Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Sunday September 11 2016, @05:48PM   Printer-friendly
from the there's-gotta-be-a-downside-to-this dept.

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Pino P on Monday September 12 2016, @03:43PM

    by Pino P (4721) on Monday September 12 2016, @03:43PM (#400763) Journal

    With StartSSL, the only extra step is that you paste the CSR into a web form instead of passing it to an OpenSSL command line.

    With StartSSL, as with all other CAs that follow the CAB Forum's Baseline Requirements, the machine still needs a valid fully qualified domain name (FQDN). You can't have StartSSL sign a certificate for an RFC 1918 private IP address or for a domain in some made-up TLD such as .local. This means everyone who wants to run a NAS internally on a private home LAN and access the NAS through HTTPS has to buy a domain for that LAN and renew it annually.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by TheRaven on Monday September 12 2016, @03:48PM

    by TheRaven (270) on Monday September 12 2016, @03:48PM (#400767) Journal
    So? If you want to run a device on a private network, without connection to the Internet, then you probably have a far smaller set of client machines to worry about. For this use case, you can be your own CA. Add your own root cert to all of the devices that you care about and sign all of your certs with it. This is totally off topic though, because if you run a device on a private network without connection to the Internet, then it probably won't be listed on Google anyway.
    --
    sudo mod me up
    • (Score: 2) by Pino P on Tuesday September 13 2016, @01:10AM

      by Pino P (4721) on Tuesday September 13 2016, @01:10AM (#401042) Journal

      If you want to run a device on a private network, without connection to the Internet, then you probably have a far smaller set of client machines to worry about.

      But this set would include friends and family visiting my home, who aren't guaranteed to know how to install a trusted root CA on their phone or tablet.

      if you run a device on a private network without connection to the Internet, then it probably won't be listed on Google anyway.

      Clear HTTP will be penalized not only in Google Search but also in Google Chrome, including the copy of Google Chrome on the device of a visiting friend or family member.