Google remove secure mark from SSL enabled websites
liveinhost
Member
in General
Google is assuming that the web is safe by default. And, if there is no SSL, it will be marked "Not Secure".
Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).
Source : https://blog.chromium.org/2018/05/ev...ndicators.html
Comments
Finally.
I've had many overeducated employees hand out credentials as "the site(browser) said it's secure."
Secure, therefore safe to watch porn, download malware, and TeamViewer into wife's computer to search for evidence of cheating.
This is what market dominance helps in dictating what they want, so govt cannot snoop into their customer data theft for so called personalized ads.
Well, expected, they moved the TLS info to the developer tab before.
So a simple click won't make it, now they are removing that... bullshit.
With Firefox, you can get the certificate info with a single click.
They should fix their fucking ERR_SSL_PROTOCOL_ERROR on chrome
Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.
Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html
ssl/tls protects only somewhat from little brother, not from big brother. Plus, it's not as much for protection, as it is for delivering nicely encapsulated, closed advertising towards the end user. Encrypted data shall pass deep packet inspection, filtering proxies too. Also streaming encapsulated paid content, for example. https is good, but is being pushed forward due to all the wrong reasons - more control over the users. Same as it used to be with encrypted digital television pushing out terrestrial analog - DRM. It's not that the big guy cares about you little fella, he just wants a better leash.
That's OpenSSH, not TLS/SSL.
EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.
And Chrome is Chrome and not TLS. So?
As far as I'm concerned I regret my quite substantial factual and practical knowledge of TLS/SSL ...
But there is some good news too. Sometime soon (well, ...) there will finally be a verified TLS implementation of 1.3 (or 1.4). I'd add that verified != properly designed.
So... what does the link have to do with your claims that "TLS (and SSL) are not trustworthy"?
...
The context here suggests 2 to the 128+ as relevant range and you call 8 a "large number"? Seriously? Then you assert that a "large amount of people" [of the 8 in this thread excl. yourself] have very little factual knowledge of TLS. Based on what?
Be a little more forgiving to others and try to avoid personal attacks and belittling others here.
More and more malware sites have Let's Encrypt SSL, so it's a right choice.
After reading, I still don't understand how this problem links with the conclusion:
Seems to be empty.
Anyway, the title of this thread may be considered slightly misleading because it's specifically about the browser Chrome (Chromium) and not about Google per se (other than that Chrome is a product made by Google).
TLS doesn't somehow magically shield and protect. Much, for example, depends on really understanding it and on using it (the library) properly. This includes both the usual things (like e.g. pointers to buffers) and security specific things.
OpenSSH obviously failed (see article) and the OpenSSH people are certainly no idiots. So maybe, just maybe, it could be imaginable that others using TLS libraries also made some bad judgements, misused the lib or made plain errors?
Don't forget that applications don't get secure by this or that concept (e.g. TLS) but by properly using IMPLEMENTATIONS and by properly crafting one's own stuff on top of a library. Also don't forget that SSL/TLS libraries also need proper design and coding - which is well known and proven to not always be the case.
@jsg So, in short, you're assuming the people who created TLS (and SSL) are doing things wrong. Just because OpenSSH (a completely different protocol) failed?
No, meanwhile I assume that you understand neither me/what I say nor TLS.
Btw. The SSL/TLS people HAVE done quite some things wrong. That is well known.
Oh and btw, compared to the OpenSSH developers the OpenSSL people indeed ARE a bunch of losers (they made some mistakes but still the OpenSSH devs are a very fine and competent bunch of professionals).
Finally think a bit just for a second: what REAL service do you provide by blindly defending SSL/TLS?
Oh my god! no! Where will we ever get free certificates like from Let's Encrypt that would help us avoid this issue..!
Yes sarcasm. We have known this is coming for 2 years. If you can't act in 2 years, well you are fucked anyways.
Also, this is mainly a challenge for shared hosting where hosts do not allow LetsEncrypt certs or enable individuals to self-install their certifications.
If you are worried about big brother, maybe we should quadruple sign everything. At least make it hard if not impossible.
The problem (well, largely) is not crypto but implementation. And of course a completely rotten stack from the processor upwards. What security can you get when quite some bigger brothers can control your processor and PCIe bus (translation: your whole damn system)?
Sooner or later "the 2nd Snowden awakening" will come and it won't be pretty. Then we'll learn that their problem anyway wasn't to hack us but only to do it in ways we don't see but feel oh so safe with TLS, Let's Encrypt and funny certificates.
You're starting to sound like @bsdguy again.
Is that some weird insider game? Whatever, I don't care. In my universe it's not at all a problem to have views similar to some other people.
How about worrying about REAL issues?
You might want to, for example, look for "Minix inside intel chipsets" or for kernel bugs (read: potential vulnerabilities) in all major OSs or for bugs in OpenSSL (and lots of other important libraries) or for a major SSL/TLS co-designer and also otherwise major figure in SSL/TLS circles (e.g. Let's Encrypt) reporting on bad decisions, serious problems, lack of verification, etc.
I'd LOVE to be wrong but I'm afraid "you sound like XYZ" or "I don't like your hair and clothes" won't change facts or bring us forward or iron out bugs in important software. So, I suggest we stick to the matter.
If you're right about the (negative) practical consequences (as opposed to the merely theoretical situation), then the end is indeed near.
I personally think that climate change will negatively affect all of us sooner, but that's probably just me.
People asked you why you had some long-winded rant about Google / TLS but linked to something completely unrelated about OpenSSH. As a result you attacked them as 'defending the other side blindly' for only asking what you were on about.
/r/iamverysmart material all over this thread compliments of @jsg.
PS: Before you ask what I get - just a small stipend from Google and the Koch Brothers for every single positive thing I say about TLS.
Will they now penalize the ranking of sites with no SSL?
They might, but this thread is really about the browser Chrome/Chromium, as I tried to say earlier above.
Please note that I largely talked about well known facts. The "2nd Snowden awakening" however was indeed a mere assumption.
You'll probably turn that against me but if you really think that OpenSSH and SSL/TLS are "completely unrelated" you obviously lack relevant understanding.
I see. So I should put the experience of my profession and everyday job aside and instead offer arbitrary memes preferably ones in favour of TLS?
I didn't and still do not assume that you are a paid shill. I know quite well that very many people hold similar beliefs and that's OK unless they are in the field of IT security, in which case they should know better (but might have different reasons guiding their view).
Unfortunately OP's link doesn't work but I guess that Google might increasingly "punish" sites using SSL or even using TLS < 1.1 (or whatever).
I personally was always opposed to enforcing sites to use SSL/TLS. That said I would however support "punishing" sites using old versions. IF one is using SSL/TLS then one should use min. TLS 1.2 and not e.g. SSL 2.0 and/or weak algorithms (e.g. SHA-1).
P.S.: WPA2-PSK, a very widely used protocol (WiFi), has been hacked and should be considered insecure. Not directly related to SSL/TLS but yet another example of what I talk about and what I consider a major problem field.
I am just converting my sites to Lets Encrypt. Is that enough?
Not really. You also need to configure anything TLS based properly, e.g. to not accept SSL and to only use a reasonable set of algorithms. But that's largely specific for each server software so you'll have to search for something like "configure TLS 1.2 for [your server, e.g. nginx]".
Or you could use https://cipherli.st/ by @raymii or Mozilla's page for recommended configurations.
https://Cipherli.st is a quick and easy copy paste if you're experienced and know what you're doing. I recommend reading the Mozilla wiki page to get a better understanding of the behind-the-scenes.
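
Added example, not part of the original thread or any poster's code: a small audit of the two nginx settings the replies above point at (which protocol versions are accepted, and which ciphers are allowed). Both sample configs are constructed, and the weak-token list and the choice to treat everything below TLS 1.2 as legacy are assumptions of this example.

```python
import re

# Protocol names older than TLS 1.2 (treated as legacy in this example).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names treated as weak (assumption of this example).
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP")

# Constructed sample: legacy protocols and weak ciphers still enabled.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;  # legacy versions still accepted
    ssl_ciphers 'HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL';
}
"""
# Constructed sample: TLS 1.2+ only, explicit AEAD cipher list.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;
}
"""

def directives(conf, name):
    """Return the argument string of every `name ...;` directive, ignoring comments."""
    body = re.sub(r"#[^\n]*", "", conf)
    return [m.group(1).strip() for m in re.finditer(rf"\b{name}\s+([^;]+);", body)]

def audit(conf):
    """Return a list of human-readable findings for one nginx config text."""
    findings = []
    protocols = directives(conf, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: falls back to the build's default")
    for args in protocols:
        findings += [f"legacy protocol enabled: {p}"
                     for p in args.split() if p in LEGACY_PROTOCOLS]
    for args in directives(conf, "ssl_ciphers"):
        for entry in args.strip("'\"").split(":"):
            # '!' and '-' entries REMOVE ciphers, so '!MD5' must not be flagged.
            if entry.startswith(("!", "-")):
                continue
            if any(tok in entry.upper() for tok in WEAK_TOKENS):
                findings.append(f"weak cipher allowed: {entry.lstrip('+')}")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```
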