posted by martyb on Wednesday July 25 2018, @06:07AM
from the wasn't-worth-the-work...-until-now? dept.

Submitted via IRC for AndyTheAbsurd

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:

The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW

— Cloudflare (@Cloudflare) July 23, 2018

Who are these people?! After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:

The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.

Source: https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/

  • (Score: 3, Insightful) by Anonymous Coward on Wednesday July 25 2018, @10:18AM (5 children)

    by Anonymous Coward on Wednesday July 25 2018, @10:18AM (#712241)

    But the modern Internet is phasing out static sites. See, the static site sits here on the server, is sometimes updated, and serves as a source of information all the time. The knowledge exchange here cannot be easily monetized.
    In the modern Internet, human contact has become a commodity too. And this is a step towards eliminating static sites and going back to the "oral history", but this time paid per post.
    And really, don't tell me that adding cert from Let's Encrypt is free - it just isn't, most cheap hosting providers require more money for it than going with VPS and hiring a geek to take care of it.

  • (Score: 2) by c0lo on Wednesday July 25 2018, @11:11PM (4 children)

    by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @11:11PM (#712773) Journal

    And really, don't tell me that adding cert from Let's Encrypt is free - it just isn't, most cheap hosting providers require more money for it than going with VPS and hiring a geek to take care of it.

    Bluehost [bluehost.com] - all plans with SSL included
    hostgator [hostgator.com] - all plans with free SSL included
    siteground [siteground.com] - all plans with "All essential features" including free SSL/HTTPS
    a2hosting [a2hosting.com] - all plans with free SSL

    Oh, fuck it: visit this [hostingfacts.com] - the first non-ad link that popped into a Google-search for "hosting providers" - the above are the first 4 entries in that list. Continue browsing the list, I'm willing to bet all of them will offer free SSL with their plans.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by rob_on_earth on Thursday July 26 2018, @09:22AM (1 child)

      by rob_on_earth (5485) on Thursday July 26 2018, @09:22AM (#712984) Homepage

      Sadly, usually one free SSL per account, not per Domain.

      • (Score: 3, Interesting) by c0lo on Thursday July 26 2018, @12:04PM

        by c0lo (156) Subscriber Badge on Thursday July 26 2018, @12:04PM (#713028) Journal

        Hint: you can create one account per each domain/site you want to host.
        Incidentally, this is how my sites are registered/hosted - the login name is usually derived from the domain name rather than your chosen username/email.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0) by Anonymous Coward on Thursday July 26 2018, @09:51AM (1 child)

      by Anonymous Coward on Thursday July 26 2018, @09:51AM (#712992)

      In my conditions and for a static site, your proposals are in this "more expensive" category, usually reserved for regional e-shops and small corporate sites.
      Usually in such situations static sites are hosted with providers at 1/4 of the price of Bluehost's simplest plan. Seriously, there are small services with a domain, a few GBs, one database that is usually not used, and some server-side scripting. No shell, no ability to run your own programs, no Java on the server, just plain hosting with a quota.

      • (Score: 2) by c0lo on Thursday July 26 2018, @11:57AM

        by c0lo (156) Subscriber Badge on Thursday July 26 2018, @11:57AM (#713025) Journal

        In my conditions and for a static site, your proposals are in this "more expensive" category, usually reserved for regional e-shops and small corporate sites.

        You'll have to ask yourself the question: is it your site or the site of your readers? Don't worry, your choice, I'm not interested in your answer, much less interested in judging your choice.

        If it is your site, why do you need to make it public?

        If it is your readers', why do you feel you can take the decision in their name to keep them unprotected against an ISP (Comcast [infoworld.com]) so willing [netgate.com] to inject ads and trackers [thehackernews.com] in their traffic or to hijack their searches [eff.org] or redirect typoed domain names [wikipedia.org]?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford