
posted by hubie on Saturday May 06, @05:00AM

Google will remove secure website indicators in Chrome 117:

Google announced today that the lock icon, long thought to be a sign of website security and trustworthiness, will soon be replaced with a new icon that doesn't imply that a site is secure or should be trusted.

While first introduced to show that a website was using HTTPS encryption to encrypt connections, the lock symbol is no longer needed given that more than 99% of all web pages are now loaded in Google Chrome over HTTPS.

These also include websites used as landing pages in phishing attacks or other malicious purposes, designed to take advantage of the lock icon to trick the targets into thinking they're safe from attacks.

"This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon," Google said.

[...] The lock icon will be changed in Chrome 117 with a "variant of the tune icon," a user interface element commonly linked to app settings and designed to show that it's a clickable item.

[...] This move was first announced almost two years ago, in August 2021, when the company revealed that secure website indicators are no longer needed and would be removed from Google Chrome's address bar since over 90% of connections are made over HTTPS.

"When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we've been evolving Chrome accordingly," Google said.

[...] It's worth noting that Google Chrome will continue to alert users of insecure plaintext HTTP connections on all platforms.

  • (Score: 5, Insightful) by MIRV888 on Saturday May 06, @06:22AM (4 children)

    by MIRV888 (11376) on Saturday May 06, @06:22AM (#1304970)

    Well there's your problem right there.
    There are other browsers that you can secure more transparently.

    • (Score: 2, Interesting) by Anonymous Coward on Saturday May 06, @09:02AM (2 children)

      by Anonymous Coward on Saturday May 06, @09:02AM (#1304986)

      Sure there are other browsers, but as a practical matter will the commercial websites that I need to use to run my tiny company work with those browsers?

      Here's one example, one customer wants invoices submitted through a SAP/Ariba system. It stopped working with Firefox a couple of years ago and I grudgingly switched to Chrome for a while. Now, it works with Firefox again (and I've switched back)...go figure.
      Another, computer audio doesn't work (for me) with Zoom or WebEx opened in a browser tab--I have to phone in to conferences. Chrome will give me audio in a browser tab.

      • (Score: 4, Informative) by hendrikboom on Saturday May 06, @01:04PM (1 child)

        by hendrikboom (1125) on Saturday May 06, @01:04PM (#1304999) Homepage Journal

        Yup.
        I've noticed something similar.
        Quoting from my public bookmarks page [pooq.com]:

        I've found that for zoom, firefox works for video; chromium for audio. So I use both together. (as of 2022 11 24)

        • (Score: 0) by Anonymous Coward on Saturday May 06, @06:16PM

          by Anonymous Coward on Saturday May 06, @06:16PM (#1305030)

          > So I use both together.

          Clever! I'll try that next time. The other day with Zoom, Chrome video froze after a few minutes, but the audio kept working. Never occurred to me to try with Firefox, I think that will get the video.
          Thanks!!

    • (Score: 1, Informative) by Anonymous Coward on Saturday May 06, @11:11AM

      by Anonymous Coward on Saturday May 06, @11:11AM (#1304993)

      I dunno, Firefox also did some URL hiding: https://bugzilla.mozilla.org/show_bug.cgi?id=691147 [mozilla.org]

      So they too might follow Chrome down the road of making things harder for the people who care while not doing a thing for the stupid and the careless.

  • (Score: 4, Touché) by driverless on Saturday May 06, @07:17AM (3 children)

    by driverless (4770) on Saturday May 06, @07:17AM (#1304975)

    "This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon," Google said.

    Or to put it another way, we've been paying CAs billions of dollars for the last 30 years for something that, in the browser vendor's own words, doesn't actually work.

    Do we get our money back now?

    • (Score: 0) by Anonymous Coward on Saturday May 06, @08:51AM

      by Anonymous Coward on Saturday May 06, @08:51AM (#1304985)

      > Do we get our money back now?

      Only some suckers get a refund, in this case I think the answer is no.
      For other cases (like the current craze of shorting the stocks of target banks), society/government seems to be favoring a refund to "suckers"/depositors that are above the USA $250K deposit insurance limit.

      Example: the simple website we put up for our B-to-B company was like a printed paper brochure, no commenting, no commerce. In any common sense view, changing to https served no purpose at all. So we didn't add a cert. Sometime in the last few years our webhost (StableHost) added one for us. I don't think we even had to check a box, it was just automatic(?), I believe through CPanel.

    • (Score: 3, Insightful) by turgid on Saturday May 06, @01:44PM

      by turgid (4318) Subscriber Badge on Saturday May 06, @01:44PM (#1305004) Journal

      They're two separate problems. Here, phishing is being conflated with the security of the connection. This problem requires a different solution.

    • (Score: 2) by Opportunist on Sunday May 07, @05:51PM

      by Opportunist (5545) on Sunday May 07, @05:51PM (#1305162)

      It does work, it just does not automatically mean you can switch off your brain because the connection is secure. If you enter your credentials to scammersite.com/bankofamerica because a link in an email sent you there and you think it's safe because scammersite.com got its very legit certificates, then it's your fault for not understanding what certificates mean.

      Certificates only mean that you really are talking to the page the url of which you entered. Not that you're talking to the page you want to talk to. Certificates may be much, but they ain't magical nor psychic.

  • (Score: 4, Interesting) by Rosco P. Coltrane on Saturday May 06, @09:28AM (5 children)

    by Rosco P. Coltrane (4757) on Saturday May 06, @09:28AM (#1304987)

    Running plain old http on port 443, so the user believes he's hitting a https server. One good way to tell something's fishy is looking at the padlock icon.

    So this will be a thing again?

    Everything is a race to the bottom now. Browsers should give you more tools to navigate the complicated online world, not fewer. That is not the technological future I was promised in the 80's...

    • (Score: 3, Insightful) by turgid on Saturday May 06, @01:45PM

      by turgid (4318) Subscriber Badge on Saturday May 06, @01:45PM (#1305005) Journal

      Why take responsibility for your own actions when scapegoats are plentiful?

    • (Score: 3, Interesting) by SomeGuy on Saturday May 06, @06:22PM (3 children)

      by SomeGuy (5632) on Saturday May 06, @06:22PM (#1305031)

      Running plain old http on port 443, so the user believes he's hitting a https server. One good way to tell something's fishy is looking at the padlock icon.

      You are falling for the exact same fallacy they mention in the article.

      HTTPS has never, EVER, meant that a web site or server is "secure". It has only ever meant that the connection BETWEEN the two is allegedly secure.

      The entire point is that bad guys do not use plain HTTP any more. Hence, all of the big to-do about it in the browser user interface is worse than pointless now.

      Pull up a web site, you see the lock icon, you enter your password.... and the bad guys take it because somehow that was their site or they took control of the actual server.

      And if you think that plain HTTP is going away, I've recently had the need to look up piles of different business web sites, and it is quite surprising how many use only plain HTTP. (often HTTPS is also enabled but the certificate is long expired because those pesky IT employees were just expensive deadweight).

      • (Score: 5, Interesting) by Rosco P. Coltrane on Saturday May 06, @07:11PM (2 children)

        by Rosco P. Coltrane (4757) on Saturday May 06, @07:11PM (#1305041)

        You are falling for the exact same fallacy they mention in the article.

        No I don't. I'm perfectly aware that bad websites that serve up malware over https are still bad websites. What I'm saying is, if someone runs a plain http server on port 443, that's a giant red flag, but you can't tell it's happening without the padlock icon.

        The entire point is that bad guys do not use plain HTTP any more

        And my point is, if you can't tell easily whether the traffic is truly encrypted or not on port 443, you can bet your ass they'll start using it again.

        • (Score: 2) by GloomMower on Sunday May 07, @12:49PM

          by GloomMower (17961) on Sunday May 07, @12:49PM (#1305121)

          > And my point is, if you can't tell easily whether the traffic is truly encrypted or not on port 443, you can bet your ass they'll start using it again.

          So, right now if you go to a http website a big warning icon shows. I doubt that is going away, only the lock when it is https.

          So the strategy is, be minimal when https which is 90% of websites, and show warning when http.

        • (Score: 0) by Anonymous Coward on Sunday May 07, @02:56PM

          by Anonymous Coward on Sunday May 07, @02:56PM (#1305134)

          You'd see the 443 though. e.g. ʜᴛᴛᴘ://soylentnews.org:443/

          So if you got fooled by that you're not much better than those who'd get fooled whether it's http or https. Also if soylentnews was pwned so badly that it was running http on port 443 it's so pwned you shouldn't be logging on to it whether it was doing that or not...

          And FWIW, in how many cases were people phished because the site was http and not https, versus because the names in the URL vaguely looked similar and the site looked similar?

          On a related note Microsoft uses so many different domains it's hard for a "normal" person to figure out what is a legit Microsoft url. I wonder whether it's on purpose - they want their customers/users to get phished?
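The "plain HTTP on port 443" case Rosco P. Coltrane raises, and the URL-bar tell the Anonymous Coward points out, as an added example that is not part of the thread: a small Python script that classifies what a server actually speaks on a port, and flags a URL whose scheme and explicit port disagree. The sample byte strings are constructed here to look like the first bytes a server returns; they are not captured traffic, and the network probe function is only for running against a host of your own.

```python
"""Tell plaintext HTTP on port 443 apart from TLS, without relying on a browser icon."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed samples (not captured traffic): what a server's first bytes look like.
SAMPLE_TLS_REPLY = bytes.fromhex("160303007a020000760303")   # TLS record: handshake, ServerHello
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020228")            # TLS record: fatal handshake_failure alert
SAMPLE_PLAIN_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def classify_server_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends on a port that is supposed to be HTTPS.

    Every TLS record starts with a content-type byte (0x16 handshake, 0x15 alert)
    followed by a 0x03 0x0X legacy version; plaintext HTTP starts with 'HTTP/'.
    """
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if not data:
        return "closed"
    return "unknown"


def scheme_port_mismatch(url: str) -> bool:
    """True when the URL bar itself gives the game away: http:// with an explicit
    :443, or https:// with an explicit :80. urlsplit leaves .port as None when no
    port is written, so a bare 'http://example.com/' is not flagged here; that is
    the case the browser's 'Not secure' warning still covers."""
    parts = urlsplit(url)
    return (parts.scheme, parts.port) in (("http", 443), ("https", 80))


def probe_port(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Network probe (not exercised offline): attempt a real TLS handshake first;
    if the record layer rejects what the server sends, fall back to a plain HTTP
    request and classify the reply bytes."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + (tls.version() or "unknown")
    except ssl.SSLCertVerificationError:
        return "tls:certificate-rejected"   # it is TLS, just not a cert we trust
    except ssl.SSLError:
        pass                                 # not TLS at all, or the record layer broke
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        return classify_server_bytes(raw.recv(64))


if __name__ == "__main__":
    for sample in (SAMPLE_TLS_REPLY, SAMPLE_TLS_ALERT, SAMPLE_PLAIN_REPLY, b""):
        print(sample[:12], "->", classify_server_bytes(sample))
    for url in ("https://soylentnews.org/", "http://soylentnews.org:443/", "https://soylentnews.org:80/"):
        print(url, "->", "suspicious" if scheme_port_mismatch(url) else "consistent")
```

The ordering in `probe_port` matters: `ssl.SSLCertVerificationError` is a subclass of `ssl.SSLError`, so it has to be caught first to keep "TLS with a bad certificate" separate from "not TLS at all". Only the second case is the one the thread is worried about.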

  • (Score: 2) by Opportunist on Sunday May 07, @05:53PM

    by Opportunist (5545) on Sunday May 07, @05:53PM (#1305163)

    "It is encrypted and the certificate is valid, so I can safely enter my credentials to www.bankomurrica.com"

    There is no technical solution for user stupidity. Sorry.
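What certificate validation does and does not answer, as Opportunist describes it in both comments above, as an added example that is not part of the thread: browser-style hostname matching of a certificate's names against the host in the URL, next to the separate check the user actually needs (is this my bank's domain?). It also goes one step past the thread's examples by showing that a userinfo prefix like `https://bankofamerica.com@scammersite.com/` still names scammersite.com. The SAN lists and URLs are constructed for illustration; scammersite.com and bankomurrica.com are the thread's own hypotheticals, not real certificates.

```python
"""What a valid certificate does and does not tell you about a URL."""
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate SAN dNSName against a host the way browsers do
    (RFC 6125 style): case-insensitive, and a wildcard only as the entire
    left-most label, matching exactly one label and never a bare suffix."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # '*.example.com' covers 'a.example.com' but not 'example.com' or 'a.b.example.com',
    # and a pattern needs at least two labels after the wildcard (no '*.com').
    return len(p_labels) >= 3 and len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_url(san_names, url: str) -> bool:
    """The only question certificate validation answers: does some name in the
    certificate cover the host that the URL actually names?"""
    host = urlsplit(url).hostname
    return host is not None and any(hostname_matches(n, host) for n in san_names)


def is_expected_domain(url: str, expected: str) -> bool:
    """The question the user cares about, which TLS never asks: is the host the
    expected registrable domain or a subdomain of it? Assumes 'expected' is
    already a registrable domain such as 'bankofamerica.com' (no public suffix
    list is consulted here)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


# Constructed SAN lists for illustration only; these are not real certificates.
SCAMMER_SAN = ["scammersite.com", "*.scammersite.com"]
BANK_SAN = ["bankofamerica.com", "www.bankofamerica.com"]

if __name__ == "__main__":
    for url in (
        "https://scammersite.com/bankofamerica",
        "https://bankofamerica.scammersite.com/login",
        "https://bankofamerica.com@scammersite.com/login",
        "https://www.bankomurrica.com/",
        "https://www.bankofamerica.com/",
    ):
        print(f"{url:48} scammer cert valid: {cert_covers_url(SCAMMER_SAN, url)!s:5} "
              f"bank cert valid: {cert_covers_url(BANK_SAN, url)!s:5} "
              f"is the bank: {is_expected_domain(url, 'bankofamerica.com')}")
```

Run it and the first three URLs all validate cleanly against the scammer's perfectly legitimate certificate, which is exactly the point: the lock (or the tune icon) reports the outcome of `cert_covers_url`, never of `is_expected_domain`.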

  • (Score: 0) by Anonymous Coward on Tuesday May 09, @11:07AM

    by Anonymous Coward on Tuesday May 09, @11:07AM (#1305491)

    So many better Chromium-based browsers out there that work with all websites, and people still use the feature-poor Chrome? Even Edge is better.
