Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP. If you use the ad giant's Chrome browser, and a lot of people do, in its 56th build and onwards any website that does not use a security certificate will feature a red …

  1. No Quarter

    Thin end of the whatsit.

    Can wholly understand the password and credit card part but keen about the roadmap wanting all web sites to have a security certificate in the future. It is another cost to most web site owners for very little apparent benefit.

    1. Adam 1

      Re: Thin end of the whatsit.

      I'm sure it's not to thwart network level (ISP level) ad blockers. Clearly that is an unintentional side effect.

    2. goldcd

      It's pretty minimal cost

      I just renewed my SSL cert and I think it cost me £20 to get it signed and maybe 30 mins of trying to remind myself how to drive openssl.

      In the grand scheme of keeping my little hobby site up and running, nothing.

      1. Lobrau

        Re: It's pretty minimal cost

        Realise this might be a bit late for you but have you considered LetsEncrypt?

        AFAIK they don't do EV certificates but if you want a bog-standard one then it's free.

        Unless some of you have technical horror stories from them that you'd care to share?

        1. Ole Juul

          Re: It's pretty minimal cost

          "Realise this might be a bit late for you but have you considered LetsEncrypt?"

          Don't know if you were referring to me, but in any case, yes I have. It works fine and is not too difficult for those of us with a little experience. It is nevertheless more work and understanding than should be required for newcomers or casual users of the net. That sort of thing is fine but for basic sites only serves to have more stuff done and determined by concerns like, you guessed it, Google.

      2. Christoph

        Re: It's pretty minimal cost

        "I just renewed my SSL cert and I think it cost me £20 to get it signed and maybe 30 mins of trying to remind myself how to drive openssl."

        It's trivially easy for someone who knows what they are doing.

        It is not trivially easy for a little old lady who wants to put up a couple of pages with pictures of her cats and her grandchildren.

        1. The Mole

          Re: It's pretty minimal cost

          "It is not trivially easy for a little old lady who wants to put up a couple of pages with pictures of her cats and her grandchildren."

          A little old lady will not be setting up her own webserver, she will be using a hosting provider which will do all the work for her. If she is setting up her own web server and ensuring that it is kept up to date and secure then I'm sure a bit of certificate management isn't beyond her abilities either.

          1. John Lilburne

            Re: It's pretty minimal cost

            "she will be using a hosting provider which will do all the work for her."

            It is pretty damn easy to get a 'little-old-lady.net' domain and have it set up with wordpress or typepad, or something else, she can also have some photo gallery installed too. Godaddy can do it within an hour. Why should 'little-old-lady.net' need certing and fecking about with openssl (a software installation that wasn't needed)?

      3. frank 3

        Re: It's pretty minimal cost

        yeah, and I work for an agency with about 100 sites to look after.

        For each one, I have to cost this for the client, discuss it with them, agree the timings, execute it, test that the site still works as expected with no SEO impacts and then keep track of all those certs in a year's time.

        So that's a couple of weeks up the swanny.

        For *no frickin' benefit to anyone*.

        Oh, and my clients will blame me because I'm the messenger. Cost to them for no benefit. Yay!

        The ones that stored personal data already had certs. *sigh*

        Thanks for massively wasting my time Google.

        1. Robin Bradshaw

          Re: It's pretty minimal cost

          It will have a tiny positive SEO impact, if your clients care about such things you should perhaps have been looking at this already :)

          https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

      4. Mage Silver badge
        Pirate

        Re: It's pretty minimal cost

        No, it's not. It's x3 more expensive than a domain name, and my multiple domains already cost more than my hosting. It would make my total annual cost about 2.5x higher, just for the certificates. However I'd also need a far more expensive hosting package, something to do with issues of HTTPS and shared IPs? At any rate even if you have a cert, my hosting company charges a lot more.

        No-one (other than me for updates) logs into my sites. They all are backed up. The SQL server access is only possible on the site, not remotely.

        I use SFTP.

        HTTPS is way too expensive unless you are making money from the site, or eCommerce. Even for selling, it's possible to use 3rd party payment such as PayPal where you get the customer details from PayPal later (using their HTTPS) and the customer never logs on to your own site, nor ever gives you card details.

        This is to suit Gooogle.

        1. John Lilburne

          Re: It's pretty minimal cost

          "This is to suit Gooogle."

          <meta name='googlebot' content='noindex'>

          Range block this little lot at the htaccess level.

          64.233.160.0 - 64.233.191.255

          66.102.0.0 - 66.102.15.255

          66.249.64.0 - 66.249.95.255

          72.14.192.0 - 72.14.255.255

          74.125.0.0 - 74.125.255.255

          209.85.128.0 - 209.85.255.255

          216.239.32.0 - 216.239.63.255

          Time to turn Google dark.
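          The range list above, turned into something a server can actually load. This is an added example and not part of the comment: Python's ipaddress module collapses each first-last range into the minimal set of CIDR blocks, renders them in .htaccess syntax (mod_authz_core "Require not ip" for Apache 2.4, or "Deny from" for 2.2), and offers a membership check so a candidate address can be confirmed as covered before the file goes live. Caveat for anyone copying the idea: crawler address space changes, so the posted list is a snapshot and a block like this needs re-checking, and the meta tag only asks not to be indexed while the IP block stops the fetch altogether.

```python
import ipaddress

# The first-last ranges exactly as posted in the comment above.
POSTED_RANGES = [
    "64.233.160.0 - 64.233.191.255",
    "66.102.0.0 - 66.102.15.255",
    "66.249.64.0 - 66.249.95.255",
    "72.14.192.0 - 72.14.255.255",
    "74.125.0.0 - 74.125.255.255",
    "209.85.128.0 - 209.85.255.255",
    "216.239.32.0 - 216.239.63.255",
]


def ranges_to_networks(ranges):
    """Collapse 'first - last' strings into the minimal list of CIDR networks."""
    networks = []
    for item in ranges:
        first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-"))
        if last < first:
            raise ValueError(f"range out of order: {item!r}")
        # summarize_address_range yields one network per aligned range,
        # several for ranges that do not sit on a power-of-two boundary.
        networks.extend(ipaddress.summarize_address_range(first, last))
    return networks


def is_blocked(address, networks):
    """True if `address` falls inside any of the blocked networks."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


def htaccess_block(networks, apache24=True):
    """Render the deny list in .htaccess syntax for Apache 2.4 (default) or 2.2."""
    if apache24:
        # 'Require not ip' is only meaningful inside a container with a positive rule.
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {net.with_prefixlen}" for net in networks]
        lines.append("</RequireAll>")
    else:
        lines = ["Order allow,deny", "Allow from all"]
        lines += [f"Deny from {net.with_prefixlen}" for net in networks]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = ranges_to_networks(POSTED_RANGES)
    print(htaccess_block(nets))
    print("66.249.66.1 blocked:", is_blocked("66.249.66.1", nets))
```

          Each posted range happens to be CIDR-aligned, so the seven ranges become seven networks; a range such as 10.0.0.0 - 10.0.2.255 would come out as two.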

        2. Kiwi

          Re: It's pretty minimal cost @mage

          However I'd also need a far more expensive hosting package, something to do with issues of HTTPS and shared IPs?

          Played with LetsEncrypt on my puny little bog-standard LAMP server. More than one site on the machine. HTTPS is enforced, no HTTP (though I must have a look with a browser that doesn't do HTTPS, if I can find one!)

          No issues with multiple sites, works as well as any other shared-IP system.

          I have come across "this causes problems" or "you must pay because it means work for us" things from ISPs though, eg static IPs which aren't standard over here and do tend to cost $10/mo (a few seconds, maybe a couple of minutes, to set it up in the ISP database and let the customer know it's done; once set it's set, so how come monthly charges? whereas reverse DNS to your own domain doesn't cost a dime to get done!), so anyway.. Yeah, sometimes ISPs etc claim "takes effort" or "causes issues" when it probably doesn't.

          (Disclosure : I have run small web and email servers for some years, so far no major security issues and no data breaches that I am aware of, neither obvious hacks (site defacement) or personal/company data showing up in the wrong place, but I am far from expert!)

      5. TheVogon

        Re: It's pretty minimal cost

        "I just renewed my SSL cert and I think it cost me £20 to get it signed "

        Why would you pay for a basic SSL cert?! See https://www.startssl.com/

    3. a_yank_lurker

      Re: Thin end of the whatsit.

      Too many websites have features that require a login. How many of these sites have even considered having a certificate and a secure connection?

      1. Ole Juul

        Re: Thin end of the whatsit.

        Fine, let the ones that require a login use https. They should. However, lots of us like to just throw up a static page here and there, and there is no reason we should have to deal with that kind of thing. In that case it's a complication that serves only to empower the big guys and screw the common folk for whom the internet should remain simple, direct, and easily available. Google with its elitist attitude is not everybody's friend.

      2. Anonymous Coward
        Anonymous Coward

        Re: Thin end of the whatsit.

        Just, a login doesn't require only an encrypted connection. It *must* also require an *authenticated* connection - you must ensure you're really talking to the right endpoint.

        Something that would require proper vetting of the certificate application. Which unfortunately is not what often happens - because vetting has costs. "Free for all" certificates will not help much.

      3. BillG
        Facepalm

        Re: Thin end of the whatsit.

        Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP.

        Passwords. That will include El Reg.

    4. Anonymous Coward
      Anonymous Coward

      Re: Thin end of the whatsit.

      This is a warning that the site you are visiting is not secure - if it's on http, then it isn't. If you are browsing little old lady cat pictures then you won't care that the site isn't secure. Many people still think of https as being for banking not for regular logins or that it can be used to track your movement around the web and is a privacy concern. Many people also think that incognito mode means people can't see where you are browsing.

      Even The Register refuses to use an HTTPS login, which means that anyone in IT can see their password, see their 'anonymous' posts and see where they've been criticising their company, boss, team etc.

      If it took a bit of a nudge to get sites like this to add an encrypted log in then, that would be a positive.

      1. TheVogon

        Re: Thin end of the whatsit.

        "If you are browsing little, old lady cat pictures then you won't care that the site isn't secure"

        You might do if the urls are along the lines of http://little-old-ladies-pussies.com

    5. Anonymous Coward
      Anonymous Coward

      Re: Thin end of the whatsit.

      "Google Chrome to shame leaky non-HTTPS sites from January"

      Presumably if you cared about your personal information leaking, then you wouldn't be using Chrome though....Google Slurps all your data like The Borg...

    6. joostlinux

      Re: Thin end of the whatsit.

      Take a look at Letsencrypt.org. Have multiple certificates and it's literally as easy as pressing a button.

  2. Anonymous Coward
    WTF?

    Dumb idea IMO..

    Dumb on many levels.

    Have we already forgotten about running out of IPv4 addresses? A website which uses plain HTTP allows the webserver to perform name based lookups. In other words: you can host several websites using 1 single IP address. Enforcing HTTPS takes this advantage away due to its structure, HTTPS needs a dedicated IP address for a website. So basically... While we're in the middle of struggling with running out of IPv4 addresses Google tries to push the demand for IP addresses even more forward.

    Second, just as obvious: by marking all HTTP using websites as insecure people will become more immune to such warnings. And that can have serious effects when they actually do come across insecure websites. Because how are they going to notice the difference? Worse: would they still care as much? I can picture it now: "Meh, Google calls all the websites I visit insecure these days and nothing bad happened, so how bad could this site be? <clicks>".

    As also stated in the article: it's not as if the use of HTTPS ensures safety. That's plain out bollocks. Don't believe me? How about that story on the SSL skeleton key? Or what about the story earlier this year about a Compromised HTTPS website.

    Third: we already established time and time again that there are dozens of CAs out there who don't exactly take safety very seriously. Remember those articles about easily obtaining certificates for known domains? Like getting one for Mozilla? There has been a recent issue as well, but I wasn't able to find the article so quickly.

    Even so... HTTPS is no guarantee for security. And I think it's stupid if someone tries to make it look as if it does. Makes me wonder: I know Google sells domains, do they also sell certificates by any chance? Conflict of interest perhaps?

    1. Anonymous Coward
      Anonymous Coward

      Re: Dumb idea IMO..

      "HTTPS needs a dedicated IP address for a website."

      Uhh SNI?

    2. Justin Pasher

      Re: Dumb idea IMO..

      The one-IP-address-per-site thing is very rarely an issue nowadays. Just use shared IP addresses and SNI. Unless you're trying to support IE on Windows XP, you'll rarely find a case where anything remotely modern doesn't support it.

      1. richardcox13

        Re: Dumb idea IMO..

        > Unless you're trying to support IE on Windows XP, you'll rarely find a case

        Make that pre-SP2 Windows XP. SNI client support was added in SP2.

        If your clients are using Windows XP without SP2, then they have bigger problems than a few security warnings. But as Chrome now requires at least Windows 7, they won't get the warnings anyway.

    3. Shrek

      Re: Dumb idea IMO..

      As others have said this isn't really an issue any more with SNI, see here for more info regarding Apache.

    4. John Lilburne

      Re: Dumb idea IMO..

      Dunno about selling certificates but they sell ads, and extra costs on websites may make them more likely to sign up for Adsense to reclaim a bit of the cost.

    5. Adam 1

      Re: Dumb idea IMO..

      It's also just the last endpoint. It tells you nothing about what happens after that server receives your credentials.

      Tip El Reg:

      If you want to stop our narky comments about this forum's lack of HTTPS, just hide behind cloudflare or equivalent. They'll serve us HTTPS then talk to you over HTTP. Defeats part of the purpose of HTTPS but at least we get a padlock icon hey.

    6. goldcd

      erm no...

      you need an IP to host domains, yes.

      But you can put as many domains as you like on the IP (or subdomains) - and then you can generate certs and get them signed for the domains as wildcards, or subdomains as you see fit.

      I really should have just replied 'bollocks'

    7. martinusher Silver badge

      Re: Dumb idea IMO..

      One of the more irritating things about modern software is that it just piles hack upon hack. The original purpose of the web was to serve information but the needs of e-commerce, advertising and so on made it imperative that it 'push' information to a user's desktop. This wasn't something that the protocol was designed to do so it just introduced security issues. The only way people can think of fixing the security issues is encrypting everything, which carries the risk of holes being found in the encryption protocol (it's never the actual coding that's the issue, it's the way that it's used that is typically the weakness), and the more stuff that's encrypted (especially stuff where you happen to know the plaintext) the better the chance of finding a hole.

      Instead of constantly patching and fudging this mechanism needs to be dealt with properly once and for all. We can start with CGI, a travesty (and a fruitful source of security issues), hit Javascript (a viable scripting language that's widely abused).....build something that works from the ground up. I'm prepared to sacrifice bells and whistles for something that works properly.....the question is, in this marketing driven world, whether everyone else is prepared to.

      1. DaLo

        Re: Dumb idea IMO..

        "build something that works from the ground up"

        Ah yes -- good ol' XKCD to the rescue https://xkcd.com/927/

    8. Jess

      Re: Google calls all the websites I visit insecure these days..

      A very good point.

      They really need to have a distinction between not private and insecure.

      Have they really never heard of the fable The Boy Who Cried Wolf?

    9. Anonymous Coward
      Anonymous Coward

      Re: Dumb idea IMO..

      What bollocks is this?

      I run several sites on a single box personally and implemented SSL on each with no problem. All on a single IP.

      I think you're getting confused with subdomains. Unless you have a wildcard cert for a domain a cert can only be used on a site for the domain specified in the cert.

      Also, I don't know about the rest of the web masters in here but I use nginx as a reverse proxy load balancer for my infrastructure which handles the SSL.

      My actual web servers have no SSL. Nor are they directly exposed to the web (i.e. no inbound route except for nginx).

      To the chap that is allowing direct access to his clients' web servers from the web...tut tut. *wags finger*

  3. Stuart Moore
    WTF?

    So, does this mean

    ... that The Register will finally support HTTPS?

    1. choleric

      Re: So, does this mean

      Apart from articles about Yahoo!

      From the article:

      "... any website that does not use a security certificate will feature a red exclamation mark..." If there are bonus gratuitous marks of exclamation to be had why not take them?

    2. Anonymous Coward
      Anonymous Coward

      @Stuart Moore - Re: So, does this mean

      Why should they do that? There's nothing secret on their pages, all of it is public information available to anyone and you don't have to enter any credit card information. What would anyone get from spying on our visit to El Reg pages? No matter if a website is using HTTPS or not, Google gets all the information it wants, thank you very much! So why bother?

      1. Adam 1

        Re: @Stuart Moore - So, does this mean

        1. People are lazy and use the same handles and passwords elsewhere. Think of all the people who are not as security literate as yourself but come here often because they like DevOps.

        2. Not only can people read HTTP in a MitM attack, but they can actively change the communications. They can replace the El Reg ads with something more sinister, inject JavaScript or even change your comment so that instead of fiercely agreeing with Stuart, you appear to disagree with him.

        1. allthecoolshortnamesweretaken
          Coffee/keyboard

          Re: @Stuart Moore - So, does this mean

          "Think of all the people who are not as security literate as yourself but come here often because they like DevOps."

          Thank you, Adam 1 - you just made my day (see icon)!

      2. Anonymous Coward
        Anonymous Coward

        Re: @AC - So, does this mean

        Okay, to show you what a problem this could be: Post your username and password on this site and see if it makes any difference.

        As your login isn't secure anyone in your company could potentially grab this anyway and see what you are saying about the IT where you work. Anyone who works where you connect from public WiFi could do the same. Anyone at your upstream providers could also, along with anyone who sets up a Rogue AP with the same non-authenticated SSID as one you have used before.

  4. bazza Silver badge

    Really?

    So why does a news website (BBC, The Register's articles, etc) have to go to https? It's not like there's anything to hide, except for those users in countries where accessing such websites is the problem (in which case https won't help).

    And last time I looked the Certificate Authority system didn't seem to be a good guarantee that a website was in fact what it claimed to be.

    1. VinceH

      Re: Really?

      If GryzzlGoogle says it must be so, then it must be so. It is, after all, their internet.

    2. asdf

      Re: Really?

      > It's not like there's anything to hide

      Except for your user login password which is plaintext. Even if everybody with a brain uses a one-site password it's still bad form. Also the more web traffic in general that is encrypted the better it is for privacy of all. Encrypting the mundane noise is important as well. Agree on the CA system being fundamentally broken but chancing some people reading your traffic is better than making it so anybody for eternity can always do so.

    3. inmypjs Silver badge

      Re: Really?

      "why does a news website (BBC, The Register's articles, etc) have to go to https?"

      So google via their browser, analytics and advert splurge will be the only ones able to watch and record what you do on those sites.

      1. Swarthy
        Alert

        Re: Really?

        Lemme see...

        The reason given by El Reg for not having HTTPS is that their ad broker won't do HTTPS, and they refuse to half-ass security: full ass, or no ass.

        If they get a black eye from a lack of HTTPS, then they will be more inclined to transition to a broker who will do HTTPS to remove the warning.

        Google Ads provides ads over HTTPS.

        Profit?

    4. Marcel
      Megaphone

      Re: Really?

      You visit BBC and The Reg's website because you believe they bring you reliable news. If it's over HTTP it's not reliable anymore. And maybe you don't give a damn about privacy, but I do. So please let me visit sites over HTTPS and you keep visiting the non-secure version of it.

      1. Anonymous Coward
        Anonymous Coward

        @Marcel - Re: Really?

        You're naive if you really believe that HTTPS sites will show you reliable information.

        1. Graham Dawson Silver badge
          Facepalm

          Re: @Marcel - Really?

          Reliable as in not tampered with between source and client.

        2. TimB

          Re: @Marcel - Really?

          You mean your browser will still return the secure version of a site even if the page contains no links to unbiased sources? That just sounds like a poor implementation of HTTPS to me.

    5. Voland's right hand Silver badge

      Re: Really?

      So that there is no-one to interfere with Google in monetizing your traffic.

      The moment a site goes https it can no longer be transparently proxied. If you look at Android releases, only 5 onwards (grudgingly) provides some level of half-decent proxy support. That is for a reason.

  5. Kevin McMurtrie Silver badge
    Thumb Down

    "a long-term plan to mark all HTTP sites as non-secure"

    HTTPS is really, really slow and I'm not a fan of Google's hacks to improve it. How about a long-term plan to make digital signatures work better? Most online content is public so all that matters is delivery integrity.

    1. asdf

      Re: "a long-term plan to mark all HTTP sites as non-secure"

      > Most online content is public

      But not necessarily all your customers/users want everyone to know exactly who sees it (tor needs https for end to end privacy) and how they interact with it.

    2. Adam 1

      Re: "a long-term plan to mark all HTTP sites as non-secure"

      > HTTPS is really, really slow

      No. Not even close. When Google switched on HTTPS for Gmail by default 6 years ago, they found it increased CPU load by less than 1% and network traffic by 2%.

      https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

      With multiplexing in HTTP/2, HTTPS more often than not outperforms HTTP.

      If there is a difference it is in transparent proxies.

      I do however add my +1 to some sort of digital signature standard for delivering non private pages in a way that the client can tell they haven't been tampered and where the transparent proxies can still operate.

    3. Robin Bradshaw

      Re: "a long-term plan to mark all HTTP sites as non-secure"

      "HTTPS is really, really slow"

      You're doing it wrong

      https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

  6. John Lilburne

    Fuck Google and the Adsense Whore they rode in on.

    There are a wealth of websites that don't sell shit, don't shove loads of ads all over it, and whether login passwords leak is of no consequence. Really what does it matter if your password for logging into commenting on this site leaks? Or on 1000s of other sites.

    Besides one basic security rule is don't install software that you don't bloody well need.

    1. Charles 9

      Re: Fuck Google and the Adsense Whore they rode in on.

      Two words: Chinese Cannon. Silent HTTP Switcheroonies WILL be weaponized in the future.

  7. Drew 11

    Not yet

    Maybe once the browser manufacturers finally support DNSSEC and DANE and we can ditch the CA system?

    Oh, and once it doesn't require a degree in computer science to get the darn certs running properly in BIND/Apache/Postfix/Dovecot etc...

    1. Anonymous Coward
      Anonymous Coward

      @Drew 11 - Re: Not yet

      Degree in computer science? Man, you must be on something. To me the ability to read and understand English is enough to do that stuff.

  8. Anonymous Coward
    Anonymous Coward

    American ISPs

    So long as unencrypted pages exist, US ISPs will be tempted to inject their own adverts into them.

    1. Swarthy
      Paris Hilton

      Re: American ISPs

      US ISPs specifically? Has someone forgotten Phorm?

  9. itzman

    Not to mention multi-hosting

    ...isn't it not strictly kosher to have https attached to more than one named site on a single IP address?

    1. Dan 55 Silver badge

      Re: Not to mention multi-hosting

      Yes it is not strictly kosher, if you've travelled back in time to 2005.

  10. i1ya
    Thumb Up

    This is proper and important step and I hope other browsers will do the same

    It is much more simple to force webmasters (relatively small and less dumb part of humanity) to add HTTPS to all dynamic sites than to teach everyone on the Internet not to re-use passwords. Considering broad SNI support and free SSL certificates from Let's Encrypt, we don't have excuses for NOT using HTTPS anymore. Yes, I will need to spend some extra time on sites that I maintain, but I hope that eventually the web will become a bit safer for an average person.

    1. OtotheJ

      Re: This is proper and important step and I hope other browsers will do the same

      But the reality is that most webmasters of small sites will not implement a cert and as others have mentioned, Chrome will become the boy who cried wolf.

      I'll stick to Edge :-)

      1. Charles 9

        Re: This is proper and important step and I hope other browsers will do the same

        "But the reality is that most webmasters of small sites will not implement a cert and as others have mentioned, Chrome will become the boy who cried wolf."

        So what happens when webmasters find their sites are being shunned because they don't use HTTPS? Doesn't this become a "sink or swim" situation?

    2. toughluck

      Re: This is proper and important step and I hope other browsers will do the same

      Yeah, right. Instead of having three security states (secure/not secure/don't care) for the average user, they will now have two (secure/not secure).

      The users were trained to see the green padlock as a security mechanism and to only expect it on sites where they do shopping, banking, e-mail, etc., and that they should only follow bookmarked sites and check the certificate.

      This is going to train users to ignore the certificates completely and if they end up on their "banking" site, they will see a green padlock because the phishing operation used a free SSL certificate from Let's Encrypt.

      Really a brilliant idea.

      HTTP simply wasn't built for this -- it was devised to be one-way only. Two-way communication was strictly e-mail, Usenet, IRC, FTP or telnet, followed by transport layer security for them.

      1. Charles 9

        Re: This is proper and important step and I hope other browsers will do the same

        "HTTP simply wasn't built for this -- it was devised to be one-way only. Two-way communication was strictly e-mail, Usenet, IRC, FTP or telnet, followed by transport layer security for them."

        That's basically saying THE INTERNET wasn't built for this, and it wasn't. It wasn't built on the basis of DIStrust, and there's not much you can really do about it since you can do the same with ANY protocol out there. HTTP is simply the protocol de facto; given how the Internet works, you can do the same with ANY protocol, secured or not, with the right resources, since true attestation is impossible. Indeed, given the resources of states to be able to legally compel any private organization within its borders, we have to assume true attestation cannot be achieved full stop. Sovereignty trumps everything in that regard.

        IOW, there's no turning back. We can't even go back to the Sears catalog since the State is also savvy enough to impersonate Sears...or anyone else they have to, for that matter.

      2. i1ya

        Re: This is proper and important step and I hope other browsers will do the same

        "This is going to train users to ignore the certificates completely and if they end up on their "banking" site, they will see a green padlock because the phishing operation used a free SSL certificate from Let's Encrypt"

        You can't get a free certificate unless you prove that you control the site or DNS zone, so that's not the case. And imagine the contrary: some person may log onto a banking site that is produced by a phishing script, without noticing that the green lock has disappeared.

        All these actions are aimed to protect people that are not very computer-literate, but the percentage of such people increases every day.

        1. TimB

          Re: This is proper and important step and I hope other browsers will do the same

          But I DO control the DNS and site for natwest.securebanking.site (well, I don't, but for the low low price of £3.99 through my usual registrar, I could), so I'd have no problem making it display the green padlock.

  11. jb99

    Nope

    I won't be using ssl for things that don't need ssl.

    1. Charles 9

      Re: Nope

      EVERYTHING needs SSL. Don't Trust Anyone. ANYTHING in the clear can be messed with.

  12. Dwarf

    Half and Half

    I kind of agree with the concept, but I disagree with the proposed enforcement.

    1. Google doesn't define the Internet standards, that's what the RFCs and standards bodies are for. Both HTTP and HTTPS are valid standards.

    2. Not everything needs HTTPS. The webmaster will know what their data is and its value. For example, public data is already public, so why hide it during transmission?

    3. Not every webmaster will understand HTTPS, so the risk of badly configured SSL will be higher.

    4. This will bring extra cost and management overhead, which will be unwelcome for those who run small sites on low budgets (personal blogs and micro-sites etc).

    5. I expect that there will be many expired certificate warnings exactly 1 and 2 years after they switch this on?

    6. Hosting companies will charge extra as they will get a higher CPU load dealing with the encryption in software, which means lower consolidation densities.

    7. Adding HTTPS to badly configured server doesn't make the information within it secure, so claiming the site is "secure" is misleading, as is claiming that a site hosting public info is insecure just because it runs over HTTP.

    Obligatory link to the Qualys SSL checker

    I wonder how many "ordinary webmasters" would know what to do about the deficiencies stated for a specific site. Suddenly the knowledge bar just got a lot higher. Many won't spend the time to learn and fix, they will just stop when google says "Green Circle"
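    Two things a browser checks before it paints that green circle, worked in code. This is an added example serving both the phishing exchange above (TimB's natwest.securebanking.site) and point 5 here about certificates quietly expiring; it is not code from the thread. It operates on dicts in the shape Python's ssl getpeercert() returns, the two certificates are constructed rather than real, and NOW is a fixed reference instant so everything runs offline. The name check is the RFC 6125 rule: a single leftmost wildcard covers exactly one label, so a certificate for *.securebanking.site legitimately covers natwest.securebanking.site and says nothing about natwest.com. The same rule is why a certificate on a shared IP cannot bleed across to the neighbouring domains. The expiry helper is the bit a hosting agency would cron against its client list.

```python
import ssl
import socket

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns. None are real certificates.
SAMPLE_CERTS = {
    "cats.example": {
        "subject": ((("commonName", "cats.example"),),),
        "subjectAltName": (("DNS", "cats.example"), ("DNS", "www.cats.example")),
        "notBefore": "Oct 17 00:00:00 2016 GMT",
        "notAfter": "Jan 15 12:00:00 2017 GMT",      # 90-day lifetime, Let's Encrypt style
    },
    "natwest.securebanking.site": {
        "subject": ((("commonName", "securebanking.site"),),),
        "subjectAltName": (("DNS", "securebanking.site"), ("DNS", "*.securebanking.site")),
        "notBefore": "Dec 01 00:00:00 2016 GMT",
        "notAfter": "Mar 01 00:00:00 2017 GMT",
    },
}

# Constructed reference instant so the checks below are reproducible offline.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2017 GMT")


def dns_names(cert):
    """dNSName SANs; fall back to the CN only when there is no SAN (modern browsers ignore the CN)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: a lone leftmost '*' stands for exactly one label, never a TLD."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) >= 3
            and p_labels[0] == "*"
            and p_labels[1:] == h_labels[1:])


def name_covers(cert, hostname):
    """True if any name in the certificate matches the hostname the user typed."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def in_validity_window(cert, now):
    """notBefore <= now < notAfter, both parsed from the GMT strings getpeercert() gives."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            < ssl.cert_time_to_seconds(cert["notAfter"]))


def would_show_padlock(cert, hostname, now):
    """Name and validity only. Chain building and revocation are the CA-side checks also done."""
    return name_covers(cert, hostname) and in_validity_window(cert, now)


def days_remaining(cert, now):
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def renewals_due(certs, now, warn_days=30):
    """Names whose certificate expires within warn_days; 30 is certbot's default renewal point."""
    return sorted(name for name, cert in certs.items() if days_remaining(cert, now) < warn_days)


def fetch_cert(host, port=443, timeout=5):
    """Live variant (needs network): the leaf certificate a server presents for `host`.
    create_default_context() verifies chain and name, so a bad certificate raises rather than returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    phish = SAMPLE_CERTS["natwest.securebanking.site"]
    print("padlock on natwest.securebanking.site:", would_show_padlock(phish, "natwest.securebanking.site", NOW))
    print("same cert accepted for natwest.com:  ", name_covers(phish, "natwest.com"))
    print("renewals due within 30 days:", renewals_due(SAMPLE_CERTS, NOW))
```

    To run this against real hosts, swap the dict for fetch_cert(name) per site and keep the 30-day threshold; a validation-only certificate passing every check here is exactly TimB's point, since the checks prove control of the name, not who is behind it.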

    1. Anonymous Coward
      Anonymous Coward

      Re: Half and Half

      "2. Not everything needs HTTPS."

      Have you heard of the Chinese Cannon? That transparently MitM's HTTP connections that pass through it and injects malware into every single page it sees. If China can do it, why can't someone else? The exact content doesn't matter anymore, only that it's sent in the clear. In the post-Snowden world, EVERYTHING has to be encrypted or the one that isn't becomes the one that gets you.

      "Many wont spend the time to learn and fix, they will just stop when google says "Green Circle""

      As they say, "Shape Up or Ship Out" Either way, you're no longer a potential unsuspecting malware avenue, and the Internet will thank you.

    2. Kiwi

      Re: Half and Half

      Obligatory link to the Qualys SSL checker

      Did my sites with LetsEncrypt. They get an A with the link you gave (thanks for reminding me to re-check).

      I wonder how many "ordinary webmasters" would know what to do about the deficiencies stated for a specific site. Suddenly the knowledge bar just got a lot higher. Many won't spend the time to learn and fix, they will just stop when google says "Green Circle"

      I often stop for a while at "good enough", but that depends on the site requirements. Also things like page speed tests and so on, which do depend on my available resources, must be in one of their top two levels except for a couple of pages I've done which are heavy on graphics.

      And while I use google's tools to check some stuff, they aren't the key metric. Customer and user experience is. Although sadly I've had to break some sites to fit in with Google's "must be mobile friendly" annoyance - many sites simply will not work on those tiny screens.

  13. Joe Harrison

    Might be bigger pain than looks at first

    On my work machine I regularly trip up on sites which Chrome tells me have failed to prove their identity and are insecure. What it really means is that I don't have a root certificate installed from WhateverCA Inc. I then click "OK go ahead anyway". Sometimes however Chrome refuses to let you continue to that site at all, which I think is called certificate pinning.

    I certainly could not cope with an increase in this kind of behaviour, which would be the logical consequence if all sites used SSL.

  14. GloomyTrousers

    Silly question...

    ...but how are they going to reliably determine that a site is asking for a credit card number? Am I missing summat? Asking for logins, I suppose you could look for <input type="password"... /> and flag on that basis, but I can't think of a reliable method for credit cards.
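
The question above (how a browser can tell that a page is asking for a password or a card number) is answerable offline for a site owner's own pages. The following scanner is an added example, not Chrome's code and not a description of Chrome's exact heuristic: it flags `<input type="password">`, inputs whose `autocomplete` token comes from the HTML autofill list for payment cards (`cc-number`, `cc-csc`, and so on), and, as a fallback heuristic chosen here, inputs whose name or id contains a card-like substring. The sample pages are constructed for the example.

```python
from html.parser import HTMLParser

# autocomplete tokens from the HTML autofill field-name list that mark
# payment-card inputs
CARD_AUTOCOMPLETE = {"cc-name", "cc-number", "cc-csc", "cc-exp",
                     "cc-exp-month", "cc-exp-year"}
# fallback substrings matched against name/id; a heuristic chosen for this
# example, not a documented browser rule
CARD_NAME_HINTS = ("cardnumber", "card_number", "card-number", "ccnum",
                   "cc_number", "creditcard", "cvv", "cvc")


class SensitiveFieldScanner(HTMLParser):
    """Collects (kind, field) pairs for every <input> that looks like a
    password or payment-card field."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; values may be None
        a = {k: (v or "").lower() for k, v in attrs}
        label = a.get("name") or a.get("id") or "?"
        if a.get("type") == "password":
            self.findings.append(("password", label))
            return
        if set(a.get("autocomplete", "").split()) & CARD_AUTOCOMPLETE:
            self.findings.append(("card", label))
            return
        ident = a.get("name", "") + a.get("id", "")
        if any(hint in ident for hint in CARD_NAME_HINTS):
            self.findings.append(("card", label))


def scan_html(html):
    """Return the list of (kind, field-label) findings for one page."""
    parser = SensitiveFieldScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def should_warn(page_url, html):
    """True when the page is served over cleartext HTTP and contains at
    least one password or card field: the condition the article describes."""
    return page_url.lower().startswith("http://") and bool(scan_html(html))


# constructed sample pages (not taken from any real site)
SAMPLE_LOGIN = ('<form action="/login"><input name="user">'
                '<input type="Password" name="pass"></form>')
SAMPLE_CHECKOUT = ('<form><input name="cardholder" autocomplete="cc-name">'
                   '<input name="number" autocomplete="cc-number">'
                   '<input name="cvv" maxlength="4"></form>')
SAMPLE_PUBLIC = '<form action="/search"><input name="q" type="text"></form>'

if __name__ == "__main__":
    for url, page in [("http://cafe.example/login", SAMPLE_LOGIN),
                      ("http://cafe.example/pay", SAMPLE_CHECKOUT),
                      ("http://cafe.example/", SAMPLE_PUBLIC)]:
        verdict = "warn" if should_warn(url, page) else "no warning"
        print(url, "->", verdict, scan_html(page))
```

The search form on the public page produces no finding, which is the case several commenters raise: a page with no password or card field is not what the January change targets. Fields a site builds dynamically with JavaScript are not visible to a static parse like this one, so a page that injects its login form client-side needs to be checked in a browser.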

  15. Anonymous Coward

    How does this 'Certificate' play with Private Registration?

    I've got a website that has the optional private registration, supposedly making the Who-Is links from it to me less transparent to the general public.

    If one would eventually need to add all this 'Certificate' nonsense, then how well does that play with private registration?

  16. andy 103

    Many sites have no need at all for HTTPS

    Hmm, I'm not sure I agree with this. If Google could verify that the site in question *needed* HTTPS for a valid reason (e.g. it takes payments on-site, or has a login facility) then fair enough. But to just label all sites as insecure if they don't have it, is a bit silly.

    Let's consider a small business like a cafe where they have a single page site with some totally public information on it. Are they going to shell out for an SSL certificate? They'll just see it as yet another tax and cost for...what exactly?

    The bottom line is that there are quite a lot of sites out there which are for 100% publicly accessible information. These do not require SSL for anything, as far as I'm concerned.

    1. Charles 9

      Re: Many sites have no need at all for HTTPS

      Oh? What if it gets MitM'd by something like the Chinese Cannon? The content is irrelevant: only that it's in the clear and therefore can be injected with malware on the fly.

      1. toughluck

        @Charles 9 Re: Chinese Cannon

        Oh? What if it gets MitM'd by something like the Chinese Cannon?

        My local pizza parlor will no longer list pepperoni because somebody doesn't like it and doesn't want anyone to order it, of course.

        The content is irrelevant: only that it's in the clear and therefore can be injected with malware on the fly.

        I won't accept cross-site side loading, so the malware doesn't get displayed or executed. And if the site is hacked and malware is added at the point of origin, it doesn't matter whether it's HTTP or HTTPS and blindly trusting HTTPS to be safe and secure is even more dangerous.

        1. Charles 9

          Re: @Charles 9 Chinese Cannon

          "I won't accept cross-site side loading, so the malware doesn't get displayed or executed."

          It wouldn't be cross-site but inline. And you can't MitM HTTPS without the certificate's private section, in which case like you said you're beyond screwed. Hopefully, though, safeguarding that should be easier to do.

          1. toughluck

            Re: @Charles 9 Chinese Cannon

            If it's inline, it would also need to point at the same domain and I would need to be able to download it using exactly the same route, so the MitM attack would need to intercept all traffic, not just inject the link to malware.

            In such a case, the attacker would need to control the edge router of either you or the site you're trying to access, in which case it doesn't make much of a difference whether the attacker is using HTTP or HTTPS.

            Of course, your friendly oppressive dictatorship which controls every router might pull it off much easier, but for them, it's just enough to censor the content they don't want you to see, what's the point in spreading malware, and through a MitM attack of all things?

            It's a theoretical attack in the same sense as saying it would be terrible if a hacker was able to put a USB stick loaded with malware in a computer at a nuclear power plant control room. Given that it requires physical access to the room, if somebody can access it, you've got much bigger security issues than that USB stick.

            1. Charles 9

              Re: @Charles 9 Chinese Cannon

              "It's a theoretical attack in the same sense as saying it would be terrible if a hacker was able to put a USB stick loaded with malware in a computer at a nuclear power plant control room. Given that it requires physical access to the room, if somebody can access it, you've got much bigger security issues than that USB stick."

              Given this is the likely avenue of Stuxnet, which if you'll recall jumped an airgap, I wouldn't necessarily call that theoretical.

              "If it's inline, it would also need to point at the same domain and I would need to be able to download it using exactly the same route, so the MitM attack would need to intercept all traffic, not just inject the link to malware."

              The key is to inject the malware--INLINE--straight into the HTML so it doesn't HAVE to go outside its domain to pwn your connection. Once you're pwned, it can do whatever it damn well pleases.

              1. toughluck

                Re: @Charles 9 Chinese Cannon

                Do you execute untrusted code (which could be malware) from a http protocol site? I doubt it. If it were https, a lot of people would think it's legit and code would be executed.

                So there's one point down for https.

                As I pointed out, the attacker would have to control the edge router at either end. If they control the edge router at the website you're accessing, they presumably control the web server as well, and at that point they can inject whatever they please into the pages they serve or serve whatever they won't -- and it will all be HTTPS with valid certificates.

                Same applies for the edge router at your end. SSL forwarding as much as they want and they can look into the content you're getting.

                A MitM attack somewhere at a random point between edge routers has almost no chance of succeeding, unless the attacker controls all routers at which point you have a much bigger problem.

                --

                I was expecting you to mention Stuxnet. And let me repeat: The Iranian nuclear program had much bigger problems than Stuxnet if it was able to jump the airgap. Stuxnet only used a vulnerability that was already present.

                1. Charles 9

                  Re: @Charles 9 Chinese Cannon

                  "Do you execute untrusted code (which could be malware) from a http protocol site? I doubt it. If it were https, a lot of people would think it's legit and code would be executed."

                  One, it doesn't have to be code; it could be a direct HTML exploit that has no code in it whatsoever, like a malformed CSS exploit (and CSS is standard in HTML 4+). Two, it can be one of the MANY sites where local script execution is REQUIRED for the site to function (an AJAX setup, for example, JavaScript is the J). And it's too late to say ditch JavaScript and go back to the bad ol' days because consumers expect faster feedback on their actions (especially for time-sensitive stuff like eBay).

                  We are rapidly descending into a DTA world where we need a way to stop even the edge routers from sniffing in (because they could be controlled by a repressive state).
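
The inline injection discussed from the first "Chinese Cannon" mention above through this exchange is the one concrete attack the thread turns on, so here is what that rewrite looks like in code. This is an added example written for this page, not the Cannon's code and not an exploit against any particular site: a function standing in for an on-path device that takes a cleartext HTTP response, inserts a `<script>` block before `</body>`, and patches `Content-Length` so the browser reads the whole modified body. The sample responses are constructed, not captured traffic. It only handles the simple case (a 200 response, `text/html`, neither compressed nor chunked) and otherwise returns the bytes untouched.

```python
# Constructed sample traffic (not captured data): a cleartext HTTP/1.1 reply
# carrying a small, entirely public page.
SAMPLE_BODY = b"<html><body><h1>Opening hours</h1><p>Mon-Fri 8-17</p></body></html>"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
# two responses the simple rewriter must leave alone
SAMPLE_JSON = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
               b"Content-Length: 13\r\n\r\n{\"open\":true}")
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"
                  b"43\r\n" + SAMPLE_BODY + b"\r\n0\r\n\r\n")


def split_response(raw):
    """Split raw response bytes into (status line, header dict, body).
    Header names are lowercased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inject_inline_script(raw, payload):
    """Return `raw` with `payload` inserted as an inline <script> before
    </body>, or `raw` unchanged when the response is not plain, uncompressed,
    non-chunked HTML. The injected script runs in the page's own origin, so
    no cross-site request is needed, which is the point made above."""
    status, headers, body = split_response(raw)
    parts = status.split()
    if len(parts) < 2 or parts[1] != b"200":
        return raw
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw
    if b"content-encoding" in headers or headers.get(b"transfer-encoding"):
        return raw  # would need decompressing / de-chunking first
    marker = body.lower().rfind(b"</body>")
    if marker < 0:
        return raw
    new_body = body[:marker] + b"<script>" + payload + b"</script>" + body[marker:]
    # rebuild the head, patching Content-Length to the new body size
    rebuilt = []
    for line in raw.partition(b"\r\n\r\n")[0].split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: %d" % len(new_body)
        rebuilt.append(line)
    return b"\r\n".join(rebuilt) + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    modified = inject_inline_script(SAMPLE_RESPONSE, b"console.log('injected by on-path party')")
    print(modified.decode("utf-8"))
```

Nothing in this function depends on what the page says; the pizza menu and the bank login are rewritten by the same few lines, which is why the content being public does not remove the risk. Against HTTPS the same on-path box sees only TLS records: to get at the plaintext it must terminate TLS itself with a certificate the browser accepts for that hostname, meaning either the site's private key or a CA the client trusts. That is the correct form of the "certificate's private section" point made above.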

    2. Anonymous Coward

      Re: Many sites have no need at all for HTTPS

      If Google could verify that the site in question *needed* HTTPS for a valid reason (e.g. it takes payments on-site, or has a login facility) then fair enough.

      This is the first sentence of the article:

      Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP.

  17. Dwarf

    Internal sites

    What about all the internal home based web enabled things we have that don't need a cert like accessing the NAS and a pile of Raspberry Pi's

    1. John H Woods

      Re: Internal sites

      "What about all the internal home based web enabled things we have"

      AFAIUI, you'll still be able to do that. You'll get a warning, that's all, which presumably you can override so it does not subsequently appear.

  18. Mike Shepherd

    Unsupported browser

    As volunteer for our local history society, I host and maintain their ASP.NET web site. Our aim is to publish on-line as many of our exhibits as possible, but the site has no membership system, nor does it process payments.

    I've run an SSL site (when this wasn't as straightforward as now), but I don't plan to burden the society (or myself) with obtaining and maintaining a site certificate while we transfer no secret information.

    It will be easy, however, to identify requests from Chrome and to include in our response a warning banner that the browser is unsupported (since it may show spurious security warnings) with links to alternatives.

    1. Charles 9

      Re: Unsupported browser

      But what if you get targeted for something like Chinese Cannon, which doesn't require physical presence (it can be done MitM)?

      1. Charles 9

        Re: Unsupported browser

        And here's another angle. They could just ALTER the content to their pleasing (and your DISpleasing) and there'd be nothing you could do to stop it because it's outside your scope. Again, that was something the Chinese Cannon did, and who's to say no one else could do it? Remember, anything in the clear is like a postcard, and what's to stop ANYONE along the chain SWITCHING the postcard?

    2. Anonymous Coward

      Re: Unsupported browser

      "It will be easy, however, to identify requests from Chrome and to include in our response a warning banner that the browser is unsupported (since it may show spurious security warnings) with links to alternatives."

      Which will do very little for people on Android phones (most Android browsers are just reskins of the built-in browser) or on Chromebooks (where it's pretty much Chrome or Bust).

      1. stephanh

        Re: Unsupported browser

        Firefox is a great alternative on Android.

        Posted from my Android tablet using Firefox.

        1. Charles 9

          Re: Unsupported browser

          Although I use it myself, I also note that it's not the leanest app out there; my device at least has the specs to run it smoothly. For those with bottom-of-the-line phones, this may prove too cumbersome to use.

    3. Kiwi

      Re: Unsupported browser

      I've run an SSL site (when this wasn't as straightforward as now), but I don't plan to burden the society (or myself) with obtaining and maintaining a site certificate while we transfer no secret information.

      Firstly, thanks for your public service - especially if you're doing it for free. Small private museums can give really great experiences, but often get missed due to lack of visibility.

      I have a few domains and sub domains on one small server, all currently running HTTPS. I did it with the free LetsEncrypt system which so far was quite easy to set up and configure, and means the websites and email (IMAP etc) get proper certs, not self-signed ones. There's also the option to automatically manage the scripts through a cron job so that new ones are set up before the old ones expire. I'll know if that's working right in a few weeks time.

      So far, it really was very easy to set up and get running, most of it automated - though I would always recommend learning enough to hopefully spot anything dodgy in such a program.

      HTH
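
Both the worry about expired-certificate warnings a year or two after sites switch over (item 5 in the "Half and Half" list) and the cron-driven Let's Encrypt renewal described just above come down to one check: is the certificate the server actually presents inside its renewal window? The script below is an added example, not part of the comment or of the Let's Encrypt tooling. It computes the status from the `getpeercert()` dictionary Python's `ssl` module returns, using the 30-day threshold certbot uses by default for 90-day Let's Encrypt certificates, and includes a live fetch for running it against real hosts. The sample certificate dictionary is constructed.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Let's Encrypt certificates are valid for 90 days; certbot renews once fewer
# than 30 days remain, so that is the threshold used here.
RENEW_WITHIN_DAYS = 30


def utc(year, month, day, hour=0):
    """Aware UTC datetime, used for the sample checks below."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def expiry_of(cert):
    """cert is the dict returned by SSLSocket.getpeercert(); its 'notAfter'
    is a string such as 'Mar 10 12:00:00 2017 GMT'."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_remaining(cert, now):
    return (expiry_of(cert) - now) / timedelta(days=1)


def renewal_status(cert, now, renew_within=RENEW_WITHIN_DAYS):
    """'ok', 'renew' (inside the renewal window) or 'expired'."""
    left = days_remaining(cert, now)
    if left <= 0:
        return "expired"
    if left < renew_within:
        return "renew"
    return "ok"


def fetch_peercert(host, port=443, timeout=5.0):
    """Live check. The default context verifies the chain against the
    system trust store and checks the hostname, so a self-signed or
    misnamed certificate raises ssl.SSLError here instead of being
    reported as 'ok'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# constructed sample, in the shape getpeercert() returns, for a certificate
# that expires at noon UTC on 10 March 2017
SAMPLE_CERT = {"notAfter": "Mar 10 12:00:00 2017 GMT",
               "subject": ((("commonName", "www.example.test"),),)}

if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if not hosts:
        print("sample:", renewal_status(SAMPLE_CERT, utc(2017, 2, 20)))
    now = datetime.now(timezone.utc)
    for host in hosts:
        cert = fetch_peercert(host)
        print(host, renewal_status(cert, now),
              "%.1f days left" % days_remaining(cert, now))
```

Run it from cron a day or two after the renewal job is due and alert on anything other than `ok`; because it asks the live server, it also catches the case where certbot renewed the file on disk but the web server was never reloaded and is still serving the old certificate.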
