Stories
Slash Boxes
Comments

SoylentNews is people

Google to Start Punishing HTTP-Only Sites

posted by cmn32480 on Sunday September 11 2016, @05:48PM   Printer-friendly
from the there's-gotta-be-a-downside-to-this dept.

SomeGuy writes:

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Google to Start Punishing HTTP-Only Sites | Log In/Create an Account | Top | 63 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by Gravis on Sunday September 11 2016, @07:00PM

    by Gravis (4596) on Sunday September 11 2016, @07:00PM (#400354)

    essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.

    this is a very naive view of TLS. what it fails to mention is...

    1. TLS has several algorithms that can be used [wikipedia.org] so that if any of them are compromised, the server can simply not use it and still have every client be able to connect. you have to be at least a decade out of date before you completely lose access.
    2. TLS implementations are offloaded to libraries [wikipedia.org] and a library that can be updated so that even if your program is out of date, your security is still up to date.
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 1, Informative) by Anonymous Coward on Sunday September 11 2016, @09:21PM

    by Anonymous Coward on Sunday September 11 2016, @09:21PM (#400388)

    so that even if your program is out of date, your security is still up to date
    Or like my grandparents router that has not seen an update for 3 years? or my cablemodem that has not seen an update for 2.

    But at least my browser is probably secure!

  • (Score: 3, Insightful) by shortscreen on Monday September 12 2016, @09:04AM

    by shortscreen (2252) on Monday September 12 2016, @09:04AM (#400594) Journal

    On the last version of real Opera (12.whatever) I am starting to see sites that refuse to connect. "Fatal Error: Unable to Establish Secure Connection." I assume this has something to do with the HTTPS fad.

    • (Score: 3, Interesting) by Aiwendil on Monday September 12 2016, @05:18PM

      by Aiwendil (531) on Monday September 12 2016, @05:18PM (#400815) Journal

      I'm stuck at bith the rock and the hard place..
      Both in that O12 refuses any letsencrypt-certs ansĀ“d that some of my old routers still using ssl old enough (only inside a lan) that it requires me to tell firefox to violate security in order to use it..

      So basically I'm at the point of needing four browsers just in order to surf..