Google Proposes To Warn People About Non-SSL Web Sites
mrspoonsi writes: The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement, which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
503 (Score:2, Offtopic)
Did slashdot just die and silently come back up? I was getting 503's and "offline mode", logged in and out for ages, then suddenly its just working again. Anybody else experience anything like that?
Re:503 (Score:4, Interesting)
Yep, same here.
On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working. Ok, technically, it's just a change in the browser, but the semantics are obviously meant to "encourage" everyone to switch to HTTPS. However good an idea some of us think that is, it's not up to you.
This is why people are getting freaked out about the power you hold. You're starting to demonstrate that you're not afraid to *use* that influence to simply push things to work however you want them to. You've already done that once by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.
Am I overreacting here? Or is Google going too far, too fast with this?
Re:503 (Score:5, Insightful)
Nah... When getting concerned about control, the following usually holds true:
Rules that inform are good.
Rules that control are bad.
This rule informs. It's good. :-)
This has been a public service announcement.
Re:503 (Score:5, Insightful)
This rule misinforms. There is nothing alarming about a site not having encryption enabled. A security pop-up is very alarming to the average uneducated user. It's bad enough with the "this site is untrusted" warnings whenever self-signed certs are involved. I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
Ultimately this is lying to your users because you believe that they are not technology-literate enough to make the right choice.
I get that making a secure product that is easy for the average mook is hard, but social-engineering your way around ignorance is a lazy shortcut.
Re: (Score:3)
Also, it will make people accustomed to the pop-up by giving so many false positives. So much that, when it actually matters and they are sending information, they'll just ignore it because it comes up 10 times per day anyway.
Re: (Score:3)
What about when it misinforms?
If I go to a local restaurant site that does not take orders and it is not running SSL just how is it insecure?
It is like a warning that a public park is insecure because it doesn't have a burglar alarm.
Also just because a site uses ssl does not mean that it is malware free or that it has not been hacked and all the user data taken.
When is a false sense of security a good thing?
And please do not tell me that I should worry about the NSA knowing that I was looking at restaurants
Re:503 (Score:5, Insightful)
On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working.
Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).
In any case, Google hasn't formally announced a decision yet, it has merely made a proposal public and started a discussion on the subject requesting feedback. The fact that everyone is condemning Google for this proposal vindicates all the companies that keep their discussions private and out of the public eye until they work them out -- all secretly first.
Re: (Score:3)
Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).
IE taught us that this kind of thing doesn't happen quickly - web developers _still_ have to deal with IE's buggy rendering, despite good alternatives having been available for 15 years. Ok, IE has got better but it's still not great. Users don't see this stuff as a browser problem - if your website doesn't work right then the users see it as a problem with your website.
Re: (Score:2, Insightful)
... You've already done that once by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.
Am I overreacting here? Or is Google going too far, too fast with this?
You are overreacting. It's a positive step and there is no good reason in 2014 that all internet traffic should not be encrypted. Oh, and it's a free browser and there are other options both free and proprietary.
Re: (Score:2)
This. Grandparent's being overdramatic.
Re:503 (Score:5, Insightful)
Not overreacting, but not thinking rationally here either. Google may be going too far alone, but they are definitely not going too fast.
It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.
Google have been quite pushy, but with interesting result. The world hasn't blindly bowed down to them but rather increased the speed at which they have solved other long standing problems which were getting no interest. I'm hoping the same thing will happen here, that one company doing something different may spur people into fixing what I believe is a horrendously broken approach to security.
Re: (Score:2)
I am just fed up with Google dumbing down the web browser and turning Chrome into our way or the highway. Cases in point:
- refusal to support APNG
- hiding protocol in address field URL
I am hesitating whether to go back to Firefox.
Re: (Score:3)
And so are spell-checkers.
Re: (Score:2)
And so are spell-checkers.
Just what are you alluding to?
Re: (Score:2)
https will not stop mass metadata collection.
Yeah, same here. Kept ending up with certs presented from a CDN's domain.
Re: (Score:2)
Same for me, said the cert was for Cloudfront.
Stupid (Score:5, Insightful)
Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.
This is a dumb idea. A very dumb idea.
Re:Stupid (Score:5, Insightful)
That said, if a website has a password field, it might be a Good Idea to notify the user if it's non-SSL.
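The check this comment proposes, as an added example that is not code from the page or from Chrome: scan a page for password fields and report whether a typed password would travel in cleartext, either because the page itself came over HTTP (so an on-path attacker can rewrite the form before anything is typed) or because the form's action posts to an http:// URL. The sample HTML is constructed for the test; the function and class names are mine.

```python
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect the form action for every <input type="password"> on the page.
    Fields outside any <form> are recorded with action None."""

    def __init__(self) -> None:
        super().__init__()
        self._form_action: Optional[str] = None
        self.password_fields: List[Optional[str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An absent action means "post back to the page URL".
            self._form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields.append(self._form_action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def credential_exposure(page_url: str, html: str) -> List[str]:
    """Return one finding per password field whose submission is not protected end to end.

    Two distinct failure modes are reported:
      * the page was served over plain HTTP: the markup itself is untrusted, so it does
        not matter where the form claims to post (a MITM can change that before the user types);
      * the page is HTTPS but the form posts to a non-HTTPS action (classic mixed-content login).
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings: List[str] = []
    for action in scanner.password_fields:
        target = page_url if action is None else urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme != "https":
            findings.append(
                f"password field on a {page_scheme} page: an on-path attacker can rewrite "
                f"the form or inject script before the user types anything"
            )
        elif target_scheme != "https":
            findings.append(f"form posts credentials to {target} over {target_scheme}")
    return findings


if __name__ == "__main__":
    # Constructed sample page, not captured from any real site.
    sample = (
        '<html><body><form action="/login" method="post">'
        '<input name="u"><input type="password" name="p"></form></body></html>'
    )
    for finding in credential_exposure("http://example.com/signin", sample):
        print("WARNING:", finding)
```

The order of the two checks matters: an HTTP page whose form posts to an https:// action is still reported, because the attacker does not need to touch the submission when they can rewrite the page that builds it.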
Re:Stupid (Score:5, Interesting)
It also increases costs and management overhead.
Does Fred Bloggs lyrics site need to be SSL? Probably not. But throwing a warning up is going to cause fear, uncertainty and doubt.
Re: (Score:3)
Personally I think the colour scheme is simply wrong. Rather than White for plain, Red for SSL with some minor error (self signed cert), and green for proper encryption, why not go red for unencrypted, orange for encryption with problems, and green for encrypted and verified?
That's easy most websites will appear red and users will tune it out. You have now increased confusion and lost your ability to communicate important information to the user.
Re: (Score:2)
Why does everyone need more?
So many sites are read only with no exchange of data. No warning is needed for these.
Re: (Score:2)
CPU and power increase for encryption is negligible for most sites.
The real cost is getting a certificate from a site that the browser will recognize.
Those are expensive, especially if you want a site for a hobby or a supplemental income.
Re: (Score:3)
Answer: So that when someone browses to your URL they don't get malware injected into their browser by a MITM.
That said, GP nails it: the problem with SSL is not the tech, it's that the CAs are money grubbing semi-competent boobs, and the trusted certificate lists are administered by either OS or browser producers, leaving a huge open arena for politics and perverse incentives.
Re: (Score:2)
Answer: So that when someone browses to your URL they don't get malware injected into their browser by a MITM.
I fully agree. So why isn't every website I browse in plaintext presented with a gigantic red warning page which requires 3 clicks to get through?
I think plaintext websites should have a red warning.
Self-signed websites but encrypted should be orange.
Fully encrypted and verified should be green.
Re: (Score:2)
That said, GP nails it: the problem with SSL is not the tech, it's that the CAs are money grubbing semi-competent boobs, and the trusted certificate lists are administered by either OS or browser producers, leaving a huge open arena for politics and perverse incentives.
Which is why it was really sad when chrome backed off on supporting DANE [internetsociety.org]
Re:Stupid (Score:5, Informative)
CPU and power increase for encryption is negligible for most sites.
The real cost is getting a certificate from a site that the browser will recognize.
Those are expensive, especially if you want a site for a hobby or a supplemental income.
StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.
Let's Encrypt [letsencrypt.org], run by the EFF, will be offering free certificates (starting in 2015) with an easy automatic validation and installation system that makes the technical side of deploying certs super easy.
If, for some reason, that's not satisfactory, Comodo resellers like NameCheap offer PositiveSSL certs for less than $9/year. That's less than a beer at the local bar.
The financial cost of getting a certificate is essentially negligible.
Re: (Score:2)
The financial cost of getting a certificate is essentially negligible.
Yep, and their free or cheap certificates don't allow wildcards.
Re: (Score:2)
StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.
And if you do pay the $60, you can only manage a single legal entity. Which means, if you are the certificate manager of some organization, you can either get certificates in the name of that organization (after completing the paperwork and paying the additional $60), or for your own private sites, but not for both at once. Yes, after completing the paperwork for getting certificates for your organization, you lose the right to get certificates for yourself. Crazy, but true!
Oddly enough, if you don't
Re: Stupid (Score:5, Informative)
Also, renting an IP address isn't free.
IP-based SSL hosting hasn't been necessary since the development of SNI [wikipedia.org] nearly a decade ago.
Essentially all modern browsers (IE 7+, Firefox 2.0+, Chrome 6+ on XP [all versions of Chrome on Vista+ support SNI], Safari in iOS 4+, Android 3+, WP 7+, etc.) and servers support SNI.
Several web hosts offer SNI-based SSL/TLS hosting at no additional charge.
Re: (Score:3)
Minor correction -- no version of IE (or Safari if we want to be technical) on Windows XP supports SNI. IE7 on Vista supports SNI, but not on XP. Also, Android 2.x is still pretty relevant given that it currently represents 9.6% of active Android users [android.com]. The original Kindle Fire did not support SNI, though I believe with the second generation it did support SNI. Anyone with a pre-BB10 Blackberry also does not have SNI support.
Trust me, I would love to go SNI-based for SSL, but support wise we're just not the
Re: (Score:2)
Bing and Yahoo's web crawlers do not support SNI so you can enable it as long as you don't mind not being indexed on some search engines.
Re: (Score:2)
Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.
This. Therefore it also uses more energy and is worse for the environment!
I kind of get why Google engineers might think this is a good idea, but the problem is that there's so many sites that don't use or need encryption, that this won't change. And as a result, lots of users will be getting told that site xyz is insecure, when it isn't... and they'll use it anyway.... thus entirely negating the benefit of changing the browser in the first place.
If the vast majority of websites were encrypted, then I c
The major downside to this.. (Score:5, Insightful)
The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.
Re: (Score:2)
Yep, the solution is clearly to use plaintext for everything.
I understand what you mean but we should be risk grading ALL browsing. Not just bringing up warnings for encrypted content which is not perfectly signed by some money grabbing authority.
Re: (Score:2)
"locked green padlock = good, unlocked yellow/red padlock = how bad do you want your pron?".
And yet that's not how any browser works so users are right to be confused.
This again? (Score:5, Interesting)
Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Um... Secure != Trustworthy and, seriously, most web connections DO NOT NEED to be HTTPS.
Furthermore, I cannot filter HTTPS via my proxy filter (Proxomitron) to strip out annoying things, like the fucking Google sidebar and other forced "user experience" settings - which is why I use nosslsearch.google.com ...
Re: (Score:3)
Every web connection needs to be HTTPS, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.
You can install a custom root certificate on your client and have your proxy work as usual.
Re: (Score:2)
Every web connection needs to be HTTPS, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.
Fire up Wireshark, sort by DNS and pick any well known website at random. Why are there all these queries for dozens of other sites? They're all leaking tracking cookies and all kinds of bullshit to many DOZENS of providers who have nothing to do with providing the content your browser requested; their only job is to stalk your ass wherever you go on the Internet. Turning on HTTPS won't make them go away.
Just sitting on the wire and collecting destination addresses, amount of data transferred and timing stats
Re: (Score:2)
The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol. Most places don't really need its authenticity validated (and really, the only way authenticity can be assured these days is with certificate pinning and advanced notice of cert changes, so the authenticity features of HTTPS aren't as reliable as they appear). But it'd be good to have the communications itself secure. But there aren't any alternatives, so even if it's a
Re: (Score:2)
The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol.
This is doublespeak. Encryption without authentication is an illusion.
Re: (Score:2)
It depends on your adversary model. Encryption without authentication is good protection against passive adversaries, no protection against active adversaries. If someone can get traffic logs, or sits on the same network as you and gets your packets broadcast, then encryption protects you. If they're in control of one of your routers and are willing to modify traffic, then it doesn't.
The thing that's changed recently is that the global passive adversary has been shown to really exist. Various intelli
The web is shrinking (Score:5, Insightful)
Problem with the web: too many websites with too much content, not one answer that can be given consistently to similar questions:
Solution: standardize the web, with Wikipedia, Google Knol, etc. and squeeze out those smaller websites so they stop mucking up the corporate profits.
When the sheep get warm and comfy enough, yank anyone who doesn't dish out for SSL, and make it so that it costs a thousand dollars a year to reasonably publish on the web, instead of the pennies it did a few years ago.
Then, you have total dominion and total control. For much profit!
Re:The web is shrinking (Score:5, Informative)
In fairness to Google, they're also pushing a new standard that will allow free SSL certs to be used by anyone who wants it. Search for Let's Encrypt [letsencrypt.org] for more info.
Re: (Score:2)
The 'brought to you by' box on that site lists Mozilla, Akamai, Cisco, EFF, and IdenTrust. I don't see Google pushing it. They're not listed as a sponsor.
That said, it is pushing Certificate Transparency, which is something that is largely led by Ben Laurie at Google and is a very good idea (it aims to use a distributed Merkle tree to let you track what certificates other people are seeing for a site and what certs are offered for a site, so that servers can tell if someone is issuing bad certs and clien
Good idea only if ... (Score:2)
I applaud this move, but ONLY IF https websites are also flagged as being insecure (typical example follows).
https://www.whynopadlock.com/ [whynopadlock.com]
Google Domains Free SSL (Score:2)
If google starts their own CA and gives away DV SSL certs (all sorts, counting wildcard, multi-domain), then I'm on board more or less. SSL should be free.
Intranet (Score:3)
Sweet! Now I'll need to get SSL keys for all of my web basic administration consoles on my already secured private LAN, or else management will yell at me. This sounds GREAT!
Malware (Score:3)
I see the value of the proposal: it is easy to inject malware inside an HTTP stream. Snowden documents taught us that the NSA and GCHQ do it over internet backbones. Infected machines also do it when it is easy (hint: WiFi). Pushing towards HTTP/SSL addresses that
However, with only 33% of the sites that are SSL enabled, they are just going to show warnings everywhere, and users will quickly learn to ignore them.
Re: (Score:2)
I see the value of the proposal: it is easy to inject malware inside a HTTP stream.
Only when the attacker is sitting on the path from the browser to the server. Not when listening in on the side-lines.
However, with only 33% of the sites that are SSL enabled, they are just going to show warnings everywhere, and users will quickly learn to ignore them.
Exactly. And once users are trained to ignore warnings, they will ignore them too if they are about bad certificates, so nothing is gained (see above).
Including Slashdot? (Score:4, Informative)
Re: (Score:2)
This!
I've seen the GP's comments a few times today. Why would you encrypt Slashdot. But really is it up to you to decide what needs to be encrypted for your users? People are being persecuted for opinions and leaks, for anonymous postings, for visiting certain websites; people are having their movements logged for something as simple as which fertilizer they research, or god forbid you access a website which doesn't align politically with someone who has power over you.
It's not up to you to decide what your
Boy who cried "wolf" (Score:3)
How arrogant (Score:2)
>"If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security"."
Arrogant, annoying, unnecessary, stupid, and inaccurate. There are a LOT of sites that have absolutely no need for https and labeling them "insecure" will annoy clue-full users and confuse clueless users all in one swoop. And by encrypting everything, it makes caching far less useful and slows down bro
Bad for small business owners (Score:5, Insightful)
I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.
I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.
Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.
There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.
Re: (Score:2)
There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.
Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.
Your problems are problems, there are no doubts about that. However your problems are related to the current implementation of the technology. Personally I found it quite easy to setup SSL on my website. I fou
Re: (Score:2)
Those spy agencies can always see which server one connects to. No encryption can hide the actual connection, the IP address you talk to. That "metadata" tells spies what you're looking for.
If implementation were easier, much easier, and without having to go through the trouble of remembering renewals or break your site, I'd probably have implemented it already, as it won't hurt.
Re: (Score:2)
Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.
Your fertilizer page is 14674 bytes in length. What difference does it make if you encrypt it? I still know you went there and I know who you are by your address. Fail.
Blockages, Warning Signs, Slow Traffic (Score:2)
I have to have an adblocker running just to keep my browser from turning into a scene of Times Square on a bad acid trip, even on reputable sites which brings the page load to a crawl. Most browsers have some warning for this or that, little green or red padlocks, etc.. Everything might be unsafe, click at your own risk!
If I were a pilot and there were the same number of warnings and blinking lights flashing in the cockpit I probably would have bailed out lon
Google gone batshit insane (Score:2)
How much did the CA cartel pay Google to come up with this load of BS? Talk to me about SSL everywhere when everyone is using DANE and CAs have long since gone out of business.
You don't scare people with warnings like this. Crying wolf only places your users at increased and unnecessary risk.
Distinct IP address per site required for SSL (Score:3)
Re:So perhaps /. will finally fix its shit (Score:5, Interesting)
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Re: (Score:2)
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Exactly. What's the benefit?
There's a time and place for encryption, and Slashdot ain't it.
Re:So perhaps /. will finally fix its shit (Score:5, Insightful)
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Exactly. What's the benefit?
There's a time and place for encryption, and Slashdot ain't it.
Some folks at Belgacom may disagree [spiegel.de].
Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.
Re: (Score:2)
You really don't understand how TLS works if you think it doesn't protect you from someone injecting data into a stream, or from redirecting one to an unexpected endpoint.
Re: (Score:2)
Really, why? What content on Slashdot justifies the need for encrypted content?
Mainly if you're worried about someone stealing your cookie and making posts with your account.
If that's not something that worries you, then there's no need.
Re: (Score:2)
People re-use passwords across sites.
Re: (Score:3)
Really, why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Since you have a Slashdot account, I'm sure you don't mind your ISP, their transit provider, and Slashdot's CDN seeing your password going over their network in cleartext when you log in.
Even if you use a throwaway password for sites like this (and I hope you do), don't you think it would be better to make a small change that has no effect on how end users interact with the site but somewhat increases their security?
Re: (Score:2)
Really, why? What content on Slashdot justifies the need for encrypted content?
Content coming from Slashdot? Very little. It's a public website that is served in a similar way to everyone. But what about content going to Slashdot?
We are living in a world where the west is increasingly persecuting people for ideas. People are being charged over opinions, leakers of information are being persecuted as enemies of the state, and I'm wondering just how many people are logging what it is I said right here right now.
Delivery of open content shouldn't be encrypted unless it's sensitive. That
Re: (Score:2)
There's nothing new about this. If you look at history, you'll see things like this happening over and over. Look at how Rome treated Christians, look at the Spanish Inquisition and their expulsion of Jews, look at the Holocaust, look at Stalin's Great Purge. For that matter, remember that the Pilgrims weren't interested in letting everybody worship they way they wanted, they were interested in creating a colony where
Re:So perhaps /. will finally fix its shit (Score:4, Informative)
The more traffic is encrypted, the more EXPENSIVE it is to host sites and dish out content; it screws up caching and makes everything harder to diagnose when there are technical issues. Encryption comes at a cost, and when the content has no real value it is a pointless cost.
Re: (Score:3)
Caching only works with static content anyway, and a good chunk of the web has largely moved onto dynamic, real time or near-real time content.
Also, note that caching methods like Google Cache and Coral Cache have no issues with encryption, as they can access a site via HTTPS separately, store the page's contents, and then serve the information back to whoever requests it. It's not as convenient as automatically caching at an intermediate hop, but it still works for situations where there's a sudden localiz
Re: (Score:2)
OK, Mr AC, care to explain how you plan to cache SSL-encrypted objects? All your caching proxy sees is the "connect me securely to server X" request - after that, it's encrypted and your proxy cannot tell what's being loaded. Worse, since SSL inflates the data sizes of whatever you've requested, your images are up to 50% more data, and your (already compressed with gzip) HTML, CSS, JS etc is the same. So you've added 50% to your traffic for ... potentially nothing.
Seriously, what do you gain (actual, measur
Re: So perhaps /. will finally fix its shit (Score:5, Insightful)
Make no mistake, Google doesn't do this because they have our best interest in mind, but because caching means they can't always tell exactly how many and who saw a particular page or ad. They hate caching unless it's them doing it. Going https instead of http defeats most caching, at the expense of the web sites easily having to serve twice as much data to serve the same number of visitors - some of that from the overhead of https, and some of that because of less caching.
Again, follow the money trail, and you'll get the answer for why Google wants to push everyone to https.
The guys over at squid-cache.org are not amused.
Re: (Score:2)
Pros have certs and don't have caching problems.
ROFL!
Re: (Score:2)
Over half the web doesn't need SSL, and the way it is implemented is an overpriced scam
Self-signed certificate (Score:3)
Firefox added a warning against all self-signed certs.
It makes sense: encryption without authentication is useless, as the browser gets a secure channel to talk with an unidentified peer. It can be your server, it can also be a man in the middle, there is no way to tell.
You can get a properly signed SSL certificate for free from STARTSSL [startssl.com], therefore there is no excuse for your broken setup.
Re: (Score:2)
Chrome also complains about self-signed https, so you lose. Sorry.
Annoying to Self Hosters (Score:2)
Just use a free TLS cert from StartSSL
Re: (Score:2)
While I think you should use HTTPS, it's also quite easy to strip away, anyone in the "man in the middle" position can do this, so no problem for the NSA, no problem for an ISP, no problem for a decent hacker (WiFi anyways), however it is "better than nothing".
Which seems to be what we have to settle for these days BTN "better than nothing".
It's difficult to strip HTTPS from sites that use HSTS [wikipedia.org]. Considering that enabling HSTS is literally a one-line addition to a server's config file and prevents SSL stripping attacks, it'd be silly not to use it.
Assuming the client can access the authentic HTTPS-secured, HSTS-enabled site at least once, their browser will cache the "HTTPS is required" bit for as long as the site requests. Most deployment guides suggest HSTS cache times of 6-12 months, which would make an attacker's job much more difficult.
Addi
Re: (Score:2)
Trivial to defeat HSTS:
https://github.com/sensepost/m [github.com]...
Oh give me a break this does not defeat HSTS it just links to the wrong hostname offered up by an insecure site. Garbage-In-Garbage-Out.
Saying this defeats HSTS is like saying getting domain micr0s0ft.com registered and an SSL cert assigned defeats SSL because I tricked someone into going there and thinking it was the real deal.
Re: (Score:2)
hahaha! A website with no NSA backdoor. You told a funny!
Sly (Score:3, Interesting)
It's not nuts. It's sly. What they're trying to do here is force increased purchasing of SSL certificates from third parties. It's about profit and the wealthy and powerful scratching each other's backs. Sure, you can put in your own, but the browsers will all put up scare dialogs about how they don't know who issued the cert, and away go your visitors / customers.
Do you NEED to have SSL for your blog? For your comic strip? For your aquarium how-to pages? For your archive of 50's pinups? For your CGI th
Sly (Score:3)
You know you can get free SSL certificates, right?
Re:Sly (Score:5, Insightful)
That you can get free certs doesn't mean it's easy or in some cases even possible to install them. These days, you find web servers in lots of embedded devices. Should I have to click past a warning every time I want to access my DVR on my LAN?
Encryption is useful when it serves a purpose. It doesn't always, and then it's just a waste at best and a false sense of security at worst.
SSL is inherently a weak solution - it is never any stronger than the least strong of the enormous list of CAs built into every browser. If just one of them is compromised (or has handed over the keys to a three letter agency), visitors lose the protection against MITM attacks and similar.
Self-signed certs are actually far safer, if done right, where the user has to actually validate the cert the first time. But those get warned against.
Re: (Score:3)
StartSSL.com gives free Class1 and is preinstalled in every modern browser
And whilst I use StartSSL, it's a pain that you can't get free wildcard certs for your domain...
Re: (Score:3)
Did you miss that a warning will be displayed that the site "provides no data security". It's not blocking access to your blog or comic strip.
Re: (Score:3)
Encouraging the web to go 100% SSL only is unquestionably a good thing.
Not if it means paying rent to CAs every year so they can sit on their fat ass and do nothing.
The issues with performance were gone a decade ago...
Even if maintaining session state and TLS were completely free round trip delay and assuming the best case that session resumption occurs for all accesses you still have to eat additional round trips...delay that is quite noticeable to those accessing content internationally and over wireless or low bandwidth links.
It makes no sense that all the "anti-SSL" posts have been modded up.
Why should people have to screw with SSL when they have no secure content to offer? This is what mak