
posted by cmn32480 on Sunday September 11 2016, @05:48PM   Printer-friendly
from the there's-gotta-be-a-downside-to-this dept.

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.



  • (Score: 5, Insightful) by Anonymous Coward on Sunday September 11 2016, @05:52PM

    by Anonymous Coward on Sunday September 11 2016, @05:52PM (#400334)

    Remember when google was the cool search engine that helped you find things? Instead of trying to hide things from you?

    • (Score: 1) by Francis on Sunday September 11 2016, @06:00PM

      by Francis (5544) on Sunday September 11 2016, @06:00PM (#400337)

      Hide things from you? Unless you are an employee of a spy organization, then how are they hiding things from you?

      These days the overhead for HTTPS is relatively easily provided as opposed to when the standard was first created. There are security problems that come from sites that use HTTPS for a couple of things but don't secure the whole visit. At bare minimum it can make it challenging for users to know if their login details are being handled securely or not. I know some sites I've been to hide the HTTPS by just using it for the login details and nothing else on the page.

      • (Score: 5, Insightful) by GungnirSniper on Sunday September 11 2016, @06:03PM

        by GungnirSniper (1671) on Sunday September 11 2016, @06:03PM (#400338) Journal

        Google is using its massive power to push and punish sites based not on the information relevant to the user's query but according to Google's concept of what's a good site or bad site. Mostly this has been good, but could easily lead to framing of information and events. They are the largest gatekeeper now, and with that comes scrutiny.

        • (Score: 3, Insightful) by Francis on Sunday September 11 2016, @06:07PM

          by Francis (5544) on Sunday September 11 2016, @06:07PM (#400341)

          If you're still using Google, then this isn't likely to be a problem. I stopped using their search engine years ago because the results are crap, they spy excessively on the users and they keep trying to force-feed things they think I want rather than what I ask for.

          • (Score: 5, Informative) by Immerman on Sunday September 11 2016, @06:36PM

            by Immerman (3985) on Sunday September 11 2016, @06:36PM (#400350)

            Their results are crap? What search engine are you using then? Everything else I've tried makes Google look positively psychic in comparison.

            • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @07:23PM

              by Anonymous Coward on Sunday September 11 2016, @07:23PM (#400360)

              I've discovered that if I know what I am looking for, but not where it is, Bing tends to do better than Google. When I don't know what I am looking for Google is better.

              For example, looking for docs for projects and libraries or HOWTOs vs. finding a library to do something.

            • (Score: 1) by Francis on Sunday September 11 2016, @08:26PM

              by Francis (5544) on Sunday September 11 2016, @08:26PM (#400380)

              I've found Bing to be similar to Google in terms of quality. But, I personally use duckduckgo most of the time. Results are generally better and they don't try to guess what I'm wanting to find, they give what I ask for.

              Google was never a good search engine; it was fast and had a larger index, but mainly because it didn't try to understand what it was looking for. To this day it's still a crude search engine that has problems with things like finding terms that are near each other but not next to each other, and there's a ton of crap links for link farm sites on the first couple of pages whenever I use it.

              • (Score: 4, Informative) by isostatic on Sunday September 11 2016, @11:31PM

                by isostatic (365) on Sunday September 11 2016, @11:31PM (#400417) Journal

                DuckDuckGo is terrible. I use it as a default, and I guess 40% of the time I end up going to google instead after ddg fails.

                • (Score: 1) by Francis on Monday September 12 2016, @12:25AM

                  by Francis (5544) on Monday September 12 2016, @12:25AM (#400431)

                  It depends what you're looking for. I find that even just typing in error messages into the major search engines tends to be rather inconsistent. And god help you if you're looking for something more complicated or where there's multiple ways of phrasing it.

                  For all the efforts at making the search engines smarter, they're even dumber than they were 15 years ago.

                • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:26AM

                  by Anonymous Coward on Monday September 12 2016, @07:26AM (#400554)

                  For a proper judgement/comparison you should then switch to using Google by default, see what percentage of the time it fails, and switch to ddg when Google fails, to see if ddg does better.

                  • (Score: 2) by isostatic on Monday September 12 2016, @02:39PM

                    by isostatic (365) on Monday September 12 2016, @02:39PM (#400731) Journal

                    I used to use google, and never felt the need to go elsewhere.

                    However in a vain attempt to reclaim some control over my online presence I moved to DDG. It works half the time, maybe even most of the time.

                    Here's a query I just used though

                    tuc conference 2016

                    As I wanted to know when it's finished.
                    https://www.tuc.org.uk/events/congress-2016 [tuc.org.uk]

                    Would be a page I expect to come up with - which is the page for the TUC conference 2016.

                    DDG comes up with
                    https://www.tuc.org.uk/equality-issues/gender-equality/tuc-womens-conference [tuc.org.uk]

                    Which is a conference from 2015. Second result was the TUC homepage, and it's not until about result 8 that the TUC 2016 conference is mentioned, and it's a copy of the program.

                    Google comes up with the right page as the first result.

                    lib dem conference 2016

                    comes up with the right result on DDG, so no need to go to google for that.

                • (Score: 2) by TheRaven on Monday September 12 2016, @09:20AM

                  by TheRaven (270) on Monday September 12 2016, @09:20AM (#400599) Journal
                  Whenever DDG doesn't find what I'm looking for, I send the query to Google and Bing (which DDG makes easy - just stick !bing or !google in the search box). I've recently done that quite a bit, as I've been searching for things that don't appear to exist on the web (anyone know how to get an Asus TF700T out of an infinite reboot loop with the stock firmware?). I see a fairly consistent result: if something isn't in DDG, I get no results from DDG. I then get pages and pages of irrelevant results from Google and Bing. A couple of months ago, Bing actually did find the result that I was looking for, when neither DDG nor Google did, but I still can't bring myself to consider using Bing as a default search engine.
                  --
                  sudo mod me up
                  • (Score: 0) by Anonymous Coward on Monday September 12 2016, @11:46AM

                    by Anonymous Coward on Monday September 12 2016, @11:46AM (#400638)

                    "just stick !bing or !google in the search box"

                    !g works as a shorthand for !google.
                    I also often use !gm (Google Maps), !gscholar, !gtranslate, !w (Wikipedia)...

                    (Just checked, !b works as !bing.)

                    • (Score: 2) by TheRaven on Monday September 12 2016, @01:54PM

                      by TheRaven (270) on Monday September 12 2016, @01:54PM (#400702) Journal
                      Thanks! I use !wiki a lot, !w will save lots of typing.
                      --
                      sudo mod me up
              • (Score: 2) by Immerman on Sunday September 11 2016, @11:37PM

                by Immerman (3985) on Sunday September 11 2016, @11:37PM (#400419)

                Hmm, I haven't been terribly impressed with Bing - not as bad as most, but still seems to be 75% irrelevant results. Google seems to usually be the opposite, especially in response to a well-phrased natural language query.

                >Google was never a good search engine...
                Clearly you have forgotten Yahoo, Excite, etc. before Google came along - when you felt lucky to get a relevant search result on only the third page. I suppose on some absolute goodness scale it might not be great, but it completely blew the socks off everything else available.

                Even today Firefox continuously pisses me off by switching the default search engine back to Yahoo, where I still feel lucky to find more than one or two relevant results on the first page.

                • (Score: 1) by Francis on Monday September 12 2016, @12:20AM

                  by Francis (5544) on Monday September 12 2016, @12:20AM (#400429)

                  None of the engines were good, hence why Google was able to get a foothold. It was just as bad as the other search engines, but it was fast and had a larger database of sites that were cataloged more frequently. It used to be a bit of a rite of passage going from search engine to search engine and none of them were really any good.

                  I've found Bing to be about as good as Google. Most of the time when I'm on Google I find the first couple pages to be full of things that are irrelevant, or are full of largely worthless resources there to capture clicks for ad revenue like how to and expert sex change and what have you.

                  I find that unless I happen to know what I'm looking for and type in the exact correct phrase that I wind up spending a lot of time manually screening out shit matches. As often as not I find that unless I choose the exact correct set of synonyms for what I'm looking for that the site is expecting that I wind up going through a huge amount of irrelevant items. And God help you if you're searching for something and don't know consecutive words. Last time I checked Google didn't even have a keyword for near, which meant that if the words appeared anywhere in the page in any order, even if they were literally the first and last word in the document, it would still match.

                  But really, none of the search engines are particularly good. I give DDG a lot of credit for the basic things like not distorting the results trying to give me what I think I want rather than what I want.

                  Perhaps it's the stuff I'm looking for, but I've yet to find a search engine that really gets it right and I think that Google has been very bad for the search engine market as there's been very little forward progress in the last decade on search technology. Most of the improvements have been in dealing with SEO strategies that put garbage in first place. And that wouldn't be a problem if there were more search engines available.

              • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:54AM

                by Anonymous Coward on Monday September 12 2016, @07:54AM (#400569)

                Google was never a good search engine it was fast and had a larger index

                You haven't used Google in the 1990s.

                Altavista had a large index. No matter what I searched for, it would give about a billion results. And the one I was looking for would be around result number 437,126,984.

                Google would return maybe a hundred results for the same search words, and the one I was looking for was often number one and nearly always on the first page of results.

          • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:49AM

            by Anonymous Coward on Monday September 12 2016, @07:49AM (#400564)

            I stopped using their search engine years ago because the results are crap

            Agreed on the results being crap[1]. The search quality has been going down for years. Which is why I don't understand how Microsoft manages to keep Bing even worse.

            Unfortunately, I haven't been able to find a better search engine.

            [1] It gets really "funny", when I get results with the text "words not found on the page:", followed by whatever I'm searching for. Hey Google, if you already know that what I'm searching for is not in the page, don't return that page.

        • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @06:10PM

          by Anonymous Coward on Sunday September 11 2016, @06:10PM (#400342)

          http://www.mirror.co.uk/tech/google-fighting-isis-changing-what-7331274 [mirror.co.uk]

          That is *exactly* what they are doing.

          Mark my words, this will come back on them. Once the media companies figure it out, they are going to want major filtering of everything.

        • (Score: 2) by Immerman on Sunday September 11 2016, @11:41PM

          by Immerman (3985) on Sunday September 11 2016, @11:41PM (#400421)

          How is it punishing you to flag your website as insecure for allowing the government (and anyone else who cares to) to record exactly what I'm browsing?

          Now, if they use that as reason to push you down the search results, then yeah, I've got a problem. But I didn't notice any mention of that.

          • (Score: 3, Insightful) by GungnirSniper on Monday September 12 2016, @01:08AM

            by GungnirSniper (1671) on Monday September 12 2016, @01:08AM (#400443) Journal

            Mostly because my homepage is about as relevant to confidentiality as a newspaper article.

            • (Score: 1, Funny) by Anonymous Coward on Monday September 12 2016, @06:30AM

              by Anonymous Coward on Monday September 12 2016, @06:30AM (#400541)

              Your ISP’s script injection with a 0-day exploit on the other hand...

            • (Score: 3, Insightful) by TheRaven on Monday September 12 2016, @09:23AM

              by TheRaven (270) on Monday September 12 2016, @09:23AM (#400601) Journal
              Your homepage might not be, but the fact that someone reads it is personal information and you're making it easy for people to intercept that. Given how easy it is to set up HTTPS these days (I've been using StartSSL's free certs for a few years) and how little the CPU load is (Netflix manages to saturate multiple 40GigE links from a single box using FreeBSD on commodity hardware with SSL turned on), there's very little excuse for not encrypting.
              --
              sudo mod me up
              • (Score: 2) by Immerman on Monday September 12 2016, @02:53PM

                by Immerman (3985) on Monday September 12 2016, @02:53PM (#400735)

                Agreed. There's a reason librarians have stood strong against government attempts to gain access to the books people choose to read.

          • (Score: 2) by JNCF on Monday September 12 2016, @01:45AM

            by JNCF (4317) on Monday September 12 2016, @01:45AM (#400450) Journal

            Now, if they use that as reason to push you down the search results, then yeah, I've got a problem. But I didn't notice any mention of that.

            You're right that this is unrelated, but they've been using HTTPS as a factor in search rankings for a little over two years now. From The Eye of Sauron itself: [googleblog.com]

            For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

            • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:58AM

              by Anonymous Coward on Monday September 12 2016, @07:58AM (#400571)

              You're right that this is unrelated, but they've been using HTTPS as a factor in search rankings for a little over two years now.

              So, that's how they keep making search worse...

              Ranking irrelevant https sites above relevant howto and faq documents that only a moron would consider sensitive enough to encrypt.

      • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @07:57PM

        by Anonymous Coward on Sunday September 11 2016, @07:57PM (#400377)

        I guess you've got too much Google-sauce on the brain that you couldn't understand the issue, but the issue is that they are hiding non-HTTPS sites. Tons of websites don't collect user data and have no conceivable reason to use HTTPS. If Google deprioritizes them in search results they are basically shoving unnecessary changes on literally everyone, and yes, hiding stuff.

      • (Score: 3, Informative) by mcgrew on Monday September 12 2016, @05:48PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Monday September 12 2016, @05:48PM (#400840) Homepage Journal

        I have two web sites. There is no login, no ads, no cookies, and the tiniest bit of javascript to send phones to a phone-friendly page. There is absolutely no need whatever for either site to have HTTPS, so why should I go to the trouble?

        That's just nuts. Yes, if you need a password to get into a site it should be HTTPS, but a static HTML page doesn't need HTTPS.

        --
        Carbon, The only element in the known universe to ever gain sentience
    • (Score: 5, Informative) by theluggage on Sunday September 11 2016, @06:37PM

      by theluggage (1797) on Sunday September 11 2016, @06:37PM (#400351)

      Remember when google was the cool search engine that helped you find things?

      Remember at the top of the summary where it says Google Chrome - i.e. the web browser, not the search engine?

      Also, I certainly remember the days when, by default, most browsers popped up a warning dialog when you submitted a form to a non-https page. It's déjà vu all over again.

      Flagging all http sites as "Not secure" (even if they're just static pages with no forms) seems a bit tinfoil hat, however, and even though it's "just a flag" it seems like a way to train people to ignore red triangles.

      • (Score: 2) by JNCF on Monday September 12 2016, @03:58AM

        by JNCF (4317) on Monday September 12 2016, @03:58AM (#400511) Journal

        it seems like a way to train people to ignore red triangles.

        This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:

        Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

        In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

        • (Score: 2) by theluggage on Monday September 12 2016, @12:11PM

          by theluggage (1797) on Monday September 12 2016, @12:11PM (#400648)

          This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:

          Does that mean they're actually going to take it into consideration (which would involve considering the possibility that flagging all HTTP pages would be a step too far), or is it the usual "taking into consideration" (we'll discuss it a bit in committee and then go ahead and do what we've already decided to do)?

          Passwords and credit cards? Fine - frankly I'd rather not put credit card info into a site that doesn't have extended verification, let alone a HTTP one. However - how reliably can you detect this if the page is using AJAX or Javascript? False security is worse than no security.

          Incognito mode? Fine: you've specifically asked the browser to get paranoid.

          Any old HTTP page? Sorry, no, that's just crying wolf - if you're that concerned about being monitored or spoofed, turn on Incognito mode.

          "Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently"

          Really? Quick, call the Journal of Urso-Sylvanian Scatology (incorporating Pontifical Denomination Studies)!

          • (Score: 2) by JNCF on Monday September 12 2016, @08:56PM

            by JNCF (4317) on Monday September 12 2016, @08:56PM (#400922) Journal

            Flagging all HTTP sites seems like a step too far right now. I don't think they've committed to a firm timetable. If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.

            • (Score: 2) by theluggage on Tuesday September 13 2016, @04:13PM

              by theluggage (1797) on Tuesday September 13 2016, @04:13PM (#401365)

              If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.

              That last 20% of http sites is gonna take a long time to shift - run by people in their copious free time, on zero budget, with hosting companies that aren't falling over themselves to add Let's Encrypt support to make it click & drool (no, that's not always essential, but it makes it much easier, especially with Let's Encrypt's short-lived certs).

    • (Score: 2) by SomeGuy on Sunday September 11 2016, @07:31PM

      by SomeGuy (5632) on Sunday September 11 2016, @07:31PM (#400363)

      Heh, I remember when altavista.digital.com was the cool search engine (well, any search engine at all was cool) that helped you find things. And that little Google startup had to work extra hard finding and indexing content.

  • (Score: 2) by NotSanguine on Sunday September 11 2016, @06:13PM

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Sunday September 11 2016, @06:13PM (#400344) Homepage Journal

    From TFS:

    It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure".

    Sites that communicate only in cleartext are insecure? Why would anyone think that [eff.org]?

    I don't use Chrome, but I do use HTTPSEverywhere [eff.org], not because I spend a lot of time doing things others wouldn't approve of, but rather because it's no one's business but mine and the web sites I visit. The sooner all internet content is strongly encrypted the better, IMHO.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 5, Interesting) by Anonymous Coward on Sunday September 11 2016, @06:30PM

      by Anonymous Coward on Sunday September 11 2016, @06:30PM (#400348)

      I guess my problem is that I don't want google to force people like me, with a webserver and such as a hobby, from scaring away everyone with my self-signed certificate because I know how to do things but am being punished because of that, as opposed to those that let someone else do the work because Cloud.

      Give a warning, tell them my website about fluff and navel gazing is insecure because they are trying to shape the web as something only to be controlled by a benevolent dictator you can trust.

      But at least let people have the option to get burned.

      I guess what this can do is allow me to operate something secretive in plain sight, since if they will punish my hobby in the search results, then maybe less robots and spam and email address harvesters will find me.

      Yet that is not how it works. Google and others seem to crawl anyway, and it seems wrong that Google would use my bandwidth to specifically access my site to then punish me for free if they don't like what they find. I never asked for their advice and I find I can't opt out. So much for information wanting to be free.

      yeah I can get a free cert with some other organization, but I *should not have to*

      • (Score: 5, Informative) by The Mighty Buzzard on Sunday September 11 2016, @07:03PM

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Sunday September 11 2016, @07:03PM (#400355) Homepage Journal

        You don't currently have to but you absolutely should. Unless your visitors have a means of verifying your cert, you're arguably worse off than using plain old http because of the illusion of security*. My personal server is subscribed to a dynamic dns provider and has a LE cert. Both together took maybe ten minutes to set up automatic renewals for.

        * Granted the NSA probably has plenty of ways to see through it anyway but our respective ISPs and everyone sharing a network with us do not.

        --
        My rights don't end where your fear begins.
        • (Score: 2) by Username on Sunday September 11 2016, @11:07PM

          by Username (4557) on Sunday September 11 2016, @11:07PM (#400412)

          How exactly does verifying a cert protect anyone? The point when someone is at your ISP, they already have all the keys. It makes no difference. If a server was compromised the CA revoking a cert does nothing either, since whoever compromised the server already has all the information, and the first person to figure this out wouldn’t be the CA, it would be the webmaster. They can switch certs faster than a CA can void, plus saves the added steps of dealing with the CA.

          • (Score: 2) by TheRaven on Monday September 12 2016, @09:32AM

            by TheRaven (270) on Monday September 12 2016, @09:32AM (#400604) Journal
            It depends on your threat model. Both a self-signed and properly signed certificate protect you against a passive eavesdropper. No one who can see your packets but can't modify them can do anything.

            The next step up the adversary model is someone who can perform a MITM attack. That includes your ISP, anyone whose WiFi hotspot you're using, and so on. If you're using a self-signed cert, and the client isn't doing certificate pinning, then MITM is trivial. Anyone can create a cert that has the same public information in it, just a different key. They establish a connection to the server, you establish a connection to them. Both hops are encrypted, but you don't realise that they're inspecting and potentially tampering with the content. Boxes that do this are mass produced and easy to buy.

            The next step up the adversary model is someone who has compromised (either technically or legally) a trusted SSL root. This basically limits you to nation state actors. Certificate Transparency helps against this model, because if two people accessing the same site see different certificates then it's harder to falsify. There are also some special DNS records that you can set to indicate who people should expect to see your cert signed by (though this only works well if you're using DNSSEC). This means that if you signed your cert with StartCom and someone visits it and sees an encrypted connection with a cert signed by the Turkish national CA, then someone somewhere is probably doing something bad.

            Finally, there's the threat model of a targeted attack that actively compromises either the client or the server. You're basically screwed in this situation, but this is a much harder thing to do on a large scale. All of the other attacks can be done on hundreds to hundreds of thousands of clients at a time quite easily.

            --
            sudo mod me up
          • (Score: 2) by The Mighty Buzzard on Monday September 12 2016, @11:59AM

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday September 12 2016, @11:59AM (#400642) Homepage Journal

            There's a lot more ways to secure TLS than just having a cert nowadays. Look into HPKP especially if you're really interested but be aware that losing your key can lead to permanent bricking of TLS for your website.

            --
            My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Monday September 12 2016, @04:20PM

              by Anonymous Coward on Monday September 12 2016, @04:20PM (#400783)

              The big three browsers cap HPKP at 60 days. So, while it can screw you over for awhile, it shouldn't be permanent. However, 60 days is a long time on the internet.
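The following is an added example, not code from any poster above or from Google. It puts TheRaven's adversary ladder (passive eavesdropper, MITM with a same-name certificate, trust store) and The Mighty Buzzard's HPKP remark into runnable Go using only the standard library. Three self-signed certificates for the assumed hostname example.test are minted in-process (constructed test material, not anyone's real key): the site's own, a spare kept for a backup pin, and an interception box's certificate with the identical subject but a new key. It then shows that with an empty trust store and no pin the client cannot distinguish the site from the MITM, that a pre-installed (or CA-signed) certificate lets the site verify while the MITM fails, and that an SPKI pin remembered from an earlier visit rejects the MITM key outright. The pin is base64(SHA-256(SubjectPublicKeyInfo)), the same value HPKP carried and that mobile-app pinning still uses; note that browsers have since removed HPKP support entirely, which is why the header is built here only to illustrate the backup-pin and max-age mechanics the thread discusses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for host with a fresh
// P-256 key. Constructed test material only; nothing here is a real site's key.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin is the HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER)).
// It identifies the key, not the certificate, so a re-issued cert for the
// same key keeps its pin while a MITM cert with a new key gets a new one.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// trustedBy reports whether cert chains to roots for host: the decision a
// browser makes when it has only a trust store and no pin.
func trustedBy(cert *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// pinMatches is the client-side pin check: at least one remembered pin must
// match the key actually presented on this connection.
func pinMatches(cert *x509.Certificate, pins []string) bool {
	got := spkiPin(cert)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

// hpkpHeader builds a Public-Key-Pins header value. HPKP required a backup
// pin precisely because of the bricking risk raised above: if the only pinned
// key is lost, clients refuse the site until max-age expires.
func hpkpHeader(pins []string, maxAgeSeconds int) string {
	parts := make([]string, 0, len(pins)+1)
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf("pin-sha256=%q", p))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", maxAgeSeconds))
	return strings.Join(parts, "; ")
}

func main() {
	const host = "example.test" // assumed hostname for the example
	site, _ := selfSigned(host)   // the hobbyist's real self-signed cert
	backup, _ := selfSigned(host) // spare key kept offline, published as the backup pin
	mitm, _ := selfSigned(host)   // interception box: same subject, different key

	pins := []string{spkiPin(site), spkiPin(backup)}
	fmt.Println("Public-Key-Pins:", hpkpHeader(pins, 60*24*60*60)) // 60 days, the cap mentioned above

	// No CA, no pin: the client cannot tell site from mitm; both are equally untrusted.
	empty := x509.NewCertPool()
	fmt.Println("empty store: site", trustedBy(site, host, empty), "mitm", trustedBy(mitm, host, empty))

	// User installed the self-signed cert (or a CA signed it): site verifies, mitm does not.
	store := x509.NewCertPool()
	store.AddCert(site)
	fmt.Println("pre-installed: site", trustedBy(site, host, store), "mitm", trustedBy(mitm, host, store))

	// Pin remembered from a prior visit: mitm fails even though its subject is identical.
	fmt.Println("pinned: site", pinMatches(site, pins), "mitm", pinMatches(mitm, pins))
}
```

The passive-eavesdropper case needs no code: all three certificates encrypt the connection equally well, which is NotSanguine's point about encryption versus identity. The two checks that separate the site from the interception box are the trust-store lookup and the pin comparison, and the pin is the only one that works for a self-signed certificate the visitor has never installed.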

          • (Score: 2) by NotSanguine on Monday September 12 2016, @02:58PM

            by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Monday September 12 2016, @02:58PM (#400738) Homepage Journal

            How exactly does verifying a cert protect anyone?

            Not very much. However, encrypted communications across the internet keeps prying eyes that don't control the endpoints from viewing your traffic.

            HTTPS is as much (or more) about encryption as it is about identity.

            --
            No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 2) by Pino P on Monday September 12 2016, @03:36PM

          by Pino P (4721) on Monday September 12 2016, @03:36PM (#400759) Journal

          My personal server is subscribed to a dynamic dns provider and has a LE cert. Both together took maybe ten minutes to set up automatic renewals for.

          How did you get a Let's Encrypt cert for a subdomain at a dynamic DNS provider? I thought LE's rate limits [letsencrypt.org] forbade issuing more than 20 certificates per domain per week. So if 20 other customers of the same dynamic DNS provider have been issued a certificate in the past 168 hours, you get the rate limit error message instead of a certificate. LE does make an exception for DNS providers on the Public Suffix List, but I've read on LE official forums and the PSL's issue tracker on GitHub that since LE entered general availability, there's been a huge backlog for dynamic DNS providers that want onto the PSL.

          And do "automatic renewals for" the dynamic DNS provider include a recurring fee?

          • (Score: 2) by The Mighty Buzzard on Monday September 12 2016, @05:23PM

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday September 12 2016, @05:23PM (#400820) Homepage Journal

            Well, I was one of the lucky few who made the initial cut for my dyn dns provider but they just got whitelisted recently as well, so I'd be okay now even if I weren't lucky at the outset. My best advice is to pick an already whitelisted provider and redirect to that domain name if you already had another set up on a non-whitelisted provider. Or, you know, annoy your provider and then wait.

            Ye gods no! I wouldn't pay for a subdomain no matter how many bells and whistles they offered. I'd put a record in for tmb.soylentnews.org and update it manually as my ip changed before I paid a dyn dns provider.

            --
            My rights don't end where your fear begins.
      • (Score: 3, Informative) by TheRaven on Monday September 12 2016, @09:25AM

        by TheRaven (270) on Monday September 12 2016, @09:25AM (#400602) Journal

        scaring away everyone with my self-signed certificate

        Serious question: You've gone to the trouble of generating a certificate and configuring your web server to use it. You've generated a CSR and signed it yourself. That's 95% of the effort in getting a proper certificate, so why would you not go the rest of the way?

        --
        sudo mod me up
        • (Score: 0) by Anonymous Coward on Monday September 12 2016, @02:49PM

          by Anonymous Coward on Monday September 12 2016, @02:49PM (#400733)

          Generating a key and a self-signed certificate represents 95% of the effort? You can do that in a single command-line invocation of openssl:

          openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt

          That leaves the other 5% (one-nineteenth of the total effort) to reach out to a third party to get them to sign your key. I think you're either overestimating the difficulty of creating a self-signed key or underestimating the difficulty of dealing with third parties.

          • (Score: 2) by TheRaven on Monday September 12 2016, @03:17PM

            by TheRaven (270) on Monday September 12 2016, @03:17PM (#400746) Journal

            That's not a self-signed cert, that's an unsigned cert. With an unsigned cert, your web server has access to the only private key in the chain. There's no way that you can revoke, and anyone that compromises your web server can generate new certificates that appear to be you.

            To generate a self-signed cert, you need to generate a signing cert, a CSR from your unsigned cert, sign the CSR with the signing cert, and (typically, depends a bit on the server) merge the two. When you've done this, you keep the private key for the signing cert on a different machine, and then if your web server is compromised you can revoke the cert, yet keep using other certs signed with your trust root and not need to update any client devices that trust that root. Even if you're not doing revocation, you can create certs with a short lifetime and roll them over every couple of months without surprising clients (same signing cert) and reduce the impact of a compromise.

            With StartSSL, the only extra step is that you paste the CSR into a web form instead of passing it to an OpenSSL command line. Actually, if you trust your web browser, you can generate the keypair using the browser's built-in functionality, and then you just need to enter the domain name and copy the cert and key to the correct location, without needing to use the openssl command line at all. With LetsEncrypt, you set up a fairly simple daemon and it will automatically generate and refresh the certs for you.

            Generating the key and cert is not the sum total of the effort involved; you also need to configure the server (or servers, if you're also turning on TLS for email, XMPP, and whatever else you run servers for) to use SSL, tell it where to find the key, and so on. When you include these steps, having a third-party sign the cert is, as I said, a tiny fraction of the total effort.

            --
            sudo mod me up
            • (Score: 2) by Pino P on Monday September 12 2016, @03:43PM

              by Pino P (4721) on Monday September 12 2016, @03:43PM (#400763) Journal

              With StartSSL, the only extra step is that you paste the CSR into a web form instead of passing it to an OpenSSL command line.

              With StartSSL, as with all other CAs that follow the CAB Forum's Baseline Requirements, the machine still needs a valid fully qualified domain name (FQDN). You can't have StartSSL sign a certificate for an RFC 1918 private IP address or for a domain in some made-up TLD such as .local. This means everyone who wants to run a NAS internally on a private home LAN and access the NAS through HTTPS has to buy a domain for that LAN and renew it annually.

              • (Score: 2) by TheRaven on Monday September 12 2016, @03:48PM

                by TheRaven (270) on Monday September 12 2016, @03:48PM (#400767) Journal

                So? If you want to run a device on a private network, without connection to the Internet, then you probably have a far smaller set of client machines to worry about. For this use case, you can be your own CA. Add your own root cert to all of the devices that you care about and sign all of your certs with it. This is totally off topic though, because if you run a device on a private network without connection to the Internet, then it probably won't be listed on Google anyway.

                --
                sudo mod me up
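The two posts above (TheRaven's recipe of keeping the signing key off the web server and rolling short-lived server certs under one root, and his point that a private LAN can be its own CA) carried out on the openssl command line, as an added example that is not code from either poster. The file names and the hostname www.example.test are assumptions, and a separate directory stands in for the separate machine that holds the root key.

```shell
#!/bin/sh
# Added example of a private CA (not code from the thread). Assumed names:
# ca.key/ca.crt (root, kept off the web server), www.key/www.csr/www.crt (server).
set -eu

make_ca() {  # $1 = directory for the root; ten-year self-signed root cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=Example Private Root" 2>/dev/null
}

issue_server_cert() {  # $1 = server dir, $2 = CA dir, $3 = hostname
  # Key and CSR are made where the server runs; only the CSR goes to the CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$1/www.key" \
    -out "$1/www.csr" -subj "/CN=$3" 2>/dev/null
  # Browsers match the hostname against subjectAltName, not CN, so the CA
  # adds it when signing. 60 days: a short lifetime, rolled over under the
  # same root so trusting clients need no change.
  printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext"
  openssl x509 -req -in "$1/www.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -days 60 -extfile "$1/san.ext" -out "$1/www.crt" 2>/dev/null
  # Most servers want the chain as leaf first, then the issuing CA.
  cat "$1/www.crt" "$2/ca.crt" > "$1/fullchain.pem"
}

verify_leaf() {  # $1 = root cert, $2 = leaf cert; prints ok or fail
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

san_present() {  # $1 = cert, $2 = hostname; succeeds if the SAN carries the name
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone demo: build root and server cert in a scratch directory.
work=$(mktemp -d)
make_ca "$work"
issue_server_cert "$work" "$work" www.example.test
echo "chain check: $(verify_leaf "$work/ca.crt" "$work/www.crt")"
```

A leaf signed by one root does not verify against another root, which is the whole point of adding only your own root to the devices you control.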
                • (Score: 2) by Pino P on Tuesday September 13 2016, @01:10AM

                  by Pino P (4721) on Tuesday September 13 2016, @01:10AM (#401042) Journal

                  If you want to run a device on a private network, without connection to the Internet, then you probably have a far smaller set of client machines to worry about.

                  But this set would include friends and family visiting my home, who aren't guaranteed to know how to install a trusted root CA on their phone or tablet.

                  if you run a device on a private network without connection to the Internet, then it probably won't be listed on Google anyway.

                  Clear HTTP will be penalized not only in Google Search but also in Google Chrome, including the copy of Google Chrome on the device of a visiting friend or family member.

  • (Score: 3, Informative) by Gravis on Sunday September 11 2016, @07:00PM

    by Gravis (4596) on Sunday September 11 2016, @07:00PM (#400354)

    essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.

    this is a very naive view of TLS. what it fails to mention is...

    1. TLS has several algorithms that can be used [wikipedia.org] so that if any of them is compromised, the server can simply not use it and still have every client be able to connect. you have to be at least a decade out of date before you completely lose access.
    2. TLS implementations are offloaded to libraries [wikipedia.org] that can be updated, so that even if your program is out of date, your security is still up to date.
    • (Score: 1, Informative) by Anonymous Coward on Sunday September 11 2016, @09:21PM

      by Anonymous Coward on Sunday September 11 2016, @09:21PM (#400388)

      so that even if your program is out of date, your security is still up to date

      Or like my grandparents' router that has not seen an update for 3 years? or my cablemodem that has not seen an update for 2.

      But at least my browser is probably secure!

    • (Score: 3, Insightful) by shortscreen on Monday September 12 2016, @09:04AM

      by shortscreen (2252) on Monday September 12 2016, @09:04AM (#400594) Journal

      On the last version of real Opera (12.whatever) I am starting to see sites that refuse to connect. "Fatal Error: Unable to Establish Secure Connection." I assume this has something to do with the HTTPS fad.

      • (Score: 3, Interesting) by Aiwendil on Monday September 12 2016, @05:18PM

        by Aiwendil (531) on Monday September 12 2016, @05:18PM (#400815) Journal

        I'm stuck at both the rock and the hard place..
        Both in that O12 refuses any letsencrypt-certs and that some of my old routers are still using SSL old enough (only inside a LAN) that it requires me to tell Firefox to violate security in order to use it..

        So basically I'm at the point of needing four browsers just in order to surf..

  • (Score: 5, Insightful) by Bot on Sunday September 11 2016, @07:03PM

    by Bot (3902) on Sunday September 11 2016, @07:03PM (#400356) Journal

    1. declare cleartext unsafe (mostly because wireless routers and cellphones are locked and exploitable, but no, you are not gonna fix the real problems)
    2. no worries, we offer you free certificates, let's encrypt!!!
    3. everybody goes HTTPS (say goodbye to caching or welcome to ISP/CDN MITM), which means that:
    3b. everybody depends on a certificate authority in bed with google or microsoft (firefox depends on either)
    4. random crisis (the ??? part), governments pass emergency laws that forbid 'certain sites' to operate, all you need is to operate on certificate authorities now. The few still using http? TERRORISTS!
    5. PROFIT!!!

    --
    Account abandoned.
    • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @08:28PM

      by Anonymous Coward on Sunday September 11 2016, @08:28PM (#400381)

      And that is assuming the encryption algos don't leak extra data or aren't themselves an attack vector.

      And the certificate authority gets a license to print money, in the form of wildcard certificates, like the ones used by Blue Coat and such devices?

    • (Score: 3, Insightful) by jmorris on Sunday September 11 2016, @09:27PM

      by jmorris (4844) on Sunday September 11 2016, @09:27PM (#400389)

      3. everybody goes HTTPS (say goodbye to caching or welcome to ISP/CDN MITM), which means that:

      Everybody ignores the importance of that one. Caching is good, https breaks it unless your ISP breaks https to fix it and that breaks security for those times you need it.

      Https everywhere also breaks every captive portal in the world. There is, by definition, no solution to that problem. Nobody sane is going to allow every Starbucks and McDonalds to place a wildcard certificate on their device and once you have a browser that simply refuses to view an http:// prefix you are boned. And even if you are that stupid it becomes a catch-22. You never see the captive portal screen offering to install the wildcard. The best that can be done is hang signs with a URL to an https server with the portal. Good luck getting people to actually do that though.

      • (Score: 0) by Anonymous Coward on Monday September 12 2016, @04:11AM

        by Anonymous Coward on Monday September 12 2016, @04:11AM (#400518)

        Captive portals are a broken concept anyway... but then again, mobile devices, at least, special-case them. I assume recent desktop OSes probably do, too (although I haven't used a laptop on a connection with a captive portal in a while).

      • (Score: 2) by NotSanguine on Monday September 12 2016, @03:04PM

        by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Monday September 12 2016, @03:04PM (#400740) Homepage Journal

        Everybody ignores the importance of that one. Caching is good, https breaks it unless your ISP breaks https to fix it and that breaks security for those times you need it.

        Caching is good only if bandwidth is a limited resource. Which it doesn't have to be.

        What's more, I'd be happy with pages loading a little slower (i.e., no caching) if it means my traffic can be encrypted.

        I suppose that's just my personal preference, but it is my preference.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by Pino P on Monday September 12 2016, @03:46PM

        by Pino P (4721) on Monday September 12 2016, @03:46PM (#400766) Journal

        The solution is to switch from captive portals to something like RADIUS authentication [wikipedia.org], wherein the hotspot's terms of use can be presented as an Access Challenge.

  • (Score: 2) by darkfeline on Sunday September 11 2016, @10:36PM

    by darkfeline (1030) on Sunday September 11 2016, @10:36PM (#400405) Homepage

    So, the choice is between HTTP only and HTTPS only? Allow me to make an unprecedented proposal: why not both HTTP and HTTPS?

    And that's ignoring the fact that even cURL handles HTTPS, so you really don't have an excuse to be using a browser that doesn't support it. If your deprecated browser has fewer features than a small command line utility, you may as well just cURL the webpages and open them up in notepad or something.

    "Legacy tools". Even cURL and ed can do it; there's literally no excuse.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 0) by Anonymous Coward on Monday September 12 2016, @03:56AM

    by Anonymous Coward on Monday September 12 2016, @03:56AM (#400509)

    I see no reason to flag static content as insecure. But maybe the article wasn't quite accurate on Google's future intentions.

  • (Score: 0) by Anonymous Coward on Monday September 12 2016, @04:45PM

    by Anonymous Coward on Monday September 12 2016, @04:45PM (#400800)

    Yes, my sites are insecure. Intentionally so. I have nothing that requires encryption on either end.

    What was the problem with that again, Chrome? Anything worth reading needs to be secure? Oh.

    I guess you'll just have to deny everyone using your product from my website, then. Sorry, public! Not my fault that Google wants to force the Internet to be something it is not.