Chrome 43 Should Help Batten Down HTTPS Sites 70
River Tam writes The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can't or is difficult to be modified. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag an 'mixed-content warning' in the form of a yellow triangle over the padlock.
Re: (Score:2)
Godawful editing on Slashdot? Say it ain't so.
Re:Where's the rest of the summary? (Score:4, Informative)
The summary is that they are introducing a new http header, this can be used to tell the browser to automatically use https instead of http to request resources used by the page. Thus avoiding "mixed content" warnings without requiring the website operator to go through the whole page (and potentially things like stylesheets referenced by the page) changing urls to https.
Hello, Chrome (Score:4, Funny)
Welcome to 2013. [mozilla.org]
Re:Hello (Score:4, Informative)
Nice try, but this is significantly different from what Firefox does.
From TFA:
The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today [chromium.org].
TFA's link to chromium.org essentially says the exact same thing:
Upgrading legacy sites to HTTPS
Transitioning large collections of unmodifiable legacy web content to encrypted, authenticated HTTPS connections can be challenging as the content frequently includes links to insecure resources, triggering mixed content warnings. This release includes a new CSP directive, upgrade-insecure-resources, that causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users.
Converting to plain English: If the URL says "http://", Chrome will first try the same link with "https://". You'll only see a mixed-content warning if the website fails to return content for the "https://" link. This obviously assumes that the website is running both HTTP and HTTPS, and that it will give the same content regardless of whether you use HTTP or HTTPS.
Your link to Firefox 23 only talks about issuing warnings for mixed content; it does not say anywhere that it attempts to retrieve the HTTPS version of an HTTP link.
tl;dr: Firefox just blocks it; Chrome looks for a safe alternative and only blocks if the safe alternative doesn't exist.
[ Disclaimer: I use Firefox; I have never used Chrome. ]
Re: (Score:2)
This is pretty useless if other browsers don't adopt the same model.
It just means some webdevelopers that forgot to test something in other browser might end up breaking sites unknowingly.
The first paragraph of TFA ... (Score:5, Informative)
Re: (Score:2)
No, it will not. It just shows a yellow triangle. If you want a security policy that does what you describe, then Chrome should not display that web site at all.
Re: (Score:2)
Re:Is this supposed to be a new thing? (Score:5, Funny)
Re:Is this supposed to be a new thing? (Score:4, Interesting)
Go read IE 7 goes RTM from slashdot circa 2006?
Webmasters freaked by SSL https:/// [https] won't display pictures with non secure hyperlinks.
This is not news as for 9 years ancient IE did not allow
Re: (Score:2)
If one of the the biggest banks in my country pulls in background images from http, on there https secure account login page, this can't be a security risk, can it?
It can be, if the bank's using that as the "known image" so you "know" you're on the correct page. Phishing attacks would become easier if attackers could use this to figure out which images were associated with which user accounts.
Re: Not a problem anyway (Score:1)
Yes it can. Man in the middle plus image library vulnerabilities, and similar for other content. Whose WiFi are you on? Do you fully trust them?
When I was in university, hacking your Linksys router to invert all images for people leeching of your open WiFi was all the rage... until someone went with goatse instead.
Chrome broke my VPN (Score:3, Funny)
When everything fails, you sell your soul to Satan and decide to fire up, gasp, internet explorer. For some odd reason it manages to get past all the hurdles gets the network extender running. Satan is laughing at St Murphy. St Murphy never loses, his revenge will come soon, and it will be swift.
In the meantime, caught as a mere pawn in the eternal battle between Satan and St Murphy I am ruing my fate and belly aching in slashdot.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2, Interesting)
As screwed up as this sounds I would take modern IE 11 over Firefox anyday.
I would have a psychotic episode seeing me type this 5 years ago but Firefox has gone to shit starting with 4. Actually 3.6 U noticed slowness too.
