Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Security The Internet

Google Proposes To Warn People About Non-SSL Web Sites 396

mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
This discussion has been archived. No new comments can be posted.

Google Proposes To Warn People About Non-SSL Web Sites

Comments Filter:
  • 503 (Score:2, Offtopic)

    Did slashdot just die and silently come back up? I was getting 503's and "offline mode", logged in and out for ages, then suddenly its just working again. Anybody else experience anything like that?

    • Re:503 (Score:4, Interesting)

      by Dutch Gun ( 899105 ) on Wednesday December 17, 2014 @09:08PM (#48622643)

      Yep, same here.

      On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working. Ok, technically, it's just a change in the browser, but the semantics are obviously meant to "encourage" everyone to switch to HTTPS. However a good idea some of us think that is, it's not up to you.

      This is why people are getting freaked out about the power you hold. You're starting to demonstrate that you're not afraid to *use* that influence to simply push things to work however you want them to. You've already done that once already by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.

      Am I overreacting here? Or is Google going too far, too fast with this?

      • Re:503 (Score:5, Insightful)

        by Charliemopps ( 1157495 ) on Wednesday December 17, 2014 @09:19PM (#48622717)

        Nah... When getting concerned about control, the following usually holds true:
        Rules that inform are good.
        Rules that control are bad.

        This rule informs. It's good.
        This has been a public service announcement. :-)

        • Re:503 (Score:5, Insightful)

          by Anonymous Coward on Wednesday December 17, 2014 @10:13PM (#48622977)

          This rule misinforms. There is nothing alarming about a site not having encryption enabled. A security pop-up is very alarming to the average uneducated user. It's bad enough with the "this site is untrusted" warnings whenever self-signed certs are involved. I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
          Ultimately this is lying to your users because you believe that they do are not technology-literate enough to make the right choice.
          I get that making a secure product that is easy for the average mook is hard, but social-engineering your way around ignorance is a lazy shortcut.

          • Also, it will make people accustomed to the pop-up by giving so many false positives. So much that, when it actually matters and they are sending information, they'll just ignore it because it comes up 10 times per day anyway.

        • by LWATCDR ( 28044 )

          What about when it misinforms?

          If I go to a local restaurant site that does not take orders and it is not running SSL just how is it insecure?
          It is like a warning that a public park is insecure because it doesn't have a burglar alarm.
          Also just because a site uses ssl does not mean that it is malware free or that it has not been hacked and all the user data taken.

          When is a false sense of security a good thing?
          And please do not tell me that I should worry about the NSA knowing that I was looking at restaurants

      • Re:503 (Score:5, Insightful)

        by stephanruby ( 542433 ) on Wednesday December 17, 2014 @10:12PM (#48622971)

        On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working.

        Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).

        In any case, Google hasn't formally announced a decision yet, it has merely made a proposal public and started a discussion on the subject requesting feedback. The fact that everyone is condemning Google for this proposal vindicates all the companies that keep their discussions private and out of the public eye until they work them out -- all secretly first.

        • Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).

          IE taught us that this kind of thing doesn't happen quickly - web developers _still_ have to deal with IE's buggy rendering, despite good alternatives having been available for 15 years. Ok, IE has got better but it's still not great. Users don't see this stuff as a browser problem - if your website doesn't work right then the users see it as a problem with your website.

      • Re: (Score:2, Insightful)

        by bledri ( 1283728 )

        ... You've already done that once already by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.

        Am I overreacting here? Or is Google going too far, too fast with this?

        You are overreacting. It's a positive step and there is no good reason in 2014 that all internet traffic should not be encrypted. Oh, and it's a free browser and there are other options both free and proprietary.

        • This. Grandparent's being overdramatic.

        • Comment removed (Score:4, Insightful)

          by account_deleted ( 4530225 ) on Wednesday December 17, 2014 @10:59PM (#48623197)
          Comment removed based on user account deletion
        • Google has a dominant position (among other places) in the browser market so site owners can't disregard their imposition. Saying that you can install other browsers would have been just like saying "you can install another OS" when Microsoft played leverage games with their near monopoly on the desktop back in the times. Plus, Chrome tends to end up installed on the PCs of many unexperienced users because of their policy of aggressive bundling. So one can expect that a relevant portion of his site's visito
      • Re:503 (Score:5, Insightful)

        by thegarbz ( 1787294 ) on Wednesday December 17, 2014 @11:43PM (#48623403)

        Not overreacting, but not thinking rationally here either. Google may be going too far alone, but they are definitely not going too fast.

        It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.

