Chrome devs hatch plan to mark all HTTP traffic insecure

Re: Nice try

May as well mark everything as insecure because HTTPS is shit.

And your superior replacement is...?

Re: I'd consider "broken HTTPS" far more insecure than HTTP

A broken HTTPS, i.e. something like a MITM or other attack, should set off alarm bells even in the brains of a clueless surfer, but it won't if it shares the same indication as half the sites he browses!

The problem is that it is impossible for the user to know whether there is a MITM if they're not using HTTPS. This proposal is to stop naively acting like HTTP is somehow magically a better environment than, for example, a site which uses a self-signed cert.

Google's engineers are idiots living in their ivory tower, not understanding that not everyone is an ubergeek who implicitly understands this stuff.

So because some people can't be helped, we should throw everyone else under the bus? There is a wide swath of people between "ubergeek" (who don't need this warning to understand) and "dufus"; and some of those people are capable of understanding, if they're given the right cues.

They think they're being clever and will encourage site owners to switch to HTTPS, but there's no point for a lot of sites to ever do so.

If a site doesn't want to prevent MITM attackers injecting malware into requests to their website (among other things) then sure, there's no point.

HTTPS is also about privacy

HTTPS not only provides security for stuff like passwords, it also brings privacy. A snooper can tell that you've visited a website, but they cannot tell what pages you actually viewed on that site since all that information is transferred after the secure connection is established.

I for one welcome the day when ALL websites use an encrypted connection. It's not going to cost website owners a penny (from mid-2015) but it protects everyone from a range of security and privacy issues.

Re: Time to buy stock in VeriSign/Symantec

Considering the EFF is launching an entirely free, automated CA in 2015 there will be no potential for existings CAs to cash in.

The vast majority of web content has zero security relevance. Who [i]cares[/i] if that cat picture is sent securely?

Do you like your web traffic to have ISP-injected advertising added to it?

Do you enjoy having your ISP add uniquely-identifying tokens to every page request?

Do you enjoy not knowing whether that file you just downloaded from $reputable_site has been tampered with?

Do you like receiving web pages which could be trivially rewritten to directly contain malware?

I don't. That's why I prefer the authentication and privacy offered by TLS.

Who [i]cares[/i] if that cat picture is sent securely?

So why would the warning matter?

What happened to the goal of having an open, accessible Internet with open, simple means of reading and writing content?

That isn't being stopped, but why can't we do that privately and securely?

There are not only 2 states.

Chrome has: 1) A green bar for EV-certs, 2) A green lock for a valid cert, 3) A red strike through the "https" when the security is flawed, 4) No indicator for completely insecure sites

Firefox has: 1) A green bar for EV-certs, 2) A green lock and owner info for a valid cert, 3) A big stonking warning page when the security is flawed, 4) No indicator for completely insecure sites

Without any indicator in the case of 4, the effect is to imply that a complete absence of security is better than partial security (eg. no authentication, but protection from passive interference).

AFAICT, this proposal for Chrome is to treat 4 in a similar manner to 3. This appears sensible to me.

You no longer need a unique IP to get an SSL certificate. That's what SNI is for.

>The warning message doesn't break HTTP, it just educates

Only if it provides useful information - like when the site is asking for customer data.

For a great deal of the web - it's just text, pictures, information. No 'data', no cookies, no nothing.

Something like this is going to scare the pants off surfers, for no good reason.

You are talking about cry babies, with no idea as to who those people are?

If these people run Banking websites, or ecommerce, or anything which does involve the transmitting of personal data between client PC and server, then SSL should be applied and customers using a site like this which is not secure should be warned.

However, what about the situation where the site is a promotional site for a business. It doesn't do ecommerce, and has no data transfer (apart from someone snooping on which pages you visit, which when it comes to a brochure website.... there's probably not that big an issue). In these cases a warning is a bit over the top. The users this is designed to help are the same users that when they see this message are likely to drop their bowels and quickly navigate away from the site. This then results in the website owner seeing a significant drop in traffic.

The other argument against SSL is that Google et al are constantly telling website owners to make their site faster, more responsive etc etc but in my view SSL slows down sites because a) you have the overhead of encryption (which in a dynamic site is not such a big issue because the site is/may be dynamically built based on the user session and should use SSL, but in a static site the content is exactly the same and the overhead is unnecessary) b) the amount of data transferred may be significantly larger if the web page is built up of a lot of components i.e. CSS, javascript, images etc. Each request for a component carries an SSL overhead, and this increases bandwidth and so costs. c) one recommendation form Google was hosting your images/static content on a different domain/sub-domain so that you can get around the max connections per domain limit and also allowing static content to be cached... improving performance. Now you would need a wildcard SSL or move all your static content onto the main domain. This will slow down the site significantly. and d) I think (but it's been some time since I last looked at this) but HTTPS traffic is not cached/cahced in the same way, so if you have lots of images on a page the content won't be cached resulting in a lot more requests on your server, and a lot more content being served.

So the choice here is either get a certificate and slow down your site and increase hosting/bandwidth costs or don't go secure and expect a number of your customers to get scared off because of the warning message telling them that the site will result in them being scammed out of all their money by a Nigerian Prince.

BTW I agree wholeheartedly that any sites where personal or financial data is transmitted should operate securely.

@AC "It seems there are lot of cry babies with HTTP-only sites who have a problem with browsers telling the truth to their visitors..."

Ok, say I run SSL on my 100% public site with no private data anywhere. Will Chrome warn users if my site's been hacked? Not until it's too late for many. Will it tell them if I'm passing their data to insecure 3rd party APIs, or selling any information I collect on them, or giving everything to NSA/GCHQ? Nope.

@David Lawton - The fact that you can get away with MITM filtering of most SSL traffic, even with access to the end user machines (malware does too), does not inspire confidence in SSL.

"Think of the children" == Godwin's Law

Think of the children, screw the rest of us.

If you think those school children aren't smarter than you, and haven't already found ways around your filters then you're wrong.

Re: I don't see the problem with this idea ...

No, the whole concept of HTTPS is broken. It just encrypts data in transit to untrustable servers.

Real security requires (at least) a completely different architecture, where servers only store and transmit encrypted data, never having access to decryption keys. Data would only be encrypted on end-user machines, only within the program(s) that use it. Those programs, and the OS, would need far more robust security than anything in existence today. The whole system would be useless for client-server apps (like websites) and probably less than 100% secure anyhow.

Re: Bit premature

Quote: "Almost every large corp still uses IE8 on XP"

Where are your figures for this?

Granted some corps have been slow at rolling things out, but all of them, without exception, should by now have either completed migration away from XP, or be in the final stages of migration, at least for end-user machines.

Any Corporate users still on XP should have access to the Internet rescinded or at the very least, install a 3rd party browser, and then cripple IE to block it's Internet access (i.e. allow IE access to Intranet only).

Re: Useless feature to make them CA !!!

Wish I could upvote you more than once!