Google Chrome Pushes For User Protection With 'Not secure' Label (axios.com) 85
In an effort to force websites to better protect their users, the Chrome web browser will label all sites that do not encrypt their traffic as "Not secure" in the web address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without allowing potential eavesdroppers to see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning next to a site's URL if it forgoes HTTPS encryption and a user enters data. Now the browser will label all sites without HTTPS encryption this way.
Entire internet doesn't need to be https (Score:5, Insightful)
Re: (Score:2)
First, I think yes, it does. Otherwise it will be snooped or manipulated.
Second, they're just making it clearer when a site isn't https. Not saying every site needs to be secure.
Re: Entire internet doesn't need to be https (Score:3, Insightful)
With your browser trusting 600 CAs by default it certainly has absolutely no value without DNSSEC and DANE.
Re: (Score:2)
With your browser trusting 600 CAs by default it certainly has absolutely no value without DNSSEC and DANE.
All it takes is a few webmasters to take note of their security certificate fingerprint and check it from a random home/mobile connection or proxy and you'd see alarm bells go off if someone was trying to MITM the world. With HTTP they can just snoop on a fiber optic cable and nobody would know. So when it comes to protecting everyday people visiting everyday sites I think it has an effect.
Re: (Score:2)
has absolutely no value without DNSSEC and DANE.
"If it isn't perfect, it's worthless" - This AC
Re: (Score:3, Interesting)
HTTPS security doesn't matter if I don't trust the content anyway. (I could be looking at https://sloashdot.org/ for example. Or even the genuine slashdot.org and it could still be utter nonsense.) It really only matters for the small handful of sites that I visit where the identity of that site would make a material difference to me (bank, tax dept).
Given that, manipulation is a non-issue. I could be looking at a manipulated version of slashdot and I wouldn't trust it any more or less. Snooping is a bit
Re: (Score:2)
One of the obvious problems with this whole thing is that what https does is somewhat more technical than the kinds of things laymen know about, and Google wants to "dumb down" the distinction in the UI to something succinct. So they chose one single word, "secure", instead of "this conversation is believed (to some degree of confidence) to be through party X's webserver (or with them plus other parties that they consented to be included), and oh by the way, we also encrypted it too."
It's "wrong" but
That's the problem, it's a lie. Totally false (Score:3)
If it said "not encrypted" that would at least be *true*.
Marking sites as "not secure" vs "secure" based on using HTTPS is simply a lie. The usage of HTTPS is only slightly correlated with security. It's the equivalent of labeling people "tall" if they're black, and "short" if they are Hispanic. In general, the average height of Hispanic people tends to be lower than the average height of black people, but assuming someone is tall because they are black is stupid, and the label would be misleading almost
Re: (Score:2)
That's Google. Google has a huge problem with facts and truth, and dumbing everything down to the point of being counter-productive.
Re: (Score:1)
Then what was the point of phrasing it as "Not Secure"? That you should feel good knowing the site is "insecure"? That you shouldn't think that Clueless Users won't suddenly say "why isn't it secure" and start demanding "security"?
They phrased it that way precisely to make users do that. Encrypt All Of The Things!!!! Never mind that doing so renders using an alternative DNS utterly impossible what with a
Re:Entire internet doesn't need to be https (Score:4, Funny)
Don't the fed have all the SSL master keys anyhow?
Re: (Score:2, Informative)
Short answer; Yes.
Long answer; hell Yes... except all those self-signed certs chrome/google seem dead set on crippling even more for browser use.
Re: (Score:3)
I generate my own key and use letsencrypt to certify it. The key does not leave my server.
The feds can force any number of certificate authorities to generate a certificate that matches mine, with a new private key. They can do exactly the same if I had a self-signed certificate.
They cannot, without doing a targeted attack and breaking into my server, get the actual private key that my site uses. Again, precisely the same as a self-signed certificate.
There is no security advantage to using a self-signed cer
Re: (Score:2)
Someone did not grant me a certificate. They simply signed my public key, certifying that they believe that my public key belongs to me. Whether you choose to believe them or not is immaterial. No one is able to make my security WORSE by signing my public key -- that is pretty much the basis of public key cryptography.
(TLS is broken in that it only allows one entity to sign a given key in a certificate. It is incredible that no one has fixed that yet.)
Re: (Score:2)
You don't seem to understand how TLS certs work. The encryption and the signing are different parts of the security model. If I want to provide TLS connections, I generate a public and private key pair. The private key is basically a random number that only I know. The certificate is a combination of the public key and some information (for example, my organisation name, the relevant domain name, and so on). When I ask a CA to sign the certificate, they create a cryptographic signature from their private
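As an added example (not any commenter's code), this Go program, standard library only, plays out this sub-thread and the fingerprint-check comment further up: one CA signs the site's own public key; a second CA in the same trust store issues a certificate for the same name bound to a key the site never had; the browser-style chain check accepts both; the public-key fingerprint the webmaster recorded from the server rejects the second. The CA names and www.site.example are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const host = "www.site.example" // constructed host name, not a real site
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// issue returns a certificate for name carrying pub, signed by signer. With parent == nil
// it is a self-signed root CA; otherwise it is a server leaf chained under parent.
func issue(name string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a root signs other certificates
		parent = tmpl
	} else {
		tmpl.DNSNames = []string{name} // the name a browser matches against the URL
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// spkiPin is the SHA-256 of the public key inside a certificate: the fingerprint a
// webmaster records once from the server and re-checks from outside connections.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// MisIssuance: does the genuine cert chain, does the impostor cert chain, does the impostor match the pin?
func MisIssuance() (genuineOK, impostorOK, impostorPinned bool) {
	siteKey, ca1Key, ca2Key, impostorKey := newKey(), newKey(), newKey(), newKey() // siteKey never leaves the server
	ca1 := issue("Test CA 1", &ca1Key.PublicKey, nil, ca1Key, 1)
	genuine := issue(host, &siteKey.PublicKey, ca1, ca1Key, 2) // CA 1 signs the site's own public key
	ca2 := issue("Test CA 2", &ca2Key.PublicKey, nil, ca2Key, 3)
	impostor := issue(host, &impostorKey.PublicKey, ca2, ca2Key, 4) // same name, a key the site never had
	roots := x509.NewCertPool() // the browser's trust store: every root in it is equal
	roots.AddCert(ca1)
	roots.AddCert(ca2)
	opts := x509.VerifyOptions{DNSName: host, Roots: roots}
	_, errGenuine := genuine.Verify(opts)
	_, errImpostor := impostor.Verify(opts)
	return errGenuine == nil, errImpostor == nil, spkiPin(impostor) == spkiPin(genuine)
}
```

Pinning the public key rather than the whole certificate keeps the check valid across routine renewals that reuse the same key.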
Re:Entire internet doesn't need to be https (Score:4, Insightful)
So you don't mind a 3rd party knowing the content of each webpage you have visited?
Re: (Score:1)
nope... except for pages where I actually log in I couldn't care less. There should rather be a warning if there is any 3rd party content, like AdWords or Analytics...
Re: (Score:3)
Sniffing is a minor concern. The bigger problem, by far, is third party trackers. This is more an attempt by Google to monopolize tracking data than preventing it.
Also, it only protects knowing which specific page I visit on a site (they can tell from the IP address what website I'm visiting, right?). And that's unnecessary on many or most sites. On , WebMD pages matter, but when you go to XKCD?
Re: (Score:2)
Re: (Score:1)
a waste of money and time to make every site https
Let's Encrypt makes it easy and free for every website to be https.
Re: (Score:1)
that's really an nginx flaw (it shouldn't have to restart to update certs).
Re: (Score:2)
It doesn't. It can gracefully reload.
Re: (Score:2)
Re: (Score:2)
Nope, reload, and it can be done online
That's a bug in DNS policy, not CA policy (Score:2)
Someone who shouldn't be allowed to have a certificate for bankofarnerica.com shouldn't even be allowed to own the domain bankofarnerica.com in the first place. Typosquatting is in the bailiwick of the UDRP.
Re: (Score:2)
The two concepts are separate in TLS. The encryption and the certificate verification are entirely separable concepts within the protocol and within most implementations.
In use, they are usually conflated because encryption by itself is meaningless. As a client, I care that I have a secure connection to a specific server. A secure connection to somewhere random, which may or may not be the server that I expected, is not a secure connection in any meaningful sense.
Only if a server has a FQDN (Score:2)
Let's Encrypt makes it easy and free for every website to be https.
This is true of public websites. It is not true of private websites hosted by web servers on a home local area network. Examples include the configuration interface of your router or printer. These have no certificate because they have no fully-qualified domain name (FQDN).
Or is everyone who operates a LAN at home expected to already own a domain?
Re: (Score:2)
I'm confused: are you saying that it is a problem if your printer config page says "not secure" in the browser bar?
GP should have said "every website that Google will index" rather than "every website", but that seemed understood to me.
Re: (Score:3)
It gets annoying whenever I access a local device on my network and Chrome presents its warning page, then I have to click on a link to expand some extra text, which has a link to let me continue to the intended destination.
They should either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.
My Octoprint service is one example. It runs on a Raspberry Pi on my workbench and I use its web interface from my PC or p
Re: (Score:2)
They should either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.
The latter leads to security failure, as your browser would trust "local network devices" operated by an attacker on the open WLAN at a coffee shop.
The sad thing is I am starting to prefer other browsers which don't have these annoying features.
Which might these be? The same features you decry in Google Chrome are likely to show up in other derivatives of Chromium, and Firefox is implementing the same features.
W3C Candidate Recommendation: Secure Contexts (Score:2)
are you saying that it is a problem if your printer config page says "not secure" in the browser bar?
I'm saying it's a problem if I can't, for example, view media that I have stored on my NAS box because its presentation in the browser relies on JS APIs that are reserved for secure contexts [w3.org].
Re: (Score:2)
I prefer to use acme-client than the certbot (th
Re:Entire internet doesn't need to be https (Score:4, Informative)
Every site has *something* to lose - if it's not user credentials or personally identifiable information, then it's reputation or simply the ability for a third party to inject ads or crypto mining scripts into the page.
We have all seen the fallout of ISPs injecting ads into pages - Comcast and others have done it - so if you want to be *certain* your page reaches your audience as you intend them to receive it, http is no longer good enough (and hasn't been for years).
Re: (Score:2, Insightful)
This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https
They are doing nothing of the sort, they are only finally putting HTTP in the correct light: It's not frigging secure and never has been. The fact that so far we have put more effort into poorly encrypted but nonetheless far more secure than HTTP.
It made no sense. This finally does.
Re: (Score:2)
Are you shopping for your groceries using an armoured truck with a set of guards carrying heavy weapons ? If not, why ?
I'll tell you what I'm doing. I am shopping for my groceries with a truck and security detail that is expressly made clear to me.
When I go grocery shopping in my armoured truck I know it's secure like a Secure HTTPS certificate.
If I go grocery shopping and someone in my security detail is on the take, the security company will make that known to me and inform me when I'm insecure, just like a breached HTTPS trust.
When I go grocery shopping in my minivan without security I know about that too completely fucking
Re: (Score:1)
This is silly. Google is saying every website needs to be https. That's not true and is a waste of money and time to make every site https
I completely disagree. Companies that run websites should already be serving their websites via https. This will probably push companies who aren't using encryption to start or face backlash from users. It is very easy to make use of https! Any competent website administrator should already know how to do this. It isn't even an issue of money either. Let's Encrypt [letsencrypt.org] offers free certificates so I don't want to hear that it is a time and money issue.
Re:Entire internet doesn't need to be https (Score:5, Interesting)
It's a reputation issue. Given Let's Encrypt has issued over 14,000 paypal phishing certificates, one would think you should revoke Let's Encrypt certificates. After all, if Symantec, Comodo or others issued those, we'd be calling for blood.
The only reason we aren't is because Let's Encrypt has big names like EFF and Mozilla behind them. But all the scammers are basically dragging them through the mud - are your EFF donations being used to scam poor old ladies out of their money? Is scamming people really the goal of EFF and Mozilla?
Heck, it's actually kind of funny because a new exploit opened up on sites using Let's Encrypt, because they have a well-known directory that's being used to hide cryptocurrency miners and other things, too.
Maybe if there was a way to grade the quality of a certificate - Let's Encrypt can be made low, sites that charge with a real valid billing address (i.e., used a credit card, as opposed to bitcoin) can be higher rated because there is accountability down the line - including down to a real name and address.
Re: (Score:3)
There is a way to grade. If you want actual validation, you need an extended validation certificate.
Any other type of certificate is just a way to scam you out of your money -- they do not verify anything except the fact that you aren't piss-poor. If you think a card charge provides any verification, I give you How to use prepaid debit cards [itstactical.com].
If anything, it should be forbidden to charge money for a certificate that isn't extended validation. However, with Let's Encrypt available, the market hopefully sorts i
Re: Entire internet doesn't need to be https (Score:1)
Extended validation is a sham too. I got an EV code signing certificate recently for signing windows drivers. The only verification was that the CA called my prepaid phone number to ask if I am indeed a hardware engineer working for xxx. I said yes, and got the certificate. I could easily have lied.
Can phishing be stopped at the domain level? (Score:2)
GoDaddy, Gandi, Namecheap, and other registrars have registered over 14,000 paypal phishing certificates. Should we call for registrars' blood too?
Re: (Score:3)
The certs that Let's Encrypt issues don't certify identity. If you are assuming that they verify the identity of the site owner you made a mistake.
Let's Encrypt checks that the key belongs to a person with the ability to edit the site. That's it. You can be reasonably sure your communications with that site can only be read by people who can edit the site, that's it.
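As an added example (not Let's Encrypt's code), this Go program models the HTTP-01 challenge of RFC 8555 §8.3 that a domain-validated CA uses to check exactly that: the CA hands out a random token, the site must serve token.thumbprint at /.well-known/acme-challenge/token over plain HTTP, and the CA fetches and compares it. The JWK strings are constructed and hashed as given (RFC 7638 canonicalisation omitted); the only thing a pass proves is that whoever holds the account key could place that file on the site.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// challengePath is where an HTTP-01 challenge must be answered (RFC 8555 §8.3).
const challengePath = "/.well-known/acme-challenge/"
// newToken is the CA's fresh random token for one validation attempt.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}
// keyAuthorization is what the site must serve: token '.' base64url(SHA-256 of the account key JWK).
// Constructed simplification: the JWK bytes are hashed as given (RFC 7638 canonicalisation omitted).
func keyAuthorization(token string, accountJWK []byte) string {
	sum := sha256.Sum256(accountJWK)
	return token + "." + base64.RawURLEncoding.EncodeToString(sum[:])
}

// validate plays the CA: fetch the token file over plain HTTP and compare it to the
// key authorization expected for the account that asked for the certificate.
func validate(baseURL, token string, accountJWK []byte) bool {
	resp, err := http.Get(baseURL + challengePath + token)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	return err == nil && resp.StatusCode == http.StatusOK &&
		strings.TrimSpace(string(body)) == keyAuthorization(token, accountJWK)
}

// RunChallenge: does the account that can write to the site pass, and does an account with a different key pass?
func RunChallenge() (operatorPasses, strangerPasses bool) {
	operatorJWK := []byte(`{"kty":"EC","crv":"P-256","x":"constructed-x","y":"constructed-y"}`) // constructed
	strangerJWK := []byte(`{"kty":"EC","crv":"P-256","x":"other-x","y":"other-y"}`)             // constructed
	token := newToken()
	mux := http.NewServeMux() // the site: it serves exactly one file, the operator's key authorization
	mux.HandleFunc(challengePath+token, func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, keyAuthorization(token, operatorJWK))
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	return validate(srv.URL, token, operatorJWK), validate(srv.URL, token, strangerJWK)
}
```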
Re: Entire internet doesn't need to be https (Score:2)
LetsEncrypt is not a low-grade certificate. It is a domain validated certificate. It offers the exact same encryption option as any other certificate does. If anything, a shorter renewal period is an improvement to turn over a compromised certificate faster. It does not offer low security, and labeling it as such is incorrect.
EV certificates are a way to sell trust, but they sadly do very little to actually verify the company. A fake document later and you have your certificate. Plus you're assumi
Then who offers the free domains? (Score:2)
It isn't even an issue of money either. Let's Encrypt offers free certificates
Only to a domain owner. Neither Let's Encrypt nor any other CA included in the browsers' default certificate store offers any certificates for use with (say) .local, the TLD reserved for use with multicast DNS. What certificate should (say) the configuration interface of your home NAS use?
Re: (Score:1)
Re: (Score:2)
Not going to help (Score:1)
Re: (Score:2)
Why have I been modded as a troll? Examples of both of these issues have been shown in the wild - Comcast has injected ads and other things into third party web pages before, and crypto miners have been included on pages via ads or third party scripts, so it's only a matter of time before they are injected directly.
So why the troll mod? Every site has something to lose - reputation and users. HTTPS prevents your ISP or VPN provider from doing this.
WWw (Score:2)
Trusted computing (Score:2)
"WARNING! Secure label is inaccurate and does not apply to google.com, facebook.com, youtube.com, or any other giant site with backdoors for government monitoring as part of the Prism panopticon."
"WARNING! Does not apply to any website run on computers with Windows, with backdoors for government."
"WARNING! Does not apply to any computer with hardware from the US or China, with special chips or standard chips with backdoors for government."
"Don't worry, they won't abuse it, even though human history has n
Re: (Score:2)
When you say "they won't abuse it", are you talking about some specific "they"? Or just a general whining that there is no perfect security plus everyone in power sometimes acts like shit? Cause I think we all agree with the second one already.
Overstated (Score:2)
"Don't worry, they won't abuse it, even though human history has no examples where it isn't abused by those in power against their political opponents to remain in power."
While this may be true, it is something of an overstatement - because you can't show it to be true for recent stuff. It takes a while for info to leak out.
Make it something like:
Don't worry, they won't abuse it, even though human history has no examples (more than 30 years old) where it wasn't shown, within 30 years after the event, that i