        Google have been quite pushy, but with interesting result. The world hasn't blindly bowed down to them but rather increased the speed at which they have solved other long standing problems which were getting no interest. I'm hoping the same thing will happen here, that one company doing something different may spur people into fixing what I believe is a horrendously broken approach to security.

      • I am just fed up with Google dumbing down the web browser and turning Chrome into our way or the highway. Cases in point:
            - refusal to support APNG
            - hiding protocol in address field URL

        I am hesitating whether to go back to Firefox.

      • If they implement this I will be going back to FireFox as my primary browser (I'm a web developer, I have almost every damn browser installed) I fail to see how going to my local newsite to read about the new antics of our clown politicians needs to be encrypted and load slower because the proxy can't cache it when a fellow work colleague visited the site earlier in the day. I will encrypt what I deem to be sensitive in nature. If the NSA or anybody else even gives a rats ass about me reading the news the
    • I got an "insecure login" warning when I was trying to log into /. in the past 15 minutes
  • Stupid (Score:5, Insightful)

    by ShieldW0lf ( 601553 ) on Wednesday December 17, 2014 @09:06PM (#48622635) Journal

    Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.

    This is a dumb idea. A very dumb idea.

    • Re:Stupid (Score:5, Insightful)

      by by (1706743) ( 1706744 ) on Wednesday December 17, 2014 @09:18PM (#48622707)
      Yeah, I really don't care that a webcomic/news site/etc. is non-SSL.

      That said, if a website has a password field, it might be a Good Idea to notify the user if it's non-SSL.
    • Re:Stupid (Score:5, Interesting)

      by jaymz666 ( 34050 ) on Wednesday December 17, 2014 @09:23PM (#48622735)

      It also increases costs and management overhead.
      Does Fred Bloggs lyrics site need to be SSL? Probably not. But throwing a warning up is going to cause fear, uncertainty and doubt.

    • CPU and power increase for encryption is negligible for most sites.
      The real cost is getting a certificate from a site that the browser will recognize.
      Those are expensive especially if you want a site for a hobbie or a supplemental income.

      • I have my own website, but it's just a vanity site. Why do I need to get a certificate and use https?
        • by skids ( 119237 )

          Answer: So that when someone browses to your URL they don't get malware injected into their browser by a MITM.

          That said, GP nails it: the problem with SSL is not the tech, it's the that the CAs are money grubbing semi-competent boobs, and the trusted certificate lists are administered by either OS or browser producers leaving a huge open arena for politics and perverse incentives.

          • Answer: So that when someone browses to your URL they don't get malware injected into their browser by a MITM.

            I fully agree. So why isn't every website I browse in plaintext presented with a gigantic red warning page which requires 3 clicks to get through?

            I think plaintext websites should have a red warning.
            Self-signed websites but encrypted should be orange.
            Fully encrypted and verified should be green.

          • by gmack ( 197796 )

            That said, GP nails it: the problem with SSL is not the tech, it's the that the CAs are money grubbing semi-competent boobs, and the trusted certificate lists are administered by either OS or browser producers leaving a huge open arena for politics and perverse incentives.

            Which is why it was really sad when chrome backed off on supporting DANE [internetsociety.org]

      • Re:Stupid (Score:5, Informative)

        by heypete ( 60671 ) <pete@heypete.com> on Wednesday December 17, 2014 @09:53PM (#48622893) Homepage

        CPU and power increase for encryption is negligible for most sites.
        The real cost is getting a certificate from a site that the browser will recognize.
        Those are expensive especially if you want a site for a hobbie or a supplemental income.

        StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.

        Let's Encrypt [letsencrypt.org], run by the EFF, will be offering free certificates (starting in 2015) with an easy automatic validation and installation system that makes the technical side of deploying certs super easy.

        If, for some reason, that's not satisfactory, Comodo resellers like NameCheap offer PositiveSSL certs for less than $9/year. That's less than a beer at the local bar.

        The financial cost of getting a certificate is essentially negligible.

        • The financial cost of getting a certificate is essentially negligible.

          Yep, and their free or cheap certificates don't allow wildcards.

          • StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.

            And if you do pay the $60, you can only manage a single legal entity. Which means, if you are the certificate manager of some organization, you can either get certificates in the name of that organizationation (after completing the paperwork and paying the additional $60), or for your own private sites, but not for both at once. Yes, after completing the paperwork for getting certificates for your organization, you lose the right to get certificates for yourself. Crazy, but true!

            Oddly enough, if you don't

    • Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.

      This. Therefore it also uses more energy and is worse for the environment!

      I kind of get why Google engineers might think this is a good idea, but the problem is that there's so many sites that don't use or need encryption, that this won't change. And as a result, lots of users will be getting told that site xyz is insecure, when it isn't... and they'll use it anyway.... thus entirely negating the benefit of changing the browser in the first place.

