Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Chrome Google The Internet

Chrome Will Soon Let You Turn On An HTTPS-First Mode (theverge.com) 64

On Wednesday, Google announced it will soon offer an HTTPS-first option in Chrome, which will try to upgrade page loads to HTTPS. "If you flip this option on, the browser will also show a full-page warning when you try to load up a site that doesn't support HTTPS," adds The Verge. From the report: HTTPS is a more secure version of HTTP (yes, the "S" stands for "secure"), and many of the websites you visit every day likely already support it. Since HTTPS encrypts your traffic, it's a helpful privacy tool for when you're using public Wi-Fi or to keep your ISP from snooping on the contents of your browsing. Google has been encouraging HTTPS adoption with moves like marking insecure sites with a "Not secure" label in the URL bar and using https:// in the address bar by default when you're typing in a URL. For now, this HTTPS-First Mode will be just an option, but the company says it will "explore" making the mode the default in the future. The HTTPS-First Mode will be available starting with Chrome 94, according to Google. Currently, that release is set for September 21st. And HTTP connections will still be supported, the company says. Google is also "re-examining" the lock icon in the URL bar. Google explains in a blog post: "As we approach an HTTPS-first future, we're also re-examining the lock icon that browsers typically show when a site loads over HTTPS. In particular, our research indicates that users often associate this icon with a site being trustworthy, when in fact it's only the connection that's secure. In a recent study, we found that only 11% of participants could correctly identify the meaning of the lock icon."

The company plans to swap the lock icon with a downward-facing arrow starting with Chrome 93. Though, the "Not Secure" label will still be shown for sites that aren't secure.
This discussion has been archived. No new comments can be posted.

Chrome Will Soon Let You Turn On An HTTPS-First Mode

Comments Filter:
  • by Lije Baley ( 88936 ) on Thursday July 15, 2021 @07:47PM (#61586881)

    Let me know when they have an HTTP mode, for when I'm like just doing the 99% of my web surfing that doesn't need HTTPS.

    • What really sucks is once it upgrades the site to HTTPS its hell to connect as HTTP again. This is extremely frustrating when I setup a lot of different equipment that often share the same default IP. Some are http only and some are https only. Theres no way to permanently mark a site to never force https. You have to delete the damn setting following every single time it successfully makes an https connection. Otherwise the next http device you need to setup will keep failing because port 443 is not activ
      • Can you setup something like stunnel? I haven't tried it but it would have the additional advantage that your browser would always see the same certificate regardless of the equipment stunnel was connecting to. And I'm pretty sure stunnel itself has options to not check certificates.

        I haven't used stunnel for donkey's years. I used to expose some HTTP only cameras as HTTPS via stunnel. But I wouldn't dream of doing that now and everything has to go via a vpn to my local LAN so no longer do I need to care ab

      • by AmiMoJo ( 196126 )

        It should fall back to HTTP if there is no response from HTTPS. That's how it appears to be implemented, try HTTPS and if that fails try HTTP.

        • I have. Ive literally retyped the https as http only to watch it go right behind me and change it back to https. I have to go in and delete the url from the chrome settings so it wont auto-https for it. The next time https works its right back to refusing http.
      • What really sucks is once it upgrades the site to HTTPS its hell to connect as HTTP again.

        Even worse is when a site's certificate expires and it won't let you connect at all. No option to say "it's a page of cat pictures, not a fucking bank!". Nothing.

        The only thing you can do when that happens is to break out a copy of Firefox.

    • the 99% of my web surfing that doesn't need HTTPS.

      If 99 percent is on a private intranet, I see your point.

      But otherwise, when you are visiting a public HTTP site, how can you be sure that an ISP or other malicious actor between you and the server has not inserted malicious script into the HTML document or falsified the data in the article you are reading?

      • I can't be sure of that with HTTPS either. It's more likely that I'll crash my car going to the store, but I'm still driving.

        • Actually, you can. That's one of the two points https has. Confidentiality is, funny enough, the lesser important part of it. What actually really matters is integrity.

          • I can be sure of no MITM, but that's about it. I could still be connecting to a typo site with a good cert...or I could be getting malicious info or scripts from ads, or the site itself. Or a determined actor can just do whatever, despite https.
            Most of the time though, my only concern is the "legit" content hacking my brain.

      • by Gabest ( 852807 )

        The 99% is where I am not logged in on the INTERNET. And of that 1%, 99% do not have any value. Not a bank account or such.

        • Wait until https is the only way it connects. It's coming. And everyone's Intranets will be cactus. I'm running a LAMP stack on an IoT box that hasn't seen updates in 3 years. I'm anticipating a client side browser update will break it before anything else.
    • It doesn't? You really don't care whether you get to see the page you surfed to or someone's fake page?

      • You overestimate my level of trust in the "real" page.

        • That's not even the point, the point is that some malicious actor can inject something to make you think the "real" page did it, tricking you into disbelieving the "real" page due to believing that it was them.

