YES! Why is it that, in 2016, when you type a hostname into the address bar without specifying a protocol, browsers all default to HTTP as the default? This was maybe understandable in 2010, but every browser maker should have known better for years by now.
For what it’s worth, according to their website, you can still use Let’s Encrypt without shell access, even if your host doesn’t offer it. It’s not ideal, but it’s also not impossible.
Then I think your experience is very limited in scope. HTTP interception is a major problem, happens frequently in the real world, and HTTPS provides real security against it. And it is now available for free to anyone who wants it, although some hosting providers may need changes to allow their customers to easily deploy it, which will happen as soon as there is an incentive.
[quote]Connection security ≠ server security.[/quote]
But without connection security you don’t even know you are talking to the right server.
You think they are insecure now, just imagine how insecure they’ll feel being pointed out all the time.
Even them. But our corporate call center is stateside. Granted, Chrome is not business approved or supported…but that doesn’t mean every other workstation doesn’t have it installed.
Hopefully Google/Chrome has the guts to start flagging CDNs’ bogus man-in-the-middle SSL certs. Most people don’t realize that many CDNs fundamentally break the HTTPS/SSL system in the very way that SSL is supposed to prevent.
https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/
Not to mention all the ads, malware, and other bad actors that use CDNs to get around being blocked. I hate having to clear 5 random CDNs from my browser block just to view a webpage. ugggh. HTTP/2 makes the only real benefit to CDNs reduced server load and geographic distribution. With HTTP/2/HTTPS we no longer see blocking connections or the restrictive connection limit per domain, which was one of their original primary advantages.
We would love to! Unfortunately, the advertising networks of the world haven’t jumped on to the HTTPS train with both feet quite yet. Until they do, we still need to default to HTTP.
We are actively advocating for change in this regard and will become HTTPS-only as soon as we can.
I was thinking more along the lines of the server doing the redirection from HTTP to HTTPS, but maybe the browser could be made to do that if HTTPS is available (though I suspect that if the site operator doesn’t ensure all their resources load over HTTPS, this is going to break things spectacularly - from my experience, people buy SSL certificates but all resources are absolute rather than relative, resulting in mixed SSL/non-SSL content).
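The mixed-content problem described in the comment above (absolute http:// subresources surviving a move to HTTPS) is easy to audit before flipping the switch. The scanner below is an added example, not code from this thread or from any of the vendors mentioned; the page URL (https://shop.example/checkout) and the HTML snippet are constructed. It resolves every subresource reference against the HTTPS page URL, so relative and protocol-relative ("//cdn/...") references are correctly treated as safe, and only explicit http:// references are reported, split into the "active" class browsers block outright (scripts, frames, stylesheets) and the "passive" class they usually load with a warning (images, media).

```python
"""Report subresources that would load as mixed content once a page is served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute naming the subresource, mixed-content class)
SUBRESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link":   ("href", "active"),   # only counted when rel contains "stylesheet"
    "object": ("data", "active"),
    "embed":  ("src", "active"),
    "img":    ("src", "passive"),
    "audio":  ("src", "passive"),
    "video":  ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        spec = SUBRESOURCE_ATTRS.get(tag)
        if spec is None:
            return                       # <a href=...> etc. is navigation, not a subresource
        attr, kind = spec
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return                       # <link rel="alternate"> and friends are not fetched
        raw = attrs.get(attr, "").strip()
        if not raw:
            return
        # Relative and protocol-relative references inherit https from the page URL;
        # only a reference that still resolves to http:// is mixed content.
        resolved = urljoin(self.page_url, raw)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))


def scan_mixed_content(page_url, html):
    """Return [(kind, tag, url), ...] for every subresource that would be mixed content."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a checkout page with absolute http:// URLs left over from HTTP days.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//cdn.example.net/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.net/banner.jpg">
<a href="http://partner.example/">partner site</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the constructed page it reports exactly two problems, the analytics script (active) and the banner image (passive); the protocol-relative stylesheet, the relative logo and the plain link are left alone. Note that inline CSS `url(...)` references and resources fetched by scripts at runtime are outside what a static tag scan can see.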
I have to applaud vendors such as cPanel, Inc. who are now providing free SSL certificates (in conjunction with Comodo, or if you prefer, Let’s Encrypt). CloudFlare is another such company. Technologies such as SNI also make it much easier to host multiple SSL sites without extra IPs - the only reason you’d want an IP for an SSL-secured site is if the client is using a really, really old client (Windows XP being one example). Again, you’d be surprised how many people still want separate IPv4 addresses because of that.
Ah, the advertising networks. Yep, that would certainly explain it. They’d better catch up soon!
Actually, there is HSTS to fix that very problem. When it stops being a keep-the-lights-on vs HTTPS issue, we’ll enable that here as well:
My site is run with Google Apps on Blogger, which doesn’t appear to have Let’s Encrypt support. So, the very company forcing me to move to HTTPS doesn’t provide a way to let me do it for free.
A man could get cynical about that sort of thing…
Public WiFi portals also need to catch up…
It can; this can be done via a simple .htaccess redirect.
RewriteEngine on
# Match requests that arrived on the plaintext port (RewriteCond %{HTTPS} off is the usual alternative)
RewriteCond %{SERVER_PORT} ^80$
# REQUEST_URI already starts with "/", so no extra slash before it; the query string is carried over automatically
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
It can; this can be done via the browser plugin HTTPSEverywhere, and a few others.
The new cPanel/WHM v60+ has an option to automatically request and install free certificates for every domain and renew ones about to expire. It has to be enabled at the hosting level, and many hosts sell certs so they have this flipped off because certs are easy money and have been overpriced for years.
CDNs such as CloudFlare break web security in such a fundamental way as to be doing the very thing that HTTPS/SSL is supposed to prevent. They are the scourge of HTTPS. See my post above. They are also the primary enablers of malware and ads circumventing the various blocking technologies.
Yes, SNI was a huge step forward and something we should all applaud. It isn’t the only reason to want a dedicated IP for SSL though; any enhanced SSL cert (identity verified) needs a dedicated IP address, for good reason obviously. If you are doing ecommerce an enhanced certificate and a dedicated IP is a good idea, as is getting off of a shared host.
Also, welcome to BB! Thanks for the discussion.
A server side redirect to HTTPS via an initial HTTP request is almost as insecure as not bothering.
Once the browser sends one HTTP request, a MITM attacker can take over. Sure the server sent a redirect to HTTPS, but the client isn’t talking to the server - the client is talking to the attacker, and the attacker to the server. So the attacker loads resources over HTTPS from the server, and presents them to the client over HTTP.
Unless, as @orenwolf notes, the server also uses HSTS to prevent the client reconnecting later via HTTP. That way the MITM attacker’s window of opportunity is limited to the first connection (or each first connection after the browser’s HSTS setting has expired).
None of this is as secure as if browsers just always tried HTTPS first, and only fell back to HTTP if the server didn’t offer HTTPS - at that point the attacker’s window of opportunity is further reduced. Which IMO should have been default browser behaviour since at least 2012.
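The argument in the post above (redirect alone leaves every plaintext request exposed; HSTS shrinks the window to the first connection and to the first connection after max-age lapses; an HTTPS-first browser shrinks it further) can be played out in a small model. This is an added example, not code from the thread: the origin, its HSTS header value (max-age=3600), the visit timeline and the attacker model (an on-path attacker who answers any plaintext request itself, so the victim never sees the origin's redirect or header) are all constructed. The header parsing follows RFC 6797: a header without a usable max-age is ignored.

```python
"""Model the MITM window for: redirect only, redirect + HSTS, and an HTTPS-first browser."""
from urllib.parse import urlsplit

# Constructed origin behaviour: it serves both ports, 301s port 80 to HTTPS, and when
# configured to do so sends this Strict-Transport-Security value on HTTPS responses.
HSTS_HEADER_VALUE = "max-age=3600; includeSubDomains"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when there is no valid max-age, in which case the header is ignored."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class Browser:
    def __init__(self, https_first):
        self.https_first = https_first   # probe TLS before ever sending plaintext
        self.hsts = {}                   # host -> expiry time (seconds)

    def visit(self, url, now, attacker_on_path, origin_sends_hsts):
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname
        if host in self.hsts and self.hsts[host] > now:
            scheme = "https"   # HSTS upgrade: rewritten before any request leaves the client
        elif scheme == "http" and self.https_first:
            # The origin offers TLS, so the probe succeeds. This model does not simulate an
            # attacker blackholing port 443 to force a fallback, which is why HTTPS-first
            # only shrinks the window rather than closing it.
            scheme = "https"
        if scheme == "http":
            if attacker_on_path:
                # The attacker answers the plaintext request: the victim never sees the
                # origin's 301 or its HSTS header, so nothing is learned or cached.
                return "intercepted"
            scheme = "https"   # no attacker: the 301 to HTTPS is followed
        if origin_sends_hsts:
            parsed = parse_hsts(HSTS_HEADER_VALUE)
            if parsed:
                self.hsts[host] = now + parsed[0]   # refreshed on every HTTPS response
        return "secure"


def simulate(origin_sends_hsts, https_first, visits):
    """visits: [(url, time_seconds, attacker_on_path)] -> ['secure' | 'intercepted', ...]"""
    browser = Browser(https_first)
    return [browser.visit(u, t, a, origin_sends_hsts) for u, t, a in visits]


# Constructed timeline: one visit from a trusted network, then two from a hostile one,
# the last of them after the 3600-second max-age has lapsed.
VISITS = [
    ("http://example.com/", 0, False),
    ("http://example.com/login", 100, True),
    ("http://example.com/", 5000, True),
]

if __name__ == "__main__":
    print("redirect only      :", simulate(False, False, VISITS))
    print("redirect + HSTS    :", simulate(True, False, VISITS))
    print("browser HTTPS-first:", simulate(False, True, VISITS))
```

With the constructed timeline the redirect-only server leaves both hostile-network visits intercepted, redirect plus HSTS protects the second visit but not the third (the cached policy has expired and the browser falls back to plaintext), and the HTTPS-first browser never sends plaintext at all. The expiry case is the reason for long max-age values and for HSTS preloading, which removes the first-connection window by shipping the policy inside the browser.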
I don’t get it. If anybody can get an HTTPS certificate from Let’s Encrypt, how is that any different than some other CA issuing bogus certs?
Any SSL bridging mechanism inherently breaks SSL by design. There’s basically no other way to analyze the traffic after the handshake occurs. It makes sense when you’re using a reverse proxy for some corporate resources exposed by your DMZ but for CDN to do that, well that’s just slimy as hell.
You can only get a cert if you have access to the server. If your box is opened by a hacker you’re pwned anyway.
The point is does Let’s Encrypt have any protections so I can’t issue a certificate for “yourbank.com” to my own web server?
Can you place files in arbitrary places on yourbank.com?
If I hijack your DNS to point to my server, then sure.
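The exchange above is describing the ACME http-01 challenge (RFC 8555 §8.3), and the model below makes the mechanics concrete: the CA picks a random token, the applicant must publish token.base64url(thumbprint of the ACME account key) at /.well-known/acme-challenge/<token>, and the CA fetches that path over plain HTTP from whatever address the domain name resolves to. So "can you place files on yourbank.com" is exactly the test, and controlling the DNS answer the CA sees is exactly the way around it. This is an added example, not Let's Encrypt's code; the DNS table, the two web servers, the addresses, the token and the account keys are constructed (the key members are placeholders, not real RSA values, which is enough because only their hash enters the check).

```python
"""Model of an ACME http-01 validation: legitimate, wrong web root, and hijacked DNS."""
import base64
import hashlib
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 §8.1: token || '.' || base64url(thumbprint of the ACME account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_http01_check(domain, token, account_jwk, dns, web_servers):
    """The CA's side: resolve the name, GET the challenge path from that address over
    plain HTTP, and compare the body with the key authorization it expects."""
    ip = dns.get(domain)
    if ip is None:
        return False
    body = web_servers.get(ip, {}).get(f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == key_authorization(token, account_jwk)


# Constructed actors. Key members are placeholders, not real moduli; only the hash matters.
BANK_ACCOUNT_KEY = {"kty": "RSA", "e": "AQAB", "n": "bank-placeholder-modulus"}
ATTACKER_ACCOUNT_KEY = {"kty": "RSA", "e": "AQAB", "n": "attacker-placeholder-modulus"}
BANK_IP, ATTACKER_IP = "203.0.113.10", "198.51.100.7"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # sample CA-chosen random token


def run_scenarios():
    dns = {"yourbank.com": BANK_IP}
    web_servers = {BANK_IP: {}, ATTACKER_IP: {}}
    path = f"/.well-known/acme-challenge/{TOKEN}"

    # 1. The bank proves control by publishing the file on its own web root.
    web_servers[BANK_IP][path] = key_authorization(TOKEN, BANK_ACCOUNT_KEY)
    legit = ca_http01_check("yourbank.com", TOKEN, BANK_ACCOUNT_KEY, dns, web_servers)

    # 2. An attacker with their own ACME account publishes the file on *their* server.
    #    The CA still fetches from the bank's address and finds a body for another key.
    web_servers[ATTACKER_IP][path] = key_authorization(TOKEN, ATTACKER_ACCOUNT_KEY)
    wrong_host = ca_http01_check("yourbank.com", TOKEN, ATTACKER_ACCOUNT_KEY, dns, web_servers)

    # 3. The attacker controls the DNS answer the CA sees: the fetch lands on the
    #    attacker's server and validation passes. This is the point made in the thread.
    hijacked_dns = dict(dns, **{"yourbank.com": ATTACKER_IP})
    hijacked = ca_http01_check("yourbank.com", TOKEN, ATTACKER_ACCOUNT_KEY, hijacked_dns, web_servers)

    return {"legit": legit, "attacker_without_dns": wrong_host, "attacker_with_dns_hijack": hijacked}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26} -> {'issued' if ok else 'refused'}")
```

Scenario 2 fails because the key authorization binds the token to the *applicant's* account key, so a file left on the real server by the legitimate owner cannot be reused by someone else; scenario 3 passes because domain validation, by construction, trusts the network. Real CAs add defences this toy omits: Let's Encrypt validates from several network vantage points, honours CAA records (RFC 8659) that let a domain owner name the CAs allowed to issue for it, and logs every certificate to Certificate Transparency so a mis-issued certificate can at least be detected by the domain owner.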