Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow. The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 …


  1. Tromos
    Joke

    it's likely that Microsoft, Apple and Mozilla will follow suit

    But only after Apple invent it first.

    1. Anonymous Coward
      Anonymous Coward

      Fuck Google, I will use HTTP when I want !!

      HTTP is good enough for almost everything. Hell, Amazon was HTTP between 1995 and 2017. (Only their login page used HTTPS, no other page.) If HTTP is good enough for Amazon, it's good enough for 99.9% of websites anyway. And banking websites have used HTTPS since forever.

      So this HTTPS movement is sponsored by NSA. So that only NSA can intercept traffic, while no other party can. But it means a lot of downsides, like when you are behind a proxy. So in 99% of web traffic HTTP is fine, yet a sponsored movement forces HTTPS. And all their front-shops (Google, Micro-$haft) enforce HTTPS. Fuck them.

      And let's not forget LAN (local area network), HTTP is fine enough there too ... get off my lawn you insensitive bastard (GOOO/M$$)

      And this centralized Let's Encrypt is shady - guess who is behind it, and can encrypt every one of those websites with one key. Oh it's NSA. And guess why Let's Encrypt has to be dongled with a root process to update the cert every 60 days - so they can slip in a new cert when they need "special access". Not everyone is that dumb, but many are careless. And weren't all these HTTPS websites vulnerable and very accessible to everyone, because of backdoors ("heartbleed")?

      1. ravenstar68

        Re: Fuck Google, I will use HTTP when I want !!

        You need to understand how certificates work.

        The certificate system provides a chain of certificates which end with a trusted root certificate. The list of Trusted Root Certificates is kept on the local machine and updated by the OS.

        However it's not the root certificates that are used to encrypt data, it's the actual server certificate.

        So what you could do if you were that concerned is set your cron job to create its own new certificate and then send a certificate signing request off to Let's Encrypt every 60 days instead.

        The real problem with TLS is that not only do companies and institutions MITM TLS connections, but a good proportion of security software does as well.

        While their purpose is benign, this IMHO is a bad choice by the security vendors as it means if your security software is indeed pulling a MITM attack - you lose the chain of trust.

      2. Martin-73 Silver badge

        Re: Fuck Google, I will use HTTP when I want !!

        I think you might be going into tinfoil hat territory with mention of the NSA, but I do agree that some things are fine over HTTP. My own site for example is an early 2000s hodgepodge of usefulish info on telephone wiring and a few pinouts of popular connectors that were useful to me so I shared them with the world.

        Nothing for Ivan (or Donald) to snoop on... so https is unnecessary

    2. alexmorco

      Re: it's likely that Microsoft, Apple and Mozilla will follow suit

      By changing URLs in the WP dashboard, all the site URLs should also be changed. If it doesn’t, you may want to force SSL to WordPress login area by configuring SSL in the wp-config.php file.

      In the wp-config.php file, add below lines of code where it says “That’s all, stop editing!”. For more you can visit: https://www.cloudways.com/blog/add-free-ssl-certificate-to-wordpress-websites

  2. Christian Berger

    It's funny to see that now...

    since the certificate system of TLS has been largely compromised to a point where some countries and companies MITM every connection, Google decides that HTTP is insecure.

    I mean we are long past the time when a passive attacker was a realistic scenario (unless you are at a penny pinching cable ISP). If you want to track a user today, you use one of the many ad-services to do so.

    If Google had security in mind, they'd warn about websites using Javascript. Particularly when those scripts are loaded from external servers. They would gradually work on reducing the numbers of features webbrowsers need to implement to make web browsers smaller and therefore more secure.

    We now are at a point when browsers are the most complex single pieces of software a regular person comes into contact with. We now are at a point where TLS, the protocol that is supposed to save us all, is so complex that there's just a handful of implementations around.

    This is not a healthy situation.

    1. Lee D Silver badge

      Re: It's funny to see that now...

      "to a point where some countries and companies MITM every connection,"

      They can only do that if you have physical access to the machines at either end, that's kind of the point of encryption. Commercial MITM requires you to trust a certificate that you would not encounter in the wild and would not be trusted by default in your browser.

      Governments may be different but, pretty much, they can demand you just send them the data, they don't have to decrypt it - but to decrypt it requires the end-point's co-operation. You can't sniff a connection to Facebook from a Chinese PC without Facebook or the browser manufacturer being complicit - and you can't "break" it by using other certs without cert-pinning going ape and warning the user.

      However, that said, working in a school I have a *legal requirement* to monitor every web access. Thus I have no option but to MITM every connection with an internal cert, and denying anything that doesn't present or tries to bypass that cert.

      Unfortunately, it's just not as simple as "just work out what pages the user is looking at that they shouldn't" any more.

      And that's just a UK school. Imagine what some of the big companies that deal with industrial espionage, military projects, etc. have to do to comply with what they need to.

      1. Christian Berger

        Re: It's funny to see that now...

        Well in those countries and those governments they simply roll out their own CA. It's a huge security nightmare, of course, but that's a completely different problem.

      2. brainbone

        Re: They can only do that if...

        Unfortunately, no.

        On a visit to the KAUST campus in Saudi Arabia a few years back, the network connections available there MITM'd every HTTPS request with valid/signed wild-card certificates they were able to obtain from "trusted" CAs.

        HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.

        1. Anonymous Coward
          Anonymous Coward

          Re: They can only do that if...

          Actually, the complete, accurate statement is "you really can't trust HTTPS".

          Time to design something better?

          And change the way we use it?

          1. vtcodger Silver badge

            Re: They can only do that if...

            Actually, the complete, accurate statement is "you really can't trust HTTPS".

            Probably true. OTOH I personally don't much care except when money is involved. And I try to do as little as possible involving money on-line. I find that face to face, paper, and/or telephones work better and are less inconvenient than online with proper security and are less scary than online without proper security.

            For me, most of the time, https mostly means I can't view a constantly changing array of sites in one browser or other (I have at least six installed) because their certificates have some subtle or not so subtle flaw this week.

            My guess is that most users will have no idea what Google is about with this HTTPS thing. Depending on implementation details, they will either click through any annoying error messages or will whinge until someone shows them how to switch to a different search engine.

            No, I don't know what to do about all this until folks are ready to accept that online security is a very tough problem, the toolkit we are approaching it with is entirely inadequate, and we may have to stop doing some things (e.g. Javascript) that are surely incompatible with secure computing.

            1. brym

              Re: They can only do that if...

              This is starting to sound a lot like the witch-hunt that went on to kill Flash. Except, for JS, it's all just another case of history repeating.

        2. Anonymous Coward
          Anonymous Coward

          Re: They can only do that if...

          > HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.

          And do you trust Let's Encrypt CA? I do NOT.

          Not only is Let's Encrypt centralized and already near monopoly for small and medium websites. They can decrypt all traffic with its central key. And most even run a Let's Encrypt cron job as ROOT on their servers. And the short 60 days cert-life means they can swap you in a new cert - by "they" I mean NSA and their partners.

          So, HTTP is just as secure for most stuff, and a lot simpler and safer for the server side (think heartbleed backdoor).

          1. Anonymous Coward
            Anonymous Coward

            Re: They can only do that if...

            "And do you trust Let's Encrypt CA? I do NOT"

            Let's Encrypt validates websites to exactly the same level as any other standard Certificate Authority (except for EV certs that cost a fortune). The only difference is that they don't have a credit card step in their automated process.

          2. Anonymous Coward
            Anonymous Coward

            Re: They can only do that if...

            "They can decrypt all traffic with its central key. "

            I see you don't know how CAs work.

            1. rg287

              Re: They can only do that if...

              I see you don't know how CAs work.

              They don't seem to have much of a handle on TLS1.3, Ephemeral Session Keys or Perfect Forward Secrecy either.
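The separation ravenstar68 (the CSR sent to the CA carries only a public key) and rg287 (ephemeral session keys, forward secrecy) are pointing at, as an added example that is no commenter's code: a toy model of a signed ephemeral Diffie-Hellman handshake in Python. It assumes textbook RSA over fixed Mersenne primes and a 127-bit DH group, both constructed toy values, and the names example.com / other.example are placeholders.

```python
"""Toy TLS-style handshake: the CA signs a name+public key, the session key
comes from an ephemeral DH exchange, so neither the CA's nor the server's
long-term private key is an input to it. Constructed illustration with
textbook RSA and a small DH group: NOT real TLS, NOT secure, stdlib only."""
import hashlib
import secrets

# Constructed toy DH group (Mersenne prime 2**127-1, generator 3); real TLS
# uses X25519/P-256 or 2048-bit+ FFDHE groups, same algebra.
DH_P = 2**127 - 1
DH_G = 3
# Fixed Mersenne primes so the toy RSA keys are deterministic.
CA_PRIMES = (2**61 - 1, 2**89 - 1)
ROGUE_CA_PRIMES = (2**31 - 1, 2**521 - 1)
SERVER_PRIMES = (2**107 - 1, 2**127 - 1)

def _h(*parts: bytes) -> int:
    """Hash length-prefixed byte strings to an integer."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(d.digest(), "big")

def rsa_keypair(primes, e=65537):
    """Textbook RSA: returns (public=(n, e), private=(n, d))."""
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def sign(priv, *msg: bytes) -> int:
    n, d = priv
    return pow(_h(*msg) % n, d, n)

def verify(pub, sig: int, *msg: bytes) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(*msg) % n

def cert_body(name: str, pub) -> bytes:
    return f"{name}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, name: str, subject_pub):
    """The CA answers a CSR: it only ever sees the subject's *public* key."""
    return {"name": name, "pub": subject_pub,
            "sig": sign(ca_priv, cert_body(name, subject_pub))}

def cert_is_trusted(cert, trusted_roots) -> bool:
    """Chain check: the signature must verify under a key in the local root store."""
    body = cert_body(cert["name"], cert["pub"])
    return any(verify(root, cert["sig"], body) for root in trusted_roots)

def handshake(trusted_roots, cert, server_priv, expected_name: str):
    """Both sides of a signed ephemeral DH exchange (TLS 1.3 shape), in one
    function for readability. Returns (accepted, client_key, server_key)."""
    y = secrets.randbelow(DH_P - 3) + 2           # client ephemeral secret
    Y = pow(DH_G, y, DH_P)                        # ClientHello key share
    x = secrets.randbelow(DH_P - 3) + 2           # server ephemeral secret
    X = pow(DH_G, x, DH_P)                        # ServerHello key share
    transcript = (Y.to_bytes(16, "big"), X.to_bytes(16, "big"))
    sig = sign(server_priv, *transcript)          # CertificateVerify, in effect
    # Client checks: expected name, chain to a trusted root, signature over shares.
    if cert["name"] != expected_name or not cert_is_trusted(cert, trusted_roots):
        return False, None, None
    if not verify(cert["pub"], sig, *transcript):
        return False, None, None
    # The session key comes from the ephemeral shares only: the long-term keys
    # authenticated the exchange but never enter the key derivation.
    client_key = hashlib.sha256(pow(X, y, DH_P).to_bytes(16, "big")).hexdigest()
    server_key = hashlib.sha256(pow(Y, x, DH_P).to_bytes(16, "big")).hexdigest()
    del x, y                                      # forward secrecy: discard secrets
    return True, client_key, server_key

def demo():
    """Trusted CA, unknown/internal CA, and wrong-name cases."""
    ca_pub, ca_priv = rsa_keypair(CA_PRIMES)
    _, rogue_priv = rsa_keypair(ROGUE_CA_PRIMES)
    srv_pub, srv_priv = rsa_keypair(SERVER_PRIMES)  # made on the server; private part never leaves
    roots = [ca_pub]                                # the browser's / OS's root store
    good = issue_cert(ca_priv, "example.com", srv_pub)
    rogue = issue_cert(rogue_priv, "example.com", srv_pub)  # CA not in the root store
    return {
        "trusted": handshake(roots, good, srv_priv, "example.com"),
        "untrusted_ca": handshake(roots, rogue, srv_priv, "example.com"),
        "wrong_name": handshake(roots, good, srv_priv, "other.example"),
    }
```

The rogue case is the "internal cert" situation from earlier in the thread: the handshake is rejected unless that CA has been added to the local root store, which is why a CA with a key the browser does not trust cannot quietly intercept anything.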

        3. hellwig

          Re: They can only do that if...

          And let's not forget when you use Chrome, GOOGLE gets to decide which CAs you trust and don't trust. Want to know one of the "trusted" CAs? Google! That's right, Google can MITM any Chrome browser traffic they want. And why would Google want to know what you're browsing? Gee, maybe because that's how they make billions of dollars a year?

          I'm not saying they MITM anyone, but I'm only saying that because I wouldn't want to get sued.

          1. Anonymous Coward
            Anonymous Coward

            Re: They can only do that if...

            "That's right, Google can MITM any Chrome browser traffic they want."

            Why would they want to MITM it with certificate trusts? They can and do it in a far easier way: it's their browser, they will just send the data they want directly.

            Surprised there wasn't a mention of Microsoft, they have theirs too, we know they don't need to use it, they just send all that data directly.

            That certificate isn't for MITM attacks, it's for their issued certs on their services.

            There is a lot of paranoia here.

    2. katrinab Silver badge

      Re: It's funny to see that now...

      "I mean we are long past the time when a passive attacker was a realistic scenario (unless you are at a penny pinching cable ISP)"

      or you operate a public wifi service, possibly one with the same SSID as a large provider.

    3. Adam 1

      Re: It's funny to see that now...

      > I mean we are long past the time when a passive attacker was a realistic scenario

      It seems to me that no-one has shared this fact with a bunch of airlines, ISPs, pretty much every hotel you have ever stayed at.

      I'm afraid that this is pretty close to par for the course. And you can't actually see those who just track rather than actively manipulate the traffic, but I would be amazed if it wasn't an order of magnitude greater.

      Yes, TLS is imperfect because you need to trust a bunch of CAs, some of which have been vaporised after spectacularly failing at their only job™, but in terms of risk management, it is a night and day improvement. It's like arguing that there's no point locking your door because authorities could just open it with a carefully placed explosive.

      Companies cannot MitM a HTTPS website unless they own the computer. If they own the computer, they can just install their own root CA, but no hotel or airline or internet cafe or ISP can do that to my device.

  3. Anonymous Coward
    Anonymous Coward

    No can do

    My hosting will give me a certificate, but I lose PHP functionality if I do... so I won't. (I believe this is basically down to how it's being hosted in the cloud)

    Some redirects are already broken. I went to strobist.com only to be completely blocked when it redirected to strobist.blogspot.com ... and chrome wouldn't let me put in an exception. However, Firefox let me tell it that I knew what was going on.

    Net result is that a few of us have already gone back to Firefox for daily browsing, because Chrome is just too much up its own arse.

    1. Anonymous Coward
      Anonymous Coward

      Re: No can do

      " I went to strobist.com only to be completely blocked when it redirected to strobist.blogspot.com"

      use the SAN in the certificate

  4. ratfox
    Paris Hilton

    Yay... maybe?

    On one hand, yeah security is good.

    On the other hand, I wouldn't be surprised if the people at Google were completely living in a bubble and did not understand multiple valid reasons for which websites have not switched to HTTPS. I can't even figure out a dark ulterior motive for Google to do this, but it might simply be out of touch with reality.

    1. teknopaul

      Re: Yay... maybe?

      One perfectly good reason is that you are publishing HTML, don't have any tracking cookies, have nothing at all to hide and don't have enough viewers to be a target.

      I'm all for security where it is needed. I resent being bullied by Google.

      1. fidodogbreath

        Re: Yay... maybe?

        I'm all for security where it is needed. I resent being bullied by Google.

        Indeed. My 4-page personal Wordpress site has absolutely no content that needs to be https-protected. The hosting company has provided free certs (via CPanel), but it has still required annoying make-work on my part.

        1. rg287

          Re: Yay... maybe?

          Indeed. My 4-page personal Wordpress site has absolutely no content that needs to be https-protected. The hosting company has provided free certs (via CPanel), but it has still required annoying make-work on my part.

          Aside from that bit where you send credentials (domain.com/wp-login.php)...

          Also malicious ISPs stuffing in ads, tracking cookies, coinhive.js, etc. You're not protecting your content. You're protecting your visitors...

          As for "make-work", one click-and-forget button? Hardly a problem. My hosts also enabled the Lets-Encrypt plugin in cPanel. One click to enable cert generation and then another setting to tell the server to use the certs being produced by the plugin. The work of a minute, one-off and entirely automated. I haven't touched it since.

      2. Anonymous Coward
        Anonymous Coward

        Re: Yay... maybe?

        One perfectly good reason is that you are publishing HTML, don't have any tracking cookies, have nothing at all to hide and don't have enough viewers to be a target.

        ----------------------------------------------------------------------------------------------------

        This is short sighted. You are setting up any visitor to your site for a trivial MITM attack. Not cool.

        1. Eeep !

          Re: Yay... maybe?

          Please explain how this is setting up a MITM attack.

          1. Adam 1

            Re: Yay... maybe?

            Anyone who is in that network path can inject, modify or suppress any of the page resources. This includes injecting coinhive.js or worse. This includes "free WiFi hotspots", and probably any hotel or airline you've ever flown. Even a major US ISP was fiddling with some headers at one point. These modifications cannot be made to a HTTPS stream unless you can convince a CA to sign your public key.

            I'm not saying HTTPS is a panacea for all security ills, but I fail to see what is controversial about calling HTTP "Not Secure". It is after all, a long game of "Chinese Whispers" with no capacity to assert that what you see is what the server served or what the server sees is what you sent.

  5. Anonymous Coward
    Anonymous Coward

    stuck on HTTP

    "The Chrome update is designed to spur sites still stuck on HTTP to move over to HTTPS"

    I don't understand 'stuck on'. Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites? I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce.

    FAIL.

    1. Lee D Silver badge

      Re: stuck on HTTP

      Any website without TLS can have its content modified on the fly by any entity in the path of the request/response.

      Thus any website could have malicious javascript (coin miners, etc.) inserted into it, which the website or visitor wouldn't be able to detect, and the ISP could change adverts to their own, add tracking code (actual real-life cases, impacting your security and privacy, as well as the funding stream of the websites you visit, etc. etc. etc.), and all kinds of other issues - even something in your router (as per recent firmware problems with some routers allowing compromise by "redirecting" your web traffic).

      HTTPS is a good thing. Just not sure about "by default". Technically, it's insecure. Yep. Absolutely 100% correct, so there's no problem highlighting that. The problem will come when it becomes difficult to say "Yes, I bloody know that's an insecure website for the billionth time, shut up already".

      1. david 12 Silver badge

        Re: Re: stuck on HTTP

        >Thus ... the ISP could change adverts to their own ... <

        The world's largest ad serving company thinks that websites that allow their ads to be replaced are insecure.

        Insecure in what way? Allows ads to be replaced.

    2. Wensleydale Cheese

      Re: stuck on HTTP

      "Has someone assumed that all websites are eCommerce sites?"

      There's a case for any site which demands a login to comment on articles, or worse, read them. Think of plain text passwords, and the way folks reuse the same password across sites.

      But why should anyone running a site which doesn't offer logins offer https?

      "I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce."

      They've been guilty of that for a long time.

    3. David Knapman

      Re: stuck on HTTP

      Troy Hunt has written a *specific* piece on https://www.troyhunt.com/heres-why-your-static-website-needs-https/.

      Now, you may choose to disagree with some of his examples, but in most cases nobody can point to people using HTTPS over HTTP and state that it's *less* secure.

      1. Anonymous Coward
        Anonymous Coward

        Re: stuck on HTTP

        Troy Hunt also did an excellent Pluralsight course on what developers need to know about HTTPS. If you've got an account, it's definitely an eye opener

      2. teknopaul

        Re: stuck on HTTP

        "nobody can point to people using HTTPS over HTTP and state that it's *less* secure."

        Nobody suggesting bricking up the windows of your house is less secure.

        Security where it's needed.

        A house with glass windows is not insecure. It's just a house and not a prison.

        1. Glen 1
          Facepalm

          Re: stuck on HTTP

          >A house with glass windows is not insecure. It's just a house and not a prison.

          A burglar with a brick/hammer would disagree.

          People on this thread have short memories.

          Remember Phorm?

          Almost impossible over HTTPS.

    4. IGnatius T Foobar ✅

      Re: stuck on HTTP

      Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites?

      Exactly. Perhaps you're just publishing some information for everyone to read. What happens if the page is "insecure" and someone sniffs the connection? They get to read the same information that you already published, with the intent that everyone can read it.

      You don't need to encrypt a billboard.

      1. David Knapman

        Re: stuck on HTTP

        If, every time you update your billboard, you find that someone keeps posting outrageously dangerous advice onto the middle of it, but does leave your name prominently associated with it, would you be so relaxed about leaving your billboard unsecured? The biggest risk with HTTP is content being intercepted and *replaced* en-route (malicious scripts, etc)

        Whilst there are some circumstances where HTTPS can be MITMed, it's a strictly smaller subset of the cases where HTTP can be MITMed. So if forcing everyone to abandon HTTP reduces the opportunities for MITMs (and work to further reduce MITM attacks on HTTPS is still ongoing), why are you against it?

    5. Anonymous Coward
      Anonymous Coward

      Re: stuck on HTTP

      > Why does every single website need HTTPS?

      They don't.

      HTTP will still work. You'll just get a little bit of grey text saying "Not secure" on your browser bar.

      Move along please.

      1. gnarlymarley

        Re: stuck on HTTP

        HTTP will still work. You'll just get a little bit of grey text saying "Not secure" on your browser bar.

        And I will welcome that text for pages such as news sites that have no logins and do not collect my information. Anyone thinking that HTTPS cannot do MITM is just ignorant.

    6. Anonymous Coward
      Anonymous Coward

      Re: stuck on HTTP

      Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites? I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce.

      FAIL.

      =======================================================================

      The 'FAIL' is your blinkered misunderstanding of security.

      Every HTTP site creates an attack surface exposing every visitor to MITM, injection, and other attacks.

      Anyone with any sense will avoid such sites like the plague that they might be spreading.

      1. Deltics

        Re: stuck on HTTP

        > Every HTTP site creates an attack surface exposing every visitor to MITM, injection, and other attacks.

        Ironically of course, every HTTPS site is also by definition an HTTP site. The difference in the presence of SSL doesn't change the fact that the basic protocol is the same.

        The "ironically" part therefore comes from the fact that what you say about HTTP is also true about HTTPS. As soon as you put a publicly accessible site out there you have created an attack surface exposing every visitor etc etc etc. Whether that site employs HTTP or HTTPS doesn't alter the accuracy of that statement, only the difficulty involved in exploiting the attack surface you are generously providing.

        1. Anonymous Coward
          Anonymous Coward

          Re: stuck on HTTP

          "Ironically of course, every HTTPS site is also by definition an HTTP site. The difference in the presence of SSL doesn't change the fact that the basic protocol is the same."

          Actually it does. As SSL/TLS wraps the http protocol (makes a tunnel), making TLS (SSL should never be used) the base protocol for the transport layer, which is the part we are talking about. So the things that need to be looked at for vulnerabilities are in TLS not HTTP when authentication, encryption and data integrity are to be considered.

  6. Jason Bloomberg Silver badge
    FAIL

    Two wrongs don't make a right

    At the end of the proverbial day I guess it will come down to whether people consider Google being more wrong to 'block sites' than sites are to not upgrade to https.

    I suspect most people won't have an absolutist view and will just consider the greater wrong to be that Chrome doesn't have an option to turn the feature off.

    And it's no good telling people Letsencrypt certificates are free while also telling them that if they aren't paying for something then they are the product.

    I am somewhat surprised there's not been more of a Net Neutrality argument raised against Google's decision.

    1. knelmes

      Re: Two wrongs don't make a right

      "And it's no good telling people Letsencrypt certificates are free while also telling them that if they aren't paying for something then they are the product."

      I don't think that's the case with the EFF backed letsencrypt. Is it?

  7. Flakk
    Trollface

    Chrome?

    What's that?

    1. Anonymous Coward
      Joke

      Stuff that e.g. Firefox renders which is browser UI and not stuff from over the network.

  8. Pointer2null

    A bit hypocritical

    A bit hypocritical considering their email client defaults to remain logged in and actually forcing it to log out when you close your browser is non-trivial.

    Who cares if you browse the news unencrypted - if anyone gets your machine with email logged in they can have more fun resetting all your passwords.

  9. GruntyMcPugh Silver badge

    The funnier Google related story today,....

    ... is that Google Translate is throwing the occasional wobbler and predicting the end of the World.

    Select 'Maori' as the input language, and keep typing the word 'dog' over and over. The translation will change to "Doomsday Clock is three minutes at twelve We are experiencing characters and a dramatic developments in the world" at 16 repetitions. At 18 repetitions it changes to "Doomsday Clock is three minutes at twelve We are experiencing characters and a dramatic developments in the world, which indicate that we are increasingly approaching the end times and Jesus' return"

    Same happens using Indonesian and Hawaiian.

    Try typing the word 'prophecy' in multiple times. Pay attention as you type, it comes up with four different creepy translations as the characters go in, not always when a complete word is typed.

    Have fun!
