Google Chrome Begins Warns Users About Insecure Pages (certsimple.com) 86
An anonymous reader shares an article on CertSimple, a firm that helps companies prove their identity on their websites: Today Chrome's stable channel was updated with a new HTTPS UI. The changes in these versions of Chrome (Chrome 53 for Windows, Mac users got them in Chrome 52) complete 'transition 1' in Google's HTTPS plans, first announced in December 2014: T1: Non-secure origins marked as Dubious. In other words: Chrome now explicitly tells users non-HTTPS sites aren't private. If a Chrome user visits a site that isn't private -- for example, there's no HTTPS, broken HTTPS, or HTTPS only on 'checkout' pages -- Chrome now displays a mid-grey colored info box.
Grammar, anyone? (Score:1)
"Google Chrome Begins Warns Users About Insecure Pages"
Good work, editors.
Re: (Score:2)
don't you know that current slashdot editors believe that adding 's' to verbs is more secure. they will duplicate the story later in the day to ensure.
All Chrome pages are not secure (Score:4, Informative)
Re: (Score:1)
You beat me to it.
All pages are insecure if you use Chrome.
Re: All Chrome pages are not secure (Score:1)
Firefox Portable.
Re: (Score:1)
Last time I checked, yes it did send messages to Google, even running Chromium, on Ubuntu Linux, with all the undocumented command-line options I was able to find to disable various functions. That surprised me.
I was wanting to use Chromium to view local applications without any inappropriate network traffic; it wasn't suitable.
wifi connect https redirect issues (Score:1)
Many public wifis have a page they redirect you to. And they will redirect on https as well. You have to tell your browser that you trust the page but there should be a better way to do the public wifi messages. Browser developers and wifi redirect engineers need to talk and should be able to develop a means of notifying user without making it incredibly difficult to accept.
Hotspots can use RADIUS (Score:2)
Why can't public Wi-Fi use something like RADIUS [wikipedia.org], or at least a pre-shared key changed daily and posted on all cash registers, instead of a captive portal?
Re: (Score:2)
The TOS would be displayed either on the sign with today's pre-shared key or through the RADIUS challenge mechanism.
Re: (Score:2)
Wouldn't having the cert signed by a public authority fix this?
Re: (Score:2)
In order to redirect HTTPS traffic to a login page you would need a valid certificate for wherever the user was trying to get to in the first place. Giving random wifi hotspot operators those kinds of certs would be very bad for security and very impractical.
Re: (Score:2)
A public wifi login page is by definition insecure, so there should be a warning. And you should never enter any sensitive information, which also means that any password for a public wifi better not be an important one.
Re: (Score:2)
Most operating systems I've seen recently test if they can get to the internet themselves and if they are redirected to a captive portal they then automatically open a browser window to where the portal redirected them to (usually a login page). This avoids the issue of trying to MitM attack whatever site the user was trying to get to. You can still make the login page you get redirected to secure with proper certificates. The following are examples of the different things companies use in detecting if they
HTTPS on home LAN (Score:5, Insightful)
And thus people will start seeing the "dubious" mark in the UI when accessing the web-based administration interface of a home router, a home NAS, or a home network printer, which lacks HTTPS because it lacks a certificate, in turn because it lacks a globally unique fully qualified domain name.
Or should a device maker instead deploy the same wildcard certificate with the same private key on all of a given make and model?
Re:HTTPS on home LAN (Score:4, Insightful)
This. Plus, browser that puts warnings on all un-enctypted pages is somehow like a radio that warns before every song that the next song isn't encrypted and might be listened to by anybody. Or a barkeeper telling you at the bar "Don't talk so loud, the police might hear."
Of course you should have the right to whisper any time you want. But you also should have the right to shout something for everybody to hear whenever you want, without somebody warning that you shouldn't do it.
So long as the device is actually hardware (Score:2)
Devices makers should arrange (and may need to pay) for their devices to obtain an Internet FQDN and self-issue a certificate from a CA.
Paying works so long as the device is actually hardware, as the price of a certificate can be built into the price of hardware. It wouldn't work so well if the "device" is a general-purpose computer, such as a PC, an Android device, or a Raspberry Pi board, running a particular application that is free software or otherwise distributed without charge.
in exchange for, let's say $5000 plus $1000 per year for at least the three year intended lifespan of the product.
Which would leave Slashdot's comment section even more up in arms about "planned obsolescence" once the three years run out.
Let's Encrypt is rate limited (Score:2)
a particular application that is free software or otherwise distributed without charge.
For the DIY stuff you already can just use Let's Encrypt. [...] contributing button push "Make sure the machine has an actual FQDN then press this button" one click SSL setup
The "Make sure the machine has an actual FQDN" is the hard part. Each user of an application will have to buy a domain, keep the domain renewed, buy dynamic DNS service for that domain to publish the required TXT record, and keep the dynamic DNS service renewed. Many domain registrars bundle basic DNS service with domain registration, but it's often not dynamic; a user has to edit the zone file through a web form. The application's developer can't just buy its own domain, give subdomains to users, and let a
Re: (Score:3)
static html websites don't need https
Without HTTPS, how can you be sure that the information presented on "static html websites" was not modified in transit by a man in the middle on its way from "static html websites" to you?
