
posted by martyb on Wednesday July 25 2018, @06:07AM   Printer-friendly
from the wasn't-worth-the-work...-until-now? dept.

Submitted via IRC for AndyTheAbsurd

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:

The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW

— Cloudflare (@Cloudflare) July 23, 2018

Who are these people?! After all the advance warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:

The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.

Source: https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/
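The article describes checking what a site's bare and "www." hostnames answer to a plain-HTTP request, with the results depending on whether the first response is a redirect to https://. The script below is an added example, not code from Troy Hunt's article or from WhyNoHTTPS.com; the pass/fail rules, the hostnames under `example.test` and the sample responses are all constructed for the demo, so it runs offline.

```python
"""Classify how a site answers a plain-HTTP request (added example).

Assumed rule, modelled on the article's description: a site is only
"redirecting to HTTPS" if the very first response to http://host/ is a
redirect whose Location is an https:// URL. A redirect that stays on
http://, or a 2xx page delivered in cleartext, counts as insecure.
"""
from http.client import HTTPConnection
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_response(status, headers):
    """Return one of:
    'https_redirect'  -- first hop sends the client to an https:// URL
    'http_redirect'   -- redirects, but the target is still cleartext
    'served_insecure' -- 2xx content delivered over plain HTTP (Chrome's "Not Secure")
    'other'           -- errors, redirects with no usable Location, etc.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_STATUSES:
        location = lower.get("location", "")
        scheme = urlsplit(location).scheme.lower()
        if scheme == "https":
            return "https_redirect"
        # An explicit http:// target, or a relative Location (which keeps
        # the scheme of the http:// request), both stay in cleartext.
        if scheme == "http" or (scheme == "" and location):
            return "http_redirect"
        return "other"
    if 200 <= status < 300:
        return "served_insecure"
    return "other"


def check_host(host, timeout=5.0):
    """Fetch http://host/ once without following redirects and classify it.
    This is the live (network) path; the demo below substitutes constructed data."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "redirect-check/1.0"})
        resp = conn.getresponse()
        return classify_response(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


def check_both_forms(base_domain, fetch=check_host):
    """The article notes that bare and www. hosts can answer differently,
    so report both; `fetch` is injectable so the logic can be exercised offline."""
    return {h: fetch(h) for h in (base_domain, "www." + base_domain)}


# Constructed sample responses for the offline demo (not measurements of any real site):
# the bare domain redirects correctly, but the www. host serves its page in cleartext.
SAMPLE_RESPONSES = {
    "example.test": (301, {"Location": "https://www.example.test/"}),
    "www.example.test": (200, {"Content-Type": "text/html"}),
}


def fake_fetch(host):
    status, headers = SAMPLE_RESPONSES[host]
    return classify_response(status, headers)


if __name__ == "__main__":
    for host, verdict in check_both_forms("example.test", fetch=fake_fetch).items():
        print(f"{host}: {verdict}")
```

Checking the first hop only, rather than following redirects, is deliberate: a chain such as http://example.test -> http://www.example.test -> https://www.example.test still exposes the first request to anyone on the path, which is exactly the case the article counts as insecure.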


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 2) by DavePolaschek on Wednesday July 25 2018, @01:59PM (13 children)

    by DavePolaschek (6129) on Wednesday July 25 2018, @01:59PM (#712334) Homepage Journal

    I have a website. Went online in the mid-90s. But due to ISP buyouts and transfers and such, plus me not having updated the site for five years, setting up https would be a major bit of work. Hell, I don't even know who to contact to update my DNS without consulting whois at this point. And transferring the domain to another registrar is something I'm dreading.

    So I'm faced with a decision. Update a site that costs me $40/month just to keep online (because I use more than the 10MB included hosting space that comes for $10/month) and spend weeks corresponding with various people to get the server configured correctly, or just pull the plug. Which do you think I'll go with?

  • (Score: 2) by DrkShadow on Wednesday July 25 2018, @02:26PM (9 children)

    by DrkShadow (1404) on Wednesday July 25 2018, @02:26PM (#712355)

    Option C: Ignore the abuses of large corporations.

    Everyone here is talking about one privacy-violating, intrusive browser. There are a handful of others. Ignore the one.

    • (Score: 2) by Pino P on Wednesday July 25 2018, @02:56PM (8 children)

      by Pino P (4721) on Wednesday July 25 2018, @02:56PM (#712392) Journal

      To which of the "handful of others" will you be switching? Firefox already shows a "not secure" warning if you try to fill in a form on a cleartext website. Go sign up for a commenting account on Explosm.net (home of the webcomic Cyanide & Happiness) to see this in action.

      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:01PM

        by Anonymous Coward on Wednesday July 25 2018, @05:01PM (#712479)

        Try Slimjet, a Chromium with all the phone-home stuff removed. I use mostly Pale Moon, a Firefox derivative with the same. Or Qupzilla, or Vivaldi, or TorBrowser. Install & use multiple browsers. Confuse the advertising AI. Promote honest alternatives. Don't dedicate yourself to a single point of failure, however you define it. Or to a single corporation.

      • (Score: 2) by jmorris on Wednesday July 25 2018, @05:18PM (5 children)

        by jmorris (4844) on Wednesday July 25 2018, @05:18PM (#712492)

        Oh it gets better than that. The morons at Moz corp repost that warning dialog with every keystroke, and because they are morons it eats random keystrokes (dunno about Windows but it does on both Devuan and CentOS) in the process. Try configuring a piece of network gear with that nonsense going on with password entry boxes. And no it isn't "insecure", the damned thing is on my desk being initially configured and if anyone thinks every piece of network gear is going to ship with a unique name and a real certificate in the system just to avoid that initial connect to http://192.168.0.1 to configure it without a browser bitching they are insane in the brain. If Moz still had competent people they would at least trap the reserved internal ips and suppress the warning for those.

        • (Score: 2) by Pino P on Wednesday July 25 2018, @05:48PM (2 children)

          by Pino P (4721) on Wednesday July 25 2018, @05:48PM (#712515) Journal

          If Moz still had competent people they would at least trap the reserved internal ips and suppress the warning for those.

          An attacker on a public hotspot in a coffee shop controls "the reserved internal ips" on that network. If you have some reliable way of distinguishing a private home WLAN from a coffee shop WLAN, I'd like to hear about it.

          • (Score: 2) by jmorris on Wednesday July 25 2018, @05:58PM (1 child)

            by jmorris (4844) on Wednesday July 25 2018, @05:58PM (#712528)

            If you can come up with a viable attack against http://192.168.x.x, http://10.x.x.x, etc. addresses that would actually work in the real world, let's hear it. If they allowed anything that resolved to a 192.168.0.0/16 THAT might have possibilities, but since a random WiFi controls DNS and can trap any unencrypted traffic they already have a lot of ways to attack.

            • (Score: 2) by toddestan on Thursday July 26 2018, @03:15AM

              by toddestan (4982) on Thursday July 26 2018, @03:15AM (#712893)

              Easy. You log onto someone else's wi-fi. They set up their DNS so ebay.com or facebook.com or soylentnews.org or whatever to point to a server they control with a 192.168.x.x or 10.x.x.x address. Granted, if you were paying attention you might notice that it's not https, but if you don't and put in your username and password then you've been pwned.

              I agree though that in the case where it's my own network and I don't need to worry about an attack like that, it's a pain in the ass.
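The mitigation browsers already ship for the scenario in this sub-thread (a hostile network resolving a well-known site name to a private address and serving a cleartext login page) is HTTP Strict Transport Security: once a site has sent a `Strict-Transport-Security` header over a trusted HTTPS connection, the browser rewrites later `http://` navigations to `https://` before anything leaves the machine, so the spoofed address is handed an HTTPS request it cannot answer with a valid certificate, and the user's attention is no longer the last line of defence. The class below is an added example modelling that policy store, not browser code; header parsing follows RFC 6797 section 6.1, and the hostnames under `example.test` and the scenario in `demo()` are constructed.

```python
"""Minimal HSTS policy store (added example, not browser code)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age_seconds, include_subdomains).
    Returns None when the header is unusable: max-age missing, non-numeric, or repeated
    (RFC 6797 says a header with a duplicated directive must be ignored)."""
    max_age = None
    include_sub = False
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._policies = {}        # host -> (expires_at, include_subdomains)

    def record(self, host, header_value, over_https):
        """Honour the header only from an https:// response with a valid certificate
        (RFC 6797 section 8.1): a cleartext response, which an on-path attacker could
        forge, must never be able to set or clear policy. Returns True if applied."""
        if not over_https:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain whose policy has includeSubDomains, is an
        unexpired HSTS host."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires, include_sub = policy
            if expires <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser should actually fetch: http:// becomes https://
        for known hosts (explicit port 80 dropped, any other port kept, per RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Constructed scenario: the user earlier visited login.example.test over HTTPS
    and received an HSTS policy; now, on a hostile network, a link points at http://.
    bank.example.test only ever sent the header in cleartext, so no policy was stored."""
    store = HstsStore()
    store.record("login.example.test", "max-age=31536000; includeSubDomains", over_https=True)
    store.record("bank.example.test", "max-age=31536000", over_https=False)
    return (
        store.rewrite("http://login.example.test/account"),   # upgraded before DNS is consulted
        store.rewrite("http://api.login.example.test/"),      # covered by includeSubDomains
        store.rewrite("http://bank.example.test/"),           # no policy: still cleartext
    )
```

The remaining gap the model makes visible is the first visit: a host the browser has never seen over HTTPS has no stored policy, which is what the browser vendors' preload lists exist to close, and it is also why "the site redirects to HTTPS" on its own is not sufficient against the hotspot attack described above.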

        • (Score: 2) by NewNic on Wednesday July 25 2018, @06:12PM (1 child)

          by NewNic (6420) on Wednesday July 25 2018, @06:12PM (#712541) Journal

          Oh it gets better than that. The morons at Moz corp repost that warning dialog with every keystroke, and because they are morons it eats random keystrokes (dunno about Windows but it does on both Devuan and CentOS) in the process.

          Just tried it. Firefox on CentOS 7. I didn't get missing keystrokes.

          --
          lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
          • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:48PM

            by Anonymous Coward on Wednesday July 25 2018, @08:48PM (#712672)

            Well it is jmorris, he's probably heavily infected with NSA malware building up a dossier for the day when he finally snaps.

      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:21PM

        by Anonymous Coward on Wednesday July 25 2018, @05:21PM (#712496)

        Ditto

        The only one that I can think of that has ongoing developer support, where the product is intended to be secure out of the box, is TOR browser. Every browser in the top 10 can be regarded as institutionally compromised.

  • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:39PM (1 child)

    by Anonymous Coward on Wednesday July 25 2018, @02:39PM (#712373)

    I am assuming it is a small personal site.

    $40/month is a lot for a small site. I pay about $13/month for shared hosting. That is after the cheap intro. That includes SSL and email, and unlimited storage (within reason). You are giving up a nice weekend getaway every year or two for no reason. Check out current shared hosting prices.

    Your pay for moving to a new hosting provider would be HUNDREDS of dollars an hour.

    • (Score: 2) by DavePolaschek on Thursday July 26 2018, @01:13PM

      by DavePolaschek (6129) on Thursday July 26 2018, @01:13PM (#713066) Homepage Journal

      Transferring the domain is more headache than I want at this point, let alone moving the site. More likely, I'll just pull the plug.

  • (Score: 2) by Pino P on Wednesday July 25 2018, @02:50PM

    by Pino P (4721) on Wednesday July 25 2018, @02:50PM (#712384) Journal

    Set up the transfer to Gandi or Namecheap already. Then you can sign up for hosting at any of several virtual private server (VPS) providers at $10 per month or less. Even a VPS on Amazon Elastic Compute Cloud (EC2) is cheaper than that, and you can use an S3 bucket for large static resources such as images and video.