back to article From July, Chrome will name and shame insecure HTTP websites

Three years ago, Google's search engine began favoring in its results websites that use encrypted HTTPS connections. Sites that secure their content get a boost over websites that used plain-old boring insecure HTTP. In a "carrot and stick" model, that's the carrot: rewarding security with greater search visibility. Later …

vir
Bronze badge

Good Strategy?

Or just further training users to ignore security warnings? Plus, who actually checks for the "Secure" icon when they're not entering personal information into a form?

29
3
Silver badge

Re: Good Strategy?

Instead they could just show http(s) prefix and make inspecting certificates easy, but this is so yesterday.

13
1
Silver badge

Re: Good Strategy?

Have to agree here - why the hell they buried it under F12 -> move the tabs right -> Security is anyone's guess.

Much easier when users could just click on the padlock to get information about certificates.

14
1

Re: Good Strategy?

Thank you kind stranger, I've been looking for the view certificate option for months now!

4
0
Silver badge

Re: Good Strategy?

"Thank you kind stranger, I've been looking for the view certificate option for months now!"

Seconded, I resorted to opening sites in IE to check certs as its the same as its always been in there!

1
0
Anonymous Coward

Chrome now installs Spyware that silently scans all files called software_reporter_tool.exe"

Yesterday I came back, my notebook running with full fan speed, was hot. Good that I had ProcessExplorer running. It was a new EXE that scanned all my files and tried to upload the log file (incl. filenames and running processes) to Google server! The software_reporter_tool.exe gets silently installed and runs only in idle, when you are not using Windows 7/8/10. And even if you delete the EXE, it gets re-installed the next day by Chrome update process.

@TheRegister: please write an article, we need a public outcry, so that Google stops this spyware

See: https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-software-reporter-tool-software_reporter_tool-exe/

C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\SwReporter\VERSION\software_reporter_tool.exe

On a lot of forums people are complaining for almost two years now, as the process is very sneaky it's hard to spot it being active. Yet it runs on all Windows-PCs that have Chrome installed.

What is worse is that Google employees provide false information on their Google Group forums to downplay the functionality, how to deactivate it (no, there is no entry in the software control panel!).

The only way to get rid of it, is to delete the files, but keep the "\SwReporter" folder, but remove all permissions, effectively lock out everyone, so that even one himself cannot open it anymore with Explorer.

I urge everyone to install a Chromium Windows build, or Brave, Vivaldi, etc.

5
0

Re: Chrome now installs Spyware that silently scans all files called software_reporter_tool.exe"

I had something similar on Linux with chrome. It was running one of their test suits which put my fan in turbo, kept doing it for 2 days on and off. I couldn't work out what it was actually doing other than two new chrome processes started and took all processor resources.

I understand (although totally disagree and hate) that today's climate is all about giving up all details of everything you do on a PC but there's never a button that says "don't do it" or "don't do it now I want my computer back!". It's all very secretive.

2
0
Silver badge
Meh

Meh

I'm not sure I see the value in creating a bunch more aggregate traffic and load for essentially trivial traffic (e.g. reading tech news sites) as opposed to protecting critical information such as login info and credit card details. Maybe I'm not paranoid enough.

14
5

Re: Meh

"I don't see the value"

There is benefit to encrypting everything - the bad guys can't tell what is valuable from what is prosaic. Too much noise - not security by obscurity, but raising the cost for having to decrypt everything.

15
2
Silver badge

Re: Meh

Man-in-the-middle malware attacks.

ISPs have been caught modifying and injecting ads.

You can't do that on HTTPS. Not without flagging a bunch of warnings.

However, it does remove/destroy all the capacity of centralised caching (e.g. in workplaces) for simple things like images and static pages. But I can't say that's a bad part of the trade-off... pretty much the cacheability of websites has plummeted in recent years because of video, CDN, advertising, etc. anyway.

There's no reason NOT to encrypt. And a hundred TO encrypt.

Now if we could just worry about end-to-end encryption for all email, then we might actually be living in the 21st century a bit.

27
3
Anonymous Coward

Re: Meh

As Lee D said.

"I'm not sure I see the value in creating a bunch more aggregate traffic and load for essentially trivial traffic". Without SSL, that "trivial traffic" could be modified - that might not be a risk to you, as the content provider, but it is a risk to your users who could as Lee D said end up infected. You may not see your content as valuable, but I guarantee your users see their computer/data as valuable.

As techies living in the server room, it's easy to forget your users need protecting too.

11
0
Silver badge

Re: Meh

> ISPs have been caught modifying and injecting ads.

MitM could even inject coin miners.

> However, it does remove/destroy all the capacity of centralised caching (e.g. in workplaces)

It removes it for byod stuff, but company issue kit can have a MitM trusted CA to sign your fake certs.

