Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com) 102
Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.
It will be back (Score:3, Insightful)
Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.
Re: (Score:1)
Re: (Score:3, Insightful)
Actually, no. The seatbelt ding is an "insecure indicator". When you are properly buckled, there isn't any warning or noise: there is only a "ding" when you are unbuckled. Chrome is gradually making the "not secure" more prominent for all plain http sites.
Re: (Score:2)
Re: (Score:3, Informative)
The title is misleading, they aren't removing the secure indicator, they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.
Re: (Score:1)
It might do. It rather depends what the lock icon looks like - Donald Sinden, a turnip, a Mandelbrot set...
You never know with Google.
Re: (Score:1)
New reality from Google don't trust it. Forever in Beta, they will scrap it after selling, break it to suit them with total disregard to the people who already bought it, delete features an
Re: (Score:2, Informative)
I was confused by the summary and so I RTFA.
The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."
They are adding a "Not Secure" message to sites without https, as a bonus they plan to add flashing redness to the "Not Secure" message if you try to type into a form on that page.
Overall, I approve, the "everything's OK alarm" can go.
Re: (Score:1)
This is hardly new, but a continuation of the trend from all browsers to push people away from sites that don't use HTTPS.
with HTTPS being essentially free now, this makes sense.
Re: It will be back (Score:1)
And with Google having their hooks inro so many webpages now, they feel nobody but them should be able to monitor.
Re: (Score:1)
Why are self signed certs as bad as HTTP?
I'd think they gaurentee that you're at the correct size after your first visit (protecting from MITM), and prevent snooping from non MITM parties always.
Re: (Score:1)
Safari already treats self-signed certs as second class citizens. Websockets (for example) will not work with self signed certs in Safari.
Re: (Score:2)
The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."
Those who are accustomed to looking for the word "Secure" because thousands of web pages told them to are going to be astonished by this change. Emphasize both conditions and the typical user will make the wise choice.
Re: It will be back (Score:2)
Re: (Score:2)
Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.
Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.
What? Did your analogy not got the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status,
Re: (Score:2)
A bit off topic, but bumpers are designed to lessen the impact when you hit a pedestrian.
If I was hit by a car, I'd rather it be the softer plastic bumper than the metal behind it. I think "broken legs" are a better alternative to "severed legs"
Re: (Score:2)
Re: (Score:2)
Now that the analogy has been properly torpedoed
Writing things in ALL CAPS does not torpedo anything. You effectively admitted yourself that there's a very very narrow set of cases where this will make a difference... kind of like the very narrow set of cases where the word "Secure" makes a difference.
Point is, bumpers mattered in the 60s, just like DV certificates and the word secure mattered in the 90s. However when we made crumple zones, bumpers effectively ceased mattering, and when we moved to EV certification in 2005 combined with the fact that it
Re: (Score:2)
What? Did your analogy not got the way you wanted it to?
What? Does conceptual thinking evade you?
Re: (Score:2)
What? Does conceptual thinking evade you?
Given the way the conversation went I would postulate precisely the opposite.
How about ... (Score:5, Insightful)
Re: (Score:2)
To keep going with the car analogy... why am I only warned when the stop sign is 4-way? That's the only time I don't want to be warned.
Re: (Score:2)
Why would you not want to be warned?
(Disclaimer: we don't really have stop signs here, not the way they do in the US. They've always seemed a bit condescending to me...)
Re: (Score:2)
Here we have a small sign attached that says 4-WAY.
But what I need to know is who doesn't have to stop. That is much more important than knowing that everybody has to stop. We are effectively trained to look at the sign, and in the absence of a 4-WAY indicator, look around to see which other directions have stop signs. Except we are looking at the silver backing which is much less visible in many cases, particularly in the dark or where trees/bushes may be overgrown.
Bad UI.
Re: (Score:2)
Um, maybe it's different where you live, but where I live, you do get a warning when the cross traffic doesn't stop. Something like this [wikimedia.org]. 4-WAY stop is a useful indicator letting me know that, after having come to a stop, I can start moving without waiting for the other guy to go, because if I came to a stop first, now I have the right-of-way. Without the 4-WAY stop indicator, I would have to try to look for the other guy's stop sign, before I feel safe to go after having stopped for my own stop sign.
Re: (Score:2)
We have (to my knowledge) just one sign like that in our metro area, full of stop sign intersections which are not 4-WAY.
I still maintain that knowing who doesn't stop is a safety concern, making it much more important than knowing that everyone stops for convenience. Besides, if you know that there aren't any who don't stop, you have the same info.
Re: (Score:2)
So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.
