Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com) 102

Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.

  • It will be back (Score:3, Insightful)

    by asackett ( 161377 ) on Thursday May 17, 2018 @04:52PM (#56629092) Homepage

    Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

    • It seems that this is more removing that annoying ding when you don't put on your seatbelt and just leave the light on your dashboard, but make it dimmer.
      • Re: (Score:3, Insightful)

        by HiddenL ( 967659 )

        Actually, no. The seatbelt ding is an "insecure indicator". When you are properly buckled, there isn't any warning or noise: there is only a "ding" when you are unbuckled. Chrome is gradually making the "not secure" more prominent for all plain http sites.

        • by jrumney ( 197329 )
          The norm has been successfully moved from insecure to secure. Even slashdot, which in 2018 is still way behind on ÃUÃnÃiÃcÃoÃdÃe adoption, is using https. Originally the Secure indicator was indicating that the site you were on was abnormally safe. Now they need to mark the abnormally unsafe (and hopefully still mark the Extended Validation sites as abnormally safe), since the default is now safe.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      The title is misleading, they aren't removing the secure indicator, they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.

      • they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.

        It might do. It rather depends what the lock icon looks like - Donald Sinden, a turnip, a Mandelbrot set...

        You never know with Google.

        • by rtb61 ( 674572 )
          People are starting to learn with Google, their new Youtube security method, https://www.theguardian.com/te... [theguardian.com], want to secure it, hah hah, well just break it on fucking purpose, now it's secure and tough luck for the suckers who bought it, what a pack of dick bags. They have become just as ridiculously unreliable as M$.

          New reality from Google don't trust it. Forever in Beta, they will scrap it after selling, break it to suit them with total disregard to the people who already bought it, delete features an

    • Re: (Score:2, Informative)

      by Anonymous Coward

      I was confused by the summary and so I RTFA.

      The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

      They are adding a "Not Secure" message to sites without https, as a bonus they plan to add flashing redness to the "Not Secure" message if you try to type into a form on that page.

      Overall, I approve, the "everything's OK alarm" can go.

      • by AvitarX ( 172628 )

        This is hardly new, but a continuation of the trend from all browsers to push people away from sites that don't use HTTPS.

        With HTTPS being essentially free now, this makes sense.

        • And with Google having their hooks into so many webpages now, they feel nobody but them should be able to monitor.

      • The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

        Those who are accustomed to looking for the word "Secure" because thousands of web pages told them to are going to be astonished by this change. Emphasize both conditions and the typical user will make the wise choice.

    • nobody has walked into my apt uninvited guess i can take the door off now
    • Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

      Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.

      What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status,

      • A bit off topic, but bumpers are designed to lessen the impact when you hit a pedestrian.
        If I was hit by a car, I'd rather it be the softer plastic bumper than the metal behind it. I think "broken legs" are a better alternative to "severed legs"

      • Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

        Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.

        What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status, focus the user on Extended Validation credentials, and maybe we can undo the horrible screwup of teaching users shitty security practices we started in the 90s that have exposed so many people to fraud.

        Bumpers DO save lives, actually. You're mistaken.

        (A crash that ALMOST kills someone but doesn't because the impact in a crash was sufficient to total the car, compress the crumple zones, etc., WOULD have been sufficient to kill the occupants if it had had less energy-absorbing capability, part of which is in fact provided by the bumper, the bumper mounts, etc. Now of course, I realize that MOST crashes don't fall into the Goldilocks Zone of being energetic enough to kill withOUT the bumper, but NOT ener

        • Now that the analogy has been properly torpedoed

          Writing things in ALL CAPS does not torpedo anything. You effectively admitted yourself that there's a very very narrow set of cases where this will make a difference... kind of like the very narrow set of cases where the word "Secure" makes a difference.

          Point is, bumpers mattered in the 60s, just like DV certificates and the word secure mattered in the 90s. However when we made crumple zones, bumpers effectively ceased mattering, and when we moved to EV certification in 2005 combined with the fact that it

      • What? Did your analogy not go the way you wanted it to?

        What? Does conceptual thinking evade you?

        • What? Does conceptual thinking evade you?

          Given the way the conversation went I would postulate precisely the opposite.

  • How about ... (Score:5, Insightful)

    by PPH ( 736903 ) on Thursday May 17, 2018 @04:55PM (#56629102)

    ... an insecure indicator?

    • by bondsbw ( 888959 )

      To keep going with the car analogy... why am I only warned when the stop sign is 4-way? That's the only time I don't want to be warned.

      • Why would you not want to be warned?

        (Disclaimer: we don't really have stop signs here, not the way they do in the US. They've always seemed a bit condescending to me...)

        • by bondsbw ( 888959 )

          Here we have a small sign attached that says 4-WAY.

          But what I need to know is who doesn't have to stop. That is much more important than knowing that everybody has to stop. We are effectively trained to look at the sign, and in the absence of a 4-WAY indicator, look around to see which other directions have stop signs. Except we are looking at the silver backing which is much less visible in many cases, particularly in the dark or where trees/bushes may be overgrown.

          Bad UI.

          • by novakyu ( 636495 )

            Um, maybe it's different where you live, but where I live, you do get a warning when the cross traffic doesn't stop. Something like this [wikimedia.org]. 4-WAY stop is a useful indicator letting me know that, after having come to a stop, I can start moving without waiting for the other guy to go, because if I came to a stop first, now I have the right-of-way. Without the 4-WAY stop indicator, I would have to try to look for the other guy's stop sign, before I feel safe to go after having stopped for my own stop sign.

            • by bondsbw ( 888959 )

              We have (to my knowledge) just one sign like that in our metro area, full of stop sign intersections which are not 4-WAY.

              I still maintain that knowing who doesn't stop is a safety concern, making it much more important than knowing that everyone stops for convenience. Besides, if you know that there aren't any who don't stop, you have the same info.

              • by novakyu ( 636495 )

                So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.

                My neighborhood is similar (very few intersections where one road that is not larger than the other does not have stop signs), and I would not wish my 4

                • by bondsbw ( 888959 )

                  So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.

                  I never said that. We have MANY intersections between two streets of equal size which are not 4-WAY. Only one of those has the yellow sign you linked previously.

                  Several streets have drainage dips in the directions that do not stop, but flat grade in the directions with stop signs. It's backwards from the way that seems natural. It makes it easy for someone who notices the big concrete dips instead of the stop sign which is behind a van parked on the curb to make the wrong decision.

          • With our more organically-developed road system we just don't seem to ever have this issue. There's usually a main road, with a white dotted line down the middle, and any adjoining roads have a yellow line across them which is "yield." Signs are usually just for speed limits, everything else seems to be conveyed through road markings.

            Then again I live on a small island so it's not even much like the UK itself.

    • ... an insecure indicator?

      You mean like the exclamation mark that is drawn on an insecure webpage, the one which when you click says in bright red "Your connection to this site is not secure" Is that the insecure indicator you are talking about?

    • by AmiMoJo ( 196126 )

      They have that. If you go to an insecure site there is a red marker now. Things like password auto-fill are disabled.

  • Please make sure that Firefox doesn't do this.
    • You do know they're only talking about getting rid of the word "Secure", right? Chrome is keeping the green lock icon, which is all that Firefox displays now as well.

    • Edit: actually it looks like they're eventually planning to get rid of the lock, too. And the colouring is being ditched first, too.

      There'll still be a warning indicator on non-HTTPS sites.

      • So how would I view the cert info once they take that away? Right now it's a quick two clicks starting with that "secure" lock to see if the cert is real or a proxy's man in the middle cert (they usually don't MitM on financial and shopping sites, but how do I know the particular one I am going to is on the whitelist?).

    • by AHuxley ( 892839 )
      Don't GUI like Google is the way to stay away from getting an evil GUI
  • “it's not necessary to draw the user's attention to the Secure indicator anymore” hope they make it red when it's not secure then rofl
    • Not secure already shows an exclamation mark which when clicked gives you a big red warning text about the connection not being secure.

  • It's an abjectly stupid move but leave it to corporations to do dumb shit just for some manager to justify their jobs. As another poster wrote, "It will be back."
    • So care to justify what makes it so stupid? Or are you going to repeat the shitty advice of the late 90s that says if you see the word "Secure" just go ahead and type all your credit cards in? Because that worked a treat! /sarcasm

      HTTPS is not security. Desensitizing people to the word "secure" is not security. We should be focusing on indications of proper EV certificates rather than confusing users.

      • We should be focusing on indications of proper EV certificates rather than confusing users.

        The entire reason we need extended validation certificates is because the TRUSTED certificate AUTHORITIES weren't doing their fucking jobs and weren't verifying anything before issuing certificates to anyone who wanted one.

        Telling the CAs they have to do more work to issue MORE TRUSTED certs won't fix shit.

        HTTPS was only ever about securing the pipe from one end to the other. It was never about ensuring the host on the other end is who you think it is, and it never will be. Maybe when CAs fuck up EV certs

        • We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.

          I think what you are upset about is that the CAs are a note arbiter of good character. There have been very few cases of certificates mis-issued or trust problems with CAs. The fact that these issues where CAs have been

          • We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.

            We should be focusing on indications of proper EV certificates rather than confusing users.

            EV certs require CAs to do more work. Hint: They won't. They'll do the bare minimum, and eventually less than that, just as they did for standard certs.

            I think what you are upset about is that the CAs are a note arbiter of good character.

            I'm not quite sure what you mean by this, but what I'm upset with is the fact that CAs exist, are "trusted" by browsers, and do nothing to earn that trust. To the contrary, they have shown they are completely untrustworthy. Even with a trustworthy CA, a state actor can compromise them without anyone else knowing. The entire concept of having an authori

    • by Ksevio ( 865461 )
      They're removing the "Secure" indicator, but not the "Insecure" indicator which is arguably more important to know these days
  • MS was infamous for Embrace, Extend, Extinguish

    First thing that comes to mind is RSS. Built a killer infrastructure for apps to use, then killed it, killing apps and nuking unwary folks' subscriptions.

    Now this. Let's make security better... ok, it's better? Let's pretend it'll stay that way without further attention and reduce or remove its visibility.

    popcorn.

  • by wonkey_monkey ( 2592601 ) on Thursday May 17, 2018 @05:47PM (#56629314) Homepage

    and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

    "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

    • by WallyL ( 4154209 )

      and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

      "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

      Show only a lock sign? How would a person be able to tell what URL the browser is showing? Oh, that's right, people are already scared of URLs...

      • Show only a lock sign instead of a lock sign plus the word secure.

        If you're going to be pedantic, why not go the whole hog and say "What, so every website will be just a giant lock sign?"

  • Because the less attention you can bring to the fact that "apple.com [xn--80ak6aa92e.com]" is "secure", there'll be less people getting confused.

    For the context, an old version of chrome displayed that url as apple.com, and the user would be unaware of the difference. It also displayed "secure", thus visitors would have a false feeling of being connected to the correct site.

    The only reason to draw attention to a "secure" site is if it's got one of those "verified" certificates that show something special in the address bar. And
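The look-alike hostname in the comment above can be checked mechanically. This is an added example, not part of the original comment and not Chrome's own logic: it decodes each `xn--` label and flags labels that mix scripts or that consist entirely of non-Latin letters which render like Latin ones. The `LOOKALIKES` table and the function names are assumptions made for this sketch.

```python
import unicodedata

# Constructed, deliberately small subset of Cyrillic letters that render like
# Latin ones. A production check would use Unicode's confusables data (UTS #39).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l",
}


def decode_label(label):
    """Return the Unicode form of one DNS label, or None if it is malformed."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def script_of(ch):
    """Rough script name: the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None  # digits and hyphen are neutral
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_host(host):
    """Classify every label of a hostname and report its Latin look-alike form."""
    findings = []
    for raw in host.rstrip(".").split("."):
        text = decode_label(raw)
        if text is None:
            findings.append({"label": raw, "scripts": [], "skeleton": "",
                             "verdict": "invalid-punycode"})
            continue
        scripts = {s for s in map(script_of, text) if s}
        # Replace known look-alikes with the Latin letter they imitate.
        skeleton = "".join(LOOKALIKES.get(c, c) for c in text)
        if len(scripts) > 1:
            verdict = "mixed-script"
        elif scripts - {"LATIN"} and skeleton.isascii():
            verdict = "whole-script-lookalike"  # reads as plain ASCII to a human
        elif scripts - {"LATIN"}:
            verdict = "non-latin"               # ordinary internationalised name
        else:
            verdict = "ascii"
        findings.append({"label": raw, "scripts": sorted(scripts),
                         "skeleton": skeleton, "verdict": verdict})
    return findings


def is_suspicious(host):
    """True when any label is mixed-script or an all-look-alike spoof."""
    return any(f["verdict"] in ("mixed-script", "whole-script-lookalike")
               for f in inspect_host(host))


if __name__ == "__main__":
    for f in inspect_host("xn--80ak6aa92e.com"):  # hostname quoted in the comment
        print(f)
```

A mail gateway or proxy log pipeline can run the same classification on hostnames and show the `skeleton` next to the raw A-label, so an analyst sees both what the user saw and what was actually resolved.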

  • Geez, this summary totally missed the entire point here and linked story only gets to it, well down on the page. If the connection is insecure, the browser is going to notify you of that with either an "insecure message" if there are no input controls (web forms) and a red icon and red text if there is a web form on the page.

    The entire thing is that there's no need to highlight the default, and damn it if your site isn't using HTTPS by default now you should just resign from your damn job, which is HTTPS.

    And

    • wrong, autism boy.

      plenty of sensors and controllers need http to configure, and no one is going to scrap an HVAC unit to make you happy.

      that has nothing to do with IQ of employers. I'm worried about yours though

      • plenty of sensors and controllers need http to configure

        If a place has a bare Internet facing HVAC controller with no in-between, then there's a ton of problems that no level of "a green icon in the corner" is going to fix. I did say "Production Site" and if you have a brain cell left in you, you know exactly what that means. But yeah, go ahead and put an insecure HVAC directly on the Internet, I'm sure that will pan well for you.

        • who said it was internet facing?

          the need for browser to do http is real and we don't need browser programmers trying to be everyone's nagging nanny. that kind of goody-goody attitude can go to hell

          • who said it was internet facing?

            If it's not then shut the fuck up as I already pointed out that entire case in the first comment.

            the need for browser to do http is real and we don't need browser programmers trying to be everyone's nagging nanny

            When the majority of folks using web browsers are morons, yes, yes we do. Your edge case can go to hell. No one took away your precious http, you still have, it just has a red icon now. That's because you and your fucking HVAC system, can't speak a pretty basic fucking protocol and apparently it was made to be completely unupdatable, which also sounds brilliant. So for your corner case, the millions of o

            • no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.

              • no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.

                If you're heading down that road, let me just go ahead and cut to the chase. All traffic on the Internet should be secure, thinking otherwise is dumb. The content of that traffic doesn't matter, **all traffic** on the **Internet** should be **secure**. Full stop. Whatever reason a person thinks that "this content" shouldn't be secure, usually boils down to subjective logic and lack of any clear rational argument. Now you can sit there and conjure up reasons, why this content "could" be sent insecure.

  • I would have welcomed any option of sending plain text packets+signature (and there are many) so as to keep the Web open and allow people managing it to gain insights from its contents. Sadly, tech news I read makes it look like everybody is under attack and the only solution is end-to-end encryption. Until you reach Facebook's servers, that is.

  • by THE_WELL_HUNG_OYSTER ( 2473494 ) on Thursday May 17, 2018 @07:56PM (#56629866)
    It's only a matter of time until Chrome either blocks http or users are forced to click a security exception button before an http site will load (like sites with invalid SSL certs today).
    • That's stupid. Let's hope they will not do that.

      Not everything deserves or has to be encrypted.. especially not in LANs, etc..
      • by novakyu ( 636495 )

        Um, you were on the right track up until you said "especially not in LANs". How often do you load up stuff in your Web browser from your LAN?

        The correct response is "Not everything deserves or has to be encrypted." (Just end with the period; no further qualification needed.)

  • Warn about insecure instead of giving a "well done" to normal practice. As long as EV certificates [wikipedia.org] still show in green it's fine with me.
