
SoylentNews is people

posted by cmn32480 on Sunday September 11 2016, @05:48PM
from the there's-gotta-be-a-downside-to-this dept.

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.
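An added example, not from the story or from Google: a static scan a site owner could run over their own pages to find password or card fields that are served, or submitted, over plain HTTP. The choice of "sensitive" fields (password inputs and credit-card autocomplete tokens), the names audit and SensitiveFieldAudit, and the example.test pages are assumptions, not Chrome's actual detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristic for "sensitive" inputs; not Chrome's actual detection logic.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}

class SensitiveFieldAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None  # resolved action URL of the enclosing <form>
        self.findings = []       # (field name, reason) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and self._sensitive(a):
            target = self.form_action or self.page_url
            if urlparse(self.page_url).scheme != "https":
                self.findings.append((a.get("name", ""), "page served over HTTP"))
            elif urlparse(target).scheme != "https":
                self.findings.append((a.get("name", ""), "form submits to HTTP"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

    @staticmethod
    def _sensitive(a):
        tokens = set(a.get("autocomplete", "").lower().split())
        return a.get("type", "").lower() == "password" or bool(tokens & CARD_TOKENS)

def audit(page_url, html):
    parser = SensitiveFieldAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages (.test is a reserved TLD).
LOGIN = '<form action="/session"><input name="user"><input type="password" name="pw"></form>'
DOWNGRADE = '<form action="http://pay.example.test/charge"><input name="card" autocomplete="cc-number"></form>'
# The password field exists only after the script runs, so a static scan misses it.
SCRIPTED = '<div id="box"></div><script>box.innerHTML = "<input type=password name=pw>";</script>'

if __name__ == "__main__":
    print(audit("http://example.test/login", LOGIN))
```

The SCRIPTED sample returns no findings because its field is created by script at run time; a static scan only sees markup present in the served HTML.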



 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by theluggage (1797) on Monday September 12 2016, @12:11PM (#400648)

    This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:

    Does that mean they're actually going to take it into consideration (which would involve considering the possibility that flagging all HTTP pages would be a step too far), or is it the usual "taking into consideration" (we'll discuss it a bit in committee and then go ahead and do what we've already decided to do)?

    Passwords and credit cards? Fine - frankly I'd rather not put credit card info into a site that doesn't have extended verification, let alone an HTTP one. However - how reliably can you detect this if the page is using AJAX or JavaScript? False security is worse than no security.

    Incognito mode? Fine: you've specifically asked the browser to get paranoid.

    Any old HTTP page? Sorry, no, that's just crying wolf - if you're that concerned about being monitored or spoofed, turn on Incognito mode.

    "Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently"

    Really? Quick, call the Journal of Urso-Sylvanian Scatology (incorporating Pontifical Denomination Studies)!

  • (Score: 2) by JNCF (4317) on Monday September 12 2016, @08:56PM (#400922)

    Flagging all HTTP sites seems like a step too far right now. I don't think they've committed to a firm timetable. If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.

    • (Score: 2) by theluggage (1797) on Tuesday September 13 2016, @04:13PM (#401365)

      If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.

      That last 20% of HTTP sites is gonna take a long time to shift - run by people in their copious free time, on zero budget, with hosting companies that aren't falling over themselves to add Let's Encrypt support to make it click & drool (no, that's not always essential, but it makes it much easier, especially with Let's Encrypt's short-lived certs).