  • Getting signed certificates costs roughly $20/year for a decent security certificate, or roughly $40/year for a modest wildcard certificate. It can add up very quickly. if you don't handle them well.

    • by jonwil ( 467024 ) on Thursday July 15, 2021 @08:14PM (#61586919)

      Lets Encrypt can provide all of those certificates for free (including wildcard). So how exactly does a "signed certificate" cost that much if Lets Encrypt can do them for free?

      • Lets encrypt can be a real PITA though. It expired every 90 days and automation is not always easy for some applications. For example, network switches or other appliances. There is no good way to keep all those things current on certificates without manually reinstalling every 90 days. Usually they self sign their own cert for 10years but recent browsers have made it difficult to 'go to site anyway' My zimbra server is also a pain to update certificates. Ive tried to automate it but inevitably ev
        • Lets encrypt can be a real PITA though. It expired every 90 days and automation is not always easy for some applications. For example, network switches or other appliances.

          Why does the public need to connect to your network switches? And if the public doesn't, why bother installing globally-trusted certificates? Generate your own root, install it in the trust store of your browsers and use it to sign certificates for the switches. Your browsers will trust your network appliances, no problem, and as a bonus you can't be fooled into trusting anything that isn't your network appliance, because an attacker would (hopefully) have a hard time getting you to sign the certificate for

      • If you are running a public website, a certificate from Let's Encrypt comes at no additional charge other than setting up a cron job to keep it renewed.

        If you are running a private intranet site, such as the administration interface of your router, printer, or NAS, it's a different story. Like other CAs that comply with CA/Browser Forum Baseline Requirements, Let's Encrypt does not issue certificates for private IP addresses (such as those in 10/8 or 192.168/16) or for private top-level domains (such as .lo

        • by jonwil ( 467024 )

          If its all operating over a private intranet and not exposed to the public internet at all (and that includes things accessed by remote users over encrypted VPNs) then do you even need to encrypt the web page at all?

        • You just need to do dns-challenge for internal hosts. As long as they have resolvable names that you use for management (even 1.0.168.192.example.com), it is fine. The goofy IP address route even makes it easy to do wildcard certs for your various VLANs.

          Some things are harder, where there are no easy scripting methods to update certs on equipment, but for nearly everything I have seen there is a way. A few things have taken far too much research to figure out, but it can be done.

          The only things still missin

          • by tepples ( 727027 )

            As long as they have resolvable names

            Which cost money. A home user might not understand why getting a NAS to keep working after the 12-month factory warranty expires costs $15 per year for a domain name.

            that you use for management (even 1.0.168.192.example.com)

            Say your NAS is 192.168.0.27, and you want to configure your ISP-provided Internet gateway's DNS to resolve 27.0.168.192.example.com to 192.168.0.27. How would a home user go about learning how to do this?

            • There are plenty of free domain name services out there where you get some random subdomain you can use for this purpose.

              Using your specific example, and assuming a single host, there are plenty of tutorials out there that will give someone a functional http-challenge certificate, using the router’s name resolution service. dns-challenge is another level of complexity that I wouldn’t want to talk my mom through over the phone, although I could easily set her up on one of my domains with a dedica

              • There are plenty of free domain name services out there where you get some random subdomain you can use for this purpose.

                Are these free domain name services on the Public Suffix List? Because if they're not, a user of Let's Encrypt is likely to run into a rate limit of 20 certificates per domain name per week, across everyone who has a subdomain under that domain name. If they are on the Public Suffix List, the limit is more reasonable: 20 certificates for your subdomain. I seem to remember that when Let's Encrypt launched, the maintainers of the Public Suffix List were swamped with requests from these services to be added. H

            • Maybe by buying a NAS or router that does it for them?

              • A home user might not understand why getting a NAS to keep working after the 12-month factory warranty expires costs $15 per year for a domain name.

                Maybe by buying a NAS or router that does it for them?

                The NAS or router "does it for them" until the warranty expires. After this time, all its HTTPS features stop working. Once the user pays more money to the manufacturer to renew the subscription to the associated dynamic DNS service, the HTTPS features of the NAS or router start working again. Is this sort of planned obsolescence a necessary evil?

                • If they are using a router past the time they get firmware updates for that router, they have bigger problems than HTTPS anyway...

                  • by tepples ( 727027 )

                    In order that I may appreciate the scope of these "bigger problems": How long do major makers of home routers commit to providing firmware updates?

                    • At least the warranty period. Not that I'd care too much, using OpenWRT, but I know that some people can't be assed to know at least the fundamental basics of a machine they want to operate.

        • If that's only for your private network, what keeps you from rolling your own CA and having your clients trust your CA?

          • I guess it's a matter of training less-technical home users in 1. the use of command line tools, such as Filippo Valsorda's mkcert [github.com]; 2. setting up split-horizon DNS to resolve names internally; and 3. configuring the major Windows, macOS, iOS, and Android browsers to trust a private CA.

            • Which of these things cannot be accomplished by a script?

              • by tepples ( 727027 )

                Which of these things cannot be accomplished by a script?