Re: (Score:2)
[My Brother network printer] can even generate a CSR which you can sign with your own CA or an external CA.
In order to sign the CSR with a CA that other devices on your network already trust, including devices brought in by friends and family visiting your home, you'd first need to buy a domain and dynamic DNS service for that domain to allow the CA to verify that you own the domain. It'd take a huge shift in Internet culture to convince the administrator of each home network to buy a domain for that home network.
GUH (Score:2)
Eyenot User Begins Just Smashing The Fuck Out Of This Headline With A Hammer
Re: (Score:1)
Related issue: This Connection is Untrusted (Score:1)
I'm not using Chrome. What's up Slashdot? Is this a time stamp thing?
Re: (Score:1)
:-) The certificate will not be valid until 09/02/2016 06:19 PM
Then I shall wait another hour for it to clear up
Overly aggressive (Score:3)
I used to think that maybe this kind of thing was a good idea, but I've changed my mind. There are all sorts of reasons you might not want to use HTTPS for a website, usually revolving around the fact that it is just a pain in the ass to set up and maintain (especially if you run your own server). It's often overkill during development, or in a situation where you're piggybacking on an already-secure connection like SSH.
I suspect this is all to do with the desire of big corporations like Google to make the web more of a place for people with $$$. The money and time to setup and maintain SSL infrastructure.
And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with (good luck if it's not Apache). But that sucks, frankly.
Re: (Score:2)
I still think a better solution is to treat HTTP and self-signed HTTPS the same - giving no warning for them. By all means display a secure icon for HTTPS with a CA cert, but there's nothing inherently dangerous about an HTTP or self-signed HTTPS connection.
Re: (Score:1)
Re: Overly aggressive (Score:2)
Alternatively you can get Comodo brand PositiveSSL certs for about $10 for 3 years.
Tell me again how expensive SSL Certificates are?
Re: (Score:2)
It's often overkill during development
Chrome considers the loopback interface secure. If you can't use localhost because you're testing a web application on a mobile browser, you can run a private CA with OpenSSL and install its root certificate on your testing devices.
And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with
You don't have to install Certbot (the canonical client recommended by LE) to get a certificate for a host in a domain that you own. Certbot is only one of many ACME clients that LE supports. Some of these clients support a DNS challenge, in which the CA asks you to put a TXT rec
Headline is bad syntax (Score:2)
Try reading it like this, "Google Chrome Warns Begins ...." What a terrible turn of phrase, get it together editors.
Re: (Score:2)
Honestly,
- If you run a webserver, go get yourself letsencrypt, use cloudflare or namecheap has cheap ssl.
- Enable http2 on nginx (if you are using it, use it well)
- Enjoy faster loading time.
Your welcome.
- The argument against https is pointless.
Let me rephrase that:
Honestly,
- If you run a webserver, install this software, just trust us it's fine; redelegate your DNS to this company with-whom-I'm-totally-not-involved so they proxy all your connections and know who's visiting your site (and can sell or hand it over to whatever TLA you like); or pay money to another organisation for a set of we-promise-they're-unique-and-secure-numbers and we would totally never be compromised or behave unethically [cough] Symantec [cough] DigiNotar [cough] Verisign [hack] [cough];
- Do it my way because spinach and everything supports enforced HTTPS, and the peons can do without
- Don't worry that your data usage just doubled for HTTPS, it's only $50 a month extra for the upgraded plan and everyone can get gigabit fiber anyway.
You'rE unwelcome here.
- The argument against https is my-way-or-the-highway so screw you.
There, I think I covered it all.
Good lord, editors (Score:1)
This story has been on the front page for two hours with a glaring error in the headline? Do you guys even look at the site?
I can has cheezburger (Score:3)
Google Chrome Begins Warns Users
Come on, manishs, I know it's after beer thirty on a holiday weekend, but good grief -- this would take about 30 seconds to fix.
And yet, they removed the warning a long time ago! (Score:1)
Chrome was one of the first to hide the "http://" prefix.
That is exactly what "http://" means: no encryption, no authentication.
And of course, some other browsers started to copy chrome in this regard.
Stop hiding important information from the user!!!
The browser UI was perfect around firefox 25 or so. It's gone downhill since.
Re: (Score:2)
http vs https in the Adressbar were never a good indicator. People do not want to know if its http or https, they want to know if its secure or not.
And we nerds should acknowlege, that http, spdy, http2, gopher or ftp should be the same for a transport protocol and the user does not need to care, but if its ftp or ftps is important to him.
About time (Score:2)
Here we have still unencrypted pages that ask for the single sign on login information. And IT say that's ok, because the HTML POST request is sent off over https...
I assume Google Chrome would think otherwise.
I Wants Be Slashdot Editor (Score:3)
Google Chrome Begins Warns Users About Insecure Pages
I've always wished for a job that involved no manual labor and no mental labor.