Google Chrome update to label HTTP-only sites insecure within WEEKS

A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings. The changes will come for surfers once Chrome 68 stable …

Anonymous Coward

If only it were that easy

to convert a site to HTTPS.

For most individuals and small businesses it is beyond their capabilities. The whole process is a mess

How many small businesses with just products on view and no ordering will bother until their web traffic dries up.

So Google how about providing idiot proof guides to help the technical illiterate with their auto created site working on HTTPS...?

Don't even get me started on Certificate Renewal problems.

58
11
Silver badge

Re: If only it were that easy

The AC is correct, it's a massive mistake by Google/Alphabet. Sites not using SSL/TLS shouldn't be 'shamed' like bad cats.

52
5

Re: If only it were that easy

"idiot proof guides" - see httpsiseasy.com

2
35
DJV
Silver badge

@Roger Greenwood

That's for Cloudflare ONLY! Doesn't help anyone using anything else! Sigh...

20
0
Bronze badge

Re: If only it were that easy

If a business just has an information page or blog with no visitor login, no downloadable applications, and minimal JavaScript, I can see that this will be a challenge. But, anything more sophisticated calls for suitable security, which means doing the work or outsourcing.

10
2

This post has been deleted by its author

Re: @Roger Greenwood

Worse still, Cloudflare is a giant security hole waiting to be abused.

13
2
Silver badge

Re: If only it were that easy

Even a plain information site can be MITM'd. Remember the Chinese Cannon?

3
8
Silver badge

Re: If only it were that easy

"Don't even get me started on Certificate Renewal problems."

...or sites which are HTTPS but use certs that your browser doesn't know about, so users then click to accept every unknown cert they come across.

9
2

Re: If only it were that easy

I.e. anything with any real user interaction.

0
0

Re: If only it were that easy

It *is* that easy and it is also free: here's my blog entry describing the process:

https://bhoew.com/blog/en/17

2
2
Silver badge

Re: If only it were that easy

Easy is a matter of perspective. Some of us like to just put up a page or two on random servers for people to see something and it's not appropriate to be doing certs for everything like that. Not everybody has one server that has everything they do on it. Some people have lots of servers that are just part of their personal net environment. Why is it that there is always the assumption that a site is some big deal that's "developed" and lots of time and effort is spent on it? Frankly, working on assumption is not a wise perspective.

5
0

Re: If only it were that easy

If the company which hosts your website doesn't already offer automated https certs via LetsEncrypt, get a new (and better) hosting company.

(And if you are hosting the website in-house, then the technical skills required to handle certificate installation and renewal are just some of the many that your in-house IT staff really ought to have.)

3
1
Silver badge

Re: If only it were that easy

@ Dave559 You seem to assume that only businesses use the internet. Lots of private people, hobbyists and even kids run servers and use the internet freely for enjoyment and general communications. Perhaps you're not a server guy (obviously) and perhaps you only use the net for corporate or business purposes, but please don't ignore the general public's right to basic internet freedoms.

"If the company which hosts your website doesn't already offer automated https certs via LetsEncrypt, get a new (and better) hosting company."

You're not talking about servers, you're talking about shared hosting. Not everybody buys that kind of package which is mostly (though not totally) aimed at beginners. Some of us prefer to run servers and enjoy the freedom of using the internet without paying somebody else to do the administration and telling us how to host a site. Perhaps the best way to explain it is to liken it to cooking at home. Some people like to just get the ingredients and cook for themselves whereas shared hosting is like eating at a restaurant.

Regarding moving to another hosting provider, people with dozens of sites aren't going to find moving all that easy. That said, hosting providers have a problem here too. No doubt they'll be able to do some fancy scripting to provide LetsEncrypt to each of their customers in some transparent way, but it's going to take a while for them to get it done.

3
2

Re: If only it were that easy

We moved 70+ sites (our own and clients') from a poor provider (part of the Paragon Group) to two much smaller UK hosts (split our sites/ client sites). Both providers moved the sites for us at no extra charge. We now have free certificates (tso wanted to charge £50 per year for each site), we pay less in hosting fees, have better performance, and great service when we need help - they actually have people who know what they're talking about. Average response to ticket has gone from 8 hours to about 40 minutes.

We did our research, talked to quite a few companies, and then made the choices - haven't regretted it.

2
0

Re: If only it were that easy

@Ole Juul: Your assumptions are wrong, I’m afraid. Even value shared hosting accounts run on a server, of course, and the hosting company that I use for my own personal website (on an inexpensive but good value and not CMOT-cheap shared hosting account) has had control panel “Tick to enable LetsEncrypt” for almost a year now. It really genuinely couldn’t be easier.

At work, I’m actually currently updating our servers with LetsEncrypt certs (once you have RTFM and configured your preferred ACME agent, they’re really not hard to initialise and then automatically renew via cron), and if I wanted to have a play server at home, I could just as easily do pretty much the same there too.

If you’re running a public facing CMS on a home server, and your login credentials aren’t encrypted, then, as I’m sure you know, your CMS login is unfortunately all too ripe for being sniffed off the network. Are you sure that every WiFi hotspot or other access point you connect to is entirely trustable? That’s just one reason why secure communications are a good thing.

3
0
Silver badge

The Chrome update is designed to spur the millions of sites still using HTTP to adopt HTTPS.

For millions of sites, which don't require any user input, and merely serve pages of information, there is no reason to use HTTPS, and to label them "insecure" is just scaremongering.

74
10
Anonymous Coward

I think you miss the point ...

hence downvote.

In this case, it seems to me that Google are trying - with what tools they have at their disposal - to foster an internet environment where security - at least to the level that HTTPS can provide - is something the average user doesn't need to concern themselves with. Too much.

Google's focus is the end-customer ^H^H^H^H^H^H^H^ user. Not the middleman website operator.

We need to bear in mind that there have been - and probably still are - websites which trip browser security warnings, and to which the operators (banks, financial institutions, governments) response is "ignore any security warnings".

10
33
Silver badge

Re: I think you miss the point ...

to foster an internet environment where security - at least to the level that HTTPS can provide - is something the average user doesn't need to concern themselves with

I appreciate that.

But what they will achieve, instead, is that the end user will see scary warnings when browsing perfectly innocent, and safe, websites.

42
6
Anonymous Coward

Re: I think you miss the point ...

"But what they will achieve, instead, is that the end user will see scary warnings when browsing perfectly innocent, and safe, websites."

Too many warnings on otherwise safe sites will lead the public to ignore the warnings anywhere. aka crying wolf.

40
1
Silver badge

Re: I think you miss the point ...

NO unencrypted website can really be considered safe anymore due to increasing MITM attacks like the Chinese Cannon and Verizon Supercookie. Malware can be injected even into a vanilla HTML page, on the fly, by an agent sniffing for ANY unencrypted Web traffic to hijack.

14
5
Silver badge

well, if you like ISPs injecting ads into your otherwise ad-free websites (https://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html) then, sure, go and continue using http only

I prefer to read what the author intended to be on the website, and http doesn't ensure that.

11
3
Anonymous Coward

Re: I think you miss the point ...

This. We've just written a guide explaining why this is not an issue so that our tech support people can address concerns raised by users.

Why? Because it was easier than building a system to manage certificates and server configuration for the hundreds of domains we manage, where there's no real advantage to using https (the few where there is an advantage have been using https for years, manually configured).

So we are going to be actively training users to ignore these warnings, which devalues the message - a segment of these users are not literate enough to differentiate and are likely to ignore all "This is not secure" warnings from now on. Which is really not an ideal outcome.

(This wasn't my decision, it was a management decision - the attitude was "what's the cheapest way to deal with this?". And I don't think that attitude is going to be all that uncommon)

I don't think this alarmist and incorrect labelling is doing anyone a service.

12
7
Silver badge

Most CMS systems, like WordPress, now have automated scripts for putting in certs from letsencrypt, for example. This makes it relatively easy to update.

4
1

It isn't the encryption that is the problem

as much as the authentication.

Well actually it is ALSO the encryption since that absolutely trashes multiple sites hosted on the same IP address.

So unless you run a massively wild-card certificate that covers ALL virtual hosts and do some nifty coding, you are also now being forced to find a server with a hosting company that is IPV6 capable and hope to heck that your visitors also are IPV6.

Cos no way are you gonna get 150 IPV4 addresses to run a host of little personal and SME web sites.

1
10
Silver badge

@Tomato42

If your ISP is injecting ads into the content of sites it is your problem and your responsibility to change ISP, nothing to do with the websites you visit. Perhaps try paying a decent sum for your internet access instead of going with the cheapest bargain basement option.

If your TV went on fire would you expect someone from the BBC to come fix it?

7
3
Silver badge

Re: It isn't the encryption that is the problem

@itzman the virtual hosts all use the same IP-address and the cert is for the domain name. This has been possible for over a decade - heck, I was doing this in my test environment running under WAMP and LAMP back at the beginning of the decade.

10
0

Re: @Tomato42

In the US, ISPs are mostly a local monopoly. You get your local cableco... or maybe Verizon if you're lucky. No real choice.

And when we've seen Verizon, Comcast, AT&T all MITM traffic...

And then you have people using Starbucks WiFi (are you sure you're on the Starbucks hotspot and not someone pretending to be it?) and other free hotspots...

Basically, the underlying transport must be considered insecure.

5
0

Re: It isn't the encryption that is the problem

You can run 150 web sites off one IPv4 address with TLS. It's called SNI. It's been around for ages. Unless your devices are really old it'll just work.

That's how it is done.

That said, I don't agree with this move by Google. It's poorly considered and will mislead people again. The problem with "secure" is that it is not secure - it's just encrypted between you and the point it terminates at. The site could have a web page under HTTPS that is spewing out all your details openly - it's not in any way an indicator of secure.

14
0

"The Chrome update is designed to spur the millions of sites still using HTTP to adopt HTTPS."

That may be what it is "designed" to do. It may have other effects such as to drive users away from Chrome. I trun

Or perhaps Google just did it to deliberately piss people off just because they can. It is called the Ryanair school of management.

5
0
Anonymous Coward

"putting in certs from letsencrypt, for example"

Which just makes them "encrypted", not "secure".... the two terms have very different meanings.

5
0

The WordPress sites have taken about 1 hour on average, with most of the time chasing down links and images that didn't get changed by search/replace. Some bigger sites took 4 hours.

2
0
Anonymous Coward

Google Chrome

Never used it, never will. #OpSecMatters

21
2
Gold badge

Re: Google Chrome

#HashtagsAreBloodyAnnoying

#ThisAin'tTwitter

Not that I'm a fan of Chrome. Or sometimes disgusted with Google. Here they're using their ill-gotten monopoly power to control the internet for everyone, but with nobody's permission.

Worse, they're doing it in a stupid way. False positives in security warnings absolutely destroy security. And that idiot security researcher quoted as saying people should be able to trust all websites unless told otherwise fails to understand both people and the internet.

10
0
Silver badge

What about public wifi

When I go to Aldi my phone tells me it has connected to Aldi Free Wifi. Everything then stops working until I actively start a browser and go to an http site and the Aldi router/proxy/gubbins can intercept it, show me an advert for Aldi, then redirect me to where I pretended I wanted to go.

All my bookmarks are by now https and I have to think hard for an http. Currently I am using BBC news site. What will public wifi operators do if http disappears?

9
2

Re: What about public wifi

I don’t think WiFi needs http to work, most newer devices can automatically recognize they’re in a captive portal network and show the splash page, without opening a plain http web page anymore

5
2
Silver badge

Re: What about public wifi

"When I go to Aldi my phone tells me it has connected to Aldi Free Wifi."

This sounds like you're allowing your phone to automatically connect to open WiFi hotspots when it sees them. If so, I strongly urge you to turn that off -- it's a really, truly terrible idea for a whole bunch of reasons.

18
0
Silver badge

Re: What about public wifi

This sounds like you're allowing your phone to automatically connect to open WiFi hotspots when it sees them. If so, I strongly urge you to turn that off -- it's a really, truly terrible idea for a whole bunch of reasons.

Even if for no other reason than saving battery! Having WiFi on requires power, using up battery life. Should only turn on WiFi explicitly when you want it to be on, e.g. at home connected to your WiFi, at a friends house connected to theirs, etc.

7
0
Silver badge

Re: What about public wifi

Indeed -- leaving WiFi on is, all by itself, a pretty bad idea (from a security/privacy point of view, but the battery point is valid as well).

Personally, I use Tasker to periodically check the phone's GPS location, and when it finds itself near a WiFi AP that I am willing to use, it automatically turns the WiFi on and connects. When it leaves the range of that AP, it turns the WiFi off. In this way, I get the best of both worlds -- my WiFi is off most of the time, but I don't have to remember to turn it on and off myself.

1
0

Re: What about public wifi

"Personally, I use Tasker to periodically check the phone's GPS location, and when it finds itself near a WiFi AP that I am willing to use"

GPS is also a bit of battery drain you can turn off. I use cell tower locations for the same thing, coz that part of the phone is always turned on anyway.

1
0

It's not "browsing" anymore..

So my browser is gonna tell me that every time I access my print server's config page? Will I be able to tell it to add exceptions for future visits? I doubt it.

31
0
Silver badge

Re: It's not "browsing" anymore..

Can you do https to a 192. address?

4
1

Re: It's not "browsing" anymore..

Can you do https to a 192. address?

Yes, provided whatever equipment is on that address supports https, but to the best of my knowledge you can't buy a certificate for it from any legitimate certificate provider, so unless you also run your own certificate authority and can deploy a trust certificate to any of your devices that need to access it, or deploy every self signed certificate to the devices, you will continue to have to jump through an ever increasing number of hoops every time you want to browse to it.

15
5
Silver badge

Re: It's not "browsing" anymore..

This means that things like router configuration webpages will be marked as "insecure".

It would be more reasonable to exclude 10.x.x.x and 192.168.x.x from this, but apparently Google decided otherwise.

15
2
Anonymous Coward

Re: It's not "browsing" anymore..

"It would be more reasonable to exclude 10.x.x.x and 192.168.x.x from this, but apparently Google decided otherwise."

Large company intranets may use those address ranges for all their devices.

4
2
Silver badge

Re: "Large company intranets may use those address ranges for all their devices."

And Google is the authority to decide to flag those large company intranets as insecure.

Sure.

12
1

Re: It's not "browsing" anymore..

"Can you do https to a 192. address?"

"Yes, provided whatever equipment is on that address supports https, but to the best of my knowledge you can't buy a certificate for it from any legitimate certificate provider,"

Certificates are for domain names, not IP addresses. You could, for example, hang a web server off an external IP, and a free domain name from afraid.org, for long enough to get a valid free Lets Encrypt certificate, then stick that domain name in your internal hosts file/s, pointing to your internal 192. address. Done, dusted, accepted by all browsers. Probably pointless getting a paid certificate for this sort of thing, but you could do that too.

2
1
Silver badge

Re: It's not "browsing" anymore..

So trivial then for every home user with a wifi printer, security camera, weather monitor etc

5
0

Re: It's not "browsing" anymore..

"Certificates are for domain names, not IP addresses."

Nope, SteveK had it just right. IP addresses can be used in certificates but, as with domain names, commercial CAs (that browsers trust out of the box) must verify them, which isn't possible for RFC1918 addresses. This doesn't inhibit an internal CA.

4
1
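An added example, not from any commenter, of the internal-CA route described in the post above, using the openssl command line: a private root CA signs a certificate whose subjectAltName is an RFC 1918 IP address, and the result is checked against that IP the way a browser would after the CA is imported into its trust store. The CA name, the 192.168.1.20 address and the file names are constructed for this example.

```shell
#!/bin/sh
# Constructed example: a private CA issuing a certificate for a device that
# only has an RFC 1918 address (e.g. a printer's admin page). Public CAs
# cannot validate ownership of such addresses; an internal CA can.
set -e

# Build a root CA and an IP-SAN leaf certificate in $1 (scratch dir) for IP $2.
make_ip_cert() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  # 1. Root key and self-signed CA certificate (10 years).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Home Lab Internal CA (example)" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Device key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=printer" \
    -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
  # 3. v3 extensions: the SAN carries an IP entry, not a DNS name.
  cat > "$dir/device.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$ip
EOF
  # 4. CA signs the CSR; serial file is created on first use.
  openssl x509 -req -days 825 -sha256 -in "$dir/device.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/device.ext" -out "$dir/device.crt" 2>/dev/null
}

# Exit 0 only if device.crt chains to ca.crt AND its SAN matches IP $2.
# This mirrors what a browser checks once ca.crt is in its trust store.
verify_ip_cert() {
  dir=$1; ip=$2
  openssl verify -CAfile "$dir/ca.crt" -verify_ip "$ip" \
    "$dir/device.crt" >/dev/null 2>&1
}

# Show the SAN block so the IP entry is visible to the reader.
show_san() {
  openssl x509 -in "$1/device.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: make_ip_cert /tmp/lab 192.168.1.20 && verify_ip_cert /tmp/lab 192.168.1.20
```

Install ca.crt (never ca.key) on the devices that must trust the printer; the device key and certificate go on the printer itself.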

Re: It's not "browsing" anymore..

Yep. I tried setting a network printer to use HTTPS, and it created a self-signed certificate which Chrome and Firefox refused to connect to. I had to set it back to HTTP...

4
0


Biting the hand that feeds IT © 1998–2018