Slashdot Mirror


In Encryption Push, Chrome Flags HTTP Sites as 'Not Secure' (zdnet.com)

On Tuesday, Chrome started marking sites that don't use HTTPS as "not secure." From a report: First announced two years ago, Google said it would flag any site that still uses unencrypted HTTP to deliver its content in the latest version of Chrome, out Tuesday. It's part of the company's years-long effort to gradually nudge more webmasters and site owners into adopting HTTPS, a secure encryption standard for data in transit. Any site that doesn't load with a green padlock or a "secure" message in the browser's address bar will be flagged -- and shamed -- as insecure.

[...] According to nightly data compiled by security experts Troy Hunt and Scott Helme, roughly 100 of the top 500 websites are still serving their pages over unencrypted HTTP -- all of which will today be flagged as "insecure." Many of those sites -- like Baidu, JD.com, and Google.cn -- are Chinese language sites, but many popular Western sites -- including BBC.com, DailyMail.co.uk, and Fedex.com -- are HTTP. Of the top million sites, a little over half do not redirect to HTTPS.
Chrome 68 also brings with it the Page Lifecycle API and the Payment Handler API. From a report: The Payment Handler API builds on the Payment Request API, which helped users check out online. The new API enables web-based payment apps to facilitate payments directly within the Payment Request experience, as seen above. As with every version, Chrome 68 includes an update to the V8 JavaScript engine: version 6.8. It reduces memory consumption and includes improvements to array destructuring, Object.assign, and TypedArray.prototype.sort. Check out the full list of changes for more information.

36 of 268 comments

  1. MitM https proxies should be flagged too by nyet · · Score: 5, Interesting

    All of this is pointless as long as we encourage corp IT firewall admins to completely break https with their MitM proxies that use fake wildcard certs and bogus CAs as part of a GP push.

    1. Re:MitM https proxies should be flagged too by Wrath0fb0b · · Score: 4, Insightful

      > All of this is pointless as long as we encourage corp IT firewall admins to completely break https with their MitM proxies that use fake wildcard certs and bogus CAs as part of a GP push.

      It's not "breaking" HTTPs, any more that distributed authorized_keys "break" SSH. The owner of Group Policy on a machine has (by definition) the authority to set HTTPs policies, read files, spy on the screen and plant furry porn in your home directory. That's literally what it means to be in group policy.

      As I see it, the IT admins should be absolutely transparent with employees that all content touching the machine is subject to being recorded and have clear policies on whose approvals are necessary to go read the logs.

  2. Re: Baked in financial transactions? by Anonymous Coward · · Score: 3, Insightful

    Some of us remember when the web was for the interchange of ideas and knowledge, not some glorified shopping cart for mouth breathers.

  3. Thanks Google! by Anonymous Coward · · Score: 5, Insightful

    Thanks, Google, for breaking the internet.

    Misusing your power (client & server) to push people around and to shape a landscape favoring your business and nothing else. You are finishing the nightmare Microsoft tried to realize.

    Assholes.

    1. Re:Thanks Google! by squiggleslash · · Score: 3, Insightful

      I'm failing to see how an unobtrusive warning that the webpage you're looking at wasn't served securely is "breaking the Internet".

      --
      You are not alone. This is not normal. None of this is normal.

    2. Re:Thanks Google! by Khyber · · Score: 4, Insightful

      The warning isn't fucking unobtrusive, that's the problem.

      Any time you do something Google doesn't like, it makes sure to make a big fucking fuss about it.

      And that's going to give people the idea that the page they're trying to visit has been hijacked or otherwise when it has not.

      It's going to pretty much result in digital libel and defamation of the site as idiots who don't know better start spreading word that "site x is hacked because Google Said So."

      Too bad nerds like you quite often have shorter sight than your coke-bottle glasses let on.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  4. This is stupid garbage by Anonymous Coward · · Score: 5, Insightful

    Most web sites don't need https. Most web sites don't take payments, don't transmit user data, etc.

    Bbc.com doesn't need encryption. My business site which doesn't take payments or allow user accounts does not need encryption. It's a wall of text and pictures.

    Google acting like the entire world needs this is incredibly stupid.

    I already have to use Firefox to access firewalls because Google decided that "go to the site anyway goddammit" just means "allow traffic for 2 minutes, and then complain about the certificate again. And again. And again"

    Now it's going to scare people for no reason. Screw them

    1. Re:This is stupid garbage by Luthair · · Score: 2

      Insecure is an accurate description for HTTP. Further, given the number of sites I've run into over the years showing locks and claiming to submit credit cards securely that are using HTTP, I don't think this change is bad.

    2. Re:This is stupid garbage by Anonymous Coward · · Score: 5, Insightful

      > Bbc.com doesn't need encryption.

      You visit bbc.com. The great firewall inserts javascript to DoS attack another website.

      You visit bbc.com. You read a simple article about foreign policy. In between you and the BBC, the text of the article has been replaced, changing your knowledge of facts, your opinion, and ultimately your vote.

      You visit bbc.com. To preserve your privacy, you use a VPN or Tor. Your HTTP request has a BBC-UID cookie. Anyone snooping the connection can tell which link is yours as opposed to someone else's, and can track when you're there using the internet and which pages you go to.

      You visit bbc.com. You're an activist in a country which would like to not have you around. Instead of receiving bbc.com, you receive child porn. It only takes a minute for the police to be signalled and break down your door and confiscate your computer. In court, experts testify that you hid the CP in a clever place (the browser cache). Not only do you go away for life, but you're discredited to the public and the court, police and experts don't have to be in on it.

      Explain why it is essential to have bbc.com not be encrypted.

    3. Re:This is stupid garbage by omnichad · · Score: 2

      They say "not secure" rather than "insecure." It's a fair distinction that makes more sense in the context. The least of the problems is the wording.

  5. Re:To be honest by XanC · · Score: 3, Funny

    Do you not want any guarantees that your news is unaltered from the source?

  6. Why encrypt LOLcats? by XXongo · · Score: 4, Insightful

    > I'd be very concerned if any site I used for monetary purposes wasn't using HTTPS. On the other hand, sites providing data services like streaming or news probably don't need to encrypt anything.

    Yes!

    for 90% of the stuff I browse on the web, I don't need https. I really don't care who sees the cat pictures I look at.

    https should be saved for pages that actually need encryption

    1. Re:Why encrypt LOLcats? by Anonymous Coward · · Score: 2, Insightful

      > for 90% of the stuff I browse on the web, I don't need https. I really don't care who sees the cat pictures I look at.

      Because it's none of the NSA's or any other sniffing scumbag's damned business what you're viewing, full stop. If you only establish encrypted connections for things that you want private, then the snoops know what to focus on. If everything is encrypted, you offer them no clue.

    2. Re:Why encrypt LOLcats? by Anonymous Coward · · Score: 5, Insightful

      Honestly, I want encryption so my ISP *can't* inject ads into the pages. Need has nothing to do with it.

    3. Re:Why encrypt LOLcats? by willaien · · Score: 3, Informative

      HTTPS isn't just about encrypting information like bank info - but also about preventing tracking. If all of your websites use HTTPS, your ISP can't snoop on your traffic to sell your data.

    4. Re:Why encrypt LOLcats? by telek83 · · Score: 2

      It's about preventing tracking for anyone but Google*

      Fixed that for you.

    5. Re:Why encrypt LOLcats? by fafalone · · Score: 2

      Careful what you wish for. That would make adblockers copyright infringement tools, as they too modify the page.

  7. Re:celf signed certificates by roman_mir · · Score: 4, Funny

    elf signed certs are fine, but they cause all sorts of issues in Gnome environments and Men in the Middle-earth attacks are possible.

  8. You shouldn’t have given Chrome market share by xack · · Score: 2, Interesting

    Now Chrome can do web controlling actions like security extortion. The next step will be that only Google-approved certificates, complete with extortionate prices, will be marked as secure. Join the resistance, get one of the XUL trio of browsers: Waterfox, Pale Moon or Basilisk.

  9. Re:To be honest by flink · · Score: 3, Insightful

    > Do you not want any guarantees that your news is unaltered from the source?

    Nobody is doing that. It's the source itself that is usually subverted.

  10. The problem: ALL HTTPS is insecure and allows MitM by Anonymous Coward · · Score: 5, Informative

    The entire concept of certificate "authorities" is already fundamentally broken by design. (Kinda obvious, given the "argument from authority" fallacy.)

    I can not trust an organization that happens to host a website, but I'm supposed to trust an organization that happens to be a CA? Because the browser maker said so? Whose trustworthiness is not established either, by the way.

    If you want at least some trust, you either have to BE the CA (like with my own servers), or meet and get to know the person *personally*. Everything else is just hearsay, and of comparable trustworthiness to whatever you receive when you send out an unencrypted HTTP request to a random unknown domain.

  11. "Redirect" by darkain · · Score: 2

    Their metric specifically mentions redirecting. One of the sites that I manage is an antique auto parts store. There is still a large fraction of our customers using Windows 98 era PCs. Due to this, automatic redirects from HTTP to HTTPS are disabled, so they can still browse the catalog and call us on the phone to order. Bots testing this site would notice the lack of redirection. However, modern browsers pass in some new additional headers which mention some HTTPS capabilities, and *IF* these headers are available, automatic redirection happens (since we know the client will be on a browser which supports the proper TLS version).

    I'm sure several of these other sites are using a similar approach. I just personally tested FedEx.com, and it is properly redirecting from HTTP to HTTPS in an up-to-date browser. So odds are that these bots testing these sites are not fully supplying all the same headers that browsers do.
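The header-gated redirect described above, as an added example that is not the poster's own code: it assumes the "HTTPS capability" header in question is `Upgrade-Insecure-Requests: 1`, which current browsers send on navigations, and it keeps clients that do not send it on plain HTTP while sending everyone else to HTTPS. The hostname handling and handler class are illustrative.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the capability header the post refers to is
# Upgrade-Insecure-Requests, which modern browsers set to "1".
UPGRADE_HEADER = "upgrade-insecure-requests"


def wants_https(headers):
    """True when the client advertises that it can handle HTTPS.

    `headers` is any mapping of header names to values; names are
    compared case-insensitively, as HTTP header names are.
    """
    lowered = {k.lower(): str(v).strip() for k, v in headers.items()}
    return lowered.get(UPGRADE_HEADER) == "1"


def redirect_target(host, path, headers):
    """Return the https:// URL to redirect to, or None to serve over HTTP.

    Only the hostname from the Host header is reused; the scheme is
    forced to https so the request cannot steer the redirect elsewhere.
    """
    if not wants_https(headers):
        return None
    hostname = host.split(":", 1)[0]  # drop an explicit :80 port
    if not hostname or "/" in hostname:
        return None  # malformed Host header: fall back to plain HTTP
    return f"https://{hostname}{path}"


class CatalogHandler(BaseHTTPRequestHandler):
    """Plain-HTTP front door: upgrade capable clients, serve the rest."""

    def do_GET(self):
        target = redirect_target(self.headers.get("Host", ""), self.path, self.headers)
        if target:
            self.send_response(301)
            self.send_header("Location", target)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"<h1>Catalog (legacy HTTP view)</h1>")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CatalogHandler).serve_forever()
```

A scanner that fetches the page without that header sees a 200 and no redirect, which is the measurement discrepancy the comment points at.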

  12. Re: something something motes and beam by nitehawk214 · · Score: 2

    The text on duck.com is significantly more informative than I expected.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust

  13. Software updates etc... by Strider- · · Score: 4, Interesting

    Hopefully, though, software updates (such as Windows Update, Apple Update, etc...) will remain unencrypted. I run a network that services some remote communities via satellite, and those things are eminently cacheable (we have a WSUS server for our corporate computers).

    Before you get your panties in a twist about that being insecure, the way I recall these things working is that the update client fetches SHA256 sums of the update files via HTTPS, and then downloads the files over HTTP. That way, the updates can be cached locally, but the end user can still be assured that they haven't been tampered with.

    --
    ...si hoc legere nimium eruditionis habes...
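The verify-then-cache pattern the comment recalls, as an added example that is neither the poster's nor any real update client's code: a sha256sum-style manifest is treated as having arrived over HTTPS, the payloads as having come through a cleartext, cacheable path, and anything that does not match the manifest is rejected before use. The manifest format, file names and payload bytes are constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ("<hex>  <name>") into {name: hex}.

    Malformed lines raise instead of being skipped, so a truncated or
    garbled manifest cannot silently drop a check.
    """
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed")
        digest, name = parts
        int(digest, 16)  # raises ValueError if not hexadecimal
        table[name.strip()] = digest.lower()
    return table


def verify_update(name: str, payload: bytes, manifest: dict) -> bool:
    """True only if the cleartext-fetched payload matches the HTTPS manifest."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unlisted file: never trust a download nobody vouched for
    return hmac.compare_digest(sha256_hex(payload), expected)


# Constructed sample data standing in for the real fetches.
GOOD = b"kb-001: replace vulnerable module with fixed build\n"
TAMPERED = GOOD + b"extra bytes added somewhere between server and cache\n"
MANIFEST_TEXT = f"{sha256_hex(GOOD)}  kb-001-patch.bin\n"


def demo() -> tuple:
    """Exercise the good, tampered and unlisted cases."""
    table = parse_manifest(MANIFEST_TEXT)
    return (
        verify_update("kb-001-patch.bin", GOOD, table),
        verify_update("kb-001-patch.bin", TAMPERED, table),
        verify_update("kb-999-unlisted.bin", GOOD, table),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```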

  14. Re:To be honest by KixWooder · · Score: 4, Informative

    Not news, but Comcast has and continues to modify websites.

    --
    I hate fat people.

  15. Crying Wolf by nuckfuts · · Score: 4, Interesting

    The upshot of this is that users are going to become accustomed to ignore all such warnings and proceed to the site anyway. Rendering even legitimate warnings basically useless.

  18. HTTPS is centralizing the internet by SkOink · · Score: 4, Interesting

    I'm all for encrypting web traffic, but this push for HTTPS-everything is kind of terrifying. It puts us in this dystopian future where we rely on CAs to decide whether or not we can visit a website.

    If a couple of CAs decide (or are told) to revoke my cert, there's literally nothing I can do about it. And all of a sudden my website is inaccessible to 90% of browsers, and there's nothing I can do about it.

    I would happily support some kind of peer-to-peer encryption scheme (HTTPS with no CA, maybe). But centralizing everything through CA gatekeepers is just asking for a government to butt in.

    --
    ---- I'll take you in a Hunt deathmatch any day.

    1. Re:HTTPS is centralizing the internet by Opportunist · · Score: 2

      A revoked certificate isn't much different from a self-signed certificate. You can still connect to the server, there is just no guarantee that you're actually talking with the correct server. Which is something you kinda need someone to vouch for unless you want to manually verify every certificate of every server you communicate with.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  19. Too many warnings = people ignore warnings by raymorris · · Score: 2

    The number one reason, from my experience, is that if people see warnings a lot, especially for dumb things, they are quickly trained to ignore warnings. Microsoft learned this lesson with their first attempt at UAC. SELinux had a similar problem for a few years.

    For best security, you should alert people to actual security problems, and only problems they can do something about. Reading Wikipedia over http is not a problem.

    Also, Bobmorning makes a good point here:
    https://tech.slashdot.org/comm...

    The security systems that are supposed to protect you can't see all the malware being downloaded onto your system, the data being exfiltrated, etc. when everything is TLS.

  20. You think that is the main feature of https? by fuzzyf · · Score: 2

    Your mundane page showing cat pics or whatever can be a serious threat if the script-kiddie on the next table can inject whatever javascript he wants into it before you receive it.

    Yes, a source can be compromised too, but the ease of mitm http is just amazing. Also, any http security header (csp, hsts, hpkp, etc) or other mitigation techniques are futile if transport can't be trusted.

  21. This is true by raymorris · · Score: 2

    I suspect most people reading this haven't worked in a SOC, so they won't appreciate how much truth there is in what Bobmorning said.

    > There is a delicate balance between having situational awareness of what is going on in the network versus

    Exactly. We have systems that can see when a site is trying to do a drive-by malware installation or whatever, lots of ways to protect people in some pretty advanced ways. We can't protect what we can't read, though. So there is a balance. Encrypting everything makes it easier for the bad guys to send bad stuff to and from your machine without getting caught. So the ideal is neither "encrypt nothing" nor "encrypt everything as if it's a state secret". The best ways to protect against various attacks are situation dependent. For reading Wikipedia, unencrypted is probably safer overall. It's also faster - https can't be cached.

  22. Re:celf signed certificates by Dragonslicer · · Score: 2

    Nobody modded it down. It currently has +2 Funny. The poster is just such an overwhelmingly obnoxious troll that all their posts start at -1.

  23. Re: To be honest by Zero__Kelvin · · Score: 2

    What an absurd comment. Whoever created the browser has 100% access to everything, including your account logins and passwords, both http and https. Google gains no additional advantage.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  24. ISP caught injecting cross-site scripting by tepples · · Score: 2

    Comcast has been caught injecting advertisements into HTML documents that Comcast customers view over cleartext HTTP. If BBC doesn't want Comcast performing cross-site scripting on BBC's site, BBC needs to use HTTPS.