My neighborhood is similar (very few intersections where one road that is not larger than the other does not have stop signs), and I would not wish my 4
Re: (Score:2)
So, what you have is not a difference in signage---what you actually have is city planner's correct choice that 4-way stops are safer than intersections with two roads of equal width somehow being treated differently, with one set of roads getting stop signs and the other not getting it. So they only use the latter when they have a good reason to justify it.
I never said that. We have MANY intersections between two streets of equal size which are not 4-WAY. Only one of those has the yellow sign you linked previously.
Several streets have drainage dips in the directions that do not stop, but flat grade in the directions with stop signs. It's backwards from the way that seems natural. It makes it easy for someone who notices the big concrete dips instead of the stop sign which is behind a van parked on the curb to make the wrong decision.
Re: (Score:2)
With our more organcailly-developed road system we just don't seem to ever have this issue. There's usually a main road, with a white dotted line down the middle, and any adjoining roads have a yellow line across them which is "yield." Signs are usually just for speed limits, everything else seems to be conveyed through road markings.
Then again I live on a small island so it's not even much like the UK itself.
Re: (Score:2)
You mean like the exclamation mark that is drawn on an insecure webpage, the one which when you click says in bright red "Your connection to this site is not secure" Is that the insecure indicator you are talking about?
Re: (Score:2)
They have that. If you go to an insecure site there is a red maker now. Things like password auto-fill are disabled.
If anyone from Mozilla is here. (Score:1)
Re: (Score:2)
You do know they're only talking about getting rid of the word "Secure", right? Chrome is keeping the green lock icon, which is all that Firefox displays now as well.
Re: (Score:3)
Edit: actually it looks like they're eventually planning to get rid of the lock, too. And the colouring is being ditched first, too.
There'll still be a warning indicator on non-HTTPS sites.
Re: (Score:2)
So how would I view the cert info once they take that away? Right now it's a quick two clicks starting with that "secure" lock to see if the cert is real or a proxy's man in the middle cert (they usually don't MitM on financial and shopping sites, but how do I know the particular one I am going to is on the whitelist?).
Re: (Score:2)
They're phasing out the lock eventually, too.
Re: (Score:2)
What do you get out of this?
Re: (Score:2)
lol (Score:2)
Re: (Score:2)
Not secure already shows an exclamation mark which when clicked gives you a big red warning text about the connection not being secure.
Stupid move (Score:2)
Re: (Score:3)
So care to justify what makes it so stupid? Or are you going to repeat the shitty advice of the late 90s that says if you see the the word "Secure" just go ahead and type all your credit cards in? Because that worked a treat! /sarcasm
HTTPS is not security. Desensitizing people to the word "secure" is not security. We should be focusing on indications of proper EV certificates rather than confusing users.
Re: (Score:3)
We should be focusing on indications of proper EV certificates rather than confusing users.
The entire reason we need extended validation certificates is because the TRUSTED certificate AUTHORITIES weren't doing their fucking jobs and weren't verifying anything before issuing certificates to anyone who wanted one.
Telling the CAs they have to do more work to issue MORE TRUSTED certs won't fix shit.
HTTPS was only ever about securing the pipe from one end to the other. It was never about ensuring the host on the other end is who you think it is, and it never will be. Maybe when CAs fuck up EV certs
Re: (Score:2)
We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.
I think what you are upset about is that the CAs are a note arbiter of good character. There have been very few cases of certificates miss issued or trust problems with CAs. The fact that these issues where CAs have been
Re: (Score:2)
We're not telling anyone to do any more work or telling anyone to change any practices. What we are doing is trying to roll back the stupid suggestion that an encrypted channel implies complete trust. It was a broken suggestion to the users and has nothing to do with the trusted authorities.
We should be focusing on indications of proper EV certificates rather than confusing users.
EV certs require CAs to do more work. Hint: They won't. They'll do the bare minimum, and eventually less than that, just as they did for standard certs.
I think what you are upset about is that the CAs are a note arbiter of good character.
I'm not quite sure what you mean by this, but what I'm upset with is the fact that CAs exist, are "trusted" by browsers, and do nothing to earn that trust. To the contrary, they have shown they are completely untrustworthy. Even with a trustworthy CA, a state actor can compromise them without anyone else knowing. The entire concept of having an authori
Re: (Score:2)
Re: (Score:3)
Get with the times.
All UI must now be compatible with the lowest common denominator: a smartphone in portrait orientation.
Re: (Score:2)
Re: (Score:3)
In a just universe, it'd be one that administers an electric shock in response to using an apostrophe for the plural.
