Chrome is about to start warning users that non-HTTPS sites are insecure


#1

Originally published at: http://boingboing.net/2016/11/05/chrome-is-about-to-start-warni.html


#2

I’ll have a drink for all you call center folks that get to explain this to panicked users.

Stay strong :muscle:


#3

Of course, the irony of this post is that when I clicked through Feedly to read it, it directed me to the non-HTTPS version of BoingBoing. Maybe time to redirect all non-HTTPS requests accordingly?


#4

Just waiting for the bills to come in to weaken HTTPS so that we can fight “TERRORISTS!!!”.

This is a good thing IMHO. I want to see secure sites out there.


#5

Damnit. Thats not how it works. Whether a connection is encrypted or not doesnt tell you anything about the security measures of the site itself.


#6

But… if the connection that the site allows doesn’t use certificates, access of said site becomes vulnerable to snooping, and things like ad injection by your ISP, right? Sounds pretty “insecure” to me.


#7

By my 20 years of working in infosec, snooping the data in the connection has not been interesting in a very long time. That said, HTTPS intercept by ISPs (or employers) is still less of a problem than someone attacking the site server itself and harvesting data. Connection security ≠ server security.


#8

This change is not about securing you from fraudsters who want to intercept your private financial communications. It’s about preventing totalitarian government entities (like the NSA, for instance) from strolling into the office of an internet backbone and installing a box that slurps up the contents of everyone’s browsing sessions. It’s about turning out the lights on easy broad based snooping, making it harder to drag people in for questioning because they used “suspicious” words on a forum somewhere.


#9

“that word blah blah blah”

sigh

Doesnt work that way. Large scale data collection and HTTPS unwrapping are still perfectly do-able even with this change.


#10

I realise plain HTTP will have to be deprecated at some point along the road to the Security Promised Land, but I have all sorts of vague misgivings about this.

As Israel_B very rightly says, conflating HTTPS with secure sites is misleading. This warning will train users to think that certificate problems are a sign of malware, rather than an operator who lacks the time / money / expertise to maintain a certificate. Meanwhile, most actual malware will continue to go unflagged by Chrome, and in a world where lots of sites display warning messages, users will read the absence of warnings as a clean bill of health. So although the goal is to secure users against (mainly) state intrusion, the effect could be that this, and all other types of web-based evil, are implicitly blamed on church and model railroad club websites.

tl;dr The headline could just as well read “Chrome is about to start warning users that amateur websites are insecure”.


#11

Oh cool. So now I need to pay for a certificate to run my blog. :expressionless:
Let’s Encrypt only works with sites where you have shell access.

I do nothing but advocate for more encryption. But HTTPS is not just encryption, it’s also a racketeering scheme for third-party identification.

You’re not the internet police, Google. Knock it off.


#12

Google has been pushing the industry towards certain practices (like the disclosuring of a zero-day exploit in Windows only 7 days after Microsoft was told about it), and they have the industry clout to demand to be listened to, but no one is forcing anyone to use Chrome.

Apathy and inertia keep us using unencrypted email and dns servers that can be swamped with requests from bogus IP addresses. If Google is using it’s clout to get the tech world off their asses, then it’s a good thing.


#13

So, what is the solution for devices with embedded web pages? As I understand it, they’re basically faced with three bad choices:

  • don’t use https at all
  • embed the same certificate in every device (pro: happy green lock icon. con: one compromised device renders the certificate untrustable)
  • allow the user to provide their own certificate (pro: technically correct??? con: no one will do it)

Do I misunderstand?


#14

Chrome alerted me that my ISP was using SHA-1 SSL certification for online payments.
I emailed ISP’s support about this, and they upgraded to SHA-2 within a day.


#15

Would like to use the add-on HTTPS Everywhere but it doesn’t work in Pale Moon, which I use because it is far faster than Firefox. So, uh, can anyone here ask EFF about that (hint, hint)? They are not easy to contact about such things.


#17

you did read @GeekMan’s comment? he mentioned Let’s Encrypt there


#18

Oh. So he did. Multitasking fail on my part.


#19

In India?


#20

Clearly you don’t do security work within the browser space. We’re all impressed that Google had the cojones to do this first and doff our hats to them.

Flagging insecure connections to servers is not the be all and end all of things but it is certainly a good thing if it promotes people using secure connections.


#22

So which would you rather have? No incentive for the use of HTTPS, or at least some weak incentive? Next up, HTTP 2.0 BTW…