it's likely that Microsoft, Apple and Mozilla will follow suit
But only after Apple invent it first.
Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow. The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 …
HTTP is good enough for almost everything. Hell, Amazon was HTTP between 1995 and 2017. (Only their login page used HTTPS, no other page.) If HTTP is good enough for Amazon, it's good enough for 99,9% of websites anyway. And banking websites have used HTTPS since forever.
So this HTTPS movement is sponsored by NSA. So that only NSA can intercept traffic, while no other party can. But it means a lot of downsides, like when you are behind a proxy. So in 99% of web traffic HTTP is fine, yet a sponsored movement forces HTTPS. And all their front-shops (Google, Micro-$haft) enforce HTTPS. Fuck them.
And let's not forget LAN (local area network); HTTP is fine enough there too ...get off my lawn you insensitive bastard (GOOO/M$$)
And this centralized Let's Encrypt is shady - guess who is behind it, and can encrypt every one of those websites with one key. Oh it's NSA. And guess why Let's Encrypt has to be dongled with a root process to update the cert every 60 days - so they can slip in a new cert when they need "special access". Not everyone is that dumb, but many are careless. And weren't all these HTTPS websites vulnerable and very accessible to everyone, because of backdoors ("heartbleed")?
You need to understand how certificates work.
The certificate system provides a chain of certificates which end with a trusted root certificate. The list of Trusted Root Certificates is kept on the local machine and updated by the OS.
However it's not the root certificates that are used to encrypt data, it's the actual server certificate.
So what you could do if you were that concerned is set your cron job to create its own new certificate and then send a certificate signing request off to Let's Encrypt every 60 days instead.
The real problem with TLS is that not only do companies and institutions MITM TLS connections, but a good proportion of security software does as well.
While their purpose is benign, this IMHO is a bad choice by the security vendors as it means if your security software is indeed pulling a MITM attack - you lose the chain of trust.
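An added example (not from the commenter above, and not anything Let's Encrypt prescribes) of the workflow described in that comment: the host generates its own key and a CSR, so the CA only ever receives the public half, and the renewal job needs neither root nor a CA-held key. The directory, file names, domain and certbot arguments are assumptions.

```shell
#!/bin/sh
# Added example: the operator keeps the private key and only sends a CSR to the CA.
# DIR and DOMAIN are assumptions; the directory, file names and certbot arguments
# are illustrative, not anything the commenter or Let's Encrypt prescribe.
set -e

# Generate a fresh P-256 private key plus a CSR carrying DOMAIN as a SAN.
# Nothing here needs root or network: only the CSR (public key + name) leaves this host.
make_csr() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"
  chmod 700 "$dir"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/key.pem"
  chmod 600 "$dir/key.pem"
  # Minimal req config: CAs such as Let's Encrypt require the name in subjectAltName.
  cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain
EOF
  openssl req -new -key "$dir/key.pem" -config "$dir/csr.cnf" -out "$dir/req.csr"
}

# Sanity check before submitting: the CSR's self-signature verifies and it names DOMAIN.
csr_ok() {
  dir="$1"; domain="$2"
  openssl req -in "$dir/req.csr" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$dir/req.csr" -noout -text | grep -q "DNS:$domain"
}

# From cron every 60 days (not run here: it needs network access and a served web root):
#   certbot certonly --csr "$DIR/req.csr" --webroot -w /var/www/html \
#     --cert-path "$DIR/cert.pem" --chain-path "$DIR/chain.pem" --fullchain-path "$DIR/fullchain.pem"
# Afterwards the issued leaf can be checked against the local root store with
#   openssl verify -untrusted "$DIR/chain.pem" "$DIR/cert.pem"
# which is the chain-up-to-a-trusted-root check the comment above describes.

if [ "${1:-}" = "demo" ]; then
  make_csr "${2:-./acme-demo}" "${3:-www.example.com}"
  csr_ok "${2:-./acme-demo}" "${3:-www.example.com}" && echo "CSR ready for submission"
fi
```

Run as `sh script.sh demo ./acme-demo www.example.com`. The point of the split is in the last two functions: the CA signs what the CSR presents, the trust decision on the way back is made by the local root store, and at no step does the CA or the ACME client hold the server's private key.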
I think you might be going into tinfoil hat territory with mention of the NSA, but I do agree that some things are fine over HTTP. My own site for example is an early 2000s hodgepodge of usefulish info on telephone wiring and a few pinouts of popular connectors that were useful to me so I shared them with the world.
Nothing for Ivan (or Donald) to snoop on... so https is unnecessary
By changing URLs in the WP dashboard, all the site URLs should also be changed. If it doesn’t, you may want to force SSL to WordPress login area by configuring SSL in the wp-config.php file.
In the wp-config.php file, add the lines below where it says “That's all, stop editing!”. For more you can visit: https://www.cloudways.com/blog/add-free-ssl-certificate-to-wordpress-websites
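The comment above omits the lines themselves. As an added example (not from the commenter or the linked blog), this script inserts WordPress's own FORCE_SSL_ADMIN constant, which forces HTTPS for wp-login.php and the whole admin area, ahead of the "stop editing" marker, which is where WordPress reads it before wp-settings.php loads. The file path and the sample config in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the comment above or the linked blog: puts WordPress's own
# FORCE_SSL_ADMIN setting into wp-config.php just before the "stop editing" marker.
# The path given on the command line is an assumption.
set -e

# Add define('FORCE_SSL_ADMIN', true); once, directly before the marker line.
# Safe to re-run: a file that already has the setting is left untouched.
force_ssl_admin() {
  cfg="$1"
  if grep -q "FORCE_SSL_ADMIN" "$cfg"; then
    return 0
  fi
  awk -v line="define('FORCE_SSL_ADMIN', true);" \
    '/That.s all, stop editing/ { print line } { print }' "$cfg" > "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

# Print the line number the setting ends up on (empty if absent), for a post-edit check.
ssl_admin_line() {
  grep -n "FORCE_SSL_ADMIN" "$1" | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
  force_ssl_admin "${2:-/var/www/html/wp-config.php}"
  echo "FORCE_SSL_ADMIN set on line $(ssl_admin_line "${2:-/var/www/html/wp-config.php}")"
fi
```

Run as `sh script.sh apply /path/to/wp-config.php`. One caveat worth checking before enabling it: if TLS terminates at a reverse proxy or CDN and the web server itself only sees HTTP, WordPress will not know the request was HTTPS and wp-login.php can end up in a redirect loop; in that setup the proxy's forwarded-protocol header has to be honoured in wp-config.php as well.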
Since the certificate system of TLS has been largely compromised to a point where some countries and companies MITM every connection, Google decides that HTTP is insecure.
I mean we are long past the time when a passive attacker was a realistic scenario (unless you are at a penny pinching cable ISP). If you want to track a user today, you use one of the many ad-services to do so.
If Google had security in mind, they'd warn about websites using Javascript. Particularly when those scripts are loaded from external servers. They would gradually work on reducing the number of features web browsers need to implement to make web browsers smaller and therefore more secure.
We now are at a point when browsers are the most complex single pieces of software a regular person comes into contact with. We now are at a point where TLS, the protocol that is supposed to save us all, is so complex that there's just a handful of implementations around.
This is not a healthy situation.
"to a point where some countries and companies MITM every connection,"
They can only do that if you have physical access to the machines at either end, that's kind of the point of encryption. Commercial MITM requires you to trust a certificate that you would not encounter in the wild and would not be trusted by default in your browser.
Governments may be different but, pretty much, they can demand you just send them the data, they don't have to decrypt it - but to decrypt it requires the end-point's co-operation. You can't sniff a connection to Facebook from a Chinese PC without Facebook or the browser manufacturer being complicit - and you can't "break" it by using other certs without cert-pinning going ape and warning the user.
However, that said, working in a school I have a *legal requirement* to monitor every web access. Thus I have no option but to MITM every connection with an internal cert, and deny anything that doesn't present or tries to bypass that cert.
Unfortunately, it's just not as simple as "just work out what pages the user is looking at that they shouldn't" any more.
And that's just a UK school. Imagine what some of the big companies that deal with industrial espionage, military projects, etc. have to do to comply with what they need to.
Unfortunately, no.
On a visit to the KAUST campus in Saudi Arabia a few years back, the network connections available there MITM'd every HTTPS request with valid/signed wild-card certificates they were able to obtain from "trusted" CAs.
HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.
Actually, the complete, accurate statement is "you really can't trust HTTPS".
Probably true. OTOH I personally don't much care except when money is involved. And I try to do as little as possible involving money on-line. I find that face to face, paper, and/or telephones work better and are less inconvenient than online with proper security and are less scary than online without proper security.
For me, most of the time, https mostly means I can't view a constantly changing array of sites in one browser or other (I have at least six installed) because their certificates have some subtle or not so subtle flaw this week.
My guess is that most users will have no idea what Google is about with this HTTPS thing. Depending on implementation details, they will either click through any annoying error messages or will whinge until someone shows them how to switch to a different search engine.
No, I don't know what to do about all this until folks are ready to accept that online security is a very tough problem, the toolkit we are approaching it with is entirely inadequate, and we may have to stop doing some things (e.g. Javascript) that are surely incompatible with secure computing.
> HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.
And do you trust Let's Encrypt CA? I do NOT.
Not only is Let's Encrypt centralized and already near monopoly for small and medium websites. They can decrypt all traffic with its central key. And most even run a Let's Encrypt cron job as ROOT on their servers. And the short 60 days cert-life means they can swap you in a new cert - with they I mean NSA and their partners.
So, HTTP is just as secure for most stuff, and a lot simpler and safer for the server side (think heartbleed backdoor).
"And do you trust Let's Encrypt CA? I do NOT"
Let's Encrypt validates websites to exactly the same level as any other standard Certificate Authority (except for EV certs that cost a fortune). The only difference is that they don't have a credit card step in their automated process.
And let's not forget when you use Chrome, GOOGLE gets to decide which CAs you trust and don't trust. Want to know one of the "trusted" CAs? Google! That's right, Google can MITM any Chrome browser traffic they want. And why would Google want to know what you're browsing? Gee, maybe because that's how they make billions of dollars a year?
I'm not saying they MITM anyone, but I'm only saying that because I wouldn't want to get sued.
"That's right, Google can MITM any Chrome browser traffic they want."
Why would they want to MITM it with certificate trusts? They can and do it in a far easier way: it's their browser, they will just send the data they want directly.
Surprised there wasn't a mention of Microsoft, they have theirs too, we know they don't need to use it, they just send all that data directly.
That certificate isn't for MITM attacks, it's for their issued certs on their services.
There is a lot of paranoia here.
> I mean we are long past the time when a passive attacker was a realistic scenario
It seems to me that no-one has shared this fact with a bunch of airlines, ISPs, pretty much every hotel you have ever stayed at.
I'm afraid that this is pretty close to par for the course. And you can't actually see those who just track rather than actively manipulate the traffic, but I would be amazed if it wasn't an order of magnitude greater.
Yes, TLS is imperfect because you need to trust a bunch of CAs some of which have been vaporised after spectacularly failing at their only job™, but in terms of risk management, it is a night and day improvement. It's like arguing that there's no point locking your door because authorities could just open it with a carefully placed explosive.
Companies cannot MitM a HTTPS website unless they own the computer. If they own the computer, they can just install their own root CA, but no hotel or airline or internet cafe or ISP can do that to my device.
My hosting will give me a certificate, but I lose PHP functionality if I do... so I won't. (I believe this is basically down to how it's being hosted in the cloud)
Some redirects are already broken. I went to strobist.com only to be completely blocked when it redirected to strobist.blogspot.com ... and chrome wouldn't let me put in an exception. However, Firefox let me tell it that I knew what was going on.
Net result is that a few of us have already gone back to Firefox for daily browsing, because Chrome is just too much up its own arse.
On one hand, yeah security is good.
On the other hand, I wouldn't be surprised if the people at Google were completely living in a bubble and did not understand multiple valid reasons for which websites have not switched to HTTPS. I can't even figure out a dark ulterior motive for Google to do this, but it might simply be out of touch with reality.
I'm all for security where it is needed. I resent being bullied by Google.
Indeed. My 4-page personal Wordpress site has absolutely no content that needs to be https-protected. The hosting company has provided free certs (via CPanel), but it has still required annoying make-work on my part.
Aside from that bit where you send credentials (domain.com/wp-login.php)...
Also malicious ISPs stuffing in ads, tracking cookies, coinhive.js, etc. You're not protecting your content. You're protecting your visitors...
As for "make-work", one click-and-forget button? Hardly a problem. My hosts also enabled the Lets-Encrypt plugin in cPanel. One click to enable cert generation and then another setting to tell the server to use the certs being produced by the plugin. The work of a minute, one-off and entirely automated. I haven't touched it since.
One perfectly good reason is that you are publishing HTML, don't have any tracking cookies, have nothing at all to hide and don't have enough viewers to be a target.
----------------------------------------------------------------------------------------------------
This is short sighted. You are setting up any visitor to your site for a trivial MITM attack. Not cool.
Anyone who is in that network path can inject, modify or suppress any of the page resources. This includes injecting coinhive.js or worse. This includes "free WiFi hotspots", and probably any hotel or airline you've ever flown. Even a major US ISP was fiddling with some headers at one point. These modifications cannot be made to a HTTPS stream unless you can convince a CA to sign your public key.
I'm not saying HTTPS is a panacea for all security ills, but I fail to see what is controversial about calling HTTP "Not Secure". It is after all, a long game of "Chinese Whispers" with no capacity to assert that what you see is what the server served or what the server sees is what you sent.
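An added example, not the commenter's own code, of the check a site owner can run against the injection risk described in the reply above and in the later comments about ISPs inserting scripts: fetch the plain-HTTP page from an outside vantage point (a hotel network, another ISP) and flag any external script host the site does not knowingly load. The allowlist, host names and sample page are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a content-integrity check for a page served over
# HTTP, meant to be run from outside the site's own network. Every host name and the
# sample page are constructed; the allowlist is whatever the site owner actually ships.
set -e

# Hosts the site owner knowingly loads scripts from (assumed allowlist, space-separated).
ALLOWED_HOSTS="cdn.example.org"

# Constructed sample: the page as it might arrive through a meddling network. The site
# itself ships only /js/site.js and the cdn.example.org library; the last tag is foreign.
SAMPLE_HTML='<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//miner.example.net/coinhive.js"></script>
</head><body>hello</body></html>'

# Print the host of every external <script src=...> read from stdin, one per line, deduplicated.
# Same-origin (path-only) scripts are ignored; protocol-relative //host/... URLs are caught.
script_hosts() {
  grep -o '<script[^>]*src="[^"]*"' |
    sed -n 's#.*src="\(https\{0,1\}:\)\{0,1\}//\([^/"]*\).*#\2#p' |
    sort -u
}

# Return 0 if every external script host is allowlisted, 1 otherwise (offenders on stdout).
check_scripts() {
  html="$1"; allowed="$2"; rc=0
  for host in $(printf '%s\n' "$html" | script_hosts); do
    case " $allowed " in
      *" $host "*) ;;
      *) echo "unexpected script host: $host"; rc=1 ;;
    esac
  done
  return "$rc"
}

if [ "${1:-}" = "demo" ]; then
  check_scripts "$SAMPLE_HTML" "$ALLOWED_HOSTS" && echo "page clean"
fi
```

In practice the HTML would come from `curl -s http://your-site/` run on the untrusted network instead of the embedded sample, and the same run repeated over HTTPS gives the baseline: a script host that appears only in the HTTP fetch was added in transit. The parser is deliberately line-based and will miss a tag split across lines, so it is a smoke test for the common injection, not a substitute for moving the site to HTTPS.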
"The Chrome update is designed to spur sites still stuck on HTTP to move over to HTTPS"
I don't understand 'stuck on'. Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites? I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce.
FAIL.
Any website without TLS can have its content modified on the fly by any entity in the path of the request/response.
Thus any website could have malicious javascript (coin miners, etc.) inserted into it, which the website or visitor wouldn't be able to detect, and the ISP could change adverts to their own, add tracking code (actual real-life cases, impacting your security and privacy, as well as the funding stream of the websites you visit, etc. etc. etc.), and all kinds of other issues - even something in your router (as per recent firmware problems with some routers allowing compromise by "redirecting" your web traffic).
HTTPS is a good thing. Just not sure about "by default". Technically, it's insecure. Yep. Absolutely 100% correct, so there's no problem highlighting that. The problem will come when it becomes difficult to say "Yes, I bloody know that's an insecure website for the billionth time, shut up already".
"Has someone assumed that all websites are eCommerce sites?"
There's a case for any site which demands a login to comment on articles, or worse, read them. Think of plain text passwords, and the way folks reuse the same password across sites.
But why should anyone running a site which doesn't offer logins offer https?
"I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce."
They've been guilty of that for a long time.
Troy Hunt has written a *specific* piece on https://www.troyhunt.com/heres-why-your-static-website-needs-https/.
Now, you may choose to disagree with some of his examples, but in most cases nobody can point to people using HTTPS over HTTP and state that it's *less* secure.
Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites?
Exactly. Perhaps you're just publishing some information for everyone to read. What happens if the page is "insecure" and someone sniffs the connection? They get to read the same information that you already published, with the intent that everyone can read it.
You don't need to encrypt a billboard.
If, every time you update your billboard, you find that someone keeps posting outrageously dangerous advice onto the middle of it, but does leave your name prominently associated with it, would you be so relaxed about leaving your billboard unsecured? The biggest risk with HTTP is content being intercepted and *replaced* en-route (malicious scripts, etc)
Whilst there are some circumstances where HTTPS can be MITMed, it's a strictly smaller subset of the cases where HTTP can be MITMed. So if forcing everyone to abandon HTTP reduces the opportunities for MITMs (and working to further reduce MITM attacks on HTTPS are still ongoing), why are you against it?
HTTP will still work. You'll just get a little bit of grey text saying "Not secure" on your browser bar.
And I will welcome that text for pages such as news sites that have no logins and do not collect my information. Anyone thinking that HTTPS cannot do MITM is just ignorant.
Why does every single website need HTTPS? Has someone assumed that all websites are eCommerce sites? I suppose you would if you were the largest advertising company on the planet, in which case you probably do only think in terms of eCommerce.
FAIL.
=======================================================================
The 'FAIL' is your blinkered misunderstanding of security.
Every HTTP site creates an attack surface exposing every visitor to MITM, injection, and other attacks.
Anyone with any sense will avoid such sites like the plague that they might be spreading.
> Every HTTP site creates an attack surface exposing every visitor to MITM, injection, and other attacks.
Ironically of course, every HTTPS site is also by definition an HTTP site. The difference in the presence of SSL doesn't change the fact that the basic protocol is the same.
The "ironically" part therefore comes from the fact that what you say about HTTP is also true about HTTPS. As soon as you put a publicly accessible site out there you have created an attack surface exposing every visitor etc etc etc. Whether that site employs HTTP or HTTPS doesn't alter the accuracy of that statement, only the difficulty involved in exploiting the attack surface you are generously providing.
"Ironically of course, every HTTPS site is also by definition an HTTP site. The difference in the presence of SSL doesn't change the fact that the basic protocol is the same."
Actually it does. SSL/TLS wraps the HTTP protocol (makes a tunnel), making TLS (SSL should never be used) the base protocol for the transport layer, which is the part we are talking about. So the things that need to be looked at for vulnerabilities are in TLS, not HTTP, when authentication, encryption and data integrity are to be considered.
At the end of the proverbial day I guess it will come down to whether people consider Google being more wrong to 'block sites' than sites are to not upgrade to https.
I suspect most people won't have an absolutist view and will just consider the greater wrong to be that Chrome doesn't have an option to turn the feature off.
And it's no good telling people Letsencrypt certificates are free while also telling them that if they aren't paying for something then they are the product.
I am somewhat surprised there's not been more of a Net Neutrality argument raised against Google's decision.
A bit hypocritical considering their email client defaults to remain logged in and actually forcing it to log out when you close your browser is non-trivial.
Who cares if you browse the news unencrypted - if anyone gets your machine with email logged in they can have more fun resetting all your passwords.
... is that google Translate is throwing the occasional wobbler and predicting the end of the World.
Select 'Maori' as the input language, and keep typing the word 'dog' over and over. The translation will change to "Doomsday Clock is three minutes at twelve We are experiencing characters and a dramatic developments in the world" at 16 repetitions. At 18 repetitions it changes to "Doomsday Clock is three minutes at twelve We are experiencing characters and a dramatic developments in the world, which indicate that we are increasingly approaching the end times and Jesus' return"
Same happens using Indonesian and Hawaiian.
Try typing the word 'prophecy' in multiple times. Pay attention as you type, it comes up with four different creepy translations as the characters go in, not always when a complete word is typed.
Have fun!