      If the vast majority of websites were encrypted, then I c

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Wednesday December 17, 2014 @11:57PM (#48623463)
      Comment removed based on user account deletion
  • by DigitAl56K ( 805623 ) on Wednesday December 17, 2014 @09:09PM (#48622647)

    The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.

    • Yep, the solution is clearly to use plaintext for everything.

      I understand what you mean but we should be risk grading ALL browsing. Not just bringing up warnings for encrypted content which is not perfectly signed by some money grabbing authority.

  • by account_deleted ( 4530225 ) on Wednesday December 17, 2014 @09:14PM (#48622673)
    Comment removed based on user account deletion
    • "locked green padlock = good, unlocked yellow/red padlock = how bad do you want your pron?".

      And yet that's not how any browser works so users are right to be confused.

  • This again? (Score:5, Interesting)

    by fahrbot-bot ( 874524 ) on Wednesday December 17, 2014 @09:15PM (#48622681)

    Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.

    Um... Secure != Trustworthy and, seriously, most web connections DO NOT NEED to be HTTPS.

    Furthermore, I cannot filter HTTPS via my proxy filter (Proxomitron) to strip out annoying things, like the fucking Google sidebar and other forced "user experience" settings - which is why I use nosslsearch.google.com ...

    • by iamacat ( 583406 )

      Every web connection needs to be HTTPs, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.

      You can install a custom root certificate on your client and have your proxy work as usual.

      • Every web connection needs to be HTTPs, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.

        Fire up wireshark, sort by DNS and pick any well known website at random. why are there all these queries for dozens of others sites? Their all leaking tracking cookies and all kinds of bullshit to many DOZENS of providers who have nothing to do with providing content your browser requested their only job is to stalk your ass wherever you go on the Internet. Turning on HTTPS won't make them go away.

        Just sitting on the wire and collecting destination addresses, amount of data transferred and timing stats

    • The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol. Most places don't really need its authenticity validated (and really, the only way authenticity can be assured these days is with certificate pinning and advanced notice of cert changes, so the authenticity features of HTTPS aren't as reliable as they appear). But it'd be good to have the communications itself secure. But there aren't any alternatives, so even if it's a

      • The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol.

        This is doublespeak. Encryption without authentication is an illusion.

        • It depends on your adversary model. Encryption without authentication is good protection against passive adversaries, no protection against active adversaries. If someone can get traffic logs, or sits on the same network as you and gets your packets broadcast, then encryption protects you. If they're in control of one of your routers and are willing to modify traffic, then it doesn't.

          The thing that's changed recently is that the global passive adversary has been shown to really exist. Various intelli

  • by hessian ( 467078 ) on Wednesday December 17, 2014 @09:18PM (#48622699) Homepage Journal

    Problem with the web: too many websites with too much content, not one answer that can be given consistently to similar questions:

    Solution: standardize the web, with Wikipedia, Google Knol, etc. and squeeze out those smaller websites so they stop mucking up the corporate profits.

    When the sheep get warm and comfy enough, yank anyone who doesn't dish out for SSL, and make it so that it costs a thousand dollars a year to reasonably publish on the web, instead of the pennies it did a few years ago.

    Then, you have total dominion and total control. For much profit!

    • by Dutch Gun ( 899105 ) on Wednesday December 17, 2014 @09:38PM (#48622811)

      In fairness to Google, they're also pushing a new standard that will allow free SSL certs to be used by anyone who wants it. Search for Let's Encrypt [letsencrypt.org] for more info.

      • The 'brought to you by' box on that site lists Mozilla, Akamai, Cisco, EFF, and IdenTrust. I don't see Google pushing it. They're not listed as a sponsor.

        That said, it is pushing Certificate Transparency, which is something that is largely led by Ben Laurie at Google and is a very good idea (it aims to use a distributed Merkel Tree to let you track what certificates other people are seeing for a site and what certs are offered for a site, so that servers can tell if someone is issuing bad certs and clien

  • I applaud this move, but ONLY IF https websites are also flagged as being insecure (typical example follows).

    https://www.whynopadlock.com/ [whynopadlock.com]

  • If google starts their own CA and gives away DV SSL certs (all sorts, counting wildcard, multi-domain), then I'm on board more or less. SSL should be free.

  • by darkain ( 749283 ) on Wednesday December 17, 2014 @09:36PM (#48622803) Homepage

    Sweet! Now I'll need to get SSL keys for all of my web basic administration consoles on my already secured private LAN, or else management will yell at me. This sounds GREAT!