Google's taking over where Microsoft left off (Score:2)
MS was infamous for Embrace, Extend, Extinguish
First thing that comes to mind is RSS. Built a killer infrastructure for apps to use, then killed it, killing apps and nuking unwary folks' subscriptions.
Now this. Let's make security better... ok, it's better? Let's pretend it'll stay that way without further attention and reduce or remove its visibility.
popcorn.
Only show/show only (Score:3)
and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:
"And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.
Re: (Score:2)
and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:
"And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.
Show only a lock sign? How would a person be able to tell what URL the browser is showing? Oh, that's right, people are already scared of URLs...
Re: (Score:2)
Show only a lock sign instead in a lock sign plus the word secure.
If you're going to pedantic, why not go the whole hog and say "What, so every website will be just a giant lock sign?"
It's a start (Score:2)
Because the less attention you can bring to the fact that "apple.com [xn--80ak6aa92e.com]" is "secure", there'll be less people getting confused.
For the context, an old version of chrome displayed that url as apple.com, and the user would be unaware of the difference. It also displayed "secure", thus visitors would have a false feeling of being connected to the correct site.
The only reason to draw attention to a "secure" site is if it's got one of those "verified" certificates that show something special in the address bar. And
Bloody hell what a horrible synopsis. (Score:2)
Geez, this summary totally missed the entire point here and linked story only gets to it, well down on the page. If the connection is insecure, the browser is going to notify you of that with either a "insecure message" if there is no input controls (web forms) and a red icon and red text if there is a web form on the page.
The entire thing is that there's no need to highlight the default, and damn it if your site isn't using HTTPS by default now you should just resign from your damn job, which is HTTPS.
And
Re: (Score:2)
Re: (Score:2)
wrong, autism boy.
plenty of sensors and controllers need http to configure, and no one is going to scrap an HVAC unit to make you happy.
that has nothing to do with IQ of employers. I'm worried about yours though
Re: (Score:2)
plenty of sensors and controllers need http to configure
If a place has a bare Internet facing HVAC controller with no in-between, then there's a ton of problems that no level of "a green icon in the corner" is going to fix. I did said "Production Site" and if you have a brain cell left in you, you know exactly what that means. But yeah, go ahead and put a insecure HVAC directly on the Internet, I'm sure that will pan well for you.
Re: (Score:2)
who said it was internet facing?
the need for browser to do http is real and we don't need browser programmers trying to be everyone's nagging nanny. that kind of goody-goody attitude can go to hell
Re: (Score:2)
who said it was internet facing?
If it's not then shut the fuck up as I already pointed out that entire case in the first comment.
the need for browser to do http is real and we don't need browser programmers trying to be everyone's nagging nanny
When the majority of folks using web browsers are morons, yes, yes we do. Your edge case can go to hell. No one took away your precious http, you still have, it just has a red icon now. That's because you and your fucking HVAC system, can't speak a pretty basic fucking protocol and apparently it was made to be completely unupdatable, which also sounds brilliant. So for your corner case, the the millions of o
Re: (Score:2)
no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.
Re: (Score:2)
no edge case to read text in public domain online, don't need http for that either. nor for a dozen other things.
If you're heading down that road, let me just go ahead and cut to the chase. All traffic on the Internet should be secure, thinking otherwise is dumb. The content of that traffic doesn't matter, **all traffic** on the **Internet** should be **secure**. Full stop. Whatever, reason a person thinks that "this content" shouldn't be secure, usually boils down to subjective logic and lack of any clear rationale argument. Now you can sit there and conjure up reasons, why this content "could" be sent insecure.
Re: (Score:2)
http blocked within 5 years (Score:3)
Re: (Score:2)
Not everything deserves or has to be encrypted.. especially not in LANs, etc..
Re: (Score:2)
Um, you were on the right track up until you said "especially not in LANs". How often do you load up stuff in your Web browser from your LAN?
The correct response is "Not everything deserves or has to be encrypted." (Just end with the period; no further qualification needed.)
Re: (Score:2)
No, I'm one of those users who thinks SFTP is unnecessary for anonymous FTP access.
Re: (Score:2)
No, I'm one of those users who thinks SFTP is unnecessary for anonymous FTP access.
What https does is twofold: 1. Encrypt, 2. Prevent MITM attacks.
Even your anonymous FTP download could be MITMed and you have no guarantee that you're even talking to the right server.
Re: (Score:2)
What if I'm downloading (or making available) a content (like some text material) that I don't care if it was MITM'd? Should I still be forced to use SFTP? Just because I don't want (because I don't need) encryption doesn't mean I need to be STFU'd.
Good move (Score:2)