IE is great for running ancient shit intranet sites. Java is negligent to run as a plugin. Only few good reasons for IE is group policy to allow java to run on only intranet or trusted site lists. If your mcses at work have it enabled globally they should be slapped up the back of the head
Re: (Score:2)
I think Mozilla have more relevance to web standards and technology now. As a web developer i have a slightly conflicted view of FireFox, i think Mozilla are great, because of MDN and the active community developing FireFox and fixing bugs... But unfortunately the browser just sucks in too many ways these days, there are fairly serious bugs that stay open for many years, they keep re-writing large chunks of the browser only to have it still act buggy and perform poorly, i have no idea why because their seem
Re: (Score:2, Interesting)
It is your IT dept's responsibility to keep the VPN working, not Google's. Google has chosen to drop support for a 20 year old insecure plugin architecture in favor of a more modern, secure one. Sure, it's one developed by Google, but 1) there wasn't an existing standard out there AFAIK so they had to make one and 2) the plugin interface is open source so anyone can go and implement it in their own browser, or in their own plugin.
Oracle's official stance seems to be that Java users should switch to Firefox
Re: (Score:2)
Murphy's law means that whatever can happen, will happen. Matthew McConaughey taught me that, by having a career.
I guess that is fine (Score:1)
After all, we aren't in the days where pages could be returned in place of images and somehow still get parsed by web browsers like in days of old.
Holy shit that was an awful bug.
Can still be used for tracking though.
Summary misses out the actual feature... (Score:5, Informative)
What a shock, a slashdot summary that misses the actual salient point of the linked article...
Here's the description of the new feature from the linked article:
Here's Google's own description of the feature from the Chromium Blog [chromium.org]:
So basically this means you don't have to worry if you accidentally miss an HTTP asset link on your site when upgrading to HTTPS, Chrome will automatically do that for you.
Hopefully the other browsers will follow suit soon, otherwise it's of limited use.
HTTPS Everywhere - 3rd Party Certs? (Score:2)
Ahem.. https://www.eff.org/HTTPS-EVER... [eff.org]
The HTTPS Everywhere is a great idea, but how great when so many use self signed certs. This just gives the illusion of security. One of the biggest problems here is that browsers don't recognize legit free third party cert authorities like CAcert.
Re: (Score:3)
Ahem.. https://www.eff.org/HTTPS-EVER... [eff.org]
The HTTPS Everywhere is a great idea, but how great when so many use self signed certs. This just gives the illusion of security. One of the biggest problems here is that browsers don't recognize legit free third party cert authorities like CAcert.
I disagree that Everywhere is a great idea. Seriously, does it really matter if an NYT article or /. is delivered securely, or 99.9% of search queries?
Re: (Score:3)
Seriously, does it really matter if an NYT article or /. is delivered securely, or 99.9% of search queries?
Seriously, yes it does. It makes a big difference.
First there is paranoia, based in the obvious facts that throughout the course of human history aspersion have been cast, prosecutions have been level, executions committed, stakes burned, all with the evidence simply being something read - be it books or web page. Maybe nobody will get prosecuted for reading the NYT today, but human history has has episodes of tyrannical left/right turns. And what one reads in the NYT today will be logged and stored by p
Re:HTTPS Everywhere - 3rd Party Certs? (Score:4, Interesting)
"Does it really matter...." is an intellectually lazy argument. Yes it matters.
No it doesn't not for everything or even most things. You're over-thinking things and conflating the important with the unimportant, the big things with the little. Stop sweating the little things.
I used to get more worked up about things, like you apparently are, but then in late 2005, after 20 years together, my wife was diagnosed with a brain tumor and died, literally in my arms, just 7 weeks later. I heard her last breath, felt her last heartbeat and learned what the word "forever" means.
So, having my NYT or /. connection encrypted isn't really that important - my banking connection, yes, but I try to keep everything in perspective. The scenarios you've described lack some of that.
I'm not "intellectually lazy" I just know what is and is not important - for me anyway.
Also, entities like Google are not encrypting their connection to protect your privacy, it's to protect their revenue stream, so third-parties cannot skim ad/search information w/o paying Google for it.
Re: (Score:2)
Sorry about your wife. I can see how you might achieve certain perspectives after that.
Nervetheless, I think the scenarios I'm speaking of do have a valid perspective in this forum. This is /. and a internet privacy is a recurring and important topic, is it not?
