Google Is Working On an HTTPS-Only Mode For Chrome (therecord.media) 65
An anonymous reader writes: Following in the footsteps of browsers like Mozilla Firefox and Microsoft Edge, Google Chrome is also in line to receive an HTTPS-Only Mode that will upgrade all unencrypted HTTP connections to encrypted HTTPS alternatives, where possible.
Currently, the new Chrome HTTPS-Only Mode is still under development in Chrome Canary distributions. Work is being done to add specific settings in the browser's interface, and no actual HTTP-to-HTTPS functionality is currently present. The feature is expected to be ready for Chrome 93, set to be released later this fall.
Only? (Score:5, Insightful)
"that will upgrade all unencrypted HTTP connections to encrypted HTTPS alternatives, where possible"
I don't think that word means what you think it means.
Re: (Score:2)
I'm not sure exactly what Chrome will offer, but in Firefox there are 3 choices:
HTTPS-Only Mode
HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS.
Learn more [mozilla.org]
A simple substitution of HTTP:// to HTTPS:// is essentially how it is done. If it can't find the HTTPS version, then it will prompt the user to continue to HTTP. It's not a true HTTPS-only mode, but rather an HTTPS-first, then prompt to continue on failure, mode.
P.S. Slashdot thought my first draft was "ascii art"; I had to remove some ironic hyphens. But somehow other accounts get total horseshit through, probably through the mobile APIs.
Re: (Score:2)
Indeed, I am not able to conceive what they mean by "upgrade all unencrypted HTTP connections to encrypted HTTPS alternatives, where possible".
I might as well read "upgrade all unencrypted HTTP connections to something else we control, in order to gather even more information about you, where possible".
I think what Google's really working on (Score:1)
Hooray for planned obsolescence (Score:2)
How many older machines are now utterly unusable because their root certificates expired and they basically can't browse the web anymore? I thought only Android devices were affected, but I spotted that on older Macs at work.
What would it have cost to build in a mechanism to keep updating the root certificates forever? Nothing, but hey, let's just find another way to get people to throw away their still usable hardware after 3 years...
Re: (Score:2)
I expect after https becomes mandatory they will try to phase out ipv4 as well. This combined with the Windows 11 fiasco.
Re:Hooray for planned obsolescence (Score:4, Funny)
> I expect after https becomes mandatory they will try to phase out ipv4 as well.
Crap. I guess I'll have to go re-enable ipv6 in all the places I disabled.
Re: (Score:2)
To be fair, you can't re-install a computer without a USB stick or CD. The BIOS/EFI doesn't boot from the Internet (yet). While you're copying the obsolete OS setup files, maybe toss in a recent browser or some new root certificates.
Re: (Score:2)
Older Macs? What the hell is that? All Mac users are required to buy a whole new computer every five years! /sarcasm
Posted from a 2010 Mac mini.
Please hurry up with the next M1X/M2 Mac mini, Apple, this old Core 2 Duo is annoyingly slow in 2021.
Fucking Losers (Score:5, Informative)
Between Google pushing SSL down everyone's throat and Apple not accepting SSL certificates issued for over 398 days, I don't know which entity to hate more. This creates a ton of work for admins for many sites whose content does NOT need to be encrypted.
Also, before you jump down my throat with "Just use Let's Encrypt and have it automatically renew your certs", know that not everything that uses SSL is a web server.
Re: (Score:2)
We should demand that FTP and Gopher be added back into these browsers.
But more seriously, I think it would be reasonable for unencrypted and self-signed certificates to default to having JavaScript disabled. I'd even be willing for there to be a legacy mode in these browsers where it is limited to HTML 4.x/3.x and no fonts, script, or other nonsense. Keep the old internet working, while moving forward on the latest technology and security.
Re: (Score:2)
Authoritarians would love a centrally controlled Internet where only people "on the list" can publish data. There is simply no need to encrypt, let alone sign, all information that passes through these wires.
Re: (Score:2)
Actually, for some of my personal domains I have a web server that does nothing but renew the Let's Encrypt cert, then stuff it into the Postfix cert file and restart for TLS mail. There are creative ways to use the free certs for other than web serving content.
Re: (Score:3)
There is an alternative of working with LE by putting a TXT record in DNS you control. Moving it to your on-internet server could be done by non-internet means; there are other ways of hooking up computers that have existed for decades, like serial, bi-directional parallel, shared storage on a non-TCP protocol... or non-TCP/IP networking like DECnet.
dns-01 (Score:2)
The second method of ACME challenges uses TXT records on your name server. GitHub lists 173 repositories tagged dns-01, so there is some choice of examples.
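What actually goes into that TXT record, as an added example that is not part of this thread or of any ACME client: the dns-01 value is derived from the challenge token and the ACME account key exactly as RFC 8555 (sections 8.1 and 8.4) and RFC 7638 specify, so the record can be computed on a machine that is never reachable from the internet and copied to the authoritative name server by whatever channel you like. The JWK coordinates and the token below are constructed placeholders, not a real account key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME (RFC 8555) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only these members, lexicographically ordered, feed the thumbprint.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 of the canonical JSON of the required members.

    Extra members such as "kid" or "use" and the dict's insertion order do not matter.
    """
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError("unsupported or missing kty") from exc
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT RDATA is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Owner name and TXT value to publish. A wildcard name is validated at its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip("."), dns01_txt_value(token, account_jwk)


# Constructed sample input (not a real account key or server-issued token): an EC P-256
# JWK with placeholder coordinates plus a "kid" the thumbprint must ignore.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "kid": "https://acme.example/acct/123",
}
SAMPLE_TOKEN = "constructed-token-from-the-challenge-object"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 300 IN TXT "{value}"')
```

The thumbprint is what binds the record to your account: a different ACME account computing a record for the same token gets a different value, so an attacker who can see the token cannot publish a matching record without your account key.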
Re: (Score:2)
If you are using made-up TLDs for hostnames on an internal network, try these steps:
1. Create your own root certificate and intermediate certificate using OpenSSL or whatever else.
2. Trust the root certificate on all clients that connect to your internal network.
3. Use the intermediate certificate to issue server certificates.
Re: (Score:2)
We're talking about your nameserver, though, the one that is authoritative for your domain; you'll be putting a TXT record in it for the LE side to see. How is that not perfect?
Re: (Score:2)
I know of several different organizations that use real DNS names for internal-only stuff. DNS names are registered and have NS servers listed, but no other records are available on the internet. On the intranet, where you can reach our internal DNS servers, we've got lots of A and CNAME records.
Re: (Score:2)
That's an easy question. The answer is Microsoft, of course!
Re: (Score:2)
> This creates a ton of work for admins for many sites whose content does NOT need to be encrypted.
You don't get to decide if someone is being persecuted for accessing your content. I'm happy that this is creating work for Admins. It's about time they realised that it's not up to them to decide if security is important for their users.
Re: (Score:2)
You're naïve to think that everyone is being persecuted by some ultra capable government agency. In other news I don't have a lock on my front door because I'm worried about James Bond breaking in.
Re: (Score:2)
You don't have an argument; if Kim Jung Jellybelly wants to make accessing a particular website a capital offence, that part of the traffic isn't encrypted. Which particular manifesto you read or porn story or picture you looked at doesn't matter, you'll be standing on the X for the mortar shell.
Meanwhile, most of the governments in the world don't give a shit what content you see; let's handle the majority, and you neurotic people that worry about edge cases can shiver in your safe space.
Re: (Score:2)
> You don't have an argument, if Kim Jung Jellybelly wants to make accessing a particular website a capital offence that part of the traffic isn't encrypted.
You're a special kind of retard if you think that's how it works. Or that you think we're talking about Kim Jung Jellybelly. While you accused me of "hollywood style" thinking, I encourage you to at least pull your head out of the sand (or your ass, if that's the dark ignorant place you stuck it).
Re: (Score:2)
> that not everything that uses SSL is a web server.
For those I use Acme's DNS mode and distribute the certs with devops. Pain to set up, once.
Re: (Score:2)
Not to mention the other little things people never talk about:
Re: (Score:2)
> Between Google pushing SSL down everyone's throat and Apple not accepting SSL certificates issued for over 398 days, I don't know which entity to hate more.
Why choose? Hate'em both, equally.
Now if only TLS was worth anything... (Score:5, Insightful)
Take a look at the list of CAs your browser blindly trusts.
I'll bet you money, you don't even know, let alone trust, most of them, and even consider some openly hostile.
TLS is all nice, if, and only if, it's your own CA and root certificate. Otherwise it's security theater and we just got lucky until now. ...mostly... we think ...
Then again, Chrome is Google's little tentacle sucker, so I'm probably being silly here. :)
Re: (Score:2)
While this is terrible, it's a feature the user should easily be aware of and be able to block.
For example, my company has internal CAs. I explicitly remove them as root ca and impose nameconstraints so they can't mess with internet traffic, even though they ostensibly don't try to do it, I don't trust them to have such a key. It's nice to have a web of trust with some features to manage it, and I can't think of another key management strategy that works for some third-party attestation. Without it, you a
Re: (Score:2)
There are two major bugs in TLS PKI.
1) Only one CA can authenticate a key. You cannot buy a certificate from 10 different providers for the same key. Enabling this would make it possible to remove the bad CAs, because sensible sites would be certified by multiple authorities. As it is, we are stuck with a year-long process to remove even the worst offenders. PGP does this much better.
2) CAs and intermediates have to be trusted for everything. If I like to have mycoolname.local on my internal network, I need
Re: (Score:2)
1) Absolutely, there is no emphasis on relative reputation of a CA and how it is represented in a browser, and no sane mechanism to have multi-authority signing
2) Well, there are nameconstraints. It's a pain because to actually implement it, each local user needs to make their own CA and use that to impose name constraints by cross-certifying, e.g. https://www.marcanoonline.com/... [marcanoonline.com]. Of course, a CA can constrain itself, but that's a bit silly since the consumer of the CA is more likely to want to pick how
Re: Now if only TLS was worth anything... (Score:1)
Nah, I'm systematically modded down by Slashdot admins.
Somehow I became their enemy, and now it almost did not matter what I say. Anything not buried below other comments, that was not cheering for what they wanted, got modded down.
Seems they do not understand that any criticism is only me wishing things were better. For everyone. Including them. They always seem to think I want to harm them or hate then.
Maybe cultural differences lost in translation...
I learned to just look for better communities.
And wish
Re: (Score:2)
True, it's mostly a scheme for lining the pockets of certain corporations.
There are plenty of ways encryption and site identification can be done for zero money.
Re: (Score:2)
We COULD have our own private CAs and have them be fully trusted if browser vendors would get off their collective butts and implement DNSSEC DANE TLSA (RFC6698). TLSA certificate usage mode 3 is the solution to browser-based certificate trust stores. Mode 3 lets anyone publish their own self-signed root cert (CA) to DNS and the browser would only trust certificates issued by that root CA for the domain in question. It solves all forms of MITM, cuts out third-party "trust" roots, works for internal netwo
Everywhere (Score:3)
But, I have to wonder: how would this functionality differ from the HTTPS Everywhere [google.com] extension developed by the Electronic Frontier Foundation and Tor?
Re: (Score:2)
https isn't necessary for a lot of things. I like the internet connected temp/humidity sensors that use http we have at work. No need to replace them, no need to have https. The browser people need to stop being goody-goodies ramming crap down our throat we don't need and don't want. If I want to use http for something they can keep their nose out of it.
Re: (Score:3)
> I like the internet connected temp/humidity sensors that use http we have at work.
Otherwise known as sensor traffic which can be intercepted to identify temperature changes which may indicate if a building is empty and therefore a suitable target? That's your temperature sensor. What if someone else is using the same sensor in a more critical application?
The thing is *you* can only decide if HTTPS isn't necessary for *you* and *you alone*. You can't decide if someone else is being persecuted for the content which you or someone else provide them. You can't decide if they are being monit
Re: (Score:2)
No dumbass, sensors in a data center that won't reveal jack shit about any humans there, just if the Liebert is acting up again.
Your stupid hollywood scenario has never happened, won't happen. We shouldn't make defaults based on your neurotic runaway imagination. You show why I'm right and anyone opposed has only stupid fantasies about a one in a billion chance of something going wrong.
Moron.
Re: (Score:2)
I think we are all truly glad you don't work in security.
Call other people names all you want. Whether someone is a dumbass or a moron is based on what they said, and your post isn't driving the message you think it is.
Re: (Score:2)
to further expound on your stupidity, even though I have one cage in there and my $100 ethernet temp/humidity sensor which only ever shows building conditions since 150 W human means nothing and can't be detected with tens of kilowatts of heat dissipating gear on the floor, is in a building that has zero people except front desk 99.9999 percent the time. Assuming anyone even could get my private network to snoop the traffic, why would they bother when anyone could hit the sensor directly with their browser
Working on? (Score:3)
Seriously? Shouldn't it be swapping two lines of code to change the order in which it tries out a URL. FFS, developers these days.
LAN Access (Score:2)
Re: (Score:2)
Mozilla needs to allow whitelisting or some other way to disable HTTPS on local servers
Host it on port 80 and access it with 'http://'
You're welcome.
Re: (Score:2)
> Mozilla needs to allow whitelisting or some other way to disable HTTPS on local servers
> Host it on port 80 and access it with 'http://'
That only works if you have just one server per machine. My media server, file server and Webmin are all on a single machine, each with their own web interface needing a separate port.
> You're welcome.
Oh, you're one of those smug-ass types who feel good about themselves when they think they've solved the problem.
Re: (Score:2)
> That only works if you have just one server per machine. My media server, file server and Webmin are all on a single machine, each with their own web interface needing a separate port.
ok, host them on different ports and access them using 'http://*:port_num'
In the past, I've created my own root certificate and installed it in all my browsers. Here's a tutorial for how to do it [mozilla.org]. That will work if you aren't anti-https in particular, and just want to avoid your browser giving you warnings.
Re: (Score:2)
> That only works if you have just one server per machine. My media server, file server and Webmin are all on a single machine, each with their own web interface needing a separate port.
> ok, host them on different ports and access them using 'http://*:port_num'
Thank you for telling me how to do something I obviously know how to do and have been doing for years.
> In the past, I've created my own root certificate and installed it in all my browsers. Here's a tutorial for how to do it [mozilla.org]. That will work if you aren't anti-https in particular, and just want to avoid your browser giving you warnings.
I'm not anti-https, I'm just anti-having to do something that shouldn't have to be done in the first place. While I'm perfectly capable of setting up my own certificate, setting the servers to utilize it if possible (my printer has no way to set up HTTPS on its web interface) takes time that I'd rather not give it. Every Raspberry Pi, Arduino or other doodad I connect would have to be set up for HTTPS, which is a pain in the ass if it can even be done in the first place.
Re: (Score:2)
> Every Raspberry Pi, Arduino or other doodad I connect would have to be set up for HTTPS, which is a pain in the ass if it can even be done in the first place.
I have no idea what you are trying to say here. That might be the core of the confusion.
Re: (Score:2)
Well, you can make your own CA and sign their certificates.
If there exists a device that's http-only, then at least it's possible to make a reverse proxy to add https to it, with a certificate of your choosing.
Of course, one could imagine a new protocol identifier, say, 'httpsi://192.168.1.2/', that cannot be accessed through href links and must be an IP address, not name resolution; it must be typed manually into the address bar, and then it just makes the location bar blatantly obvious about it not being 'secure', but not nagging you about the certificate when coming in cold (e.g. like ssh known_hosts, with less prompting).
Re: (Score:2)
> Well, you can make your own CA and sign their certificates.
> If there exists a device that's http-only, then at least it's possible to make a reverse proxy to add https to it, with a certificate of your choosing.
And why not just make a method to access local networks without security? Creating your own CA and signing certificates for a local web service is a bit beyond most home users abilities, and while not a big pain to do for those of us who can, it's still more work than clicking a box that says to remember this unsecured server or even the whole domain from now on.
> Of course, one could imagine a new protocol identifier, say, 'httpsi://192.168.1.2/', that cannot be accessed through href links and must be IP address, not name resolution, it must be typed manually into the address bar, and then it just makes the location bar blatantly obvious about it not being 'secure', but not nagging you about the certificate when coming in cold (e.g like ssh known_hosts, with less prompting).
One could similarly imagine 'httpi://' for internal devices that don't do tls, but still want to access locally, if you see fit.
One should not have to imagine things that do not exist to be able to navigate one's local network without jumping through bells and whistles.
Re: (Score:2)
As someone nowhere near a browser or IETF group, all I can do is randomly suggest a scheme and hope that someone that actually matters would come along and consider if something like an httpi/httpsi URL scheme is attractive for the internal network problem.
Currently, the problem is to cater to internal networking means weakening internet scale access. It would be nice to facilitate internal networks in an entirely distinct way, naturally catering to the things such devices and networks are naturally used/not
DANE/TLSA support (Score:2)
I wish Google would put DANE (TLSA record) support back in Chrome. The one problem with HTTPS is that while it prevents third-party eavesdropping on communications, it does nothing to prevent attacks that hijack the endpoint itself. If someone can target DNS and change where a domain resolves, as long as their server's supplying a certificate issued by one of the huge number of CAs out there and has an alt name consistent with the domain the browser will blithely accept the hostile server as legitimate. All
Re: (Score:2)
Modern domain validated CA certificates depend on DNS, and DNS is the key to fixing the overly trusting CA stores, so DNS security is a requirement anyway. This makes DANE with DNSSEC the natural replacement for the now unnecessarily complex CA system.
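How the TLSA "mode 3" mentioned in this sub-thread and in the earlier DANE comment actually pins a server key, as an added example rather than code from any browser or resolver: the record is the hash of the end-entity certificate (or just its public key) published under `_443._tcp.<host>`, and a DANE-EE client accepts the presented certificate when that hash matches, regardless of which CA, if any, signed it. The certificate and SubjectPublicKeyInfo bytes below are constructed stand-ins, not real DER; a client would take them from the TLS handshake and must only act on a DNSSEC-validated TLSA answer.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

# RFC 6698 field values. Usage 3 is what the comments above call "mode 3".
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching: int
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSARecord":
        """Parse zone-file form: '3 1 1 <hex>'. The hex may be broken across whitespace."""
        fields = presentation.split()
        if len(fields) < 4:
            raise ValueError("TLSA needs usage, selector, matching type and data")
        usage, selector, matching = (int(f) for f in fields[:3])
        if usage not in USAGES or selector not in SELECTORS or matching not in MATCHING:
            raise ValueError("unknown TLSA field value")
        return cls(usage, selector, matching, bytes.fromhex("".join(fields[3:])))

    def __str__(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name a client queries, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the selector, then the matching type, to the presented certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(cert_der: bytes, spki_der: bytes,
              usage: int = 3, selector: int = 1, matching: int = 1) -> TLSARecord:
    """Build the record an operator publishes; the defaults give the common '3 1 1'."""
    return TLSARecord(usage, selector, matching,
                      association_data(selector, matching, cert_der, spki_der))


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3) acceptance: the leaf matches some record, whoever issued it.

    Only usage 3 is implemented here; usages 0-2 need PKIX chain building and are skipped.
    """
    for r in records:
        if r.usage == 3 and association_data(r.selector, r.matching, cert_der, spki_der) == r.data:
            return True
    return False


# Constructed stand-ins (not real DER; a real client gets these from the TLS handshake).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"

if __name__ == "__main__":
    rec = make_tlsa(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(f"{tlsa_owner('www.example.com')}. IN TLSA {rec}")
```

Selector 1 (SPKI) is the usual choice because the record survives a certificate renewal as long as the key is kept; rotating the key means publishing the new record (and, for a clean cutover, both records) before switching the server.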
It isn't that way already? (Score:2)
I thought it did already try forcing https to all sites. If it couldn't, it had several layers of tiny-font scare buttons to click through to get to the http plain site.
What are they doing, removing the button and saying "Tough luck!"?