                Doing these things for all major brands of what the user has: installing the interpreter, accepting arguments, configuring the router, and configuring all browsers while somehow distinguishing itself from malware.

                Installing an interpreter for the language in which a script is written cannot be accomplished by a script in the same language. This means the script needs to be in a language that comes with the operating system. The different major desktop operating systems come with different scripting language

    • Cloudflare is free.

      • by suss ( 158993 ) on Thursday July 15, 2021 @08:55PM (#61586999)

        If you don't mind them being the literal man in the middle. Kind of defeats the purpose of HTTPS...

        • It does not. HTTPS ensures that *unauthorised* people aren't the man in the middle. There's nothing about any encryption scheme we have that prevents someone authorised from being that MITM.

      • In this case, you get what you pay for. Cloudflare is not primarily an SSL signature authority, they're primarily a CDN or Content Delivery Network. I've dealt with Cloudflare with clients who thought they could save a great deal of money and server load. While they can be helpful, the savings were never as great as unofficially promised in their sales calls.

        • For SSL, which you originally complained about, Cloudflare lets you use a self-signed cert and then they use one of their certs to communicate with the client. It gives you free SSL without having to configure anything on your server or worry about renewing certs. This is included with the free tier of Cloudflare.

  • It stands for "encrypted", which is not the same thing.

    • Yeah that's pretty sad given they were attempting to explain what the icon actually means. MOST sites served up via https couldn't be honestly described as "secure". The lock icon tells you NOTHING about the site.

      What it does mean is that your CONNECTION to the site is encrypted. The *connection* is secure, for one definition of secure.

      • I should have re-read that sentence before posting.
        The summary says "fact it's only the connection that's secure".
        That's accurate. The connection to the site is secure, for a meaningful definition of secure. It tells you nothing about the site.

        It's like using an armored truck to drive to a dive bar in the bad part of town, then getting out of the truck and going into the bar. The "getting there" part is secured. What you'll encounter once you get to the site, there's no guarantee.

      • I sort of wish, there was some insignia that showed if a site was secure... but secure as in a third party audited the entire site's stack from server hardware, to physical security at the data center, all the way up to the web service, for any/all potential security exploits. The audits would be planned, as well as random, and would be fairly strict where if shenanigans are detected, the insignia gets pulled immediately.

        Best we seem to have are EV certs though. Would be nice if we had something more thor

        • It would be nice if there was a popular, simple logo that meant something. Probably the best you'll see commonly used is some businesses will mention on their site if they have a SOC 2. SOC 2 is about security of their systems. Not to be confused with SOC 1, which is financial.

          > secure as in a third party audited the entire site's stack from server hardware, to physical security at the data center, all the way up to the web service, for any/all potential security exploits.

          To have a third party actually

    • HTTPS also does a certain amount if authentication, it isn't only encryption. Though, I'd like to see the protocols moving to a place where TCP would require TLS or similar for any connection, and accept any certificate/credential for it. The authentication piece would be managed separately. i.e. encrypt everything by default
  • They need to do it by default, not via some hidden user setting somewhere. Second, they need to get rid of HTTP entirely.

    • Re: (Score:3, Insightful)

      by wardco ( 546670 )
      Nope. That's crap There's thousands of servers that will never be updated to HTTPS, contain no security-sensitive info, and which Chrome would be blind to. HTTPS is not an unalloyed good. Google is being very arrogant forcing their point of view on the open web.
      • Forcing? Switch back to internet explorer 1.0. Nobody is forcing you to do anything.

        • Nobody said anything about them being old. Plenty of web sites don't run SSL/TLS and that's for the best. Just because a web server isn't encrypted doesn't mean there's a problem.

  • How is it different from existing HTTPS Everywhere [eff.org]?
  • So... what am I downloading? Please pick something better for the replacement icon. Something that represents a link or some such.
  • "HTTPS is a more secure version of HTTP (yes, the "S" stands for "secure")"

    Yeah, right!

    The S is short for SSL which means "Secure Socket Layer" or in other words HTTPS is an SSL encrypted connection over HTTP. This means that (probably) your browser and the the web server are the only ones able to read the contents of this website. It means nothing else.

    Add in a certificate and you know someone paid to use a certain DNS name. HTTPS works fine without this (with a self-signed certificate), but your browser w

  • I admit I'm not that knowledgable of https (secure or encrypted?) but what bugs me is newer versions of browsers seem to lack the ability to hover mouse over a link and see what it is on bottom of window before clicking.
  • I don't get how the Chrome/Chromium team read the fine paper from 2016 that they referenced, and then decided a down-arrow should replace the long-ubiquitous lock symbol. The authors of the paper itself concluded after doing several surveys, that the lock symbol is well-understood (only a few % of survey respondents had no idea what it meant), and they recommended using a new lock symbol that scales well and has no color connotations (due to 8% of the male population being color-blind). I totally understan

Genius is ten percent inspiration and fifty percent capital gains.

Working...