Chrome will mark ALL HTTP sites as insecure - Page 4

Comments

  • jvnadr said: The term "not secure" is inaccurate. It is a technical term that can be received in a totally different way by the end user without technical knowledge (like the big majority of the people that surf the web).

    Right on. The majority of surfers will indeed probably see this as "you are in danger" and not understand what is going on. Does Google care?

    bsdguy said: Yay, let's get into definition games!

    The thing is that the problem is not nomenclature, but communication. What does "Not secure" convey to the average user?

  • bsdguy Member
    edited February 2018

    @Ole_Juul said:

    bsdguy said: Yay, let's get into definition games!

    The thing is that the problem is not nomenclature, but communication. What does "Not secure" convey to the average user?

    Actually that's a (not really) funny two sided issue. From a professional point of view I know and accept as perfectly normal that nothing is secure. Every algorithm in the end comes down to a probability -and- a (quite probably correct) set of assumptions -and- a (typically reasonable) set of parameters.

    One such very typical assumption (actually a lumped together set) is that any statement we make about security assumes an enemy that has plus minus about the same knowledge and tools that we have. So, e.g. the statement "aes-256 is secure" means and implies i.a. "against a human adversary" as opposed to, say aliens. It does not mean "an aes-256 encrypted message can not be deciphered by any entity in the whole universe, now as well as in 10000 years".

    Normal Janes and Joes, however, just want a guideline, something like "rsa-3k and higher is 'secure'" (which is perfectly reasonable for them). I guess (can't do better as I'm too deep in the matter) that e.g. "rsa-1k is not secure" to them means something like "stay away! Danger lurking here".

    But my related point was a slightly different one, namely that if we security guys, crypto guys etc, do a good job, Jane and Joe can afford some level of ignorance. It's somewhat similar to "I don't need to study medicine for years. My doctor did and he 'compressed' his profound knowledge into an easy to understand and easily applicable for me so that I can afford some ignorance and just, e.g. take the pills he gave me".

    Similarly, we (as well as generally in IT development) should do our job properly and provide digestible and practical guidance to the Janes and Joes. Unfortunately it's not as simple as that in real life because diverse factors (e.g. greed or belief systems) contort things. One example is ssl/tls which by quite many is preached all over the place while actually being a rather questionable pile of pieces of very different quality.

    Moreover, as a professional I have to ask "is the implementation verifiably OK? Is the design verifiably OK? What probability offer the involved algorithms in terms of being reliable, safe, and secure? Plus the same for the involved protocols; are they OK, too, and verifiably and verified so?" Unless the answers to all relevant questions are a convincing - and verifiable! - "yes" there is simply no basis to call ssl/tls secure. So, what are the facts? tls 1.3 is currently being properly verified (but it has not been designed properly!) and at the same time implemented in a proper fashion - unfortunately, though, in a (mostly formal but also implementation) language (f-star) that itself is at best beta and moreover doesn't lend itself as well as one would like to general use (in particular in terms of ffi). As for the algorithms, those have been designed with diverse degrees of quality and the same is true for their implementations. All in all I can't but come to the conclusion that preaching tls is charlatanery, well intended charlatanery often, but still.

    Usually after some heated discussion I'm confronted with the "reality" argument in different forms, along lines like "but we don't have anything better" (wrong, btw; true only referring to some widely used protocols like https), "it's better than nothing" (dangerous beast; in some way sadly true but at the same time risking to create millions of uninformed users who think they are safe) or "but it serves us well since years!" (wrong, too. There have been plenty clusterfucks we know. Any sane person should be even more afraid of the ones we don't know yet...).

  • In June 2018 all sidewalks that run beside roads will be signed as unsafe.

  • This is indeed a great move but most of the users have to change the domain name from http to https to avoid the negative impact of this on SEO. :)

  • 24x7servermanagement said: This is indeed a great move but most of the users have to change the domain name from http to https to avoid the negative impact of this on SEO. :)

    You're holding it wrong.

  • First-Root Member, Host Rep

    As long as they just show a notification instead of stopping the connection it's fine. But I fear that they won't stop and will sooner or later start banning out unencrypted websites

  • @FR_Michael said:
    As long as they just show a notification instead of stopping the connection it's fine. But I fear that they won't stop and will sooner or later start banning out unencrypted websites

    So what? Then you use a browser that serves you rather than one limiting you.

  • bsdguy said: Then you use a browser that serves you rather than one limiting you.

    I was thinking the same thing. There are a lot of browser choices out there these days, and some of them work very well.

  • First-Root Member, Host Rep

    @bsdguy said:

    @FR_Michael said:
    As long as they just show a notification instead of stopping the connection it's fine. But I fear that they won't stop and will sooner or later start banning out unencrypted websites

    So what? Then you use a browser that serves you rather than one limiting you.

    true

  • This will be a pain for some for a little while, like it was when we transitioned from HTML attributes for design to CSS back in the day. Ultimately, it's a positive move, although I dislike Google's self-imposed title of "boss of the interwebs".

    I look forward to seeing all hosting control panels and install scripts including LetsEncrypt or similar by default. None of my local shared hosting retailers currently offer a free cert, and I'm betting they're too incompetent or too greedy to rectify this before the rollout, so I'll be billing brochure site clients for SSL certs.

    I'm betting that EV certs will see a big increase in uptake, to add extra "trust" to eCommerce platforms and have them stand out from the crowd.
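The posts above talk about moving sites from http:// to https:// before the Chrome change lands. The script below is an added example (not part of this thread or of any poster's code) that audits a site's migration from captured responses: the plain-HTTP listener should answer with a permanent redirect to the same host over https, and the HTTPS response should carry a Strict-Transport-Security header with a reasonably long max-age so the browser stops trying plain HTTP at all. The sample responses, the hostname example.test and the 180-day max-age threshold are constructed for the example; the HSTS check is my own addition, not something the thread discusses.

```python
"""Audit an http->https migration from captured responses.

Checks (chosen for this example): the plain-HTTP listener must 301/308 to the
same host over https, and the HTTPS response must send a Strict-Transport-
Security header whose max-age is at least MIN_MAX_AGE seconds.
All sample responses below are constructed, not real captures.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MIN_MAX_AGE = 15_552_000  # 180 days, an assumed threshold for this example


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def header(resp, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_http_redirect(http_resp):
    """Findings for the response served on plain http://."""
    findings = []
    if http_resp.status not in (301, 308):
        findings.append(
            f"http listener returned {http_resp.status}, expected 301/308 to https")
        return findings
    location = header(http_resp, "Location")
    if not location:
        findings.append("redirect without Location header")
        return findings
    src, dst = urlsplit(http_resp.url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if dst.hostname != src.hostname:
        findings.append(f"redirect leaves the host: {src.hostname} -> {dst.hostname}")
    return findings


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains' into a lowercase directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(https_resp, min_max_age=MIN_MAX_AGE):
    """Findings for the response served on https://."""
    findings = []
    if urlsplit(https_resp.url).scheme != "https":
        findings.append("not an https response")
    hsts = header(https_resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        findings.append("HSTS max-age missing or not an integer")
        return findings
    if max_age < min_max_age:
        findings.append(f"HSTS max-age {max_age} below {min_max_age}")
    return findings


def audit(http_resp, https_resp):
    """All findings for one site; an empty list means the migration looks complete."""
    return check_http_redirect(http_resp) + check_hsts(https_resp)


# Constructed sample captures: a finished migration and an untouched site.
GOOD_HTTP = Response("http://example.test/", 301, {"Location": "https://example.test/"})
GOOD_HTTPS = Response("https://example.test/", 200,
                      {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
BAD_HTTP = Response("http://example.test/", 200, {"Content-Type": "text/html"})
BAD_HTTPS = Response("https://example.test/", 200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for label, pair in (("migrated", (GOOD_HTTP, GOOD_HTTPS)), ("untouched", (BAD_HTTP, BAD_HTTPS))):
        print(label, audit(*pair) or "OK")
```

Feeding it real captures is a matter of building the two Response objects from whatever client you use; the point is that "serves a certificate" alone is not the finish line, the HTTP listener has to push everyone over and the browser has to be told to stay there.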

  • huntercop Member
    edited February 2018

    I am offering SSL installation, cost is two human hearts per page on your website.

  • Another update: now it doesn't just say "insecure" but also highlights the URL in red when you type anything in a form on an HTTP site.