1
0
Silver badge

Re: Meh

But then how would we perform lovely hacks like this ?

http://www.ex-parrot.com/pete/upside-down-ternet.html

0
0
Anonymous Coward

Well done Google, NOT

Amazon.com works fine with HTTP-only (except for its login page), at least for more than two decades (1995-2017). HTTP is completely fine for most websites. And if you are doing e-commerce, or banking, such sites have HTTPS support anyway. This is a war or HTTP for no good reason. The reason is with HTTPS you traffic is unique and you can be traced very easily.

And of course Email is still sent in plain text, and there is no lobbing for S/MIME and GPG at all - because the browser cartel (who also is the email cartel) doesn't care about data privacy at all, it's all about spying the end user and tracking them. And HTTPS is a good vehicle to create an ad-monopoly on top of it. And don't forget about LAN and IoT where HTTP is irreplaceable, realistically. Getting users to install self-signed SSL certs on their LAN devices looks shady and simply doesn't work.

And the best joke is their Let's Encrypt thingy, guess what you allow them root access to your server by running their code on your server, and they can slip you in another cert or read your data, and make your server more vulnerable (Heartbleed anyone - only HTTPS servers were insecure) And to push Let's Encrypt, they stop trusting Symantec, GeoTrust, RapidSSL and Thawte certificats! And show a big "NOT SECURE" warning for all HTTP websites. WTF, this is so evil! Screw the browser cartel (Goo, Moz, M$) for destroying the web.

8
13
Anonymous Coward

Re: Well done Google, NOT

Actually, I think my tin-foil hat may be a bit tight today, you might want to take that with a pinch of salt....

0
0
Silver badge

Re: Meh

"...Man-in-the-middle malware attacks..."

Except, when you work at many places using Bluecoat et al, they are MITM appliances.

Amazing how many tech folks still don't get that concept.

2
0

Re: Meh

As a trivial example of why it's a GOOD thing to encrypt all pages, even ones that don't have a form on them to collect your data, consider this: You have a bunch of pages that just have some content on them, no forms. They DO have a link to your login page (which itself uses HTTPS). Without HTTPS, it's very simple for requests for those content-only pages to be intercepted and altered before they're sent on to the customer - so the customer receives all the same content with a login link which looks the same but which now actually sends the user to a malicious site which harvests his/her login details.

If HTTPS is mandated for all pages, that kind of attack just cannot happen. HTTPS doesn't just protect data that you send, it guarantees that the data (i.e. the HTML/Javascripts) that you've received is what was intended by the site owner.

5
1

Re: Meh

> raising the cost for having to decrypt everything

But since the name of the site you are accessing is visible *in clear text* at the start of the TLS session, thanks to SNI, it's pretty easy to weed out the traffic worth attacking.

1
0
Silver badge

Re: Meh

Pre SNI, you could only have been 1 HTTPS cert per IP address*. So a pretty trivial reverse DNS lookup will would have revealed the site you were visiting**. HTTPS won't stop a MitM knowing that you went to en.wikipedia.org. But they cannot see the specific pages within Wikipedia that you visited.

*It was technically possible to do multiple subdomains with a wildcard (eg *.theregister.co.uk could multi tennant forums and www and whatever else on the same IP address). It was technically possible to do a SAN cert (eg, Google could have got a single certificate for google.com, YouTube.com, gmail.com etc.) But for the most part, if you wanted HTTPS (pre SNI), you had to buy a dedicated IP address for it.

**TOR or a VPN through a trustworthy provider are your friends to that end.

0
0

Re: Meh

as to the no reason not to encrypt argument - I'd beg to differ. Encryption costs money, which will have come some from somewhere. With the pervasive advertising/profiling/re-selling of user data business model that will in all likely hood mean the even further dissemination of the user’s data and a corresponding tightening of their/our filter-bubble.

0
1
Silver badge
Facepalm

Dumb move

Just because the connection between the website and the browser is or isn't encrypted, doesn't automatically imply that the website is also (in)secure to use. I know this sounds obvious but you have to keep in mind that plenty of IT illiterates will also be using this system, and I for one can easily imagine situations where some might even ignore possible risks because "the website is secure" while it's not.

It's plain out nonsense that a website which doesn't ask for any user input would be more secure if it uses HTTPS vs. HTTP.

Sure, you can get free certificates. But if your hosting provider doesn't support SSL you have no other option but to get a more expensive subscription. If you actually care for this nonsense of course.

15
4

Re: Dumb move

>> It's plain out nonsense that a website which doesn't ask for any user input would be more secure if it uses HTTPS vs. HTTP.

