Stories
Slash Boxes
Comments

SoylentNews is people

Google to Start Punishing HTTP-Only Sites

posted by cmn32480 on Sunday September 11 2016, @05:48PM   Printer-friendly
from the there's-gotta-be-a-downside-to-this dept.

SomeGuy writes:

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Google to Start Punishing HTTP-Only Sites | Log In/Create an Account | Top | 63 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Pino P on Monday September 12 2016, @03:36PM

    by Pino P (4721) on Monday September 12 2016, @03:36PM (#400759) Journal

    My personal server is subscribed to a dynamic dns provider and has a LE cert. Both together took maybe ten minutes to set up automatic renewals for.

    How did you get a Let's Encrypt cert for a subdomain at a dynamic DNS provider? I thought LE's rate limits [letsencrypt.org] forbade issuing more than 20 certificates per domain per week. So if 20 other customers of the same dynamic DNS provider have been issued a certificate in the past 168 hours, you get the rate limit error message instead of a certificate. LE does make an exception for DNS providers on the Public Suffix List, but I've read on LE official forums and the PSL's issue tracker on GitHub that since LE entered general availability, there's been a huge backlog for dynamic DNS providers that want onto the PSL.

    And do "automatic renewals for" the dynamic DNS provider include a recurring fee?

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by The Mighty Buzzard on Monday September 12 2016, @05:23PM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday September 12 2016, @05:23PM (#400820) Homepage Journal

    Well, I was one of the lucky few who made the initial cut for my dyn dns provider but they just got whitelisted recently as well, so I'd be okay now even if I weren't lucky at the outset. My best advice is to pick an already whitelisted provider and redirect to that domain name if you already had another set up on a non-whitelisted provider. Or, you know, annoy your provider and then wait.

    Ye gods no! I wouldn't pay for a subdomain no matter how many bells and whistles they offered. I'd put a record in for tmb.soylentnews.org and update it manually as my ip changed before I paid a dyn dns provider.

    --
    My rights don't end where your fear begins.