Chrome will mark ALL HTTP sites as insecure

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Basically, starting from July 2018 or Chrome version 68, all non-SSL websites will be marked as insecure.

This will be a great move in the sense of promoting encryption throughout the whole Internet.

Thanked by 2: Aidan, coreflux

Comments

  • From Feb 15 they are also going to ban popups/popunders/redirects type ads etc and if sites continue to use them they will block opening new windows for those sites in Chrome.

    Thanked by 4: Aidan, vovler, FHR, tarasis
  • @dedipromo said:
    This will be a great move in the sense of promoting encryption throughout the whole Internet.

    If you mean it's a great way to force you to get an SSL certificate for your measly little site nobody cared about and is now on a list, well..

  • @WSS said:

    @dedipromo said:
    This will be a great move in the sense of promoting encryption throughout the whole Internet.

    If you mean it's a great way to force you to get an SSL certificate for your measly little site nobody cared about and is now on a list, well..

    It doesn't force you. If you own a little website you won't even care about it.

    Thanked by 2: bdspice, squibs
  • Yeah, Google was pretty pissed off with someone having more information about the world than them... their agenda is far from pearly white.

    Thanked by 1: Ole_Juul
  • This was scheduled for a while ago and was ultimately delayed, everyone knew it was coming & had at least 2 years to prepare.

  • freerangecloud (Member, Patron Provider)

    A note in the address bar looks fine. I was concerned it was going to throw a scary warning page at you similar to when there's a misconfigured SSL certificate.

  • Breaking news: Browser will report how it's connected in natural language instead of relying on user knowledge of protocol scheme.

    Joking aside: The only thing I dislike is things like simple blogs, etc. being expected to run SSL/TLS when there's really no need. Yet Google apparently penalizes them in rankings for running plain HTTP.

  • @JustAMacUser said: Joking aside: The only thing I dislike is things like simple blogs, etc. being expected to run SSL/TLS when there's really no need. Yet Google apparently penalizes them in rankings for running plain HTTP.

    I agree. For static pages just providing information, it's overkill to expect SSL, which would serve no practical purpose but to give naive users a (useless) impression of security.

    Thanked by 1: Shazan
  • deank (Member, Troll)

    In before "Google approved SSL".

    Thanked by 1: geekalot
  • raindog308 (Administrator, Veteran)

    angstrom said: I agree. For static pages just providing information, it's overkill to expect SSL, which would serve no practical purpose but to give naive users a (useless) impression of security.

    Here's a good example: http://www.openbsdfoundation.org

    There was a discussion of why it's not https and no one could come up with a good reason other than fashion, so they didn't move to https.

    Thanked by 2: angstrom, Ole_Juul
  • @angstrom said:

    @JustAMacUser said: Joking aside: The only thing I dislike is things like simple blogs, etc. being expected to run SSL/TLS when there's really no need. Yet Google apparently penalizes them in rankings for running plain HTTP.

    I agree. For static pages just providing information, it's overkill to expect SSL, which would serve no practical purpose but to give naive users a (useless) impression of security.

    By overkill are you talking of server load or the cost? The cost is of course practically zero with Let's Encrypt.

    As for server load, don't you think it's negligible given the benefits? I know lots of developers who are still shocked that REST APIs exist and that one can just connect via TCP and send binary coded messages :-) And yet nobody does all that anymore (unless they want to cause a lot of pain for the future maintainers), most software just talks HTTP even when it's a completely internal service.

  • @Aidan said:
    Finally.

    Agreed. Not entirely sure why HTTP sites never were displayed as "insecure" - showing a banner saying "Not secure" is nothing more than informing the user about his connection's security to the other side. Sadly a lot of web shops still don't have TLS, so users should know anyone in the middle might as well sniff the stream, in particular the bodies of their POST requests.

  • @sarah said:

    @angstrom said:

    @JustAMacUser said: Joking aside: The only thing I dislike is things like simple blogs, etc. being expected to run SSL/TLS when there's really no need. Yet Google apparently penalizes them in rankings for running plain HTTP.

    I agree. For static pages just providing information, it's overkill to expect SSL, which would serve no practical purpose but to give naive users a (useless) impression of security.

    By overkill are you talking of server load or the cost? The cost is of course practically zero with Let's Encrypt.

    Well, "practically zero" isn't quite zero, and renew every 90 days, etc. Plus older browsers or text-based browsers may not recognize LE certificates.

    As for server load, don't you think it's negligible given the benefits?

    Well, the point above was that for some sites, there are no tangible benefits (other than to please Google).

  • @angstrom said:

    @sarah said:

    @angstrom said:

    @JustAMacUser said: Joking aside: The only thing I dislike is things like simple blogs, etc. being expected to run SSL/TLS when there's really no need. Yet Google apparently penalizes them in rankings for running plain HTTP.

    I agree. For static pages just providing information, it's overkill to expect SSL, which would serve no practical purpose but to give naive users a (useless) impression of security.

    By overkill are you talking of server load or the cost? The cost is of course practically zero with Let's Encrypt.

    Well, "practically zero" isn't quite zero, and renew every 90 days, etc. Plus older browsers or text-based browsers may not recognize LE certificates.

    Correct me if I am wrong but aren't most of these low budget sites hosted in some shared web hosting using cpanel/plesk etc? They all have LE support from what I can make out and it's really just 1-click if they haven't automated that click as well already.

    The tangible benefit may not be for the producer but there is definitely a lot for me as a consumer. In the past, I would be worried about browsing random pages on reddit since they can be sniffed in coffee shops and I didn't want to be "judged". But thankfully, they moved all to https.

  • joepie91 (Member, Patron Provider)
    edited February 2018

    Sigh, seems the same discussion recurs every time.

    If you believe that TLS is purely for protecting credit card data: you're wrong. If you believe that TLS is purely for protecting credentials: you're wrong. If you believe that TLS is purely for 'dynamic data': you're wrong. If you think TLS is just for e-commerce: you're wrong. If you think TLS is just for 'personal information': you're wrong. In all of these cases, you misunderstand the point of TLS.

    The point of TLS is to make connections what they should always have been from the start, but weren't for historical reasons; secure against eavesdropping or modification from third parties, in any way, for any purpose, to any type of content.

    So yes, there's absolutely a reason to demand TLS for static websites and 'little blogs' and whatnot, and it's the exact same reason as why large sites should be using TLS: to prevent third parties from interfering with the traffic to them.

    And as I've explained numerous times before in just about every TLS-related thread on here: yes, it matters whether somebody can spy on users reading your blog. Information is greatly valuable, not just from a marketing perspective, but also to e.g. understand what kind of infrastructure a target is running (by looking at what pages they are reading), and so on.

    TL;DR: Yes, everything should be using TLS, there is a tangible security benefit (to your users!), and your little blog is no exception. I'm quite happy that this is finally getting pushed through.

    EDIT: Also, if you're one of the fringe that tries to brand this as a 'Google conspiracy': you really, really don't understand what any of this is about. Go read up on the past several years of scientific research and metric collection around this topic, and try again.

  • angstrom (Moderator)
    edited February 2018

    @joepie91 said: The point of TLS is to make connections what they should always have been from the start, but weren't for historical reasons; secure against eavesdropping or modification from third parties, in any way, for any purpose, to any type of content.

    By the way, correct me if I'm wrong but your ISP (or whoever provides your momentary internet connection) can see which sites you visit, TLS or not. But, yes, with TLS, nobody can eavesdrop and see what exactly you're reading or looking at.

    Edit: And your ISP can also see what files you download, TLS or not, correct? (See @raindog308's comment below.)

  • raindog308 (Administrator, Veteran)

    joepie91 said: TL;DR: Yes, everything should be using TLS

    Here is a concrete example: distributing OpenBSD binaries. How does having those served over https improve security vs http? They're already signed and verified through a different cryptographically secure system, and https doesn't really protect against that anyway. There is nothing in them that needs eavesdropping protection because they're published to the world.

    So what benefit does https provide here? The only interesting data (which isn't very interesting: "raindog308 downloaded openbsd binaries") is not protected or cloaked by the protocol.

    I understand the somewhat aspirational quality of your overall point - maybe encryption "should have been there from the start". But if that's the case, then http should be deprecated entirely.

    I still mail both postcards and letters in envelopes. I don't expect privacy with the former. That doesn't mean there isn't a role for postcards.

  • The main issue I see is that a lot of websites cannot be full SSL, for example pages that link non-SSL images.

    What's the plan for that?

  • raindog308 (Administrator, Veteran)

    6ixth said: What's the plan for that?

    Stop being a hotlinking dick.

    If you host the images yourself...this problem goes away.

    Thanked by 3: dedipromo, rm_, maverickp
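The "non-SSL images" problem raised above is what browsers call mixed content, and the fix the reply points at (host the assets yourself, or at least reference them over https) is easier to apply once you know which references are affected. The scanner below is an added example written for this page, not code from the thread or from any project: it walks an HTML document, reports every sub-resource loaded over plain http, marks whether a browser would block it on an https page (active: scripts, stylesheets, frames, plugin objects) or merely drop the secure indicator (passive: images, media), and flags which references are hotlinked from another host. The sample page and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a browser fetch a sub-resource. Browsers treat scripts,
# stylesheets, iframes and plugin objects as *active* mixed content (blocked
# outright on an https page); images, audio and video are *passive* (loaded,
# but the page loses its secure indicator).
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "link": "href", "iframe": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}
ACTIVE_TAGS = {"script", "iframe", "object"}


class MixedContentScanner(HTMLParser):
    """Collect every sub-resource an https page would load over plain http."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        parsed = urlparse(url)
        if parsed.scheme.lower() != "http":
            return  # https, relative and protocol-relative URLs are fine
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            active = "stylesheet" in rel
        else:
            active = tag in ACTIVE_TAGS
        self.findings.append({
            "tag": tag,
            "url": url,
            "severity": "active" if active else "passive",
            # Hotlinked from someone else's host, or our own asset merely
            # referenced with the wrong scheme?
            "third_party": (parsed.hostname or "").lower() != self.page_host,
        })


def scan_mixed_content(html, page_url):
    """Return the list of http:// sub-resources referenced by an https page."""
    scanner = MixedContentScanner((urlparse(page_url).hostname or "").lower())
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings by severity and by whether they are hotlinks."""
    return {
        "active": sum(f["severity"] == "active" for f in findings),
        "passive": sum(f["severity"] == "passive" for f in findings),
        "hotlinked": sum(f["third_party"] for f in findings),
    }


# Constructed sample page; the hosts are placeholders, not real sites.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://img.example.net/banner.png">
<img src="http://www.example.org/own-logo.png">
<img src="/images/local.png">
<img src="//img.example.net/protocol-relative.png">
<iframe src="http://widgets.example.com/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = scan_mixed_content(SAMPLE_HTML, "https://www.example.org/post")
    for f in found:
        origin = "hotlink" if f["third_party"] else "own host"
        print(f"{f['severity']:7} {f['tag']:6} {origin:8} {f['url']}")
    print(summarize(found))
```

Run against a saved copy of your own pages, the output is a to-do list: third-party active items have to move to https or be self-hosted before the page can be served over TLS without breaking, while own-host items only need the scheme changed or a relative URL.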
  • @freerangecloud said:
    A note in the address bar looks fine. I was concerned it was going to throw a scary warning page at you similar to when there's a misconfigured SSL certificate.

    It starts as a small note and then after a while they're sitting in your wooden chair eating your own potatoes and drinking your yoghurt.

  • In my view, the much bigger worry is all of the personal info that people happily hand over to Google, Facebook, etc.

    The worry isn't if people read the pages of the OpenBSD Foundation over an unencrypted connection.

  • @joepie91 said:
    The point of TLS is to make connections what they should always have been from the start, but weren't for historical reasons; secure against eavesdropping or modification from third parties, in any way, for any purpose, to any type of content.

    So yes, there's absolutely a reason to demand TLS for static websites and 'little blogs' and whatnot, and it's the exact same reason as why large sites should be using TLS: to prevent third parties from interfering with the traffic to them.

    Yeah... Heaven forbid someone modify Sally's recipe en route to your computer screen.

    Thanked by 1: iki
  • @joepie91 said:
    Sigh, seems the same discussion recurs every time.

    If you believe that TLS is purely for protecting credit card data: you're wrong. If you believe that TLS is purely for protecting credentials: you're wrong. If you believe that TLS is purely for 'dynamic data': you're wrong. If you think TLS is just for e-commerce: you're wrong. If you think TLS is just for 'personal information': you're wrong. In all of these cases, you misunderstand the point of TLS.

    The point of TLS is to make connections what they should always have been from the start, but weren't for historical reasons; secure against eavesdropping or modification from third parties, in any way, for any purpose, to any type of content.

    So yes, there's absolutely a reason to demand TLS for static websites and 'little blogs' and whatnot, and it's the exact same reason as why large sites should be using TLS: to prevent third parties from interfering with the traffic to them.

    And as I've explained numerous times before in just about every TLS-related thread on here: yes, it matters whether somebody can spy on users reading your blog. Information is greatly valuable, not just from a marketing perspective, but also to e.g. understand what kind of infrastructure a target is running (by looking at what pages they are reading), and so on.

    TL;DR: Yes, everything should be using TLS, there is a tangible security benefit (to your users!), and your little blog is no exception. I'm quite happy that this is finally getting pushed through.

    EDIT: Also, if you're one of the fringe that tries to brand this as a 'Google conspiracy': you really, really don't understand what any of this is about. Go read up on the past several years of scientific research and metric collection around this topic, and try again.

    Can SSL protect against cross-site scripting or SQL injection?
    I do not think so, but please, you or somebody correct me if I am wrong.
    If you don't download random plugins or hacked ones, and have good JavaScript and PHP security standards, then you should be safer.
    The main use of SSL in my opinion is secure transmission of data from users to server and back. So if you had some sensitive data then I believe SSL is a good idea.

  • But I personally will implement it always because it isn't as hard as I thought, especially if I back up the Let's Encrypt folder.

  • raindog308 (Administrator, Veteran)

    hammer said: The main use of SSL in my opinion is secure transmission of data from users to server and back.

    That's the only purpose, no?

  • thenet (Member)
    edited February 2018

    Thanked by 2: hostdare, netomx
  • angstrom said: By the way, correct me if I'm wrong but your ISP (or whoever provides your momentary internet connection) can see which sites you visit, TLS or not. But, yes, with TLS, nobody can eavesdrop and see what exactly you're reading or looking at.

    That's correct, the site's domain name is leaked via DNS or during SNI negotiation. The former is being fixed with DNS over TLS. Not sure about how the latter can be fixed. However, one cannot sniff the URLs being visited. For example, your ISP might know that you're visiting some page inside reddit.com but not the page itself.
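To make the post above concrete, here is an added example (not from the thread, and not any project's code) that parses a constructed TLS ClientHello and a constructed plaintext HTTP request and shows what an on-path observer can read from each: with TLS only the server name carried in the SNI extension, with plain HTTP the full URL. The ClientHello bytes are built by the sample itself rather than captured, and the hostnames are placeholders. The SNI field is the same one that network monitoring and content filters rely on to see hostnames inside TLS; the gap the post says is unresolved is what the later Encrypted Client Hello work in the IETF addresses.

```python
import struct
from typing import Optional

# --- Constructed sample traffic ---------------------------------------------

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample, not a capture).

    An unrelated extension is placed first so the parser has to walk the
    extension list rather than assume SNI sits at a fixed offset.
    """
    extensions = b""
    sv = b"\x02\x03\x04"  # supported_versions (type 43): list holding TLS 1.3
    extensions += struct.pack("!HH", 43, len(sv)) + sv
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x11" * 32                                # random (constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# --- What a passive observer can read ---------------------------------------

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name in a ClientHello's SNI extension, or None."""
    try:
        if record[0] != 0x16:                          # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                              # not a ClientHello
            return None
        pos = 4 + 2 + 32                               # header, version, random
        pos += 1 + hs[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                             # compression_methods
        if pos + 2 > len(hs):
            return None                                # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                          # 0 = server_name
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:
                    return data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # truncated or malformed


def http_request_target(request: bytes) -> Optional[str]:
    """For plaintext HTTP/1.1 the observer gets the whole URL, not just the host."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    if not host:
        return None
    return "http://" + host + parts[1].decode("ascii", "replace")


if __name__ == "__main__":
    print("TLS ClientHello, observer sees host only:", extract_sni(build_client_hello("www.reddit.com")))
    print("TLS ClientHello without SNI:", extract_sni(build_client_hello(None)))
    plain = b"GET /r/privacy/comments/abc123 HTTP/1.1\r\nHost: www.reddit.com\r\n\r\n"
    print("Plain HTTP, observer sees full URL:", http_request_target(plain))
```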

  • @raindog308 said:

    hammer said: The main use of SSL in my opinion is secure transmission of data from users to server and back.

    That's the only purpose, no?

    And also that the site you're connecting with is actually the site it claims to be. So secure data transmission and identity verification*.

    *And yes the current implementation makes the identity part rather sucky.

  • raindog308 said: Here is a concrete example: distributing OpenBSD binaries. How does having those served over https improve security vs http? They're already signed and verified through a different cryptographically secure system, and https doesn't really protect against that anyway. There is nothing in them that needs eavesdropping protection because they're published to the world.

    I am not a PGP expert. Doesn't this assume that I have a mechanism to verify the binaries using PGP? PGP can only be verified if I somehow authenticate the key by meeting somebody in person or trust someone who trusts that key... SHA of openbsd binaries cannot be relied upon if they were listed in HTTP websites (since people can change the binary and the checksum en route). This is the value that HTTPS adds. I can download a binary from openbsd servers and verify checksum. I can then go to other 5-6 https websites and double check the checksum value (for the off case that bsd servers itself got hacked). It's unlikely all the 4-5 https websites got all hacked. But with http one can easily forge the response of those websites without taking over the servers. Happy to be corrected :-)
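The cross-checking described in the post above can be scripted. The following is an added example for this page, not code from the thread or from the OpenBSD project: it hashes a downloaded file, parses BSD-style SHA256 checksum lists of the form `SHA256 (file) = <hex>` as several sources would publish them, and reports which sources agree, which disagree and which do not list the file at all; the download counts as verified only if at least one source lists it and none disagree. The file contents, file names and source labels are constructed placeholders. The signed-file check mentioned earlier in the thread remains the stronger mechanism; this only shows the checksum comparison the post describes.

```python
import hashlib
import hmac
import re

# BSD-style checksum line, as sha256(1) prints it: SHA256 (file) = <hex>
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})$")


def parse_checksum_list(text):
    """Parse a SHA256 checksum list into {filename: hex digest}; other lines are ignored."""
    digests = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            digests[m.group("name")] = m.group("digest").lower()
    return digests


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cross_check(filename, data, sources):
    """Compare the file's SHA256 against the digest published by several sources.

    sources: {source_label: checksum_list_text}
    Returns the local digest, which sources agree, which disagree and which do
    not list the file. 'ok' is True only when at least one source lists the
    file and every source that lists it agrees with the local digest.
    """
    local = sha256_hex(data)
    agree, disagree, missing = [], [], []
    for label, text in sources.items():
        published = parse_checksum_list(text).get(filename)
        if published is None:
            missing.append(label)
        elif hmac.compare_digest(published, local):   # constant-time compare
            agree.append(label)
        else:
            disagree.append(label)
    return {
        "digest": local,
        "agree": agree,
        "disagree": disagree,
        "missing": missing,
        "ok": bool(agree) and not disagree,
    }


# --- Constructed sample: a fake "binary" and three published checksum lists ---
FILENAME = "base.tgz"
GENUINE = b"pretend this is the real archive\n"
TAMPERED = b"pretend this is a modified archive\n"


def make_list(data):
    """Checksum list a mirror would publish for FILENAME plus one unrelated file."""
    return "SHA256 (%s) = %s\nSHA256 (other.tgz) = %s\n" % (FILENAME, sha256_hex(data), "0" * 64)


SOURCES_HONEST = {
    "origin-mirror (https)": make_list(GENUINE),
    "mirror-2 (https)": make_list(GENUINE),
    "announcement archive (https)": make_list(GENUINE),
}
# Same idea, but one source's list reached us over plain http and its line for
# FILENAME was rewritten in transit to match a modified archive.
SOURCES_ONE_ALTERED = {
    "origin-mirror (https)": make_list(GENUINE),
    "mirror-2 (http, altered in transit)": make_list(TAMPERED),
    "announcement archive (https)": make_list(GENUINE),
}

if __name__ == "__main__":
    print(cross_check(FILENAME, GENUINE, SOURCES_HONEST))
    print(cross_check(FILENAME, GENUINE, SOURCES_ONE_ALTERED))
    # The post's scenario: file *and* checksum both swapped on the one http
    # path; the https sources still expose the mismatch.
    print(cross_check(FILENAME, TAMPERED, SOURCES_ONE_ALTERED))
```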
