Google's Chrome is about to get rather in-your-face about HTTPS

Re: Google too much in my face

Don't they gather info too, like Google and send it back to China?

In 2016 computer security researchers from Fidelis Cybersecurity and Exatel discovered the browser surreptitiously sending sensitive browsing and system data—such as ad blocker status, websites visited, searches conducted and applications installed with their version numbers—to remote servers located in Beijing, China. According to Maxthon, the data is sent as part of the company's 'User Experience Improvement Program' and that it is "voluntary and totally anonymous." However, researchers found the data still being collected and transmitted to remote servers even after users explicitly opted-out of the program. The researchers further found the data being transmitted over an unencrypted connection (HTTP), leaving users vulnerable to man-in-the-middle attacks. Fidelis' Chief Security Officer, Justin Harvey, noted the data "...contains almost everything you would want in conducting a reconnaissance operation to know exactly where to attack. Knowing the exact operating system and installed applications, and browsing habits it would be trivial to send a perfectly crafted spearphish to the victim or perhaps set up a watering hole attack on one of their most frequented websites. Wiki.

I prefer Firefox with whatever changes they make to the rest.

Re: in my ChromeV56.0.2924.76(64bit)

in my fully updated Mac (El'Capitan10.11.6) chrome://plugins/, currently Widevine seems to be OFF

(tho' there are two hyperlinked "ENABLE" buttons "chrome://plugins/#")

Widevine Content Decryption Module - Version: 1.4.8.962 (Disabled)

Enables Widevine licenses for playback of HTML audio/video content. (version: 1.4.8.962)

Name: Widevine Content Decryption Module

. . .

Location: /Applications/Google Chrome.app/Contents/Versions/56.0.2924.76/Google Chrome Framework.framework/Libraries/WidevineCdm/_platform_specific/mac_x64/widevinecdmadapter.plugin

and furthermore - the 'old' trick of replacing "~/widevinecdmadapter.plugin" with summat'else might work?

or delving into "chrome://plugins/plugins.js", but then DCMA?

Re: Double agenda?

It *is* insecure. Whether that matters to you or not is another thing, but a http link allows a MitM to:

1. Read and manipulate any content the site sends to you, removing anything they don't like and adding any they want. This may be as simple as ad substitution or could directly implement an exploit.

2. Read and manipulate any content that you submit to the site.

What is wrong with letting people know?

And your self signing signature idea doesn't have legs because I can create a self signed signature for website.org and then MitM you. A CA needs to validate you control the domain. For example, letsencrypt will request you to host a file in a certain location to prove that the domain is under your control.

Re: Double agenda?

... if I go to a website "website.org" which is using a certificate issued by 'website.org' then isn't it a tad obvious that we're dealing with the same party?

Obvious, maybe, in a misleading kind of a way.

If someone has hacked DNS so that you are directed to a server that isn't "website.org" but has a self-signed certificate claiming that it is, then you tend to accept that even though it's a lie. If they have to have a certificate signed by a well-known CA the subterfuge becomes apparent.

Re: Double agenda?

Certificates are for encryption and authentication.

Self-sign certificates just provide a level of encryption. They are not secure on a public internet and provide no authentication.

Why would you need them anyway, wildcard certificates are cheap and free certificates are available.

The trusted root does have to be trusted for sure, but you can revoke trusted roots yourself, however if they screw up then they can lose their whole business if they are deselected by top browsers.

Saying a site is 'not secure' is just stating a fact. So if it asks you to send any data in a form field or it is hosting content that you may not wish to be associated with the it is a reminder. As more sites are going TLS then you start to accept it and gloss over unsecure sites.

Just remember that an unsecure site will also be receiving a lot of data about you that could be intercepted or could have any amount of malicious code injected into it.

Re: Double agenda?

