Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Chrome Encryption Google The Internet

Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) 216

An anonymous reader writes: Permanent changes are planned for future Google Chrome releases, which will add a big shiny red cross in the URL bar if the website you're accessing is not using HTTPS. Google says it is planning to add this to Chrome by the end of 2016, after one of its developers proposed the idea back in December 2014. Many have argued that the web is predominantly unencrypted, so they're displaying a persistent and ambiguous error message for a large portion of the Internet. Since unencrypted content is not an error state, the Chrome team should use alternate iconography, because the default error message this will just confuse average people, and it will encourage error blindness.
This discussion has been archived. No new comments can be posted.

Google Will Soon Let You Know By Default When Websites Are Unencrypted

Comments Filter:
  • title (Score:3, Insightful)

    by Anonymous Coward on Friday January 29, 2016 @04:01PM (#51398853)
    I thing the OP wanted the title to be "Google Chrome" Maybe one of the mods can fix that by at least replacing Google with Chrome.
  • Using that logic: The web is predominantly for porn. So we should label exceptions as SFW (Safe For Work).

  • Wait... (Score:5, Interesting)

    by RJFerret ( 1279530 ) on Friday January 29, 2016 @04:28PM (#51399009)

    So we used to have a simple system, see http:/// [http] on the URL bar, or see https:/// [https] on the bar.

    Then some idiot got the bright idea of hiding the start of the URL, so users could be ignorant or infuriated.

    Now they are going to use another symbol to indicate the lack of an "s"?

    Have I really got this right?

    (Hopefully in the future the symbol will be clarified by replacing it with a sequence of letters.)

    • This. Yes you have it right. They took a page right out of Microsoft's book and oversimplified the address bar to the point where people who were capable of learning the difference between HTTP and HTTPS or a search term and a URL no longer have the opportunity, and then they complain of computer illiteracy...

      This shit irks me to no end. Windows is full of examples (hiding file extensions by default for instance)
      • To be honest, a file extension as synonym for type of file was an asinine hack from day 1.

        Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

        • Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

          How would a portable program specify the content type of its output? The standard library of ISO C provides no way to manipulate "another data field of the OS". Nor does the standard library of ISO C++. Which well-known multi-platform programming language's standard library does?

    • Re:Wait... (Score:5, Informative)

      by XanC ( 644172 ) on Friday January 29, 2016 @05:01PM (#51399261)

      What we've learned is that not all HTTPS are created equal. There could be insecure ciphers, mixed content, insecure signatures, vulnerabilities, what have you. Just looking for the "s" isn't enough. It's a very good thing that the browsers, which can look at all the factors, are giving better hints about whether a connection is trustworthy.

    • Re:Wait... (Score:4, Insightful)

      by thegarbz ( 1787294 ) on Friday January 29, 2016 @05:11PM (#51399337)

      So we used to have a simple system, see http:/// [http] on the URL bar, or see https:/// [https] on the bar.

      Are you on mad? They are both the same. Oh wait let me get my glasses. Oh they are slightly different. What the hell does the s mean? and that http thing? and why are there those two dots and the slashes? Is one supposed to be good and the other bad or something? If one is good and another is bad why not just replace them with a red x and a green tick?

      Why does every software developer think that ever user is a damn guru hacker who knows that the big box under the screen is called the HDD? Wait what do you mean that's not right either? ffs I just want to surf the web, leave me alone with your complicated hacker stuff.

      *An excerpt of a conversation many people have had with the very few computer users who understand the difference an s can make in the titlebar.

      • I'm not an engineer! I just want to sit behind the steering wheel and drive the horseless carriage, I don't care about the pedals and sticks.
    • Re:Wait... (Score:5, Informative)

      by JesseMcDonald ( 536341 ) on Friday January 29, 2016 @05:48PM (#51399649) Homepage

      So we used to have a simple system, see http:/// [http] on the URL bar, or see https:/// [https] on the bar.

      Only http:/// [http] is hidden, so users can still look for https:/// [https]. In fact, the difference is even more obvious than before: instead of just one missing letter, the entire protocol field indicates whether the connection is encrypted.

    • I know that, at least in FF, you can re-enable [mozilla.org] the /https?/ prefix in about:config.

  • by dissy ( 172727 ) on Friday January 29, 2016 @04:29PM (#51399019)

    I can't see any problem with showing clear icons for the state of the connection, which includes unencrypted being distinguishable from encrypted with a cert signed by an untrusted party (aka self-signed) vs a cert signed by a trusted party.

