Slashdot Mirror


Safari Tests 'Not Secure' Warning For Unencrypted Websites (cnet.com)

Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.

4 of 66 comments

  1. Re:Isn't this a waste? by Aighearach · · Score: 2

    Do we really need SSL on everything?

    The reality is that you need SSL just to prevent content from being transparently altered en route; it is not only for secret content, but just for knowing what the content actually was!

    Sad, but true.

  2. Re:Isn't this a waste? by Anonymous Coward · · Score: 2, Insightful

    Do we really need SSL on everything?

    Yes. Only securing "sensitive" traffic makes it trivially easy to identify "sensitive" traffic.

    Also, Yes! What you consider non-sensitive information may, in fact, be useful to a malicious actor listening in on the wire.

    Do you really want your ISP or anyone else in the transit path between you and Google knowing what search terms you enter? That's between you and Google. Do you want your ISP censoring your Internet? Modifying pages as they come back to remove "bad" words?

    SSL also helps to prevent modification of data in transit. The easiest example of this is inserting malicious JavaScript in a page as it passes through one of the many hops en route to you. With SSL you have some confidence (if you trust the CA, for example) that you are talking directly to the remote host you think you are and that nobody can insert malicious code or modify the data on its way to you without your client noticing.

  3. Re:Isn't this a waste? by Strider- · · Score: 3, Interesting

    So what you’re saying is that we need content validation without full encryption for most things. This is how Windows Update (and I think Apple update) works. Hashes of the packages are transferred securely, while the bulk data is in the clear. This allows the data to be verified, while still permitting caching to work.

    --
    ...si hoc legere nimium eruditionis habes...
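
The scheme described in comment 3, as an added example that is not part of the original thread and not the code of any real update service: a manifest entry (hash and size) arrives over an authenticated channel, the bulk payload arrives in the clear through a cache, and the client accepts the payload only if it matches. The names `verify_payload`, `fetch_and_verify`, `MANIFEST` and the sample package are assumptions made for illustration; the check gives integrity only, so anyone on the path can still read the payload.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024

class IntegrityError(Exception):
    """Payload from the untrusted channel does not match the trusted manifest."""

def verify_payload(stream, expected_sha256, expected_size):
    """Read `stream` (untrusted, e.g. a plain-HTTP cache) and return its bytes
    only if length and SHA-256 match the values taken from the manifest."""
    digest = hashlib.sha256()
    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        buf += chunk
        # Stop early so a hostile cache cannot feed unbounded data.
        if len(buf) > expected_size:
            raise IntegrityError("payload longer than manifest size")
        digest.update(chunk)
    if len(buf) != expected_size:
        raise IntegrityError("payload shorter than manifest size")
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        raise IntegrityError("SHA-256 mismatch")
    return bytes(buf)

# Constructed sample data: the package as published, and the manifest entry
# that would arrive over the authenticated (HTTPS or signed) channel.
PACKAGE = b"update-1.0 contents\n" * 1000
MANIFEST = {"sha256": hashlib.sha256(PACKAGE).hexdigest(), "size": len(PACKAGE)}

def fetch_and_verify(cached_bytes, manifest=MANIFEST):
    """Hypothetical helper: `cached_bytes` stands in for the cleartext download."""
    return verify_payload(io.BytesIO(cached_bytes),
                          manifest["sha256"], manifest["size"])

def is_accepted(cached_bytes):
    """True if the cleartext copy verifies against the manifest."""
    try:
        fetch_and_verify(cached_bytes)
        return True
    except IntegrityError:
        return False
```
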

  4. Self Signed by ewibble · · Score: 2

    I don't see why a self-signed certificate gets a warning but HTTP doesn't; it is no less secure. An icon saying it is less secure should be enough (say you may not be going to the site you expect). It is really annoying that you have to pay someone a recurring fee just to add a little security. Even worse for routers that don't have a DNS entry, you have to start managing your own certificates.