At the moment the current build (56) of Chrome will only mark your site as not secure if you go to a page which asks for a password (input type-password) or it detects a field asking for a credit card number and you don't have https on either the parent or any sub frames (including iframes). The article is a bit misleading.

It is slated that it may implement it at some time n the future (I heard October) for all sites on all pages if not secure.

To see and example of the browser bar warning if using chrome look here (http://http-password.badssl.com/)

Re: Double agenda?

So now a website which doesn't use HTTPS gets labeled insecure by default?

Only if it contains something that looks like a log-in or sign-up form, for now

… as a man-in-the-middle would easily be able to change where the insecure form goes to, and you'd be none the wiser you'd be sending your personal details or log-in details to Mallory

Re: Cult of useless HTTPS

Without it shitty consumer grade ISPs will ALWAYS be tempted to inject adverts into pages.

Even for totally public webpages you want to ensure the integrity of the data, and know who to blame for malvertising (aka advertising).

Re: Cult of useless HTTPS

Users are users and will reuse those passwords on other sites. I agree on the caching problem. That is a solvable problem if they hash all the resources used by the page then sign the hash with their private key but i guess noone is pushing for it.

Re: Cult of useless HTTPS

Caching is a problem, but users will reuse passwords and shitty ISPs will inject ads. You're protecting them from themselves and from their ISPs.

Additionally, and perhaps most importantly for a business - Google are adding https to PageRank, meaning there is a commercial incentive to operate https if you want to be found.

Re: Cult of useless HTTPS

"The cost of that, in terms of loss of cacheability, is akin to that of a stoppage on the trains driving millions of commuters into cars. Why is a site whose contents are public imposing that cost on the 'net?"

"I agree on the caching problem."

"Caching is a problem"

What caching problem? HTTPS pages and resources are cached like normal.

Re: Cult of useless HTTPS

The problem Chocolate Factory is trying to address is overall poor security on the web combined with the generally poor user skills. HTTPS is not perfect, no one with a clue will say that, but it does offer more security than nothing (HTTP). To some extent the idea is to slow down the miscreants. Also, another part of this is add more layers to get through - defence in depth.

Remember the average reader of El Reg is likely very knowledgeable about computers, web design, etc. while average user only knows how to use a computer and is otherwise clueless about how they work.

Re: Annoying

"as we end up having to intercept and scan more secure websites"

Or insecure websites, as you've just made them. You are a man-in-the-middle so stop complaining about being outed as one.

" to ensure we are complying with our legal obligations."

What legal obligations would they be then? Can't think of anything that says children have no human rights, whatever headmasters would like to portray.

Re: Security and obscurity

Judging by this chromium bug discussion.

It seems the previous 'Details' button, which took you directly to the Security tab in the Dev tools window, was always just a temporary thing to bring attention to where the security info is located (i.e. inside the Dev tools).

Looks like the plan was always to remove it after a while, as they seem to think regular uses don't need to view the certificates. (Not sure I agree with this myself!)

The new 'Learn more' button is for regular users, rather than developers, so just takes you to the generic web page documenting what the various icons mean etc.

Seems the chromium devs didn't like the idea of regular users landing in the dev tools: Quote '...so that regular users who are newly clicking on the lock icon (due to icon/verbose UI changes) don't click on it and end up somewhere unexpected.'

Like I said, not sure I agree with this approach, and a few people on the chromium forum even suggest having a new link/button to take you directly to the certificate details.

But for now, seems we are stuck with Ctrl+Shift+I, or the More Tools -> Developer tools menu, then click the Security tab :-/

Re: Browser Facism gone mad

The logic is that one is something which people might think is secure but which isn't necessarily so, while the other is something no-one (quite correctly) thinks is secure.

Re: old article published with today's date?

We'll ask it's from a conference that run's from the 30th of Jan to 1st of Feb, not that old. (there is a very helpful link in the article those shows the dates in f'ing big letters).

https://www.usenix.org/conference/enigma2017

A simple typo and it should be V57?