    It's better than the current state of things, where the web browser programmers out right mis-interpret what is going on and potentially lying to the user.

    For example, if I run my own CA and sign all of my own certificates, and push my CA public key by hand to computers intended to access my server, verified by hash fingerprints - this is arguably MORE secure than a "secure" public CA signed certificate that I have no control over.
    After all I know exactly who signs certs with my CA - me - and despite what the public CAs and web browser programmers claim, I in fact do trust myself.

    CAs are known to have signed fraudulent certs, so they are not the ultimate high tier of trust.

    Of course the self-signed situation described above is very different from random snakeoil.crt style self-signed certs where the only possible way to verify the servers identity is to check the thumbprint hash. And who has time for that?

    Displaying the lowest tier of security icon for non-https sounds just as useful as it has been since SSL was invented.
    (After all, a lock vs a lack of a lock works good enough for anyone that cares about encryption, but I could care less what the two icons actually are of)

    At least Googles approach is better than Mozillas by an infinite amount!
    I'd rather use Chrome and at least have it bitch about the lack of SSL while still actually showing me the webpage.
    Firefox will soon actively remove non-https support and display an "unknown protocol 'http'" error instead.
    Hope you don't like browsing .html files locally in firefox :P
    https://blog.mozilla.org/secur... [mozilla.org]

    • You apparently did not bother to read the blog to which you linked:

      It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

  • Now I have to pay someone else to have a web site that will visible to the public.

    My website is primarily static information (actually, it is only static information). I don't exchange any data (other than standard log files) ... I don't even use cookies. Now big-ass Google is coming in and I need to pay someone else to have an encryption certificate.

    If things were bad enough, the last one I tried to implement ... after three days I was not able to implement SSL on my server (help!?!). I suspect th
    • by ChadL ( 880878 ) *
      Free certificates can now be gotten via https://letsencrypt.org/ [letsencrypt.org]. Its still in public beta, but functional. For help on the how to set up encryption, LetsEncrypt's client can take care of few web servers, but for more specific instructions you would need to disclose what web server software your using.
      • by Bomarc ( 306716 )
        Thank you for the URL, however 'letsencrypt.org' won't work (that I can see) for me... I have windows servers (only worried about one that is public facing). It appears that they only support Linux.

        Plan "B"?

        I've been trying to replace / upgrade the my key server; the upgrade is dependent on a change to the network. The change to the network involves finding need documentation on non-straightforward 'rout' commands.
        • by ChadL ( 880878 ) *
          It appears at least a few people have had luck with using it on Windows here [letsencrypt.org], but the results certainly appear mixed and no official clients are offered.
          I've not touched a Windows server since the days of 2k (and never ran SSL on it), so... I can't really provide much useful assistance I'm afraid.
        • The Let's Encrypt project will work just fine with Windows servers. You just need a compatible ACME client, and there are a few options available:

          ACMESharp [github.com]

          letsencrypt-win-simple [github.com]

    • Now I have to pay someone else to have a web site that will visible to the public.

      You already have to pay your domain registrar and hosting provider.

      Now big-ass Google is coming in and I need to pay someone else to have an encryption certificate.

      But you don't have to pay StartSSL, WoSign, or Let's Encrypt for a TLS certificate.

      • by Bomarc ( 306716 )

        You already have to pay your domain registrar and hosting provider.

        I actually tried to avoid an itemized list. (Hosting provider: My basement)

        But you don't have to pay StartSSL, WoSign, or Let's Encrypt for a TLS certificate.

        As noted: After three days of working on just this problem; I was not able to implement SSL.

        • by tepples ( 727027 )

          You already have to pay your domain registrar and hosting provider.

          I actually tried to avoid an itemized list. (Hosting provider: My basement)

          You already have to pay your domain registrar and your home ISP. Many home ISPs' acceptable use policies prohibit running a publicly accessible server from your basement, and they enforce it either through a firewall (blocking inbound connections on 80/443 or on all ports), through carrier-grade network address translation (CGNAT) which doesn't give your computer a public IPv4 address in the first place, or simply through threat of having your home disconnected from the Internet for twelve months. To avoid

          • by Bomarc ( 306716 )

            You already have to pay your domain registrar and your home ISP.

