cases, particularly in the dark or where trees/bushes may be overgrown.

      Bad UI.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    5. Re:How about ... by AmiMoJo · · Score: 1

      They have that. If you go to an insecure site there is a red marker now. Things like password auto-fill are disabled.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:How about ... by novakyu · · Score: 1

      Um, maybe it's different where you live, but where I live, you do get a warning when the cross traffic doesn't stop. Something like this. 4-WAY stop is a useful indicator letting me know that, after having come to a stop, I can start moving without waiting for the other guy to go, because if I came to a stop first, now I have the right-of-way. Without the 4-WAY stop indicator, I would have to try to look for the other guy's stop sign, before I feel safe to go after having stopped for my own stop sign.

    7. Re:How about ... by bondsbw · · Score: 1

      We have (to my knowledge) just one sign like that in our metro area, full of stop sign intersections which are not 4-WAY.

      I still maintain that knowing who doesn't stop is a safety concern, making it much more important than knowing that everyone stops for convenience. Besides, if you know that there aren't any who don't stop, you have the same info.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    8. Re:How about ... by novakyu · · Score: 1

      So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.

      My neighborhood is similar (very few intersections where one road that is not larger than the other does not have stop signs), and I would not wish my 4-WAY signage away if I could---it gives me useful information when I drive.

    9. Re:How about ... by bondsbw · · Score: 1

      So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.

      I never said that. We have MANY intersections between two streets of equal size which are not 4-WAY. Only one of those has the yellow sign you linked previously.

      Several streets have drainage dips in the directions that do not stop, but flat grade in the directions with stop signs. It's backwards from the way that seems natural. It makes it easy for someone who notices the big concrete dips instead of the stop sign which is behind a van parked on the curb to make the wrong decision.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    10. Re:How about ... by wonkey_monkey · · Score: 1

      With our more organically-developed road system we just don't seem to ever have this issue. There's usually a main road, with a white dotted line down the middle, and any adjoining roads have a yellow line across them which is "yield." Signs are usually just for speed limits, everything else seems to be conveyed through road markings.

      Then again I live on a small island so it's not even much like the UK itself.

      --
      systemd is Roko's Basilisk.
  3. If anyone from Mozilla is here. by xack · · Score: 1

    Please make sure that Firefox doesn't do this.

    1. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 1

      You do know they're only talking about getting rid of the word "Secure", right? Chrome is keeping the green lock icon, which is all that Firefox displays now as well.

      --
      systemd is Roko's Basilisk.
    2. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 2

      Edit: actually it looks like they're eventually planning to get rid of the lock, too. And the colouring is being ditched first, too.

      There'll still be a warning indicator on non-HTTPS sites.

      --
      systemd is Roko's Basilisk.
    3. Re:If anyone from Mozilla is here. by AHuxley · · Score: 1

      Don't GUI like google is the way to stay away from getting an evil GUI

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:If anyone from Mozilla is here. by PrimaryConsult · · Score: 1

      So how would I view the cert info once they take that away? Right now it's a quick two clicks starting with that "secure" lock to see if the cert is real or a proxy's man in the middle cert (they usually don't MitM on financial and shopping sites, but how do I know the particular one I am going to is on the whitelist?).

    5. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 1

      They're phasing out the lock eventually, too.

      --
      systemd is Roko's Basilisk.
    6. Re: If anyone from Mozilla is here. by wonkey_monkey · · Score: 1

      What do you get out of this?

      --
      systemd is Roko's Basilisk.
  4. lol by bobmajdakjr · · Score: 1

    "it's not necessary to draw the user's attention to the Secure indicator anymore" hope they make it red when it's not secure then rofl

    1. Re:lol by thegarbz · · Score: 1

      Not secure already shows an exclamation mark which when clicked gives you a big red warning text about the connection not being secure.

  5. Stupid move by DaMattster · · Score: 1

    It's an abjectly stupid move but leave it to corporations to do dumb shit just for some manager to justify their jobs. As another poster wrote, "It will be back."

    1. Re:Stupid move by thegarbz · · Score: 2

      So care to justify what makes it so stupid? Or are you going to repeat the shitty advice of the late 90s that says if you see the word "Secure" just go ahead and type all your credit cards in? Because that worked a treat! /sarcasm

      HTTPS is not security. Desensitizing people to the word "secure" is not security. We should be focusing on indications of proper EV certificates rather than confusing users.

    2. Re:Stupid move by sexconker · · Score: 2

      We should be focusing on indications of proper EV certificates rather than confusing users.

      The entire reason we need extended validation certificates is because the TRUSTED certificate AUTHORITIES weren't doing their fucking jobs and weren't verifying anything before issuing certificates to anyone who wanted one.

      Telling the CAs they have to do more work to issue MORE TRUSTED certs won't fix shit.

      HTTPS was only ever about securing the pipe from one end to the other. It was never about ensuring the host on the other end is who you think it is, and it never will be. Maybe when CAs fuck up EV certs so badly in 2020 the clowns decide we need EV+ or EV2 certs you'll realize this.

    3. Re:Stupid move by Ksevio · · Score: 1

      They're removing the "Secure" indicator, but not the "Insecure" indicator which is arguably more important to know these days

    4. Re:Stupid move by thegarbz · · Score: 1

      We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.

      I think what you are upset about is that the CAs are a note arbiter of good character. There have been very few cases of certificates misissued or trust problems with CAs. The fact that these issues where CAs have been mistrusted have been dealt with quickly and efficiently through revocation processes is a testament to just how well it has worked. However that doesn't stop someone issuing a DV certificate to www.paiypal.com and really it shouldn't.

      It was never about ensuring the host on the other end is who you think it is, and it never will be.

      Actually it has been precisely about that since 2005.

      Maybe when CAs fuck up EV certs so badly in 2020 the clowns decide we need EV+ or EV2 certs you'll realize this.

      Or maybe everything will work fine and you can stop running around flapping your undersized wings shouting the sky is falling.

    5. Re:Stupid move by sexconker · · Score: 1

      We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.

      We should be focusing on indications of proper EV certificates rather than confusing users.

      EV certs require CAs to do more work. Hint: They won't. They'll do the bare minimum, and eventually less than that, just as they did for standard certs.

      I think what you are upset about is that the CAs are a note arbiter of good character.

      I'm not quite sure what you mean by this, but what I'm upset with is the fact that CAs exist, are "trusted" by browsers, and do nothing to earn that trust. To the contrary, they have shown they are completely untrustworthy. Even with a trustworthy CA, a state actor can compromise them without anyone else knowing. The entire concept of having an authority you defer your trust decisions to is foolish from the start.

      There have been very few cases of certificates misissued or trust problems with CAs.

      You haven't been paying attention. How many major certs were revoked in the past 5 years? How many CAs were reprimanded?

      The fact that these issues where CAs have been mistrusted have been dealt with quickly and efficiently through revocation processes is a testament to just how well it has worked.

      The standard revocation process doesn't work. CRLs simply aren't used in most cases. The typical revocation process for an end user is for Chrome, Firefox, Windows, or Java to issue an update that revokes a bad cert. These updates aren't published promptly enough to handle the situation nor are they guaranteed to be installed by users in a timely fashion.

      Even when Google gets their panties in a twist over a bad CA, the action isn't immediate. If the problem is found on day 0, (and is known to have started X days prior), Google announces ahead of time that they'll be blacklisting certain certs in the future, then more certs, then all certs from that CA issued prior to a cutoff date.

      That's ridiculous. If you know a CA has fucked up, you need to IMMEDIATELY blacklist all of their certs. Yes, sites will show as having invalid certs. Too fucking bad. Further, I would never trust that CA again. For trust to be automatic it must be absolute. You can't absolutely repair trust that was previously broken.

      Are we talking about security or theater? The current situation is theater. The proposed "solutions" are more theater.

      Or maybe everything will work fine and you can stop running around flapping your undersized wings shouting the sky is falling.

      Like how it worked fine in the first place? Why do we need CRLs at all? Why are we moving to EV certs? Answer: CAs are trash.

      However that doesn't stop someone issuing a DV certificate to www.paiypal.com and really it shouldn't.

      That has nothing to do with anything.

      Actually it has been precisely about that since 2005.

      No, it hasn't. You can get a cert today without proving who you are to anyone. It's harder to buy time at the batting cages than it is to get a "trusted" CA to issue you a cert.

  6. Re:What is the purpose? by gumpish · · Score: 2

    Get with the times.

    All UI must now be compatible with the lowest common denominator: a smartphone in portrait orientation.

  7. Google's taking over where Microsoft left off by llamalad · · Score: 1

    MS was infamous for Embrace, Extend, Extinguish

    First thing that comes to mind is RSS. Built a killer infrastructure for apps to use, then killed it, killing apps and nuking unwary folks' subscriptions.

    Now this. Let's make security better... ok, it's better? Let's pretend it'll stay that way without further attention and reduce or remove its visibility.

    popcorn.

  8. Only show/show only by wonkey_monkey · · Score: 2

    and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

    "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

    --
    systemd is Roko's Basilisk.
    1. Re:Only show/show only by WallyL · · Score: 1

      and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

      "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

      Show only a lock sign? How would a person be able to tell what URL the browser is showing? Oh, that's right, people are already scared of URLs...

    2. Re:Only show/show only by wonkey_monkey · · Score: 1

      Show only a lock sign instead of a lock sign plus the word secure.

      If you're going to be pedantic, why not go the whole hog and say "What, so every website will be just a giant lock sign?"

      --
      systemd is Roko's Basilisk.
  9. It's a start by Sigma+7 · · Score: 1

    Because the less attention you can bring to the fact that "apple.com" is "secure", there'll be less people getting confused.

    For the context, an old version of chrome displayed that url as apple.com, and the user would be unaware of the difference. It also displayed "secure", thus visitors would have a false feeling of being connected to the correct site.

    The only reason to draw attention to a "secure" site is if it's got one of those "verified" certificates that show something special in the address bar. And even then, there's still room for caution cause certain computers in a corporate environment may have their own security certificates that allows the company to MITM employees.
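The display problem described in the comment above can be checked mechanically, assuming it refers to an internationalized (punycode) look-alike of apple.com. This is an added example, not part of the original thread and not Chrome's code; the look-alike table, function names and sample hostnames are constructed for illustration.

```python
import unicodedata

# Small constructed table of Cyrillic letters that render like Latin ones.
# Real browsers rely on the much larger Unicode confusables data (UTS #39).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u0501": "d",
}
RISKY = ("mixed-script", "whole-script-lookalike")


def decode_label(label):
    """Return the Unicode form of one DNS label ("xn--..." -> Unicode)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].lower().encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: keep the raw label
    return label


def to_alabel(label):
    """Return the ASCII ("xn--") form of one DNS label."""
    u = decode_label(label)
    if u.isascii():
        return u.lower()
    return "xn--" + u.encode("punycode").decode("ascii")


def scripts_of(label):
    """Collect the script names used in a label (digits and '-' ignored)."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        # The first word of the Unicode name is the script for the
        # alphabets handled here, e.g. "LATIN", "CYRILLIC", "GREEK".
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def assess_label(label):
    """Classify one label: ascii, idn, mixed-script, whole-script-lookalike."""
    u = decode_label(label)
    if u.isascii():
        return "ascii"
    if len(scripts_of(u)) > 1:
        return "mixed-script"
    # Every character maps to a Latin letter: the label can pass for ASCII.
    if "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in u).isascii():
        return "whole-script-lookalike"
    return "idn"


def display_host(host):
    """Return (text to show in the address bar, per-label verdicts).

    Risky hosts are shown in their raw "xn--" form so the user cannot
    mistake them for the ASCII name they imitate; ordinary IDNs are
    shown in Unicode.
    """
    labels = host.rstrip(".").split(".")
    verdicts = [assess_label(label) for label in labels]
    if any(v in RISKY for v in verdicts):
        shown = ".".join(to_alabel(label) for label in labels)
    else:
        shown = ".".join(decode_label(label) for label in labels)
    return shown, verdicts


if __name__ == "__main__":
    # Constructed sample hostnames (not taken from the page).
    samples = [
        "\u0430\u0440\u0440\u04cf\u0435.com",   # all-Cyrillic look-alike
        "ex\u0430mple.test",                    # Latin with one Cyrillic letter
        to_alabel("\u043f\u0440\u0438\u043c\u0435\u0440") + ".test",  # real IDN
        "www.payipal.com",                      # ASCII typosquat from the thread
    ]
    for host in samples:
        print(display_host(host))
```

An ASCII typosquat such as the www.payipal.com mentioned earlier in the thread passes this check untouched, because it contains no non-Latin characters at all.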

  10. Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

    Geez, this summary totally missed the entire point here and linked story only gets to it, well down on the page. If the connection is insecure, the browser is going to notify you of that with either an "insecure message" if there are no input controls (web forms) and a red icon and red text if there is a web form on the page.

    The entire thing is that there's no need to highlight the default, and damn it if your site isn't using HTTPS by default now you should just resign from your damn job, which is HTTPS.

    And yes, I'm sure I'll hear folks say, "well XYZ doesn't use HTTPS by default and my job requires it." Well then your company is full of idiots then. We're at a point that there's zero reasons to not have a production site HTTPS by default, full f'ing stop. It's literally insulting to your company if this isn't the case. /rant

    1. Re:Bloody hell what a horrible synopsis. by iggymanz · · Score: 1

      wrong, autism boy.

      plenty of sensors and controllers need http to configure, and no one is going to scrap an HVAC unit to make you happy.

      that has nothing to do with IQ of employers. I'm worried about yours though

    2. Re:Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

      plenty of sensors and controllers need http to configure

      If a place has a bare Internet facing HVAC controller with no in-between, then there's a ton of problems that no level of "a green icon in the corner" is going to fix. I did say "Production Site" and if you have a brain cell left in you, you know exactly what that means. But yeah, go ahead and put an insecure HVAC directly on the Internet, I'm sure that will pan well for you.

    3. Re:Bloody hell what a horrible synopsis. by iggymanz · · Score: 1

      who said it was internet facing?

      the need for browser to do http is real and we don't need browser programmers trying to be everyone's nagging nanny. that kind of goody-goody attitude can go to hell

    4. Re:Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

      who said it was internet facing?

      If it's not then shut the fuck up as I already pointed out that entire case in the first comment.

      the need for browser to do http is real and we don't need browser programmers trying to be everyone's nagging nanny

      When the majority of folks using web browsers are morons, yes, yes we do. Your edge case can go to hell. No one took away your precious http, you still have it, it just has a red icon now. That's because you and your fucking HVAC system, can't speak a pretty basic fucking protocol and apparently it was made to be completely unupdatable, which also sounds brilliant. So for your corner case, and the millions of other corner cases out there, you all get red icons. Compare that to the literal billions who will use it on the actual Internet, which is the thing I pointed out that you, I guess, didn't give two fucks about to read. So ya know what, I'll be sure to cry you a river for your red icon. Idiot.

    5. Re:Bloody hell what a horrible synopsis. by iggymanz · · Score: 1

      no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.

    6. Re:Bloody hell what a horrible synopsis. by slack_justyb · · Score: 1

      no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.

      If you're heading down that road, let me just go ahead and cut to the chase. All traffic on the Internet should be secure, thinking otherwise is dumb. The content of that traffic doesn't matter, **all traffic** on the **Internet** should be **secure**. Full stop. Whatever, reason a person thinks that "this content" shouldn't be secure, usually boils down to subjective logic and lack of any clear rationale argument. Now you can sit there and conjure up reasons, why this content "could" be sent insecure. But that doesn't cover why "it is better to send it insecure versus secure." There exists zero "good" reasons why any content is better to send insecure rather than secure. People moan about the "technical difficulties for making the switch from HTTP to HTTPS" and the reality is that you can self cert in seconds, you can use an open cert service in just a few minutes, you can purchase a full blown well trusted cert in no time. I mean literally there are hundreds of HOWTOs, hundreds of cert services, and so on all developed around the sole notion that "Hey! You should secure your damn traffic." Hesitation for moving from HTTP to HTTPS boils down to one thing. Developers being insanely lazy. If you can be bothered to secure your traffic on a production server, regardless of the content, then the developer is a lazy fuck. 100 out of 100 times I've seen folks not secure their production server, it has always been "we're getting around to it..." Doesn't take more than 30 - 40 seconds to do the bare minimum, there is just zero reasons why it shouldn't be secured.

  11. A sad and weird turn for the web by tirnacopu · · Score: 1

    I would have welcomed any option of sending plain text packets+signature (and there are many) so as to keep the Web open and allow people managing it to gain insights from its contents. Sadly, tech news I read makes it look like everybody is under attack and the only solution is end-to-end encryption. Until you reach Facebook's servers, that is.

  12. Re:Chrome, the Phisherman's friend. by Zontar+The+Mindless · · Score: 2

    In a just universe, it'd be one that administers an electric shock in response to using an apostrophe for the plural.

    --
    Il n'y a pas de Planet B.
  13. Re:What is the purpose? by AHuxley · · Score: 1

    So the user can enjoy the site and approved ads without distracting terms like "secure"

    --
    Domestic spying is now "Benign Information Gathering"
  14. Re:Complete Design Failure by AHuxley · · Score: 1

    The approved ads are now secure so the site is working. Let the user view the ads.

    --
    Domestic spying is now "Benign Information Gathering"
  15. http blocked within 5 years by THE_WELL_HUNG_OYSTER · · Score: 2

    It's only a matter of time until Chrome either blocks http or users are forced to click a security exception button before an http site will load (like sites with invalid SSL certs today).

    1. Re:http blocked within 5 years by geekymachoman · · Score: 1

      That's stupid. Let's hope they will not do that.

      Not everything deserves or has to be encrypted.. especially not in LANs, etc..

    2. Re:http blocked within 5 years by novakyu · · Score: 1

      Um, you were on the right track up until you said "especially not in LANs". How often do you load up stuff in your Web browser from your LAN?

      The correct response is "Not everything deserves or has to be encrypted." (Just end with the period; no further qualification needed.)

    3. Re:http blocked within 5 years by novakyu · · Score: 1

      No, I'm one of those users who thinks SFTP is unnecessary for anonymous FTP access.

    4. Re:http blocked within 5 years by Pieroxy · · Score: 1

      No, I'm one of those users who thinks SFTP is unnecessary for anonymous FTP access.

      What https does is twofold: 1. Encrypt, 2. Prevent MITM attacks.

      Even your anonymous FTP download could be MITMed and you have no guarantee that you're even talking to the right server.

    5. Re:http blocked within 5 years by novakyu · · Score: 1

      What if I'm downloading (or making available) a content (like some text material) that I don't care if it was MITM'd? Should I still be forced to use SFTP? Just because I don't want (because I don't need) encryption doesn't mean I need to be STFU'd.

  16. Good move by Chrisq · · Score: 1

    Warn about insecure instead of giving a "well done" to normal practice. As long as EV certificates still show in green it's fine with me.