Stories
Slash Boxes
Comments

SoylentNews is people

Google to Start Punishing HTTP-Only Sites

posted by cmn32480 on Sunday September 11 2016, @05:48PM   Printer-friendly
from the there's-gotta-be-a-downside-to-this dept.

SomeGuy writes:

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Google to Start Punishing HTTP-Only Sites | Log In/Create an Account | Top | 63 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by jmorris on Sunday September 11 2016, @09:27PM

    by jmorris (4844) on Sunday September 11 2016, @09:27PM (#400389)

    3. everybody goes HTTPS (say goodbye to caching or welcome to ISP/CDN MITM), which means that:

    Everybody ignores the importance of that one. Caching is good, https breaks it unless your ISP breaks https to fix it and that breaks security for those times you need it.

    Https everywhere also breaks every captive portal in the world. There is, by definition, no solution to that problem. Nobody sane is going to allow every Starbucks and McDonalds to place a wildcard certificate on their device and once you have a browser that simply refuses to view an http:// prefix you are boned. And even if you are that stupid it becomes a catch-22. You never see the captive portal screen offering to install the wildcard. The best that can be done is hang signs with a URL to an https server with the portal. Good luck getting people to actually do that though.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 0) by Anonymous Coward on Monday September 12 2016, @04:11AM

    by Anonymous Coward on Monday September 12 2016, @04:11AM (#400518)

    Captive portals are a broken concept anyway... but then again, mobile devices, at least, special-case them. I assume recent desktop OSes probably do, too (although I haven't used a laptop on a connection with a captive portal in a while).

  • (Score: 2) by NotSanguine on Monday September 12 2016, @03:04PM

    by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Monday September 12 2016, @03:04PM (#400740) Homepage Journal

    Everybody ignores the importance of that one. Caching is good, https breaks it unless your ISP breaks https to fix it and that breaks security for those times you need it.

    Caching is good only if bandwidth is a limited resource. Which it doesn't have to be.

    What's more, I'd be happy with pages load ing a little slower (i.e., no caching) if it means my traffic can be encrypted.

    I suppose that's just my personal preference, but it is my preference.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr

  • (Score: 2) by Pino P on Monday September 12 2016, @03:46PM

    by Pino P (4721) on Monday September 12 2016, @03:46PM (#400766) Journal

    The solution is to switch from captive portals to something like RADIUS authentication [wikipedia.org], wherein the hotspot's terms of use can be presented as an Access Challenge.