            I actually tried to avoid an itemized ... oh well

            Many home ISPs' acceptable use policies prohibit running a publicly accessible server from your basement, and they enforce it either through a firewall (blocking inbound connections on 80/443 or on all ports), through carrier-grade network address translation (CGNAT) which doesn't give your computer a public IPv4 address in the first place, or simply through threat of having your home disconnected from the Internet for twelve months. To avoid this threat of disconnection, many customers upgrade to a business-class plan that includes an IPv4 address with inbound and no server ban in the AUP.

            ... one key term (missing) "commercial"; for profit; (If they start blocking, I switch ISP's... there are three nice ones in the area. It is good having a little competition) I'm using my server as an non-profit information portal. The technique also can route traffic to different ports (using 6 now) based on the actual domain (URL). As for CGNAT implementation ... I'll start bitching about being blocked by wikipedia [wikipedia.org] and other broken websites. I will con

  • by Lauren Weinstein ( 828974 ) on Friday January 29, 2016 @04:38PM (#51399083)
    I'm forced to agree with this Slashdot poster. The use of a red X in this context will confuse users about perfectly correct and properly working websites, particularly legacy sites that carry no practical risks and contain widely referenced information, but that cannot be upgraded to SSL in a practical manner. The most likely outcome will be users learning to ignore such warnings completely because they will be so widely present and widely viewed as "crying wolf." It is also likely that many sites will push back against Google on this by posting explicit messages on their pages explaining to users that Google is playing Mommy and that nothing is wrong with their sites. It is perfectly acceptable and reasonable for Google to encourage the use of SSL. However, the approach being discussed is not helpful and is likely to even be counterproductive. REFERENCE: "When Google Thinks They're Your Mommy" - http://lauren.vortex.com/archi... [vortex.com]
    • There's no such thing as crying wolf in this case. The users just need to be taught if you see red, don't enter your credit card.

      I see red sign and red x all the time, but they often have context as to what I can and can't do with them. This is no different.

      • Exactly right.

        I swear, techies are so egotistical and think that nobody can possibly understand stuff.

        Just spend some time training instead of immediately assuming that people will be confused.

        More likely, techies are just lazy or afraid of dealing with people and would rather find the "solution" that involves the least amount of face time possible.

    • particularly legacy sites that carry no practical risks

      There is no such thing. It doesn't matter whether the content of the connection is particularly sensitive; whenever you connect to any Internet site over an unauthenticated connection, an attacker can take advantage of that opportunity to substitute malware in place of the innocuous data you expected. Malicious scripts, injected third-party ads, exploit-riddled media filesâ"unprotected connections offer endless opportunities for those so inclined to take over your PC. The only way to protect yourself a

  • So my simple web server, serving up some basic info - like maybe my most recent cat photos.. Are you saying that I *must* use SSL to do this? And to make SSL work I have to pay to get a certificate (cuz I don't really trust the freebie options yet). All so that visitors to my site will *know* that they are looking at cat pictures securely? That doesn't really make too much sense, and seems to suggest a broad assumption about the main purpose of web sites. Not everything requires an encrypted channel.

    • I don't think anyone has ever said that.

      All this is doing is upping the ante a little bit by expanding on the idea of the "lock" icon. As in, we have visual cues that tell us when a connection is secure, why not have some visual cues for letting us know a connection is not secure.

      As far as I know, nobody is talking about refusing connections to non-secure sites.

      Also, this is a Chome only thing. If you don't like it, use a different browser. Google is known to use their market dominance as a bully pulpit.

    • So my simple web server, serving up some basic info - like maybe my most recent cat photos.. Are you saying that I *must* use SSL to do this?

      If you don't use SSL then you're putting your users at risk, not because someone might find out that they're looking at cat pictures, but because someone can tamper with the unprotected connection and inject malware which appears to come from you.

      And to make SSL work I have to pay to get a certificate (cuz I don't really trust the freebie options yet).

      That's your problem. The free certificates work just fine, so there's no need to pay unless you run a big enough operation to warrant an EV certificate.

  • On install or setup ask if they would prefer SSL only results/sites and inform them after the fact they elected for the option if they want to proceed to an unecrypted site. Kind of the same thing with sites that have certificate errors.

    As others have said the warning thing will just add a layer of complexity that users ultimately won't understand.

  • Cacheable pages might have ads, but they're not The Right ads.

No spitting on the Bus! Thank you, The Mgt.

Working...