  • by manu0601 ( 2221348 ) on Wednesday December 17, 2014 @09:41PM (#48622835)

    I see the value of the proposal: it is easy to inject malware inside a HTTP stream. Snowden documents taught us that the NSA and CGHQ do it over internet backbones. Infected machines also do it when it is easy (hint: WiFi). Pushing towards HTTP/SSL address that

    However, with only 33% of the sites that are SSL enabled, they are just going to show warnings everywhere, and users will quickly learn to ignore them.

    • I see the value of the proposal: it is easy to inject malware inside a HTTP stream.

      Only when the attacker is sitting on the path from the browser to the server. Not when listening in on the side-lines.

      ... and sitting on the path is the exact definition of man-in-the-middle, which allows to take advantage of poor certificates. And how many people properly understand certificates?

      However, with only 33% of the sites that are SSL enabled, they are just going to show warnings everywhere, and users will quickly learn to ignore them.

      Exactly. And once users are trained to ignore warnings, they will ignore them too if they are about bad certificates, so nothing is gained (see above).

  • Including Slashdot? (Score:4, Informative)

    by Midnight_Falcon ( 2432802 ) on Wednesday December 17, 2014 @09:42PM (#48622839)
    I find it more than ironic that this article was posted on Slashdot, which in 2014..still doesn't support SSL. It'll even redirect HTTPS to plaintext HTTP!
  • by antifoidulus ( 807088 ) on Wednesday December 17, 2014 @10:11PM (#48622967) Homepage Journal
    Have they ever read "The boy who cried wolf"? You warn people that their local community bulletin board website isn't encrypted enough times and they will probably start to ignore all your warnings. All this would probably do is annoy people to the extent that they will automatically click away any warning window, including when certs are invalid, possibly forged etc. In other words, it will really annoy people and could even be detrimental to security. Maybe if they restricted it to POSTs not GETs, though that may just incentivize lazy developers to use GETs instead of POSTs.....
  • >"If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security"."

    Arrogant, annoying, unnecessary, stupid, and inaccurate. There are a LOT of sites that have absolutely no need for https and labeling them "insecure" will annoy clue-full users and confuse clueless users all in one swoop. And by encrypting everything, it makes caching far less useful and slows down bro

  • by wvmarle ( 1070040 ) on Wednesday December 17, 2014 @10:41PM (#48623131)

    I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.

    I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.

    Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.

    There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.

    • There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.

      Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.

      Your problems are problems, there are no doubts about that. However your problems are related to the current implementation of the technology. Personally I found it quite easy to setup SSL on my website. I fou

      • Those spy agencies can always see which server one connects to. No encryption can hide the actual connection, the IP address you talk to. That "metadata" tells spies what you're looking for.

        If implementation were easier, much easier, and without having to go through the trouble of remembering renewals or break your site, I'd probably have implemented it already, as it won't hurt.

      • Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.

        Your fertilizer page is 14674 bytes in length. What differences does it make if you encrypt it? I still know you went there and I know who you are by your address. Fail.

  • So much for the 'information superhighway'.

    I have to have an adblocker running just to keep my browser from turning into a scene of Times Square on a bad acid trip, even on reputable sites which brings the page load to a crawl. Most browsers have some warning for this or that, little green or red padlocks, etc.. Everything might be unsafe, click at your own risk!

    If I were a pilot and there were the same number of warnings and blinking lights flashing in the cockpit I probably would have bailed out lon
  • How much did the CA cartel pay Google to come up with this load of BS? Talk to me about SSL everywhere when everyone is using DANE and CAs have long since gone out of business.

    You don't scare people with warnings like this. Crying wolf only places your users at increased and unnecessary risk.

  • by originalhack ( 142366 ) on Thursday December 18, 2014 @09:36AM (#48625217)
    Most non-SSL sites use a single IP address for multiple sites and the actual hostname portion of the URL is not known until the GET request.<br><br>Assuming that we want IPv4 to continue to work, a mechanism to permit an SSL certificate to secure a group of sites would be needed before more widespread use of SSL for non-commerce/non-login sites would be practical.<br><br>Essentially, if a server hosts 30 domains, the server's certificate would need to have a certificate of its own and that certificate would have to be signed by EACH of the 30 domains. That is tricky and would require revision of HTTPS. You would probably have to have the server initially use its OWN unsigned/self-signed certificate to establish an SSL connection, have the browser specify the hostname, then have the server return a signature record that uses that hostname's certificate to sign the fingerprint of the server's SSL certificate. Once the browser confirms that the appropriate CA signed for the hostname and the hostname signed for the server, then it could continue the request (and cache the server's fingerprint).<br><br>Google should get cracking on this new HTTPS handshake first.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...