SoylentNews is people
SoylentNews
from the wasn't-worth-the-work...-until-now? dept.
Submitted via IRC for AndyTheAbsurd
As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:
The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW
— Cloudflare (@Cloudflare) July 23, 2018
Who are these people?! After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:
The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @01:29PM
I tend to agree.
While https may increase resistance to MITM, it also makes reverse engineering web site and browser functionality vastly more difficult. Which is to say fixing security problems above TCP gets harder. And it would seem quite a coincidence, that reverse engineering Googles vast client side surveillance drag net gets harder about the same time they get spanked for billions of dollars of privacy violations.
More importantly MITM attacks violate existing computer intrusion laws in many states. So this is a technical solution, that gives up a freedom (the freedom to reverse engineer) to combat an act that is already a crime. So you ask: "Why doesn't Google file charges on behalf of their customers?"
The answer is of course self evident.
Overall, SSL everywhere drives up administrative complexity (and costs) for the WWW, and corresponding drives up the costs of free speech. If the related criminal statutes were enforced at the ISP level it wouldn't be neccessary. But clearly they aren't. So this really works for the ISP view that the web is really just a fancy broadcast cable TV network, and that full duplex digital interpersonal communications are just a fad.
What happens after, is predictable. The big software vendors, the social media sites, and the ISP's will merge, and then they will proprieterize http itself. Breaking the whole Internet. If existing laws were enforced against corporations, as they are enforced against indeviduals, this wouldn't happen. Thanks SCOTUS for that.
Clearly the liquidation of NN has already had a huge effect. When Google loads faster on TOR transmitted across transoceanic boundaries than it does over clearnet, obviously the carrier is selectively throttling competitors. So the "going dark" complaint by the FBI, can be largely said to have been caused by the FCC killing NN. By failing to defend the civil rights of everyone, the state has compelled the tech sector to defend itself.
I think SSL everywhere is a defensive move on Googles part. And it wouldn't be neccessary if NN and related Constitutional rights were actually defended by the states when it comes to ISP interference with third party interpersonal communications. What SSL everywhere prevents, is already a crime. It just isn't prosecuted against corporations. If the state won't protect the public, then the public has the right to protect itself.
One thing that should be noted by the shorts, is that there is a LOT of equipment in the networks of certain ISPs that becomes redundant if SSL everywhere becomes highly adopted. Which is to say that there are some switch companies that specialize in this kind of product, that will likely fail. And the companies that buy those products will also have to endure a great deal of expense at reengineering their networks, to remove all of the dirtbag surveillanceware that no longer works.
So there will be at least one good thing that comes out of this.