posted by martyb on Wednesday July 25 2018, @06:07AM
from the wasn't-worth-the-work...-until-now? dept.

Submitted via IRC for AndyTheAbsurd

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:

The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW

— Cloudflare (@Cloudflare) July 23, 2018

Who are these people?! After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:

The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.

Source: https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/
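The article's methodology, put into code: the following is an added example (it is not Troy Hunt's or Scott Helme's code, nor the tooling behind whynohttps.com) that classifies what a site does when a visitor arrives over plain HTTP, and checks the bare domain and the www. host separately, since the summary notes the two can answer differently. The host names, the User-Agent string and the sample responses are constructed for illustration; only `fetch_head` touches the network, and the offline demo never calls it.

```python
# Added example (not from Troy Hunt's article or the whynohttps.com tooling):
# a small checker that classifies what a site does when a visitor arrives over
# plain HTTP, for both the bare domain and the "www." host, which the article
# notes can answer differently. The sample responses below are constructed.
import http.client
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_response(raw: bytes):
    """Parse the status code and headers out of a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(host: str, status: int, headers: dict) -> str:
    """Label the plain-HTTP response for `host`.

    'https-redirect'    - redirect to https:// on the same site (what Chrome 68 wants)
    'http-redirect'     - redirect, but still to http:// (still "Not Secure")
    'off-host-redirect' - https:// redirect to an unrelated host; worth a manual look
    'not-secure'        - content (or an error) served in the clear, no redirect
    """
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return "not-secure"
    target = urlsplit(headers["location"])
    if target.scheme.lower() != "https":
        return "http-redirect"
    if strip_www(target.hostname or "") != strip_www(host):
        return "off-host-redirect"
    return "https-redirect"


def fetch_head(host: str, timeout: float = 5.0):
    """Live fetch of GET / over port 80 (uses the network; not used by the offline demo)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        # A fixed User-Agent: the article saw answers vary with curl's version string.
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "https-redirect-check/1.0"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check_site(domain: str, fetcher=fetch_head) -> dict:
    """Classify both the bare domain and its www. form using `fetcher`."""
    results = {}
    for host in (strip_www(domain), "www." + strip_www(domain)):
        status, headers = fetcher(host)
        results[host] = classify(host, status, headers)
    return results


# Constructed sample responses: the bare host redirects properly, www. does not.
SAMPLE_RESPONSES = {
    "example.com": (
        b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://www.example.com/\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "www.example.com": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html>served in the clear</html>"
    ),
}


def sample_fetcher(host: str):
    """Offline stand-in for fetch_head that replays the constructed responses."""
    return parse_response(SAMPLE_RESPONSES[host])


if __name__ == "__main__":
    for host, label in check_site("example.com", sample_fetcher).items():
        print(f"{host:20} {label}")
```

Passing `fetch_head` instead of `sample_fetcher` to `check_site` runs the same classification against a live host; the "off-host-redirect" label exists because a redirect to HTTPS on some other domain is not the same as the site itself redirecting insecure traffic, and deserves a manual look rather than a pass.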

  • (Score: 5, Insightful) by c0lo on Wednesday July 25 2018, @07:07AM (9 children)

    by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @07:07AM (#712208) Journal

    The majority of the world's static web sites don't need https and it's silly to suggest they do.

    Engineering point of view? You are, of course, right.

    Real-world point of view? Let everything go encrypted, even if it doesn't need to.
    Let the "copy all traffic" be an expensive proposition for NSA and their ilk.
    Let the "encrypted communication" be the norm rather than the exception that triggers those letter-agencies' suspicion.
    Let "HTTPS everywhere" be a step in regaining the privacy for all.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by epitaxial on Wednesday July 25 2018, @12:31PM (4 children)

    by epitaxial (3165) on Wednesday July 25 2018, @12:31PM (#712286)

    I'm pretty sure the feds hold all the SSL keys to begin with.

    • (Score: 2) by c0lo on Wednesday July 25 2018, @12:58PM (3 children)

      by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @12:58PM (#712297) Journal

      Unless the hosting entity does not share the private key with the feds, this cannot happen - correctly done, the private key should never leave the server.
      The private/public key pair is generated on the server, then the public key goes with the Certificate Signing Request to the CA but the private key should (ideally) never leave the server that would host the Web Server.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:16PM (1 child)

        by Anonymous Coward on Wednesday July 25 2018, @02:16PM (#712347)

        I thought this was all about Google maintaining better control of data via the fact it doesn't matter if it's encrypted if they host it, and second, it's good PR to pretend they care.

        People lost control a long time ago, so this at least is like a politician being 'tough on crime' by doing nothing much themselves aside from providing severe punishment that doesn't fit the crime.

        • (Score: 2) by c0lo on Wednesday July 25 2018, @02:35PM

          by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @02:35PM (#712365) Journal

          I thought this was all about Google maintaining better control of data via the fact it doesn't matter if it's encrypted if they host it

          Speaking of which... What exactly is the malfeasance Google is accused of if Chrome signals to the user a site using plain HTTP is insecure? It's not like they are lying, is it?

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:40PM

        by Anonymous Coward on Wednesday July 25 2018, @08:40PM (#712664)

        The Feds can decrypt SSL traffic no problem. It would give them a slightly higher overhead but not crazy. The real safety comes from making it hard for non-gov criminals to find the desired traffic. The problem you are having is assuming the crypto and the hardware it runs on doesn't have flaws. They don't even have to be full backdoors since some small flaw in the encryption routine can make it much simpler to crack the encryption if you know what pattern to look for.

  • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @04:15PM

    by Anonymous Coward on Wednesday July 25 2018, @04:15PM (#712447)

    Let the "copy all traffic" be an expensive proposition for NSA and their ilk.

    Exactly this. If the many governments weren't intent on hoarding all communication for future analysis, leaving unimportant stuff in the clear would be fine, but because they insist on unwarranted data collection of everything, let's make it as expensive as possible. Bury your banking and online buying habits and your innocuous-today-but-potentially-seditious-by-future-interpretation chats in mundane encrypted cat videos and discussions about that cute guy/gal in third period math class.

  • (Score: 4, Insightful) by Grishnakh on Wednesday July 25 2018, @04:55PM (2 children)

    by Grishnakh (2831) on Wednesday July 25 2018, @04:55PM (#712473)

    The problem with this is that it imposes a real-world cost on anyone who wants to create their own little website. Certificates are not free, unless you get one from Let's Encrypt, but LE certs don't work on most of the lowest-cost hosting providers. So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive. Great job for democratization, guys.

    • (Score: 2) by c0lo on Wednesday July 25 2018, @10:58PM

      by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @10:58PM (#712770) Journal

      So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive.

      I'm hosting with Bluehost for a couple of hobby websites. In light of "HTTPS everywhere", they offered SSL certificates with no change to the price of hosting; see for yourself [bluehost.com]: all their plans have "SSL certificate included".
      I have no doubts that Bluehost is not the only hosting service to do it.

      Great job for democratization, guys.

      I'm repeating my question: what has Google done wrong in signalling that the connection to a site is insecure?
      They don't lie about it, just notify the visitors. The access to the site is not blocked.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by urza9814 on Thursday July 26 2018, @04:03PM

      by urza9814 (3954) on Thursday July 26 2018, @04:03PM (#713179) Journal

      The problem with this is that it imposes a real-world cost on anyone who wants to create their own little website. Certificates are not free, unless you get one from Let's Encrypt, but LE certs don't work on most of the lowest-cost hosting providers. So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive. Great job for democratization, guys.

      What exactly do you mean that LE certs won't work on low cost hosting providers? You can get a .key and .crt file from LE and deploy those exactly the same way you'd deploy any other SSL cert. There might be some truly bottom end hosts that don't support HTTPS in any way, but that's hardly something to blame on LE alone. And there's plenty of cheap or even free hosting options that do support SSL. Might take a bit of time to get it set up, but that should be expected on a bottom tier host. EVERYTHING is going to take a bit of time to get set up on one of those services. And if you really have NO IDEA what you're doing, you should be using a more basic service like Wordpress.com -- it's free, they set up SSL automatically, and they won't let you disable it even if you wanted to.

      I can understand that not every single site necessarily needs to be secure, and not every webmaster is going to want to spend the time to set that up...and if that's the case, if they intentionally want their site to be insecure, then that's fine. But let the users know so people aren't putting their credit cards or other sensitive information into that site. But "I can't afford it" or "my host doesn't support it" really isn't a valid excuse anymore.