Google Chrome Now Blocks Insecure Scripts on HTTPS - riledhel
http://google-chrome-browser.com/google-chrome-now-blocks-insecure-scripts-https

======
stellar678
I like Chrome's ongoing attempt to push forward security where it's obviously
deficient, but I'm worried that we'll start getting warning-weary with
all these drop-down bars telling us that something _might_ be awry. Any site
that has Java already gets one of these on Chrome, now this will pop up, seems
like it will just train users that the only way to get their web content to
display properly will be to click "yes! run it! dammit, just let me see my
stuff because I couldn't care less what you're telling me!" I'm not quite sure
what a better UI solution would be however...

~~~
mtogo
It's not a UI problem, it's a user problem. Users will always click "Yes,
allow" to everything without even reading it, be the message in a dialog box or
a notification bar or a demon holding a flashing neon sign.

It's a big problem, but it's more about users compulsively clicking Yes and
not so much about Chrome's UI.

~~~
mquander
Wait a minute, what the hell do you think got them in the habit of
compulsively clicking "yes"? It's interfaces like this, which offer a question
for which the correct answer 95% of the time is to click "yes".

I'm not saying that I have a better idea about how to do it, but this is UI
designers reaping what they have sown.

~~~
thwarted
The correct answer isn't to click "yes", the correct answer is to click "no".
The problem is that the correct answer doesn't give someone access to the
content, and many, many sites are not in a position to do things correctly or
don't understand what the correct thing to do is (I don't know why this is the
case), so if the user wants to make any progress at all, even if they end up
doing so insecurely, they have to answer in whatever way allows them to make
progress.

~~~
mquander
Well, I'm not sure I agree. The correct answer is determined by how much they
care about the risk that someone might be feeding them a malicious script. I
think most users care more about the convenience of accessing their favorite
site with full functionality than this security problem, as demonstrated by
most people's totally lax regard for security in other ways.

(Of course, I'm sure that most users have no idea what clicking 'yes' entails
-- I'm just proposing that if they did, they would probably click 'yes'
anyway.)

~~~
mtogo
No, you're wrong. If a site has users that don't care about security at all
and are happy to have their accounts compromised, the site shouldn't even be
using SSL in the first place.

~~~
mquander
Isn't it perfectly plausible that 80% of a site's users don't give a hoot
about security, but 20% do? I don't see any reason not to give the minority
SSL (hopefully compromised minimally by non-SSL resources) regardless of
whether the majority cares.

~~~
mtogo
| SSL (hopefully compromised minimally by non-SSL resources)

There's a reason browsers don't display a secure logo on HTTPS connections
with non-HTTPS resources: it's not secure. It's not "minimally compromised",
it's compromised. If my server has one service with one vulnerability, it's
not "minimally vulnerable", it's vulnerable.

| I don't see any reason not to give the minority SSL

I was being sarcastic.

| Isn't it perfectly plausible that 80% of a site's users don't give a hoot
about security, but 20% do?

It's not even about the users. _The site should not ever be mixing HTTP with
HTTPS on the same page._

~~~
mquander
Yeah, I agree with that. It's a stupid problem, but the problem exists, and
until we are allowed to forcefully seize the servers of people who implement
shitty software and fix the problems, it won't go away, so it's worth trying
to do the best thing possible for users.

------
buro9
One of the side effects of this that I've seen is on sites that are on
https:// but offer embedded YouTube and other such scripts that are coming
from http://

Basically... I'm seeing this message crop up wherever I see embedded media.

Message is: Even if your site doesn't need https://, if you're going to
offer widgets and embedding you better offer an https:// option for those.

~~~
abraham
YouTube does provide SSL for embeds. Many sites just don't use it.

------
iam
I would go one step further and block form input when you are on an HTTP site,
to forms that go to HTTPS. This would end the charade of "secure" log-ins on
an HTTP page by forcing the login page to be an HTTPS page.

~~~
etherealG
can you explain how this is a charade? I would think that posting my username
& password from a http site to a https site still does ssl negotiation before
sending that username and password along a network pipe. Doesn't sound like a
charade to me.

~~~
mnutt
The only problem is that someone can MITM your connection to the http page and
send you back javascript that steals your password.

~~~
capnrefsmmat
Or just change the form so it POSTs to their secret evil server, rather than
to the secure site.

------
Groxx
Harsh, when this hits the stable build, but a good thing overall. Web security
really is a frightening place, this will help encourage at least a chunk of it
to improve.

~~~
roam
IE has been doing the same thing for years.

~~~
skimbrel
It has, but I bet this has trained a lot of Windows users to just click OK
because it's another thing that gets in the way of loading a page…

At least Chrome's interface for this makes it less obtrusive than a pop-up
dialog.

~~~
Encosia
In IE9, the mixed content warning is not modal. It blocks insecure content by
default, with a notification bar that allows the user to allow mixed content.

~~~
pyre
IE9 hasn't been out for 'years' though.

------
dmaz
<http://news.ycombinator.com/item?id=2662694>

------
jasonkester
The important thing with features like this is that you can't allow the user a
way to disable it.

If it can be disabled, the first people who disable it will be developers, who
will proceed to continue building websites that pop this up for everybody
else, oblivious that it's pissing off every one of their users.

We already went through this cycle once with javascript error popups.
Developers turned them off, then pasted in crappy 3rd party dhtml menu code,
which in turn threw up warnings for every regular user to come down the pike.

These warnings need to be prominent and painful. And they need to stay that
way for everybody, otherwise they'll just be an annoyance for non-savvy users,
rather than an incentive to fix the 400 million sites that are currently
getting this wrong.

------
jeggers5
This can only be considered as a good thing. Chrome is innovating, and pushing
all the other main browsers to do the same and become more secure. If anything
I think that Chrome is helping Google's Apps (Gmail, Calendar etc) to run
smoother across the board on all browsers.

------
eneveu
That's where relative URLs without a scheme come in handy, e.g.
"//www.example.com/example_file.js"

If the current page is served over https, it will load scripts using https. If
it's served over http, it will use http.

http://stackoverflow.com/questions/550038/is-it-valid-to-replace-http-with-in-a-script-src-http
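The three points raised in this thread (buro9's embedded widgets loaded over http:// on an https:// page, the "secure login form on an HTTP page" discussion, and eneveu's scheme-relative URLs) all come down to how the browser resolves a sub-resource reference relative to the page that embeds it. The script below is an added example, not code from the thread, from Chrome or from any site it mentions: it resolves each reference the way a browser does (a `//host/path` reference inherits the page's scheme) and classifies it the way a mixed-content check would. The hostnames, paths and sample HTML are constructed for illustration; the tag-to-attribute table and the active/passive split are the author's own simplification.

```javascript
// Added example (not from the thread or from Chrome): audit a page's HTML for
// sub-resources a mixed-content check would flag, and for the "HTTP page that
// POSTs to HTTPS" login pattern discussed above. All hosts are constructed.

// Active content runs with the page's origin; passive content can only be
// swapped for other media. Browsers block the former and warn on the latter.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link', 'object', 'embed']);

// Which attribute carries the resource reference for each tag (default: src).
const REF_ATTR = { form: 'action', link: 'href', object: 'data' };

// Resolve a reference the way the browser does: a scheme-relative "//host/p"
// inherits the scheme of the page that embeds it, so it is https on an https
// page and http on an http page.
function resolveRef(pageUrl, ref) {
  return new URL(ref, pageUrl);
}

// Classify one reference found in a page served from pageUrl.
function classifyRef(pageUrl, tag, ref) {
  const page = new URL(pageUrl);
  const res = resolveRef(pageUrl, ref);
  if (tag === 'form') {
    // The form's HTML arrived over HTTP, so anyone on the path can rewrite the
    // action or inject script before the HTTPS POST ever happens.
    if (page.protocol !== 'https:' && res.protocol === 'https:') return 'form-on-insecure-page';
    if (res.protocol === 'http:') return 'form-posts-in-clear';
    return 'ok';
  }
  if (page.protocol !== 'https:') return 'page-not-https'; // nothing to mix
  if (res.protocol === 'https:') return 'ok';
  if (res.protocol === 'http:') return ACTIVE_TAGS.has(tag) ? 'mixed-active' : 'mixed-passive';
  return 'other-scheme'; // data:, blob: and friends are out of scope here
}

// Scan raw HTML for the tags that load sub-resources or submit forms. A regex
// scanner is sufficient for well-formed markup like the sample below.
function auditHtml(pageUrl, html) {
  const findings = [];
  const tagRe = /<(script|iframe|link|object|embed|img|audio|video|form)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = REF_ATTR[tag] || 'src';
    const attrRe = new RegExp(attr + '\\s*=\\s*["\']([^"\']+)["\']', 'i');
    const a = attrRe.exec(m[2]);
    if (!a) continue; // e.g. an inline <script> with no src
    findings.push({
      tag,
      ref: a[1],
      resolved: resolveRef(pageUrl, a[1]).href,
      verdict: classifyRef(pageUrl, tag, a[1]),
    });
  }
  return findings;
}

// Constructed sample: an HTTPS account page that pulls a CDN script via a
// scheme-relative URL, plus a third-party widget and a video embed over HTTP.
const SAMPLE_PAGE = 'https://shop.example.test/account';
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="//cdn.example.test/lib.js"></script>
<script src="http://widgets.example.test/embed.js"></script>
<iframe src="http://video.example.test/embed/123"></iframe>
<img src="http://img.example.test/logo.png">
<form action="https://shop.example.test/login" method="post"></form>
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditHtml(SAMPLE_PAGE, SAMPLE_HTML)) {
    console.log(`${f.verdict.padEnd(14)} <${f.tag}> ${f.ref} -> ${f.resolved}`);
  }
  // The same login form served on an HTTP page is the "charade" from the thread.
  console.log(classifyRef('http://shop.example.test/', 'form', 'https://shop.example.test/login'));
}
```

Run it with `node audit.js`: the scheme-relative CDN script resolves to https and passes, the widget script and the video iframe are reported as `mixed-active` (what Chrome now blocks), the image as `mixed-passive` (warning only), and the login form is fine on the HTTPS page but becomes `form-on-insecure-page` when the same markup is served over HTTP. Swapping the `http://` widget references for `//` or `https://` ones, as YouTube and most CDNs already support, makes the report clean.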

------
jackolas
We just need to start doing //:domain.foo/script.js (protocol relative URL)

------
zmmmmm
I've been puzzled for years about why Chrome ever allowed this. IE always
blocked such scripts. It makes no sense to block a whole page that has an
invalid cert with a warning but display no warning at all to a user (other
than losing the green on the URL) when a valid HTTPS site loads an insecure
script in the background.

------
igorgue
This has been annoying to me, since Google Reader doesn't have a valid cert
(sometimes) so I always get that message.

~~~
pilif
Nope. Google Reader is fine. But the RSS entries that it's displaying
sometimes include other resources from the original blogs. For videos or click
tracking, this sometimes is JS.

Before the change, it just put the browser into mixed-content-mode, but now it
does that and in addition it disables loaded JS.

I think it should block it without the error message though.

~~~
abraham
The problem with not having an error message is then content disappears and
users will have no idea. Not a good experience.

------
digamber_kamat
this is truly nonsensical. How am I supposed to serve my YUI files?