Slashdot Mirror


Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com)

An anonymous reader writes: Google wants to block some file downloads carried out via HTTP on websites that use HTTPS. The plan is to block EXE, DMG, CRX, ZIP, GZIP, BZIP, TAR, RAR, and 7Z file downloads when the download is initiated via HTTP but the website URL shows HTTPS.

Google said it's currently not thinking of blocking all downloads started from HTTP sites, since the browser already warns users about a site's poor security via the "Not Secure" indicator in the URL bar. The idea is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.
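The policy the summary describes, expressed as a small audit script (an added example for this thread, not Chrome's own logic): it flags plain-HTTP links to the listed file types found on a page that was itself loaded over HTTPS. It classifies by URL extension alone, which is an assumption; the article does not say how Chrome decides. The sample page and host names are constructed.

```python
"""Audit a page for the kind of download Chrome proposes to block: a plain-HTTP
link to one of the listed file types on a page that was loaded over HTTPS.
Added example for this thread, not Chrome's own logic; it classifies by URL
extension only (an assumption; the article does not say how Chrome decides)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File types named in the article. ".gz" and ".bz2" are added as the usual
# on-disk spellings of GZIP and BZIP (assumption, not from the article).
BLOCKED_EXTENSIONS = (".exe", ".dmg", ".crx", ".zip", ".gzip", ".gz",
                      ".bzip", ".bz2", ".tar", ".rar", ".7z")


def is_blocked_download(page_url: str, href: str) -> bool:
    """True if `href`, resolved against `page_url`, is a plain-HTTP download of a
    blocked file type from an HTTPS page. Relative and scheme-relative links
    inherit the page's HTTPS scheme, so they are not flagged."""
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, href))
    if page.scheme != "https" or target.scheme != "http":
        return False
    path = target.path.lower()          # the query string is not part of the path
    return path.endswith(BLOCKED_EXTENSIONS)


class LinkCollector(HTMLParser):
    """Collect every <a href=...> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_blocked_downloads(page_url: str, html: str) -> list[str]:
    """Return the absolute URLs in `html` that the policy would block."""
    collector = LinkCollector()
    collector.feed(html)
    return [urljoin(page_url, h) for h in collector.hrefs
            if is_blocked_download(page_url, h)]


# Constructed sample: an HTTPS downloads page mixing secure and insecure links.
SAMPLE_PAGE_URL = "https://www.example.test/downloads/"
SAMPLE_PAGE = """<html><body>
<a href="http://cdn.example.test/tool-1.2.exe">Installer (plain HTTP)</a>
<a href="/files/source.tar.gz">Source (same origin, inherits HTTPS)</a>
<a href="http://cdn.example.test/Manual.PDF">Manual (HTTP, but not a listed type)</a>
<a href="http://mirror.example.test/archive.ZIP?dl=1">Archive (HTTP, upper-case extension)</a>
<a href="//cdn.example.test/addon.crx">Add-on (scheme-relative, inherits HTTPS)</a>
</body></html>"""

if __name__ == "__main__":
    for url in find_blocked_downloads(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print("would be blocked:", url)
```

Running it over the constructed page reports only the `.exe` and the `.ZIP` link: the same-origin and scheme-relative links resolve to HTTPS, and the PDF is not one of the listed types.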

207 comments

  1. UGh. by flippy · · Score: 5, Insightful

    Why oh why does Google think that they know better than everyone? Give a warning, sure, and then let the user decide. Just the same way it handles an HTTP page vs an HTTPS page.

    1. Re:UGh. by Highdude702 · · Score: 1

      On top of that there are a ton more file extensions that should be added to it if they are trying to stop on-the-fly bin replacement. This is Google playing nanny again.

    2. Re:UGh. by flippy · · Score: 2

      100%. I get that they want to try to protect people from their own mistakes, but just outright disallowing stuff isn't the way to do that.

    3. Re:UGh. by Anonymous Coward · · Score: 0

      This has to be one of the most Google things we've seen in some time. But that's Google for you. They have a ridiculously long record of ignoring users or actively doing things they don't want, and they're not about to change until forced.

    4. Re:UGh. by Anonymous Coward · · Score: 0

      Why oh why does Google think that they know better than everyone?

      Well, they do make the most popular browser in the world. That lends a little bit of credibility.

    5. Re:UGh. by supremebob · · Score: 4, Insightful

      I wish that Google gave you the ability to suppress those warnings as well. I have a few internal development sites with invalid SSL certificates on them, which Google throws an obnoxious "YOUR CONNECTION IS NOT PRIVATE" warning every time I hit them.

      Congratulations, Google, you're training people to click on the "Proceed to x (unsafe)" link EVERY time they see that page as a muscle memory reaction, whether or not it's a real security issue.

    6. Re: UGh. by Anonymous Coward · · Score: 0

      When a browser blocks a download I close the browser and use a different browser. Simple. If they want me to use chrome then they will make chrome user friendly for this user.

    7. Re: UGh. by Anonymous Coward · · Score: 0

      Or you could fix your sites.

    8. Re: UGh. by flippy · · Score: 1

      I gotta agree with the AC here. If your SSL cert is invalid, then you're the one teaching people to proceed to unsafe as a muscle memory reaction, unless you're the only one using that site.

      If you are the only one using the site, you're expecting a browser customization to make your life less annoying by allowing you to disable a feature that benefits most users. The Big G ain't gonna do that.

    9. Re: UGh. by supremebob · · Score: 1

      Like I said, it's an internal development site. I don't want to waste my time setting up and maintaining SSL certificates for it.

      All I want is a simple "ignore SSL warnings for this domain" checkbox. It's not a huge ask.

    10. Re:UGh. by Anonymous Coward · · Score: 0

      BS! JEWgle shoved it down everyone's throat as 'addonware' to what people downloaded even autoinstalling it taking advantage of ignorance by most users and like typical jews they stole others code to do it and corrupted it (Chromium). Either get woke or quit twisting things jew boy liar.

    11. Re:UGh. by fafalone · · Score: 1

      Firefox isn't much better. I had no idea all download URLs were transmitted to a malware check, until after I spent 8 hours on a super slow download of one part of a zipped video file (i.e. not even executable), then Firefox, without warning, said it was malware and deleted it so hard forensic software couldn't get it back a minute later. And the only option around this is disabling the service entirely, which was fine for me since I was appalled at it transmitting all my URLs to a 3rd party without warning, but I'd imagine some would want a prompt. Maybe they changed it since I stopped updating, but knowing Mozilla, it's probably worse.

    12. Re:UGh. by MightyMartian · · Score: 1

      Most people have no ability to decide. Providing the feature can be turned off, I have absolutely no problem with a default that blocks files that are the most frequent delivery agents of malware.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    13. Re:UGh. by GameboyRMH · · Score: 1

      It's incredibly stupid that browsers don't make a peep about plaintext HTTP connections, but go into full "DANGER WILL ROBINSON!!1" alert for HTTPS connections with a self-signed or invalid cert. In what way could the latter possibly be less secure than the former?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    14. Re: UGh. by ilsaloving · · Score: 2

      I used to feel the same way. Then I started seeing issues like mixed http/https, and similar things, which don't get caught until far later in the dev cycle than they should be. Occasionally it results in an unexpectedly complicated mess.

      You don't need to be fancy about it. It may take a little initial setup to get, say, Lets Encrypt working, but incorporating SSL into your dev/qa environments will save you potential unexpected frustration down the road.

      Generally speaking, the closer you can match a dev environment to the final prod environment (in all aspects that can impact the operation of the final product that is), the better off you'll be.

    15. Re:UGh. by Anonymous Coward · · Score: 0

      What a strange question. They almost certainly have data (telemetry) that shows conclusively that they do know better than "everybody", meaning that they know the number of downloads initiated through http from https and have a fair idea of the proportion of times it was provably unsafe.

      I also bet there's an option to re-enable this, but in the basement behind a door that says "beware of leopard".

    16. Re:UGh. by AmiMoJo · · Score: 1

      You are supposed to install a local root certificate that you use to produce your own test certs.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:UGh. by Anonymous Coward · · Score: 0

      Why doesn't Google have a warning that your connection isn't private whenever you use Chrome? If Google could provide instructions on how to block Google then I'd appreciate it.

    18. Re:UGh. by grep+-v+'.*'+* · · Score: 1

      as a muscle memory reaction,

      Just hand Chrome (Chromium) over to the UI/UX experts. They'll have your errant muscle memory fixed in no time. And even better, it'll even STAY fixed since they'll keep moving it around and changing its appearance.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    19. Re:UGh. by SurenEnfiajyan · · Score: 1

      As if Mozilla (and others which usually make browsers based on Chromium) is much better. I remember I couldn't paste a quite large piece of JS code in the Firefox dev console since Mozilla thinks that it's very insecure to execute something from an unknown source. Actually it's uncommon for an average clueless user to open browser dev tools, paste and execute JS code. This is just an example of ruining the developers' experience. And many similar things can be said for user experience. Others aren't significantly better, they're doing almost the same things.

    20. Re: UGh. by Anne+Thwacks · · Score: 1
      It may take a little initial setup to get, say, Lets Encrypt working

      It would be so much easier if LetsEncrypt gave you error messages with at least a little info on what went wrong. If a file is a problem: give me the damn filename! (and the path where YOU think it should be. Then I will be able to find out if it is the content or the location that is a problem. If the permissions are wrong, let me know. It's not that hard).

      However, with regard to the OP, if there are multiple errors, you might have to let some go while you fix others. It's quite helpful to have the choice to leave the ones you are waiting for help on while fixing ones you know the answer to.

      It is absolutely infuriating to have to fight Google every step of the way.

      --
      Sent from my ASR33 using ASCII
    21. Re: UGh. by Anonymous Coward · · Score: 0

      This is a useful idea.

    22. Re: UGh. by fibonacci8 · · Score: 2

      Thoughts and prayers to everyone using your internal development site.

      --
      Inheritance is the sincerest form of nepotism.
    23. Re:UGh. by tepples · · Score: 1

      I've read it's a lot harder to install a local root certificate on an iPhone, iPad, Android phone, or Android tablet than on, say, a desktop computer. Besides, as of Android 7, local root certificates don't even work in all apps unless each app's developer has opted into using local root certificates through the app's Network Security Config.

    24. Re:UGh. by jythie · · Score: 1

      Even worse, there are some cases where it doesn't even give you the 'Proceed to x (unsafe)' link anymore. It makes dealing with outdated (gasp, only a few years old!) embedded devices REALLY frustrating.

    25. Re:UGh. by AmiMoJo · · Score: 1

      It's fairly easy: https://support.google.com/nex...

      Should work with all major browsers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    26. Re:UGh. by gmack · · Score: 1

      Setting up an internal Certificate Authority is not that hard.

    27. Re:UGh. by Anonymous Coward · · Score: 0

      And have a way to disable all warnings. Chromium based browsers have the annoying tendency to pop up a box asking to confirm the download of certain filetypes, such as exe but have no setting for disabling it. I don't want my computer second-guessing me.

    28. Re:UGh. by Anonymous Coward · · Score: 0

      Firefox isn't much better. I had no idea all download URLs were transmitted to a malware check, until after I spent 8 hours on a super slow download of one part of a zipped video file (i.e. not even executable), then Firefox, without warning, said it was malware and deleted it so hard forensic software couldn't get it back a minute later. And the only option around this is disabling the service entirely, which was fine for me since I was appalled at it transmitting all my URLs to a 3rd party without warning, but I'd imagine some would want a prompt. Maybe they changed it since I stopped updating, but knowing Mozilla, it's probably worse.

      Where can I find more info about this, please?

    29. Re: UGh. by Anonymous Coward · · Score: 2, Interesting

      Except Let's Encrypt doesn't work well for servers behind firewalls. You can coax out a manual cert via DNS but it sucks if your DNS doesn't have a dynamic update API or is only accessible via a special VPN network. And then Let's Encrypt certs are short-lived, so you end up repeating the process every 3 months.

      The scenario you describe is precisely why we need DNSSEC DANE TLSA mode 3. Then we can all publicly run our own private CAs. Browsers would trust your root for your domains only and trust my root for my domains only. They would also be able to trust internal infrastructure behind firewalls signed with that root without ever having to install a single root CA cert. We would finally ditch public CAs at that point, including Let's Encrypt, and have real trust on both the Internet and Intranets.

      Unfortunately, none of the major web browsers implement any part of DNSSEC DANE TLSA. At one point Mozilla even declared the relevant open bug/feature request as WONTFIX. If you read into the whole DANE TLSA debacle that's silently gone on for the past 8 years after the IETF finalized the specification, the TL;DR is that no one cares about implementing actual software security unless it makes a ton of money for someone.
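What the client-side half of the DANE-EE (TLSA certificate usage 3) check the comment above describes would involve, as an added example for this thread (not any browser's code, and not a full DANE validator: it does no DNSSEC validation and handles only usage 3). It parses the TLSA presentation format and compares the presented certificate or its SubjectPublicKeyInfo against the record; the certificate and key bytes used in the demo are constructed placeholders, not real DER.

```python
"""Minimal DANE-EE (TLSA usage 3) matching, added for this thread to show the
check a DANE-aware client would perform. Not any browser's code and not a
full DANE validator (no DNSSEC validation, no usage 0-2); the certificate
and SubjectPublicKeyInfo bytes used in the demo are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the RR presentation format, e.g. '3 1 1 2bb183af...'.
    The hex field may be split over whitespace in zone files."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    return TLSA(usage, selector, matching, bytes.fromhex("".join(parts[3:])))


def association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """The bytes the record's data field is compared against."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return selected
    if record.matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def dane_ee_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE: the end-entity certificate the server presents must itself match
    the record; no PKIX chain to a public CA is required."""
    if record.usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    return hmac.compare_digest(association_data(record, cert_der, spki_der), record.data)


def any_record_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """A name may publish several TLSA records (e.g. during key rollover);
    one match is enough."""
    return any(dane_ee_matches(parse_tlsa(r), cert_der, spki_der) for r in records)


def tlsa_for_spki(spki_der: bytes) -> str:
    """Presentation-format record an operator would publish for a key: '3 1 1 <sha256>'."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


# Constructed placeholders standing in for DER-encoded structures.
DEMO_CERT_DER = b"constructed-certificate-der-placeholder"
DEMO_SPKI_DER = b"constructed-subjectpublickeyinfo-placeholder"
ROTATED_SPKI_DER = b"constructed-subjectpublickeyinfo-after-rollover"

if __name__ == "__main__":
    record = tlsa_for_spki(DEMO_SPKI_DER)
    print(record)
    print("current key matches:", any_record_matches([record], DEMO_CERT_DER, DEMO_SPKI_DER))
    print("rotated key matches:", any_record_matches([record], DEMO_CERT_DER, ROTATED_SPKI_DER))
```

Publishing "3 1 1" (SPKI, SHA-256) rather than "3 0 1" (whole certificate) is what lets a short-lived certificate be reissued for the same key without touching DNS; a key rollover needs the new record published alongside the old one before the switch, which is why the matcher accepts any of several records.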

    30. Re: UGh. by Anonymous Coward · · Score: 0

      If you can't be assed doing it now you won't be later you lazy piece of shit.

    31. Re:UGh. by AHuxley · · Score: 1

      So their encrypted ads show. No more placing ads with HTTP that are 3rd party.

      --
      Domestic spying is now "Benign Information Gathering"
    32. Re: UGh. by Anonymous Coward · · Score: 0

      Different AC here. I manage around 8,000 different devices which use an html based interface. Yes, I could generate and install a valid cert for each one.
      Or more accurately, I could open a ticket with our IT Cert team to have them generate one for me. Well, one for each device, they won't allow me to use one (or even a few) for multiple systems. Oh, and it's a standard 30 to 60 SLA for them to generate one. Last time I tried doing a batch of 200 they quoted me six months. And they'll only give me certs that are valid for a year.
      Did I mention that IT also has our workstations locked down and won't allow installation of any unapproved authorities?

      Anyhow, I gave up on it. And have now trained my fingers so well I can click through the warnings without really looking.

    33. Re:UGh. by tepples · · Score: 1

      Should work with all major browsers.

      From the page you linked:

      Most apps don't work with CA certificates that you add

      In Android 7.0 and up, by default, apps don't work with CA certificates that you add. But app developers can choose to let their apps work with manually added CA certificates.

      Do you mean that the publishers of Chrome, Firefox, and other major browsers do in fact "choose to let their apps work with manually added CA certificates"?

    34. Re: UGh. by Zmobie · · Score: 1

      No. Granted, working in a dev environment is a bit of a corner case, but there is no reason this can't be a configuration option. I am not generating a bunch of certs for staging servers or other environments that are highly volatile and constantly built and torn down. Google is getting pretty draconian with their policies and changes.

    35. Re: UGh. by Anonymous Coward · · Score: 0

      Shut up you fake news faggot shill INCEL genocidaire deplorable uneducated cis-hetero gaylord running dog trumptard Russian NAZI alt-right bolshevik anti-Semitic Zionist Chinese cock-gobbling fascist mansplaining French fundamentalist SJW shitfucker MRA strawman trailer trash inbred lesbian Hillaryist feminazi richie rich ghetto alt-left white supremacist PEDOPHILE wetback spic mick wop nlgger chink kike redneck dago camel jockey bourgeois puritanical crackhead liberturdian commie TRAITOR!

    36. Re: UGh. by houghi · · Score: 1

      Yeah, but how do they know it is an internal site once they get the data back from their own built-in DNS server?

      --
      Don't fight for your country, if your country does not fight for you.
    37. Re:UGh. by AmiMoJo · · Score: 1

      Read it again, carefully. That caveat only applies to CA certificates, not ones you make yourself.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    38. Re:UGh. by Anonymous Coward · · Score: 0

      It works in Chrome which is the only one that matters since it is built in. For the other browsers you can just download the apk from apk pure and patch it so that it works.

      https://github.com/levyitay/AddSecurityExceptionAndroid

    39. Re:UGh. by Anonymous Coward · · Score: 0

      For Android 7+ it is since aside from Chrome you have to manually patch the apk for each browser or app you want to be able to use it. There is a tool to do so but it is Linux only.

    40. Re:UGh. by Anonymous Coward · · Score: 0

      Yes it does but there is a fairly easy workaround. Install Linux (in a VM if necessary), install Java, manually download the browser apk from apkpure, and finally use this https://github.com/levyitay/AddSecurityExceptionAndroid to patch the apk so custom certs work.

      Either that or just only use devices with an unlocked bootloader and use a Magisk module to install them as system certificates.

    41. Re:UGh. by thegarbz · · Score: 1

      Why oh why does Google think that they know better than everyone?

      I'm going to guess it's because they spend more money on R&D and human interaction studies than the typical armchair warrior does.

    42. Re:UGh. by thegarbz · · Score: 1

      Congratulations, Google, you're training people to click on the "Proceed to x (unsafe)" link EVERY time

      No. They are training IT experts who should be immune to the training to do so. The number of times an ordinary user will experience a page with a legitimate SSL certificate error that they need to routinely click through is close to zero. The result is that people take pause.

      Quite telling that your example talks about internal development sites. I'm not concerned too many users have to worry about those.

    43. Re: UGh. by thegarbz · · Score: 1

      I am not generating a bunch of certs for staging servers or other environments that are highly volatile and constantly built and torn down.

      Your slackness in automating something that is easily automated shouldn't rely on Google adding yet another option to their product.

    44. Re:UGh. by thegarbz · · Score: 1

      It's not stupid at all.

      Do you expect a warning every time you walk down the street while you talk that your conversation may be overheard by the person walking next to you?
      Do you expect a warning when you're in your home and someone has installed a microphone in your closet?

      There are completely different use cases.

    45. Re:UGh. by GameboyRMH · · Score: 1

      You make the same mistake as raymorris, in asserting that most users even notice the difference between HTTP and HTTPS. They don't, which is why browsers have green lock indicators etc.

      https://slashdot.org/comments....

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    46. Re:UGh. by tepples · · Score: 1

      If you're acting as a private CA, what's the difference between "a local root certificate that you use to produce your own test certs" and "CA certificates"?

    47. Re:UGh. by AmiMoJo · · Score: 1

      Basically it's the level of trust that each gets. CA certs are generally handled transparently without any user interaction and accepted as validating identity. Self signed certs are just used for security and don't prove identity, and some clients may choose to ask the user to confirm their use, typically only once the first time they are encountered.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    48. Re:UGh. by Anonymous Coward · · Score: 0

      I find it somewhat remarkable that you as an apparent web developer don't know how to install a trusted certificate on your computer and instead suggest that the browser vendor should provide a one-click negation of every protection offered by https.

      You should do one of the following:

      1) Install and trust your dev certificates locally.
      2) Use dev certs signed by a 3rd party CA (Beware of leaking internal machine names in public CT logs)
      3) Install and trust your own private CA and issue dev certs signed by your trusted private CA (Best approach)
      4) Use lets encrypt with DNS challenge (complex; point 2 still applies)

    49. Re: UGh. by Anonymous Coward · · Score: 0

      Google treats people as idiots. Example:
      Google removed the --ignore-certificate-errors option, useless in development, citing a single post on an obscure blog by some idiot telling people it was a way to stop the annoying error messages, and said this was a security vulnerability because people were using it without "understanding".

  2. Google ain't done 'til the Web won't run by Anonymous Coward · · Score: 0

    Punishing sites for using mixed content? That's a paddlin'.

    1. Re:Google ain't done 'til the Web won't run by Anonymous Coward · · Score: 0

      To be fair, they're blocking file downloads, not the pages with mixed content themselves.

  3. Google version of the web. by Anonymous Coward · · Score: 0

    Google is making there own version of the web. I think Microsoft tried to do this and failed.

    1. Re:Google version of the web. by Anonymous Coward · · Score: 0

      Da 'tards lub da Goog, doh.

    2. Re: Google version of the web. by Anonymous Coward · · Score: 0

      The times weren't ready. Now they are. People crave security above all else.

    3. Re: Google version of the web. by Lanthanide · · Score: 2

      Google are doing it in a standards based way though, Microsoft didn't.

      If you visited the site using another browser, you can still do the download. Once the website admin jumps through Google's hoops, the download will still work correctly in any other browser that properly follows the HTTPS standard.

    4. Re:Google version of the web. by Anonymous Coward · · Score: 0

      *their*
      It might be over there, however.

    5. Re: Google version of the web. by tepples · · Score: 1

      If you visited the site using another browser, you can still do the download.

      Another browser won't even run on a pre-Crostini Chromebook.

    6. Re: Google version of the web. by Anonymous Coward · · Score: 0

      Google implements "standards" in their own proprietary way and force other browsers to adapt. They also corrupt the standards bodies and push for DRM on the web. They constantly find places to insert themselves between you and the content, instead of simply pointing you to the content and then getting out of the way. Google has damaged the web by infesting it with Google ads and constantly spying on the users. The collected data is happily funneled by them to the CIA and the Chinese government.

    7. Re: Google version of the web. by bursch-X · · Score: 1

      It's what the body craves.

      --
      There are two rules for success:
      1. Never tell everything you know.
  4. uhh,, by SuperDre · · Score: 2

    But http or https doesn't really matter these days, even malicious sites are using https..
    As long as you get a warning when downloading and you are still able to download the file, I don't have anything against it. But if they just block download completely because it isn't coming from an https site, then I won't be using Chrome anymore.. As I said, https doesn't say anything about the file being safe.

    1. Re:uhh,, by Anonymous Coward · · Score: 0

      The difference is that HTTP allows practically ANYONE to MITM your downloads..

    2. Re:uhh,, by CastrTroy · · Score: 2

      But it does mean that the executable file wasn't altered in transit.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:uhh,, by Highdude702 · · Score: 1

      Auto check summing would be better all around.

    4. Re:uhh,, by Anonymous Coward · · Score: 1

      I like big CATS and I cannot lie
      You cheetahs can't deny

    5. Re:uhh,, by Anonymous Coward · · Score: 1

      I always wondered... if the checksum was from the same place, how do you know some MITM attack didn't change the checksum?

    6. Re:uhh,, by Anonymous Coward · · Score: 0

      Good question, send checksum via https and file via http?
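The question two posts up, worked through in code (an added example for this thread, not from any project): whether a checksum helps depends on whether an on-path party who can rewrite the file can also rewrite the checksum. The origin, the tamperer and the file bytes are all constructed stand-ins; nothing touches the network. It models the three cases: file and checksum both over plain HTTP, checksum over HTTPS with the file over HTTP, and both over HTTPS.

```python
"""Why it matters which channel carries the checksum. Added example for this
thread, not from any project; the origin, the on-path tamperer and the file
bytes are all constructed stand-ins (no network access)."""
import hashlib
import hmac

GENUINE = b"#!/bin/sh\necho 'genuine installer'\n"
TAMPERED = b"#!/bin/sh\necho 'substituted on the wire'\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed origin: it publishes the file and a SHA256SUMS-style digest.
ORIGIN = {"file": GENUINE, "sums": sha256_hex(GENUINE)}


def swap_both(resource: str, data):
    """On-path tamperer: replaces the file, and any checksum it sees, so the
    two still agree with each other."""
    if resource == "file":
        return TAMPERED
    if resource == "sums":
        return sha256_hex(TAMPERED)
    return data


def fetch(resource: str, over_https: bool):
    """Model of a fetch: over plain HTTP an on-path party can rewrite the bytes;
    over HTTPS we assume it cannot (that is what the transport guarantees)."""
    data = ORIGIN[resource]
    return data if over_https else swap_both(resource, data)


def verify(file_bytes: bytes, expected_hex: str) -> bool:
    """Constant-time digest comparison."""
    return hmac.compare_digest(sha256_hex(file_bytes), expected_hex)


def download_and_verify(file_over_https: bool, sums_over_https: bool):
    """Returns (checksum_verified, file_is_genuine)."""
    file_bytes = fetch("file", file_over_https)
    sums = fetch("sums", sums_over_https)
    return verify(file_bytes, sums), file_bytes == GENUINE


def run_scenarios() -> dict:
    return {
        "file http, sums http": download_and_verify(False, False),
        "file http, sums https": download_and_verify(False, True),
        "file https, sums https": download_and_verify(True, True),
    }


if __name__ == "__main__":
    for name, (verified, genuine) in run_scenarios().items():
        print(f"{name:24s} checksum ok={verified!s:5s} file genuine={genuine}")
```

The first scenario is the one to notice: the checksum verifies and the file is still wrong, because both came through the same rewritable channel. Only when the digest arrives over a channel the tamperer cannot alter does a mismatch expose the substitution. A detached signature over the digest, checked against a key obtained out of band, does the same job when the checksum page itself cannot be served over HTTPS.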

    7. Re:uhh,, by SuperDre · · Score: 0

      In case you didn't know, MITM attacks are now also possible through https....... It's not as simple as with http, but it is possible..

    8. Re:uhh,, by Chris+Mattern · · Score: 3, Insightful

      But it does mean that the executable file wasn't altered in transit.

      Catching executables in flight and altering them sounds like a really hard way to do something unless your ISP is doing it to you (and if your ISP would do that to you, you have much bigger problems). It ranks way down on my list of worries, being massively overshadowed by the possibilities that the site itself has been hacked or is intentionally serving up malware--neither of which this does anything to help you cope with.

    9. Re:uhh,, by darkain · · Score: 2

      Simple, just send a checksum of the checksum! PROBLEM SOLVED!

    10. Re:uhh,, by balexis · · Score: 2

      It may not be in your threat model, but it is to some Internet users. Have a look at this report for example: https://www.welivesecurity.com... The fact that other threat vectors are more likely to impact users does not mean that rarer cases should be ignored - they are not mutually exclusive.

    11. Re:uhh,, by WaffleMonster · · Score: 1

      The difference is that HTTP allows practically ANYONE to MITM your downloads..

      So does HTTPS. You just get one of hundreds of CAs to issue you a cert by MITMing their automated DNS/Website flag planting procedure, then you can MITM that site's HTTPS downloads to your heart's content.

    12. Re:uhh,, by Anonymous Coward · · Score: 0

      The checksum is encrypted with the provider's private key. The user decrypts it with the provider's public key retrieved from a certificate authority the user, really the user's browser, trusts.

      That is how signed certificates work.

    13. Re:uhh,, by Anonymous Coward · · Score: 0

      MITM it all the fuck you want. Yay Hash verification! Hash don't match, it gets deleted, plain and simple.

    14. Re:uhh,, by Anonymous Coward · · Score: 0

      But if they just block download completely because it isn't coming from an https site, then I won't be using Chrome anymore..

      Yeah you will, because sites will only work right on it. I'm already in that boat at work with stupid apps that we have to use, and it's only a matter of time before sites like banks will only work right on Chrome.

      It's like IE6 all over again.

    15. Re:uhh,, by Anonymous Coward · · Score: 0

      It may not be in your threat model, but it is to some Internet users

      But his point is valid. From an attacker's point of view, the easiest method of delivery by far (and the most common also) is to alter a working site's code using known exploits and deliver the malware from there. Or, just set up a site on the internet somewhere, including a working SSL, and start delivering malware.

    16. Re:uhh,, by Anonymous Coward · · Score: 0

      You don't catch the executable and alter it in flight. You just block the download, and serve up your malware with the same filename whenever you see an executable flying by. A compromised ISP could infect a lot of machines before anyone realized what was going on.

    17. Re:uhh,, by Anonymous Coward · · Score: 0

      MITM it all the fuck you want. Yay Hash verification! Hash don't match, it gets deleted, plain and simple.

      Not every site publishes their respective hashes though.

    18. Re:uhh,, by Anonymous Coward · · Score: 0

      I like big CATS and I cannot lie
      You cheetahs can't deny

      Why did this get up-modded? It's practically redundant.

    19. Re:uhh,, by Anonymous Coward · · Score: 0

      The difference is that HTTP allows practically ANYONE to MITM your downloads..

      So does HTTPS. You just get one of hundreds of CAs to issue you a cert by MITMing their automated DNS/Website flag planting procedure, then you can MITM that site's HTTPS downloads to your heart's content.

      I'd still wager that the kid down the coffee shop who MITM's customers connections doesn't know how to attack a CA as you described, thus raising the bar significantly against casual attacks.

  5. Re:Shut up and eat yer porridge by flippy · · Score: 0

    Have you not yet learned from experience? I enjoy poking at you. It's entertaining to me.

  6. How by Anonymous Coward · · Score: 0

    Can someone confirm how they are planning to detect these file types to disallow downloading? Are they going purely by extension or are they testing for mimetypes?

    I only ask because as a developer I hate when filetypes are assumed just purely based on extension. Not only that but, is this going out on all OSes? Because .exe files are harmless on Linux (unless transmitted again), for example.

    1. Re: How by bursch-X · · Score: 1

      Same stupidity for .dmg files on the Mac. Unless you open it, double click on the app contained within and then enter your password on the following dialogue to grant the app admin rights, nothing's gonna happen with that file.

      --
      There are two rules for success:
      1. Never tell everything you know.
  7. *facepalm* by ilsaloving · · Score: 1

    Ok, and how exactly do they expect people to be able to download software, or other files?

    Apparently in Google's world everyone has gigabit fibre so very large log files (for example) are not an issue. But for those of us in the real world, being able to compress stuff before sending is still incredibly valuable.

    (And for anyone that plans to latch onto the log file example like starving dog on a steak and say "Well you should be splitting up your log files!", I kindly invite you to eff off in advance. I'm talking about the real world, where shit happens on a routine basis...)

    1. Re:*facepalm* by ilsaloving · · Score: 1

      Or, I could read the summary and article a little more carefully and realize it's restricted to HTTP downloads from an otherwise HTTPS site.

      I can see why they would do that since an HTTP connection can be MITM'ed easily. But that goes for literally anything. Malicious office docs, PDFs... There are tons of files that can have a malicious payload beyond the ones they mentioned. Hell, someone MITMing an HTTP connection can basically send whatever they want, so it would be far simpler to just bring up a warning on ANY switch from HTTPS to HTTP.

      Blocking specific extensions in the way they are proposing is going to cause far more confusion than good.

    2. Re:*facepalm* by squiggleslash · · Score: 1

      This is only for files served via HTTP from webpages that were loaded using HTTPS. Either change your bookmarks site (or whatever it is) to be HTTP, or change the site that serves the "compressed log files" to HTTPS. If your bookmarks site is HTTPS, you probably should be serving the log files via HTTPS anyway.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:*facepalm* by Immerman · · Score: 1

      The big difference I see is that executables inherently get pretty much full unrestricted user-level access to the machine, whereas compromised documents rely on exploiting vulnerabilities in applications (i.e. it's somebody else's problem). Those applications are typically constantly being updated to remove vulnerabilities (well, so long as they're not "too big to care about users' needs" at least, which perhaps covers the specific examples you mentioned...)

      That said - yeah, it does seem like simply warning on everything would be the better route. Except... there's been a big cross-browser push towards "HTTPS for every page" to avoid browser warnings, while HTTP downloads behind the scenes are probably still a pretty common scenario (no need to rack up the encryption overhead for such comparatively large files, right?), which means the warning would be popping up constantly, with every new font, mp3, etc. downloaded. And any warning shown frequently enough becomes effectively invisible. By (initially at least) focusing on the most vulnerable files they greatly reduce the frequency of the warning for most users, while still raising awareness and pressuring site owners not to silently degrade to unencrypted downloads behind the scenes.

      I.e. this is at its core a social solution to a social vulnerability, rather than a strictly technical one.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    4. Re:*facepalm* by Anonymous Coward · · Score: 0

      Whether an executable gets unrestricted access to the machine is up to 1) whether the browser itself, or whatever app opens the document, executes it or embedded code with whatever permission it has and is running as admin, and 2) whether the OS executes it with unrestricted permissions.

      Http or https has nothing to do with it. You can download a virus or other malware via https. Try https://McAfee.com or https://microsoft.com or any one of the "downloads" sites

    5. Re:*facepalm* by Immerman · · Score: 1

      We're talking about files downloaded from insecure links on secure pages - I'd say it's safe to assume that this is a move designed to discourage putting the user in an unexpectedly dangerous position, rather than provide greater technical defenses. A user downloading a file from a trusted and obviously secure web page (it has the secure icon) is going to reasonably assume that the file that leaves the server is the same as the file that arrives at their computer, rather than realizing it could have been infected by any router it passed along the way.

      And the entire point of intentionally downloading an executable is to run it, so as a developer you can reasonably conclude that any such programs will *definitely* be given *at least* the full range of normal user access, and probably at least the limited elevated access typically requested by an installer. You want to take a guess at what percentage of people actually scan a fresh download from a trusted site for viruses before running it?

      I think rather than blocking though, there should be a dialog along the lines of: "WARNING: this download is not secure. Even if you trust this site, the file could be infected by viruses as it crosses the internet to reach you. Are you sure you want to continue?"

      That warning could be legitimately given for any http download, but is especially appropriate when the user apparently has a connection safe enough to share banking information over.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  8. Re:Shut up and eat yer porridge by Anonymous Coward · · Score: 0

    I'm confused. D'you have a stalker troll?

    I was making a point about having things shoved down one's throat. Like what Google likes to do.

  9. My wish... by Strider- · · Score: 1

    Is that we could all agree on some sort of standard whereby from a secure site you could initiate a download, have that download be unencrypted, but the download link would include a sha256 checksum that would be checked automatically by the browser once the download was complete.

    This would allow popular downloads to be cached closer to the user, while providing for verification of the download integrity.

    --
    ...si hoc legere nimium eruditionis habes...
    1. Re:My wish... by Anonymous Coward · · Score: 1

      if you think about it a bit longer you'll discover that doesn't solve anything

    2. Re: My wish... by Lanthanide · · Score: 1

      The idea, that was not communicated clearly, is that the hash would be transmitted over the encrypted channel, thus extending trust to the object served outside of that trusted umbrella.

    3. Re:My wish... by Immerman · · Score: 1

      I'm not seeing it.

      Obviously the checksum would have to be sent over the encrypted channel, but so long as you do that, sending the data itself unencrypted and cacheable is a non-issue. (well, aside from surveillance)

      I've often wondered why such a thing isn't common myself - not just for security purposes, but to reliably and transparently detect accidental transmission errors.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    4. Re:My wish... by tepples · · Score: 1

      Would a "signing-only cipher suite" make sense?

    5. Re:My wish... by Anonymous Coward · · Score: 0

      You could potentially encode the hash of the object in the url itself.

    6. Re:My wish... by Strider- · · Score: 1

      Bingo. The hash is part of the URL, so it's delivered securely, but the body of the download isn't.

      This is how Microsoft (and apple I think) do their updates. The control channel is secured via https, but the mass download of the updates is not. I always know when a big update is put out, as the effectiveness of my WAAS setup goes up dramatically for a few days.

      --
      ...si hoc legere nimium eruditionis habes...
    7. Re:My wish... by Anonymous Coward · · Score: 0

      ...BitTorrent?

  10. Mostly Pointless by EndlessNameless · · Score: 4, Insightful

    Most sites provide their file hashes over HTTPS. If I'm going to verify the file on my end anyway, there's no real reason for the site to waste CPU encrypting the entire ISO every time someone downloads it.

    Digital signatures and hash verification address the same security concerns with less impact.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      There should be a protocol for clear-signing or put another way, automatically verify the hashes.

    2. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      Maybe a better solution would be to add a new attribute to link tags, like with the hyperlink ping auditing, but for providing a secondary link to the file hash. That way the user agent could check the hash over HTTPS automagically, download the file into a sandbox, check against the hash, and then tell the user whether the file passed or failed verification (leaving the user the choice of deleting the sandbox or installing the potential malware).

    3. Re:Mostly Pointless by Kjella · · Score: 1

      Most sites provide their file hashes over HTTPS. If I'm going to verify the file on my end anyway

      Well to my knowledge there's no standard way to do this. Like if you could have an <a href="http://my.plain.download" sha-256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"> this would be fine, simply fail if it doesn't verify. But if you're expecting the average user to verify security certificates etc. then 99.9% of them won't do that.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Mostly Pointless by Immerman · · Score: 1

      >Most sites provide their file hashes over HTTPS.
      I'm going to have to disagree. In my experience, most sites don't provide hashes, and most users don't know how to check them anyway.

      If you're downloading ISOs you're probably a fellow Linux enthusiast, which puts you in a (generally) much more technically competent group, but a group so small as to be largely irrelevant to the attack channels used against the broader population.

      Also - even for technical users they're not talking about blocking all HTTP downloads, just the ones posing as HTTPS and being silently degraded behind the scenes. If I click an HTTPS download link, then I should be able to assume that what was sent is what I receive, and that checking against the hash is redundant - anyone compromising the source file could probably also compromise the displayed hash. Whereas if I download via HTTP, I know the transmission is vulnerable and should check the hash.

      An excellent compromise I've seen mentioned many times before, and which would benefit everyone, technical and otherwise, would be to establish a convention that would securely transmit the hash via HTTPS, and then automatically verify it when the download is complete. It could be as easy as adding a "checksum=..." attribute to the link tag.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
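    The automatic verification that Strider- describes (the expected hash carried in the download URL, delivered over the HTTPS control channel) and that Kjella and Immerman describe (a checksum attribute on the link), as an added example written for this page rather than code from any poster or from Chrome. It uses a hypothetical `#sha256=` URL-fragment convention: the fragment is obtained with the HTTPS page and is never sent to the plain-HTTP mirror, so the digest travels only over the authenticated channel. Hostnames, sample bodies and the two `transport` callables (an honest mirror and a tampering middlebox) are constructed stand-ins for real HTTP fetches. Note that browsers' Subresource Integrity only covers `<script>` and `<link>` elements, not `<a>` downloads, so a client has to do this itself today.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample bodies: what the mirror should send, and what a
# man-in-the-middle on the plain-HTTP leg substitutes.
GENUINE_BODY = b"PK\x03\x04" + b"real-installer-contents\n"
TAMPERED_BODY = GENUINE_BODY + b"\x00dropper"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The link as it would appear on the HTTPS page: the file itself is fetched
# over plain HTTP, but the expected digest rides in the URL fragment, which
# the browser obtained over the authenticated channel and never sends to the
# mirror.  (Hypothetical convention and hostname; no browser does this today.)
SECURE_LINK = "http://mirror.example.invalid/tool-1.0.zip#sha256=" + sha256_hex(GENUINE_BODY)


def expected_digest_from_url(url: str) -> Optional[str]:
    """Return the SHA-256 hex carried in the URL fragment, or None if absent/malformed."""
    values = parse_qs(urlparse(url).fragment).get("sha256")
    if not values:
        return None
    digest = values[0].lower()
    # A malformed digest must read as "no digest", never as "verified".
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return digest


def verify_download(body: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the body's digest against the expected value."""
    return hmac.compare_digest(sha256_hex(body), expected_hex.lower())


def fetch_and_verify(url: str, transport: Callable[[str], bytes]) -> Tuple[bool, str]:
    """Download via `transport` (a stand-in for an HTTP GET) and accept only a matching body."""
    expected = expected_digest_from_url(url)
    if expected is None:
        return False, "no digest bound to link; refusing to trust a plain-HTTP body"
    bare_url = urlparse(url)._replace(fragment="").geturl()
    body = transport(bare_url)
    if not verify_download(body, expected):
        return False, "digest mismatch: body altered on the mirror or in transit"
    return True, "ok"


# Constructed transports standing in for an honest mirror and a tampering middlebox.
def honest_mirror(url: str) -> bytes:
    return GENUINE_BODY


def mitm_mirror(url: str) -> bytes:
    return TAMPERED_BODY


if __name__ == "__main__":
    print(fetch_and_verify(SECURE_LINK, honest_mirror))
    print(fetch_and_verify(SECURE_LINK, mitm_mirror))
    print(fetch_and_verify("http://mirror.example.invalid/tool-1.0.zip", honest_mirror))
```

This gives integrity, not confidentiality: the body is still visible to anyone on the path, which is DRJlaw's objection further down. It also only helps when the digest arrives over an authenticated channel; a hash published on the same plain-HTTP page as the file can be rewritten by the same attacker and adds nothing.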
    5. Re:Mostly Pointless by balexis · · Score: 1

      You should realize that people who systematically manually verify the hash of the files they download represent an infinitesimal proportion of all internet users.

    6. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      Even some of the complete nutjobs won't manually verify every single hash every single time.

    7. Re:Mostly Pointless by DRJlaw · · Score: 1

      If I'm going to verify the file on my end anyway, there's no real reason for the site to waste CPU encrypting the entire ISO every time someone downloads it.

      Nobody will see this due to the wall of trolling that's accumulated under your post, but...

      Sure there is. "They'll"* know that you downloaded that file through their deep packet inspection gear.

      *They being the government (three letter agencies), or the transit provider, or the cable/DSL oligopoly, or FAANG because why the hell not.

    8. Re:Mostly Pointless by AmiMoJo · · Score: 1

      What percentage of internet users do you think actually know what a hash is?

      This is just another step towards fixing a very old mistake. Security should be the default.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

      done

    10. Re:Mostly Pointless by WaffleMonster · · Score: 1

      What percentage of internet users do you think actually know what a hash is?

      Is this an issue that needs solving? Are people actually being owned by this vector? What percentage of Internet users have been attacked in this way? Where is the evidence supporting this position? Why are less assertive measures insufficient?

      Or like Google's bullshit reasoning for reducing security by removing public key pinning and falsely claiming certificate transparency is an effective analogue is this just another scheme for punishing *undesirable* sites who link to third party files for download that happen to be IP literals (no DNS therefore no possibility of TLS) or otherwise don't have certificates?

      This is just another step towards fixing a very old mistake. Security should be the default.

      This is not an objective fact. It's a subjective opinion.

      Regardless of opinions for or against there is something fucked up when one company imposes restrictions on the entire Internet because it can.

    11. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      This would be a great feature!

    12. Re:Mostly Pointless by AmiMoJo · · Score: 1

      Is this an issue that needs solving?

      Yes. MITM attacks are used by everyone from governments to ISPs to spread malware.

      there is something fucked up when one company imposes restrictions on the entire Internet because it can.

      The entire internet runs on Chrome?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      If you right-click a file in explorer.exe you can sha256 it right there. But that's because I have 7-zip installed. Linux desktops such as Mate have this built-in. Microsoft should probably add this.
      Thus I don't have to download checksumming software or remember how to run it! But I do know what a hash or a checksum is (or a CRC) and I remember that I didn't check for anything when updating BIOSes back in the day.

    14. Re:Mostly Pointless by Immerman · · Score: 1

      You really want to try to explain how to do that properly to your average user?

      More to the point - why should even a skilled user have to do that manually when it's such a fundamental part of safely downloading a file? How many millions of man-hours per year would be wasted doing that easily-automated task, if everyone actually could and did do so for every download?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    15. Re:Mostly Pointless by WaffleMonster · · Score: 1

      Yes. MITM attacks are used by everyone from governments to ISPs to spread malware.

      There isn't a government in the world worth mentioning lacking resources to MITM HTTPS. Numerous CAs are located in effective dictatorships, some even state run.

      This fact is why it was so damaging and counterproductive for Google to have removed key pinning protections from Chrome while falsely claiming certificate transparency to be an analogous replacement. The man asked and Google complied.

      As for ISPs spreading malware this is illegal criminal behavior in most of the world. Any ISP caught doing so faces criminal liability. Given the fact that any HTTP use carries increased risk, it's not sufficient to cherry pick and hand wave "x used by everyone" to support a course of action. There should be a study conducted with concrete peer reviewed data and findings addressing the specific question at hand distinct from the question of MITM generically.

      Under the same theory what prevents Google from justifying total removal of HTTP? What's the difference? Why do one but not the other?

      What is absolutely maddening is the fact vectors by which people are actually being compromised in the millions have nothing at all to do with BIW shenanigans.

      People are actually being socially engineered into compromising their own systems and accounts. For the vast majority of users HTTPS use is actually completely worthless when it comes to protecting them from actual threats they actually face. 9 out of 10 of all attacks exploit PEOPLE not systems.

      Strong ZKP based authentication technologies which can mitigate social engineering risks when used consistently are actively held back from deployment in major browsers even though all of the necessary infrastructure exists and patches have been written to implement them. Why is that?

      The entire internet runs on Chrome?

      The entire Internet has to support Chrome users. Nobody can seriously say you are using Chrome so take a hike as doing so would preclude access by majority share of the worlds Internet population.

    16. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      That is what HTTPS could (well should) do too. Just automatically check hashes on the receiving end. No need to encrypt data, unless client opts to force it.

    17. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      Who the crap actually uses hashes to verify a file? I've got better things to do with my time.

    18. Re:Mostly Pointless by thegarbz · · Score: 1

      If I'm going to verify the file on my end anyway

      What are you working for the NSA or something? Normal people don't do that.

    19. Re:Mostly Pointless by Anonymous Coward · · Score: 0

      You could waste your time doing that, or you could just let HTTPS take care of it for you. Encryption is nearly free. You will definitely be spending more time feeding the file into a hasher and copy/pasting the website hash to compare than just using a secure connection to begin with.
      Now if you had the hash from an out of band source, like a gpg'd email you received from the publisher, then comparing the hash would give a genuine increase in confidence that the file is legitimate. But just using the one on the website? Worthless when TLS exists.

  11. makes no fucking sense by Anonymous Coward · · Score: 0

    You can still download the .exe over HTTPS and run it when it's done downloading.

    Why exactly ban these file types' transmission over HTTP again? It has nothing to do with encryption.

    Good thing I don't use that dog shit Chrome though.

    1. Re:makes no fucking sense by JcMorin · · Score: 2

      The idea is not to prevent downloading them but to prevent the ISP, rooter, internet cafe or guy next door from changing the content of that .exe during the download.

    2. Re: makes no fucking sense by Lanthanide · · Score: 1

      *router

  12. HTTP/HTTPS by PPH · · Score: 0

    Let me guess: So that a site without a Hollywood approved security certificate can't make use of HTTPS to encrypt and circumvent mandatory Hollywood file inspection?

    --
    Have gnu, will travel.
    1. Re:HTTP/HTTPS by tepples · · Score: 1

      What does the neighborhood of Hollywood or even the US movie industry have to do with HTTPS? Let's Encrypt offers free certificates to anyone who owns a domain name.

  13. Re:Shut up and eat yer porridge by flippy · · Score: 0

    I might have a stalker troll. I've been poking at them a lot the last few days. The entertainment helps me get through my work day.

    But, now that I can put your response into its proper context, well done. Read the right way, it did give me a chuckle.

  14. This has a funny taste by Headw1nd · · Score: 1

    It brings back bad memories of when Google decided that certain filetypes were too dangerous to be handled by gmail, so suddenly I could no longer access a bunch of .js files a buddy had sent me long ago that I had in my mailbox. I was not impressed.

  15. http make little sense today by JcMorin · · Score: 1

    Considering how many are downloading from wifi or an untrusted router, it doesn't make sense to use http because you can get your file changed during the download. HTTPS won't slow you down and will offer basic security against the hacker next door. For web hosting, https://letsencrypt.org/ offers free SSL certificates.

  16. SCR files? by Dwedit · · Score: 1

    Including .EXE but forgetting about .SCR, .COM, .BAT, .LNK, and possibly other extensions that are treated just like .EXE files?

    (Yes, .BAT files which are valid PE executables will run as executables, and it won't try to execute it as a command prompt script)

  17. Re: Shut up and eat yer porridge by Anonymous Coward · · Score: 0

    Welcome to slashdot. Where everyone has a stalker troll. It's called freedom and being an AC.

  18. Not everything should be encrypted by Anonymous Coward · · Score: 1

    I think there's actually a push to encrypt too much. It's got obvious benefits for privacy and security, but encrypted traffic can't use the internet's caching infrastructure which would benefit popular downloads, which tend to be ZIPs, EXEs, TARs and such. What I'd really like to see is browser integration to insecurely download files and securely confirm its fingerprint.

    That said, making the user aware of an unencrypted download from an encrypted site would be good. Blocking it would be bad.

  19. Google Chrome... by Anonymous Coward · · Score: 0

    Google Chrome...the Windows 10 Spy/Virus of web browsers!

  20. Re: Shut up and eat yer porridge by flippy · · Score: 0

    They're welcome to it! When I tire of the entertainment I get from poking at them, I'll stop poking at them ;)

  21. Won't this require... by rnturn · · Score: 1

    ... web site to go through all their web pages and make sure that no instances of "http:" are accidentally left in pages where downloads are available?

    It might be easier for web sites to merely add a browser detector to their pages to warn the user that they're using a product from a vendor that's actively trying to make their use of the Internet into a royal pain in the behind?

    --
    CUR ALLOC 20195.....5804M
    1. Re:Won't this require... by Anonymous Coward · · Score: 0

      $ grep -R "http://" ~/public_html

      ^ This would find what you're looking for. With sed you could do all the necessary finding and replacing in one go.
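    A site-side check for rnturn's question above, as an added example written for this page and not code from any poster or from Google. `grep -R "http://"` over-reports (it hits comments, prose and links to ordinary pages) and under-reports (relative and protocol-relative links are fine on an HTTPS page, while an absolute `http://` link to an archive is exactly what the proposal targets). This parses the anchors, resolves each against the page URL the way a browser would, and flags only those that would actually be fetched over plain HTTP and end in one of the types named in the article. The page URL, hostnames and HTML are constructed; `.gz` and `.bz2` are added as the usual suffixes for the GZIP and BZIP entries, an assumption since the announcement only gives the names. Extra types such as the `.scr`/`.com`/`.bat` Dwedit raises below can be passed in via `suffixes`.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse

# The types named in the article; ".gz" and ".bz2" added as the usual
# suffixes for GZIP and BZIP (assumption: the announcement only gives the names).
BLOCKED_SUFFIXES: Tuple[str, ...] = (
    ".exe", ".dmg", ".crx", ".zip", ".gzip", ".gz", ".bzip", ".bz2", ".tar", ".rar", ".7z",
)


class _AnchorCollector(HTMLParser):
    """Collects href values from <a> tags; ignores comments, text and other elements."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def insecure_download_links(page_url: str, html: str, suffixes=BLOCKED_SUFFIXES) -> List[str]:
    """Absolute URLs of download links on an HTTPS page that would be fetched over plain HTTP."""
    if urlparse(page_url).scheme.lower() != "https":
        return []  # the proposed block applies only to pages loaded over HTTPS
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # relative and //host links inherit https
        parts = urlparse(absolute)
        if parts.scheme.lower() != "http":
            continue
        # Extension check on the path only: query string and fragment do not count.
        if parts.path.lower().endswith(suffixes):
            flagged.append(absolute)
    return flagged


# Constructed sample page: only the first link is a mixed-content download.
SAMPLE_PAGE_URL = "https://www.example.invalid/downloads/"
SAMPLE_HTML = """
<!-- http://legacy.example.invalid/old-build.exe  (a comment; grep hits it, users cannot) -->
<a href="http://files.example.invalid/app.ZIP?dl=1">Download ZIP</a>
<a href="//files.example.invalid/app.tar">protocol-relative, inherits https</a>
<a href="/downloads/app.exe">relative, inherits https</a>
<a href="https://files.example.invalid/app.dmg">already https</a>
<a href="http://files.example.invalid/notes.pdf">http, but not a listed type</a>
<a href="http://files.example.invalid/changelog.html">plain page link</a>
"""

if __name__ == "__main__":
    for url in insecure_download_links(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure download:", url)
```

Run it over each HTML page as served (after templating), not over the source tree, since the scheme of a relative link depends on the page it ends up on. Links generated by JavaScript at runtime will not be seen by a static parse.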

  22. Secure ? by Anonymous Coward · · Score: 0

    The S in HTTPS does not have anything to do with SECURITY it means SSL. It means, and only means, and has no meaning any more than, that the connection between you and whomever you are talking to (which may or may not be who you think it is) is encrypted (PRIVACY mode is engaged) so that third-parties in betwixt cannot make sense of the data transmitted (nor easily make undetected alterations to that data).

    Repeat again with feeling: HTTPS HAS NOTHING WHATSOEVER TO DO WITH SECURITY. HTTPS DOES NOT IMPLY THAT SOMETHING IS SECURE. NOT HAVING HTTPS DOES NOT IMPLY SOMETHING IS NOT SECURE. HTTPS HAS NOTHING WHATSOEVER TO DO WITH SECURITY.

    Why on earth would one want to protect a file download against third parties? There are far better and more efficient ways to do it than HTTPS which again, has nothing whatever to do with SECURITY and whether or not the file is malicious, but is only a transport PRIVACY measure against third-parties interposed between the two end-points (who may not be who you think they are).

    1. Re:Secure ? by tepples · · Score: 1

      Why on earth would one want to protect a file download against third parties?

      Two reasons:

      A. Protect a proprietary work from being downloaded by third parties who have not paid for access to the work
      B. Protect a work from being modified in transit

      [TLS] is only a transport PRIVACY measure against third-parties interposed between the two end-points (who may not be who you think they are)

      My reply depends on what attack model you had in mind that results in the parties not being "who you think they are". Does it involve defrauding a CA? Typosquatting? Something else that you'll describe?

  23. Google Echo Chamber in full effect by nadass · · Score: 5, Interesting

    The Google Chrome engineer who posted this ask to the W3C mailing list ( https://lists.w3.org/Archives/... ) also made a social media poll, https://twitter.com/estark37/s...

    Essentially, they're reinforcing their own echo-chamber effect to only listen to confirmations of their conceived notion of correctness rather than truly encouraging discourse on the matter. Her poll options are, "yes" and "yes" -- and several Twitter replies have been deleted.

    Personally, it seems they are an engineer looking for a problem to solve to help justify their job... and that's just sad in itself.

    1. Re: Google Echo Chamber in full effect by houghi · · Score: 1

      Google does not listen to what users want, it will just see if it can get the highest yield from their product.

      They are pretty good at that. Big brother meets animal farm. See ya all at the slaughter house.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Google Echo Chamber in full effect by thegarbz · · Score: 0

      Personally, it seems they are an engineer looking for a problem to solve to help justify their job... and that's just sad in itself.

      What's sad is assuming that someone's decision making process is at all dependent on a tweet. Can we just go back to a world where people understood that stuff posted on twitter was just worthless shit and not actually meant to be taken seriously already? Frankly I'm sick of every idiot reading a tweet and then declaring a war as a result.

  24. Fuck google by Anonymous Coward · · Score: 0

    Fuck google.

    1. Re:Fuck google by Anonymous Coward · · Score: 0

      and the horse it rode in on.

  25. Re:Shut up and eat yer porridge by Anonymous Coward · · Score: 0

    Between Microsoft shoving things up your ass and Google shoving things down your throat, I think you are well covered.

  26. Google declares war on general-purpose computing. by Anonymous Coward · · Score: 1

    It's getting close to a point where we need to make our own web and web browsers, with blackjack and hookers (but seriously!). There are lots of free TCP ports left, let's just choose another one and walk away from the HTTP2/3/AMP/QUIC bullsh$t. Make a translator gateway if someone wants to visit the "Google-web" with all of its limitations.

    This is a clear violation of stack layers -- a general purpose APP for browsing and fetching online content should NOT attempt to be the gatekeeper for what the TRANSPORT is trying to send. This is equivalent to an email program refusing to forward mails with the (non)-word 'alot' in it, because the programmers want to stamp out bad grammar. It's NOT THE PROGRAM'S PLACE TO DECIDE.

  27. Re:JEWgle = PERFIDIOUS jews by Anonymous Coward · · Score: 0

    Can Google please block this shit!

  29. file extensions in ... 2019??? by Anonymous Coward · · Score: 0

    they're using file extensions in 2019 and not mime types? this is the real google, the big billion-dollar technology company? is this an old Apr 1 article? does google not think someone might possibly use a different extension and let the computer run the file by mime type? do computers really use extensions now? is this windows-only? so many questions

    (this reminds me of all those INVOICE.DOC.JPG.ZIP.EXE.RAR files in e-mails for some reason)

  30. .torrent by Gabest · · Score: 1

    It already blocks .torrent files on certain sites. Says they are dangerous. Orly?

  31. They don't by rsilvergun · · Score: 0

    this makes it harder for their competitors to index the files in their search engines. I forget the specific technical details, but google's push for HTTPS has nothing to do with privacy and security (I mean, look at who we're talking about here, it's a company that exists to sell ads and your demographic data).

    If anyone remembers the technical details feel free to chime in, but this is just an anti-competitive trick.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  32. Re:JEWgle = PERFIDIOUS jews by MightyMartian · · Score: 1

    If there was a virus that would render 4chan's foul spawn unable to get on the Internet, I'd be all for it. Even if you're joking, you're still a disgusting piece of crap.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  33. WGET and CURL are your friends by Virtucon · · Score: 0

    What a bunch of nanny state bullshit!

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  34. April 1st was last week by Anonymous Coward · · Score: 0

    No seriously though, what the fuck?

    As for the change, they already have the infrastructure baked into Chrome and firefox. I have gone through the code of both Chrome and Firefox as part of an audit. The control Google has over everything we do online is ... terrifying. I'd take a devil I can see over one who lives in California.

  35. Ask ten people what TLS is by raymorris · · Score: 1, Insightful

    Yeah, if you ask 10 random people what TLS is, you'll find out why Google security engineers think that they know security better than the average consumer does. It's their JOB to know security, so they SHOULD be much better informed than the average user. They shouldn't forget that fact when they make *defaults* and *warnings*.

    On the other hand, I've been an internet security professional for twenty years. I can reasonably decide to override the defaults in selected situations. I am not a typical user in that regard.

    1. Re:Ask ten people what TLS is by Anonymous Coward · · Score: 0

      Security is an illusion, I wonder why most security "Experts" aren't alcoholics or living in eternal depression.

    2. Re: Ask ten people what TLS is by Anonymous Coward · · Score: 0

      20year security professional sheesh and u post on slash dot, good on you.

  36. dont you like it? by Anonymous Coward · · Score: 0

    don't use their browser. easy.

  37. It's about dictatorships (Re:uhh,,..) by whizzter · · Score: 2

    On the contrary, i have some recollection of some nation-states poisoning downloads of "encrypted" communication apps to be able to eavesdrop. (Egypt? Iran?).

    1. Re:It's about dictatorships (Re:uhh,,..) by Anonymous Coward · · Score: 0

      This feature won't do any good if the country which you reside controls how and what you can access anyway. Poisoning apps midflight is not much of a game changer as it's hard to do, and signing apps mitigates it pretty easily for the real people said country would be most interested in anyway. Most likely the apps that were poisoned were probably done at the source.

      So turning on encryption on all HTTP traffic and suggesting EXEs are now more secure this way is worse than no-encryption. It lulls people into a false sense of security. Encryption should be used sometimes, yes, but not all the time.

  38. Defective product. Declared secure, illusion of se by raymorris · · Score: 2

    If you had a physical safe, 2,000 pounds, which would open whenever someone tapped it on the left side, that would be a defective product. Since you probably bought the safe to protect valuables, you'd want to know if it doesn't offer any security. A security warning about that safe would be warranted.

    A cardboard box would not be defective if it could be opened easily. You don't store gold in a cardboard box and expect high security.

    By applying TLS, the site operators are essentially declaring that the content needs to be protected and claiming that it is protected. If it's not actually protected as claimed, users may want to know about that.

  39. Doesn't chrome already block magnet links? by Anonymous Coward · · Score: 0

    I can't use chrome to browse torrents because it has a problem downloading magnet links. I feel like Firefox is becoming the better option by the day.

    1. Re:Doesn't chrome already block magnet links? by Anonymous Coward · · Score: 0

      https://sourceforge.net/projects/portableapps/files/

      Older versions. No install just extract with wizard.

    2. Re:Doesn't chrome already block magnet links? by Anonymous Coward · · Score: 0

      Older versions of browsers are insecure. This is terrible advice.

  41. Re:Defective product. Declared secure, illusion of by GameboyRMH · · Score: 2

    The problem is that you suggest the common user can tell the difference between a cardboard box and a safe. They can't (thus the green locks and such), and yet we're still treating a safe with potentially no lock (or potentially the best lock of all, if you roll your own cert, verify keys out-of-band, and save them) as a less secure container than a cardboard box. Which it in no way is.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  42. They are SELF-proclaimed (un)"holy" JEWgle by Anonymous Coward · · Score: 0

  43. What needs to be blocked is JEWgle by Anonymous Coward · · Score: 0

  44. Know better than you by Anonymous Coward · · Score: 0

    The user is trying to download a file, better stop them, that will make them happy

  45. Solved Problem: URL contains hash of the asset. by Anonymous Coward · · Score: 0

    To make the HTTP resource secure on a HTTPS page we can link to the resource and provide a hash of the asset or file in the HTML. HTML already supports this.

    Mozilla calls it "Subresource Integrity"

    NGINX has supported their own version of secure_link since back when we thought MD5 was secure:
    http://nginx.org/en/docs/http/ngx_http_secure_link_module.html

    This is how you make mixed content HTTPS cache friendly without giving all your security to Cloudflare or similar.

    Fuck off Goolag.

    Next problem please.

  46. Seems reasonable by Anonymous Coward · · Score: 0

    As long as you can exclude it from within the browser.

    For example, you might be on a VPN and just using http for simplicity.

  47. Jews history/books/doings bothers you? by Anonymous Coward · · Score: 0

  48. Beware PERFIDIOUS JEWgle machinations by Anonymous Coward · · Score: 0

  49. Re:Defective product. Declared secure, illusion of by raymorris · · Score: 1

    The purpose of the cert is for the browser to know whether they are talking to your server, or to my MITM proxy which I made on a Raspberry Pi, and presents itself as a WiFi network "Convention Guest WiFi".

    If you don't tell the browser WHICH cert you've rolled, it's unable to distinguish your cert from my imposter cert, and therefore you have almost zero security.

    > you suggest the common user can tell the difference between a cardboard box and a safe. They can't (thus the green locks and such)

    I suspect users can see a green lock and have some idea what it means.

  50. Re:Defective product. Declared secure, illusion of by GameboyRMH · · Score: 1

    The green lock is there because the user doesn't know the difference between http: and https: in the URL bar. As such, the browser should display the green lock for an HTTPS connection with a valid cert and not display one for an HTTP connection or an HTTPS connection with an invalid cert. It's even easier for your RasPi to MITM an HTTP connection, but the browser will happily use that protocol without complaint.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  51. Certificate Transparency by tepples · · Score: 1

    You just get one of hundreds of CAs to issue you a cert by MITMing their automated DNS/Website flag planting procedure

    Would these be CAs that submit all issued certificates to Certificate Transparency or CAs that do not?

    1. Re:Certificate Transparency by Anonymous Coward · · Score: 0

      You just get one of hundreds of CAs to issue you a cert by MITMing their automated DNS/Website flag planting procedure

      Would these be CAs that submit all issued certificates to Certificate Transparency or CAs that do not?

      None of that matters. The most common way to deliver malware is from a compromised site. There is no reason for the attacker to stop running HTTPS, and in fact they probably don't have access to the webserver anyway, just the site in question's home folder.
      HTTPS doesn't protect you from the site you're connecting to, but possibly protects you from everyone else along the way.

    2. Re:Certificate Transparency by WaffleMonster · · Score: 1

      Would these be CAs that submit all issued certificates to Certificate Transparency or CAs that do not?

      What difference does it make? Nobody monitors CT logs so why does it matter?

      If by some miracle you discover a cert issued by someone else it's already too late. Security has already been compromised. All of your fellow government protestors already been rounded up and carted off to the gulag. Too bad so sad.

      This is all certificate transparency really is:
      https://www.youtube.com/watch?...

    3. Re:Certificate Transparency by tepples · · Score: 1

      The most common way to deliver malware is from a compromised site.

      How would an individual developer go about proving to users that the software he offers through his website was not placed there through compromise?

    4. Re:Certificate Transparency by Anonymous Coward · · Score: 0

      Sign your download's hash with a published public key?

      Like everyone else?

    5. Re:Certificate Transparency by tepples · · Score: 1

      Then the question becomes how to prove that the public key itself has not been replaced through compromise.

  52. Wine is an .exe player by tepples · · Score: 1

    .exe files are harmless on Linux

    Unless the user has installed Wine. Valve's Proton distribution of Wine will only make Wine more commonplace among users of X11/Linux.

  53. Download from HTTPS CDN by tepples · · Score: 2

    encrypted traffic can't use the internet's caching infrastructure which would benefit popular downloads

    A CDN contracted by the operator of the origin server, such as CloudFront or Cloudflare, can cache HTTPS just as easily as cleartext HTTP.

  54. Jew Google Jew Mama by Anonymous Coward · · Score: 0

    Just don't use Chrome or don't update.

    Jew Brin and Jew Page and Jew CEO of YouTube always want to decide for you. Jews always do.

    It's Jew shit. Fake religion fake people.

  55. Re:Shut up and eat yer porridge by Revek · · Score: 0

    I only troll, trolls. For whom does the troll really troll.

  56. Re:What needs to be blocked is JEWgle by Anonymous Coward · · Score: 0

    - JIDF try to tire you out.

    https://en.wikipedia.org/wiki/Jewish_Internet_Defense_Force

    tl;dr already got it a long time ago

  57. Re: They are SELF-proclaimed (un)"holy" JEWgle by bursch-X · · Score: 1

    Hmm, Yiddish is actually 80% German. I am German and I can understand it. It sounds like a German dialect, and I only fail to understand some of the Hebrew and Polish words sprinkled in. This is such a plain and well-known fact and even that you get wrong. Sheesh.

    --
    There are two rules for success:
    1. Never tell everything you know.

  58. Google is still wrong by Anonymous Coward · · Score: 0

    HTTP is not insecure. Publicly readable data is just that. Once again management is confusing complicated with secure. Once again they are wrong.

  59. Re: Shut up and eat yer porridge by Anonymous Coward · · Score: 0

    I named mine Fred.

    Then the kids wanted to adopt him...

  60. Chrome? by sremick · · Score: 1, Funny

    As long as it continues to let me download FirefoxSetup.exe, we're good.

  61. Re:What needs to be blocked is JEWgle by Anonymous Coward · · Score: 0

    go back and sleep with your sister and your mother again, they miss you pin dick

  62. Getting real tired of this shit by Anonymous Coward · · Score: 0

    Gmail already gimped the send file function of Gmail to the point of near uselessness. "No sending .zip files for you! And don't bother renaming the extension because we check the file format itself. HAHA!" A hex editor can get around this, but why do we have to resort to this shit?

    Now Google wants to do the same to their web browser like they did with Gmail. No thanks.

    Chrome will be shitlisted as a near useless toy when they pull this.

  63. (continued) Getting real tired of this shit by Anonymous Coward · · Score: 0

    What they plan to do right now is a step in that direction. Wait until it gets to the point that all downloads of that kind are banned no matter where they came from, just like Gmail. These days, I don't trust Google to not do this.

    Google really needs to go back to "Do no evil" and brand itself with a red hot iron of this phrase to make sure they remember that.

  64. Starks are supposed to be much more honourable by Anonymous Coward · · Score: 0

    Starks are supposed to be much more honourable. Just goes on to prove that there are bad apples in every yard.

  65. Is this a collusion with big telcos? by Anonymous Coward · · Score: 0

    While I get the security pitch for TLS everywhere, there is a side effect to that.

    In effect bandwidth consumption will increase as it is hard to cache artifacts on a https URL unless you (as the one wanting to cache) also control all the clients, and have your certificates installed on them.

  66. Control Creep by Anonymous Coward · · Score: 0

    http://myactivity.google.com was a wake up call for me. The amount of data they collect about users by default is outrageous. The problem is that using their software as a middle man to access the Internet, both on your computers and mobile devices, presents them with a unique opportunity to collect all your browsing data. Https traffic may be encrypted, but de-crypted as soon as Google's slimy software gets at it. Encryption merely prevents Google's competitors from accessing that data.

  67. HTTPS is not the be all and end all by Anonymous Coward · · Score: 0

    Many malicious sites are using HTTPS. Many sites using HTTPS are infected to be malicious or deliver malicious content. Obtaining a valid SSL certificate can be done for free and takes moments. Google seem to be focusing very much on the "well, we tried" method of security awareness, rather than actually improving security for users experience. It seems to me as though they don't want to be lumped in with the blame game the next time there's a significant flaw exploited; they're taking "action" to "improve security" knowing full well that it's going to be entirely ineffective. As long as they can publicly point to the changes they're making and make some claim that they've been effective to some degree then they're seen as being helpful, even when they're objectively not.

    The pantomime of online security is turning more and more farcical as the days go by. Pretty soon the farce will turn into tragedy I'm sure, as more and more users believe that security upgrades mean that they don't need to be individually aware of what is the best thing to do or the safe way to browse.

  68. Re:Defective product. Declared secure, illusion of by Anonymous Coward · · Score: 0

    By applying TLS, the site operators are essentially declaring that the content needs to be protected and claiming that it is protected.

    No. By applying TLS the site operators are protecting the content but not making any declarations or claims. By using plain HTTP you are effectively claiming that the content is protected but not actually protecting it. You mixed up the two situations in your explanation.

    Proper declarations of security or identity are made with the various levels of CA certificates.

    The problem with browsers at the moment is they mix the signals and communicate the wrong expectations to the user, and then when the miscommunication leads the user to make an incorrect assumption the browsers compensate by doubling down on the misinformation and actively pushing everyone toward the worst possible reaction.

  69. Strange selection of files by sad_ · · Score: 1

    why not include office documents and pdfs as well? they've been a source of infections too.
    well, not much else is left except pure media (video/audio/pictures) files.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.

  70. Internet sure but leave intranet alone by Anonymous Coward · · Score: 0

    If Google wants to protect people from the wild west that is the Internet then sure. But dang it leave the Intranets of companies and homes alone!

  71. Re: Jews history/books/doings bothers you? by Anonymous Coward · · Score: 0

    Hey kids, this is what mental illness looks like! ^^^