No it's not nonsense at all. A website that doesn't use HTTPS can have its pages, as displayed in the browser, modified in any way by simple MITM efforts. That's trivial to do and therefore it is most certainly less secure than if it used HTTP.

(NOTE: That's not to say it IS secure if it uses HTTPS just that it's more secure as there are less attack vectors).

14
4
Bronze badge

Re: Dumb move

Google's actions are Suspect.

Its also much more secure if your website only connects to one server. Instead of sidelining info to Google Facebook and friends.

What are the chances of chrome saying that a site that only visits _one_ secure destination is more secure than one riddled with ads?

Google likes ssl because it inhibits competition from seeing referer headers which they already know.

Chrome sends everything you type even local network hosts off to the chocolate factory. No way that is secure. They don't care about security or privacy unless its _also_ an earner for them.

Anything that makes the web more expensive for server owners is good for Google.

13
3
Silver badge
Coat

Re: Dumb move

"Chrome sends everything you type even local network hosts off to the chocolate factory. No way that is secure. They don't care about security or privacy unless its _also_ an earner for them."

Just for fun, why not have your site browser sniff - and if it detects Chrome, display some appropriate text about the slurp-tastic nature of Google.

8
1
Orv
Silver badge

Re: Dumb move

Chrome sends everything you type even local network hosts off to the chocolate factory.

Settings, Advanced, Privacy and Security.

Uncheck "Use a prediction service to help complete searches and URLs typed in the address bar."

2
0
Silver badge
Coat

Re: Dumb move

"Just for fun, why not have your site browser sniff - and if it detects Chrome, display some appropriate text about the slurp-tastic nature of Google."

Wow. Now I know we've gone full circle - anyone here remember "Netscape crippled" sites?

3
0
Silver badge

yet more encouragement ...

... to abandon efforts at running your own website and go with one of the big hosting companies.

Bah humbug.

14
7
Silver badge

Re: yet more encouragement ...

Setting up a website to use HTTPS is simple, though. This shouldn't be much, if any, impediment even to the smallest of site operators.

6
4

Re: yet more encouragement ...

SSL certificates are free and take little effort to install, add virtually no load or problems for your website and require at most a renewal every now and then. If that's all it takes to dissuade you from self-hosting…

4
3
Orv
Silver badge

Re: yet more encouragement ...

Agreed, if you can't even put in that level of effort, self-hosting may not be for you. I mean, even SSL aside, you do have to keep up with security fixes and such. It's not fire-and-forget.

5
4
Bronze badge

Re: yet more encouragement ...

The world of software as we know it is a mess because widely used applications like browsers are targeted at the needs of a relatively narrow group of users. These users, the ones that use the Web for information and entertainment, are the most numerous but realistically all they do is browse websites, consume multimedia streams and get served advertisements. Since the 'push' needed to monetize these sites demands that users run scripts there's a problem with ensuring the integrity of what's being pushed at you. The result is an ever narrowing of browser capabilities even as the things get bulkier and bulkier (and consume more and more resources).

This leaves other users like SCADA systems out in the cold. These users can't rely on upgrading their software every five minutes to fix vulnerabilities and get whatever the latest and greatest is, they need consistent, reliable, code that's stable for years. Communication between the units is a bit simplistic, but then it doesn't need to be anything more (you certainly can't rely on the whole IoT house of cards -- its too slow and too unreliable -- too many potential points of failure). Bottom line is its a real pain when Chrome or whatever won't open a webpage because it doesn't think its secure (well, it isn't, but realistically its none of its business -- sure, its useful to protect unsophisticated users from themselves but everyone else should be keeping things hygenic).

4
1

This post has been deleted by its author

Anonymous Coward

Re: yet more encouragement ...

> SSL certificates are free

The best joke is the browser cartel's Let's Encrypt campaign. It's "FREE". Yeah "free" as Facebook. You are the product. You allow them root access to your server by running their code on your server, and they can slip you in another cert or read your data, and make your server more vulnerable (Heartbleed anyone - only HTTPS servers were insecure).

And to push Let's Encrypt, they stop trusting Symantec, GeoTrust, RapidSSL and Thawte certificats! And show a big "NOT SECURE" warning for all HTTP websites. WTF, this is so evil!

Screw the browser cartel (Goo, Moz, M$) for destroying the web.

2
10
Anonymous Coward

Re: yet more encouragement ...

"... You allow them root access to your server by running their code on your server"

You don't have to allow any of their code on your server. You can manually get the certs or use a number of other scripts to auto-renew.

They highlight hundreds of different scripts and clients you can use on their website: https://letsencrypt.org/docs/client-options/

Their recommended one Certbot is maintained by the EFF and has a link in it's main menu to the source code https://github.com/certbot/certbot. It doesn't get much more transparent than that.

