
posted by martyb on Wednesday July 25 2018, @06:07AM   Printer-friendly
from the wasn't-worth-the-work...-until-now? dept.

Submitted via IRC for AndyTheAbsurd

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:

The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW

— Cloudflare (@Cloudflare) July 23, 2018

Who are these people?! After all the advance warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:

The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.

Source: https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/
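The redirect test the article describes, reduced to a small offline classifier (an added example, not code from Troy Hunt's or Scott Helme's project): a plain-HTTP response counts as "redirects to HTTPS" only when it sends the client to an https:// URL, and the bare domain and its www. variant are judged separately because the article notes they often differ. The raw responses are constructed samples.

```python
"""Classify how a site answers a plain-HTTP request, following the rule the
story describes: a site counts as redirecting to HTTPS only when its insecure
response sends the client to an https:// URL.  The raw responses below are
constructed samples, not data from the article or whynohttps.com."""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_raw_response(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status: int, headers: dict) -> str:
    """Label a plain-HTTP response from the browser's point of view."""
    if status in REDIRECT_CODES and "location" in headers:
        scheme = urlparse(headers["location"]).scheme.lower()
        if scheme == "https":
            return "redirects-to-https"
        # An http:// target or a relative Location keeps the user on HTTP.
        return "redirects-to-http"
    if 200 <= status < 300:
        return "served-insecurely"  # Chrome 68 labels this "Not secure"
    return "other"


def compare_variants(bare_raw: str, www_raw: str) -> dict:
    """Classify the bare domain and its www. variant side by side; the
    article found the two often behave differently."""
    bare = classify(*parse_raw_response(bare_raw))
    www = classify(*parse_raw_response(www_raw))
    return {"bare": bare, "www": www, "consistent": bare == www}


# Constructed sample responses (not real captures).
BARE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
        "\r\n<html>insecure landing page</html>")
WWW = ("HTTP/1.1 301 Moved Permanently\r\n"
       "Location: https://www.example.com/\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(compare_variants(BARE, WWW))
```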


  • (Score: 4, Insightful) by jmorris on Wednesday July 25 2018, @07:34AM (7 children)

    by jmorris (4844) on Wednesday July 25 2018, @07:34AM (#712213)

    So https magically makes webmasters stop embedding ads and scripts from criminals? At least some of them pay, seen legit ad impression rates lately? It is fucking retards like you that are responsible for this mad dash to encrypt even the ads.

    You know what https everywhere is going to end up doing? Make the web less secure. Everybody who has a captive portal or web filter is now under pressure to break https, especially people like me under federal mandates demanding me to "implement a technical measure" to control access to smut. Before, almost all https was stuff that needed to be private so it could pass unmolested. Now it is only a matter of time before I have to gimp the browser certificates to allow filtering again. Both on lab PCs and come up with some sort of app to gimp devices when connected to our WiFi. For now I'm working on simply IP blocking any address known to have naughty bits but with shared IP virtual hosting being such a big thing that ain't gonna hold long.

  • (Score: 5, Interesting) by c0lo on Wednesday July 25 2018, @07:49AM (1 child)

    by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @07:49AM (#712218) Journal

    So https magically makes webmasters stop embedding ads and scripts from criminals?

    Webmasters? No.
    The ISP injecting their content (read: ads) inside your traffic? Yes.
    Generally speaking: any MITM becomes harder and will be easier to detect.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by curunir_wolf on Wednesday July 25 2018, @08:33PM

      by curunir_wolf (4772) on Wednesday July 25 2018, @08:33PM (#712655)

      Webmasters? No. The ISP injecting their content (read: ads) inside your traffic? Yes.

      Which is exactly why Google is doing this: to protect their ad revenue. It does the same thing in other, insidious ways. How many websites have Google Analytics? Yea, so Google can track all that traffic, right back to the user, and target ads.

      It's all about Google trying to protect their business model. And causing additional expense for anyone hosting web pages. It's evil, folks. Evil for the sake of money.

      --
      I am a crackpot
  • (Score: 1, Informative) by Anonymous Coward on Wednesday July 25 2018, @07:54AM (4 children)

    by Anonymous Coward on Wednesday July 25 2018, @07:54AM (#712220)

    especially people like me under federal mandates demanding me to "implement a technical measure" to control access to smut

    That's... quite informative. You sure you wanted to post it?
    In any case, now it is in the open! Welcome out of the closet and into the light, jmorris.

    • (Score: 3, Interesting) by jmorris on Wednesday July 25 2018, @05:02PM (3 children)

      by jmorris (4844) on Wednesday July 25 2018, @05:02PM (#712480)

      I'm not an anonymous coward, people who have been here for a while probably already know. I am a librarian in the United States where we have something called CIPA (Children's Internet Protection Act) and it requires anyone receiving Federal Funds (as in the Schools and Libraries Corporation funded from your phone bill's Universal Service Fund line entry) to "implement a technical measure to control access" to smut by children. Breaking the shit out of https is now only a matter of time. All of the major vendors of commercial products to industry already offer the feature. In some industries with a captive fleet of PCs it is quickly becoming a "best practice"; apparently it is being pushed hard where there are mandates for records retention too.

      The crypto weenies hosed us again. They believed they could be absolutists on privacy since their precious unbreakable crypto would force the world to give it to them. Nope, The System is quickly adopting a form of rubber hose cryptanalysis to demand the system be allowed to continue snooping. In the end the crypto will still be unbreakable but firmly in the control of The System.

      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @07:53PM (1 child)

        by Anonymous Coward on Wednesday July 25 2018, @07:53PM (#712620)

        why don't you use a whitelist for kids' internet?
        I honestly don't see any other reasonable option.
        and obviously no search engine access, since they can google/bing for porn, and the images are displayed right there in the search results.

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @09:17PM

          by Anonymous Coward on Wednesday July 25 2018, @09:17PM (#712697)

          Try Bing Video. You can play the videos right in your browser and get past all the content blocks. We ended up blocking Bing completely for a while where I work; it took ages for someone on staff to actually notice and complain.

      • (Score: 2) by urza9814 on Thursday July 26 2018, @04:11PM

        by urza9814 (3954) on Thursday July 26 2018, @04:11PM (#713184) Journal

        Breaking HTTPS on computers under your own control should not be difficult. Never was. And if you aren't doing it already, it would seem that you're already violating that law, you just haven't been caught yet. Plenty of corporations have been doing this for decades already. More people doing it or knowing about it doesn't make anything less secure -- if anything it improves security by increasing awareness of "attacks" which have been possible since the beginning of HTTPS. But not really, because that's not really an "attack" since you're MITM-ing your own traffic. Sure, you can alter the traffic being seen by your clients, but you could also do that through a browser plugin or a system virus or a number of other methods because you already have full control over both the PCs and network! Calling that "insecure" is like saying my PC is insecure because it lets me install Linux. That's not a security flaw, that's me being in control of my own devices.

        You make the PCs connect through a proxy, and the proxy decrypts, checks, and re-encrypts with its own certs. You control the endpoints, so you can force them to trust the proxy's certs. Where's the problem exactly?