Two points here:
1. Clearly our internet communications are being monitored by third parties outside the endpoints. Time, data, endpoints, and content. This data is being stored forever. To what end?
2. Encrypting everything is not that radical of
Firesheep (Score:2)
One thing TLS does is make sure that only you can post comments under the name fahrbot-bot, not somebody who copied your cookies by looking at your HTTP headers.
Re: (Score:2)
The Perspectives extension for Firefox mostly solves the problem of certificates from an unknown issuer. It uses "notary servers" scattered throughout the Internet to verify that everyone is seeing the same certificate. If the rest of the Internet is seeing the same certificate as you, it automatically skips unknown issuer errors for that certificate. (I haven't checked whether it's on other browsers.)
Re: (Score:2)
And if that resource for whatever reason is only on HTTP then your screwed?
Re: (Score:2)
The difference between things like this and what IE used to do is that the manner of fixing applied by Chrome is 1. documented, and 2. controlled by an HTTP header to which the server must opt in.
Great (Score:1)
So instead of going through and changing your pages to use https:/// [https] they want you to go through your pages and add a meta tag. (Yes I did read that there is an option to set it at the server level.)
run grep (Score:2)
Run grep on every article (or SELECT from your database) and on every script for http[^s]. Then open a bug for every one of them you find. You're done when every bug is closed and every regression test passes.
Oh shit, I forgot, web developers aren't engineers and aren't capable of doing the above. So this is really hard and can't be solved except by brilliant Google.
Something more useful (Score:2)
Create a plugin for a browser so that when you come across a page that has mixed content it finds out the contact information for the site and sends them a message how stupid they are automatically. Stop bugging me with warnings since I can't do anything about it. It's time to inconvenience the bad developer who made the page until they fix it.
Chrome is severely broken (Score:2)
More info on Security Now #502 [grc.com]
Re: (Score:3)
Re: (Score:1)
I'd be even more worried about their handling of certificate revocation. If you aren't on their special list, your cert isn't revoked.
great, chrome becomes even more annoying (Score:4, Interesting)
For a good long while it's been annoying when dealing with mangled SSL configurations - at least firefox let's you tweak stuff in about:config to work around them. [ryananddebi.com]
No, getting the site fixed is not always an option, and validation of the certificate is not always necessary. For instance, there was a good long while where Chrome was completely unusable with some of our ZFS storage appliances (which live on a nonrouted private management network) because of retarded cert validation changes. Sure, that makes sense when you are visiting your bank's site... but not so much when you're trying to get into something on 10.0.0.0/8 when you're directly connected to the thing with a crossover cable... and no, updating the software in the controller wasn't an option because of outstanding critical-level bugs.
Fun times.
Re: (Score:2)
No, because the vendor appliance does not allow non-ssl connections. Neither can you supply your own certificate/CA data.
Re: (Score:2)
Ancient sun hardware.
There may be a way to do so as it's running Solaris under the hood (getting to it is possible but comes with all sorts of "you are about to break warranties" types of warnings), but it's certainly not visible in the interface.
https^wmetadata everywhere (Score:3)
The push for https everywhere also means there is more metadata floating around. If all your are looking at is the metadata and not the data stream, https gives an observer more info about what is going on than with just http. Once you get into properly verifing certs, both sides and an observer has more info to tie a converstaion between a specific client and a server.
You can see this yourself by getting something that does netflow and look at the data that comes from that.
Some more usefull info (Score:2)
From https://www.chromestatus.com/f... [chromestatus.com]:
This feature allows authors to ask the user agent to transparently upgrade HTTP resources to HTTPS to ease the migration burden.
So it is the content provider which decides if this is being used.
It is not only a Google thing, check the Firefox bugzilla:
https://bugzilla.mozilla.org/s... [mozilla.org]
And the W3C Draft:
https://w3c.github.io/webappse... [github.io]
This is in my opinion a good thing, it leaves all control in the hands of the content provider and supports the move to encryption everyw
maybe they should worry about fixing bugs first (Score:2)
Like bugs in features that people actually want to use - http://ark42.com/chrome/ [ark42.com]