Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com)
Date: 2018-05-17
Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.
Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.
Actually, no. The seatbelt ding is an "insecure indicator". When you are properly buckled, there isn't any warning or noise: there is only a "ding" when you are unbuckled. Chrome is gradually making the "not secure" more prominent for all plain http sites.
The title is misleading, they aren't removing the secure indicator, they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.
It might do. It rather depends what the lock icon looks like - Donald Sinden, a turnip, a Mandelbrot set...
You never know with Google.
I was confused by the summary and so I RTFA.
The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."
They are adding a "Not Secure" message to sites without https, as a bonus they plan to add flashing redness to the "Not Secure" message if you try to type into a form on that page.
Overall, I approve, the "everything's OK alarm" can go.
This is hardly new, but a continuation of the trend from all browsers to push people away from sites that don't use HTTPS.
With HTTPS being essentially free now, this makes sense.
Good analogy. Bumpers do fuck all to save lives. They are disposable pieces of plastic that don't dampen any crash impact with all of the life saving features of cars having been transferred to the crumple zones in the body.
What? Did your analogy not go the way you wanted it to? Flashing the word "Secure" for www.payipal.com is not good security practice. It's confusing to the users to tell them to not type their password in on pages that say Secure. Instead add a tiny indication showing encryption status,
A bit off topic, but bumpers are designed to lessen the impact when you hit a pedestrian.
If I was hit by a car, I'd rather it be the softer plastic bumper than the metal behind it. I think "broken legs" are a better alternative to "severed legs".
How about ... (Score:4, Insightful)
To keep going with the car analogy... why am I only warned when the stop sign is 4-way? That's the only time I don't want to be warned.
Why would you not want to be warned?
(Disclaimer: we don't really have stop signs here, not the way they do in the US. They've always seemed a bit condescending to me...)
You mean like the exclamation mark that is drawn on an insecure webpage, the one which when you click says in bright red "Your connection to this site is not secure"? Is that the insecure indicator you are talking about?
If anyone from Mozilla is here. (Score:1)
You do know they're only talking about getting rid of the word "Secure", right? Chrome is keeping the green lock icon, which is all that Firefox displays now as well.
Edit: actually it looks like they're eventually planning to get rid of the lock, too. And the colouring is being ditched first, too.
There'll still be a warning indicator on non-HTTPS sites.
lol (Score:2)
Not secure already shows an exclamation mark which when clicked gives you a big red warning text about the connection not being secure.
Stupid move (Score:2)
So care to justify what makes it so stupid? Or are you going to repeat the shitty advice of the late 90s that says if you see the word "Secure" just go ahead and type all your credit cards in? Because that worked a treat!
/sarcasm
HTTPS is not security. Desensitizing people to the word "secure" is not security. We should be focusing on indications of proper EV certificates rather than confusing users.
We should be focusing on indications of proper EV certificates rather than confusing users.
The entire reason we need extended validation certificates is because the TRUSTED certificate AUTHORITIES weren't doing their fucking jobs and weren't verifying anything before issuing certificates to anyone who wanted one.
Telling the CAs they have to do more work to issue MORE TRUSTED certs won't fix shit.
HTTPS was only ever about securing the pipe from one end to the other. It was never about ensuring the host on the other end is who you think it is, and it never will be. Maybe when CAs fuck up EV certs
Get with the times.
All UI must now be compatible with the lowest common denominator: a smartphone in portrait orientation.
Google's taking over where Microsoft left off (Score:2)
MS was infamous for Embrace, Extend, Extinguish
First thing that comes to mind is RSS. Built a killer infrastructure for apps to use, then killed it, killing apps and nuking unwary folks' subscriptions.
Now this. Let's make security better... ok, it's better? Let's pretend it'll stay that way without further attention and reduce or remove its visibility.
popcorn.
Only show/show only (Score:2)
"And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.
It's a start (Score:2)
Because the less attention you can bring to the fact that "apple.com [xn--80ak6aa92e.com]" is "secure", there'll be fewer people getting confused.
For context, an old version of Chrome displayed that URL as apple.com, and the user would be unaware of the difference. It also displayed "secure", thus visitors would have a false feeling of being connected to the correct site.
The only reason to draw attention to a "secure" site is if it's got one of those "verified" certificates that show something special in the address bar. And
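The lookalike-domain problem described in the comment above, as an added example that is not part of the original thread: it decodes the `xn--` label the poster cites and reports which ASCII name the decoded label imitates. The `LOOKALIKES` table and all function names are constructed for illustration; this is a simplified heuristic, not Chrome's display policy.

```python
import unicodedata

# Small constructed subset of Cyrillic letters that render like Latin ones;
# a real check would use the full Unicode confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0455": "s",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (ACE 'xn--' labels are decoded)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Scripts used in text, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def skeleton(text):
    """Map known lookalikes to the ASCII letter they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)

def assess_host(host):
    """Per label: decoded form, scripts used, and the ASCII name it imitates."""
    report = []
    for label in host.split("."):
        shown = decode_label(label)
        skel = skeleton(shown)
        # Flag only labels that differ from, yet collapse to, a pure-ASCII name.
        imitates = skel if (shown != skel and skel.isascii()) else None
        report.append({"label": label, "unicode": shown,
                       "scripts": scripts(shown), "imitates": imitates})
    return report

if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "apple.com"):
        for row in assess_host(host):
            print(host, row)
```

The certificate for such a host is valid for the `xn--` name, so the lock state alone says nothing about whether the displayed name is the one the user intended.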
Bloody hell what a horrible synopsis. (Score:2)
Geez, this summary totally missed the entire point here, and the linked story only gets to it well down on the page. If the connection is insecure, the browser is going to notify you of that with either an "insecure message" if there are no input controls (web forms) or a red icon and red text if there is a web form on the page.
The entire thing is that there's no need to highlight the default, and damn it if your site isn't using HTTPS by default now you should just resign from your damn job, which is HTTPS.
