In Encryption Push, Chrome Flags HTTP Sites as 'Not Secure'

On Tuesday, Chrome started marking sites that don't use HTTPS as "not secure." From a report: First announced two years ago, Google said it would flag any site that still uses unencrypted HTTP to deliver its content in the latest version of Chrome, out Tuesday. It's part of the company's years-long effort effort to gradually nudge more webmasters and site owners into adopting HTTPS, a secure encryption standard for data in transit. Any site that doesn't load with green padlock or a "secure" message in the browser's address bar will be flagged -- and shamed -- as insecure.

[...] According to nightly data compiled by security experts Troy Hunt and Scott Helme, roughly 100 of the top 500 websites are still serving their pages over unencrypted HTTP -- all of which will today be flagged as "insecure." Many of those sites -- like Baidu, JD.com, and Google.cn -- are Chinese language sites, but many popular Western sites -- including BBC.com, DailyMail.co.uk, and Fedex.com -- are HTTP. Of the top million sites, a little over half do not redirect to HTTPS. Chrome 68 also brings with it Page Lifecycle API, and the Payment Handler API. From a report: The Payment Handler API builds on the Payment Request API, which helped users check out online. The new API enables web-based payment apps to facilitate payments directly within the Payment Request experience, as seen above. As with every version, Chrome 68 includes an update to the V8 JavaScript engine: version 6.8. It reduces memory consumption as well as includes improvements to array destructuring, Object.assign, and TypedArray.prototype.sort. Check out the full list of changes for more information.

Re: Baked in financial transactions?

Some of us remember when the web was for the interchange of ideas and knowledge, not some glorified shopping cart for mouth breathers.

Thanks Google!

Thanks, Google, for breaking the internet.

Misusing your power (client & server) to push people around and to shape a landscape favoring your business and nothing else. You are finishing the nightmare Microsoft tried to realize.

Assholes.

Re:Thanks Google!

[squiggleslash]

I'm failing to see how an unobtrusive warning that the webpage you're looking at wasn't served securely is "breaking the Internet".

Re:Thanks Google!

[Khyber]

The warning isn't fucking unobtrusive, that's the problem.

Any time you do something Google doesnt' like, it makes sure to make a big fucking fuss about it.

And that's going to give people the idea that the age they're trying to visit has been hijacked or otherwise when it has not.

It's going to pretty much result in digital libel and defamation of the site as idiots who don't know better start spreading word that "site x is hacked because Google Said So."

Too bad nerds like you quite often have shorter sight than your coke-bottle glasses lets on.

This is stupid garbage

Most web sites don't need https. Most web sites don't take payments, don't transmit user data, etc.

Bbc.com doesn't need encryption. My business site which doesn't take payments or allow user accounts does not need encryption. It's a wall of text and pictures.

Google acting like the entire world needs this is incredibly stupid.

I already have to use Firefox to access firewalls because Google decided that "go to the site anyway goddammit" just means "allow traffic for 2 minutes, and then complain about the certificate again. And again. And again"

Now it's going to scare people for no reason. Screw them

Re:This is stupid garbage

Bbc.com doesn't need encryption.

You visit bbc.com. The great firewall inserts javascript to DoS attack another website.

You visit bbc.com. You read a simple article about foreign policy. In between you and the BBC, the text of the article has been replaced, changing your knowledge of facts, your opinion, and ultimately your vote.

You visit bbc.com. To preserve your privacy, you use a VPN or Tor. Your HTTP request has a BBC-UID cookie. Anyone snooping the connection can tell which link is yours as opposed to someone else's, and can track when you're there using the internet and which pages you go to.

You visit bbc.com. You're an activist in a country which would like to not have you around. Instead of receiving bbc.com, you receive child porn. It only takes a minute for the police to be signalled and break down your door and confiscate your computer. In court, experts testify that you hid the CP in a clever place (the browser cache). Not only do you go away for life, but you're discredited to the public and the court, police and experts don't have to be in on it.

Explain why it is essential to have bbc.com not be encrypted.

Why encrypt LOLcats?

[XXongo]

I'd be very concerned if any site I used for monetary purposes wasn't using HTTPS. On the other hand, sites providing data services like streaming or news probably don't need to encrypt anything.

Yes!

for 90% of the stuff I browse on the web, I don't need https. I really don't care who sees the cat pictures I look at.

https should be saved for pages that actually need encryption

Re:Why encrypt LOLcats?

for 90% of the stuff I browse on the web, I don't need https. I really don't care who sees the cat pictures I look at.

Because it's none of the NSA's or any other sniffing scumbag's damned business what you're viewering, full stop. If you only establish encrypted connections for things that you want private, then the snoops know what to focus on. If everything is encrypted, you offer them no clue.

Re:Why encrypt LOLcats?

Honestly, I want encryption so my ISP *can't* inject adds into the pages. Need has nothing to do with it.

Re:To be honest

[flink]

Do you not want any guarantees that your news is unaltered from the source?

Nobody is doing that. It's the source itself that is usually subverted.

Re:MitM https proxies should be flagged too

[Wrath0fb0b]

All of this is pointless as long as we encourage corp IT firewall admins to completely break https with their MitM proxies that use fake wildcard certs and bogus CAs as part of a GP push.

It's not "breaking" HTTPs, any more that distributed authorized_keys "break" SSH. The owner of Group Policy on a machine has (by definition) the authority to set HTTPs policies, read files, spy on the screen and plant furry porn in your home directory. That's literally what it means to be in group policy.

As I see it, the IT admins should be absolutely transparent with employees that all content touching the machine is subject to being recorded and have clear policies on whose approvals are necessary to go read the logs.