Iit is optional whether you use Let's Encrypt or you choose to pay for another provider.

So it might be worth checking the facts before posting?

12
3

Re: yet more encouragement ...

"...SSL certificates are free and take little effort to install, add virtually no load or problems for your website"

This is exactly the problem. Google are training naive users into thinking that just because the site is HTTPS, somehow it's bona fide. When any old idiot can get a cert for free, that's a very dangerous assumption.

5
0
Orv
Silver badge

Re: yet more encouragement ...

I'd argue that if you're running Certbot as root, you're definitely doing it wrong. There's nothing about it that needs root access. It needs write access to the certificate files and possibly your web directories (depending on your validation method), but that doesn't have to involve system root access.

3
0
Anonymous Coward

Let's encrypt?

Really, that is your suggestion? might as well stay with http.

4
13
Silver badge

Re: Let's encrypt?

Yesterday I completed a guide on how to implement let's encrypt, including simple openssl.cnf files and using something other than certbot. Apache on *nix systems. Hopefully useful to some of you.

8
1
Anonymous Coward

Re: Let's encrypt?

The cheapest non-free certificates come at $5 per year and domain. I don't consider paying $15 and handling some certificates every 3 years much of a problem.

So yeah, certificates are practically free.

(V ohl ng uggcf://purncffyfrphevgl.pbz/ rira gubhtu gur anzr erzvaqf zr bs Ubarfg Npuzrq :-)

0
0

Re: Let's encrypt?

@Alain,

You seem to be one of the few that looked into certbot and I see you have your own reasons not to run it on your systems. I don't like the idea that the default install can update the script and replace it with something else running as root. While there has been care to make that harder to MITM, anyone who can get a bad cert installed in the system CA chain might be able to p0wn the server. It is a big enough target surface not to have thousands of people working on that right now.

On my virtual host servers, I use dehydrated which is a simple shell program running as its own user.

I trust all CAs equally but see them as a necessary evil. As soon as I find one that doesn't have a spook or former spook high up in their management, I might trust one more than the others.

1
0
Silver badge

Re: Let's encrypt?

On my virtual host servers, I use dehydrated which is a simple shell program running as its own user.

I looked at dehydrated; I found it complicated, tries to do too much, poor internal documentation. Which is why I wrote what I did.

0
0

"In compliance"

Not doing what Google wants doesn't mean you're not in compliance.

10
2
Orv
Silver badge

Re: "In compliance"

True, but it's not just Google making this call. More and more web tech is TLS only. HTTP2 mostly is. (The spec supports unencrypted connections, but hardly anyone implements it.) Web workers are. The writing is on the wall, the HTTP specs are not going to support plaintext at the same level of functionality as TLS, going forward.

0
2
Silver badge

Re: "In compliance"

Put it this way. There's a reason plaintext Telnet and FTP have been replaced with Secure Shell and Secure FTP. This is no different.

3
5
Silver badge

Re: This is no different.

Us deciding to use stuff and us being told to use stuff are no different?

6
1
Anonymous Coward

Re: This is no different.

You're told to stay on one side of the road. You're told to maintain a pecking order when it comes to crossing streets (both to maintain order). You're told to keep your rubbish under control (reduces fire risk and discourages scavengers).

Now you're told to keep your sites under wraps so they can't be exploited.

No, I don't think it's all that different, honestly.

1
3
Anonymous Coward

The biggest problem I have with this is the term "secure".

Yes, we know what it means but too many "normal" people think it means safe. Even the TV ad over xmas with the robot toy saying "look for the green padlock" made the same mistake - "secure" means nothing in regards to identity. My personal site has the "green padlock" and "secure" in the URL bar simply because I use CloudFlare's DNS - it proves nothing about the ownership of the site or whether it's "safe."

There really needs to be a better term used than "secure". "Private" perhaps?

6
1

"The biggest problem I have with this is the term "secure"."

The biggest problem I have with this is the firm "Google".

9
3
Bronze badge

CA Roots

And who checks to see that the list of trusted CAs used by the browser is actually a list they agree with?

It's all very well having a green locked padlock symbol, but all it tells the typical user is that one of a list of organisations they've never heard of say that the site being accessed is who they say they are. Malware can be delivered down encrypted connections too, and while Lets Encrypt is a commendable effort, it doesn't actually solve the problem of being sure who you (or your software) can trust.

Securely delivered malware will be coming to a browser near you, soon, if it hasn't already arrived.

12
1
Silver badge

Re: CA Roots

This is actually my only criticism of the effort. If the lack of SSL on a site is enough to have it labelled as insecure by the browser, then you could argue that certs that are only signed by the big CAs should be labelled as such, too.

I gave up on considering them "trusted" a few years back.

4
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018