
Chrome 68 Released: HTTP Sites Marked as “Not Secure” - l2dy
https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html
======
Sol-
Surely a good thing since marking HTTPS as "secure" was always a bit
misleading and normal users didn't understand that you were still subject to
phishing attempts and such even with an encrypted transport and authenticated
servers.

Now it reflects the real world better: HTTPS is necessary but not sufficient
for security, but with HTTP only you definitely don't have much security. I
guess that's the best you can guarantee or communicate via the browser UI.

~~~
bad_user
HTTPS is about securing the connection to the website and NOT about
identifying the website. It is sufficient for ensuring that intermediaries
(e.g. your ISP) cannot meddle with the content being served (i.e. it's a form
of signing the content for publishers), it ensures that the browsing stays
private (with new DNS developments, the domain name stays private too) and it
secures the data being sent (e.g. passwords).

Nothing is sufficient for total security, but "HTTPS everywhere" is a vast
improvement, going from zero security to almost sufficient security
overnight.

~~~
swebs
>HTTPS is about securing the connection to the website and NOT about
identifying the website.

Unfortunately, it's both. Otherwise we would have had widespread encrypted
connections decades ago. I'm not sure why browsers decided that no encryption
is just fine, but encryption with a self-signed certificate triggers warnings
that it's the end of the world.

~~~
lordlimecat
Because negotiated encryption is useless if you can't be sure you're talking
to the right person. If you are using a self-signed cert with an unknown
thumbprint, how does the other side know you aren't a MITM attacker?

------
michaelt
So has Google said how they expect router configuration pages, network
printers, NAS boxes and other local-network-connected devices to deal with
this?

I mean, I know Plex has an arrangement where they provide a dynamic DNS style
record and they have a special deal with Digicert to issue loads of wildcard
certificates [1] but that needs a bunch of infrastructure and a special deal
with a CA, as well as precluding offline use and breaking if the supplier ever
drops support.

And obviously, you can also use a self-signed certificate - but that means
teaching users "Just click ignore on the invalid certificate warning" and I've
heard people say we shouldn't train users to ignore invalid certificate
warnings.

Is there some alternative solution Google is proposing?

[1] [https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/)

~~~
fulafel
Your devices can get letsencrypt certs just like before. Or users get notified
about how the connection is in plaintext. Both are improvements to the
previous situation.

~~~
y0ghur7_xxx
> Your devices can get letsencrypt certs

I don't want all my internal network hosts exposed on a certificate
transparency log.

I want my http connections to work without scary warnings in my local home
network. Because if you show me scary warnings, and no meaningful way to
implement the http connection securely, I will just start to ignore them. And
if I ignore them in my lan, I will ignore them on the internet too. And that
would be a net security loss.

So either use something else entirely inside a lan, like TOFU as ssh does, or
allow http connections without tls and without scary warnings. But I think
deprecating http in local home lans with no meaningful way to make them secure
is not a step in the right direction.

~~~
tialaramex
There are three options

1. All your systems are provisioned to trust your CA, which can have any
rules you like. This counts as "Secure". Almost certainly your rules are
garbage, but I don't use your systems or trust your CA so I don't care.

2. Your local systems which you refuse to be transparent about are marked
"Not Secure" because there's no reason for a client to have any confidence in
their identity.

3. You offer transparency so that everyone (e.g. me) can see that there
aren't any shenanigans with the global public systems we all trust.

The fact that you don't like any of these options doesn't mean there are no
options, just that you didn't like them.

~~~
stephengillie
Removing the 4th option, do nothing, is the issue here. Action is being forced
that has no impact to GP.

~~~
tialaramex
Your "Fourth option" is still there, but this universe has time's arrow, so
you get the second outcome I described.

Because of time's arrow, it's a mistake to assume that if you do nothing then
nothing will happen; you're literally up against the Laws of Thermodynamics.
The only people who think you might win that fight are crackpots building
perpetual motion machines.

------
niel
For anyone wondering exactly what the current plan is regarding these
secure/not-secure indicators in upcoming releases, the Chromium Project has a
detailed proposal and timeline: [https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure](https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure)

Basically it comes down to eventually removing "secure" indicators completely
and only indicating when a page is considered "not secure".

As an aside, Let's Encrypt has been a godsend to me during this change.

~~~
tmikaeld
"Let's Encrypt has been a godsend to me during this change."

I think that's what made Google push this, since they are on the board of
advisors for the Let's encrypt certificate authority.

~~~
nsgi
It's more likely that Google's support for HTTPS everywhere caused them to do
both. It introduced HTTPS as a ranking signal in 2014, well before Let's
Encrypt.

------
sammorrowdrums
Anyone else got stories like this?

JustHost, one of the hosts I have had a few clients' websites on for years,
suddenly started to offer free Let's Encrypt SSL certs to protect users from
this change (previously you had to pay for a fixed IP, and the certificate
itself) - what a great thing to happen.

All I had to do was change a few .htaccess files, a few DB entries and track
down a few template files that had HTTP external JS references.

It was enough work that I had to invoice for the conversion (with the option
of not bothering) - but annual fees are still the same, clients' websites have
SSL and _every_ client wanted the upgrade, rather than be marked "insecure".

I really think this is a breakthrough change!

~~~
Arkanosis
OVH did the same thing silently in mid-2016 for shared hosting. GitHub Pages
did that silently too earlier this year for custom domains, and made an
announcement in May.

That's awesome :)

~~~
ams6110
My GitHub pages site is serving a certificate that expired in June though, any
idea how to get that updated?

~~~
laurent123456
I had the same problem and it got fixed quickly after I contacted them. It's a
bug in their auto-renewal script.

------
pilif
As somebody on the dev build train normally I've seen this change for quite a
while now and my brain quickly stopped processing the warning on HTTP only
sites.

I hope that flipping the switch now will cause enough of the remaining
non-https sites to start looking into switching before Chrome feels the need to
start adding "more prominent" warnings (for example using a modal dialog).

I agree that, yes, in general, we should all be using HTTPS on the internet,
but non-secured HTTP still makes sense for example during development or for
home routers and printers where traffic encryption is less important compared
to the initial UX (my parents could probably set up a home router on their own
if it's using non-encrypted HTTP but they would be totally unable to proceed
if it's using a self-signed cert).

~~~
nodesocket
I think one solution would be to make the secure badge more prominent, so that
when insecure your eye would be attracted to it. One solution would be to make
the entire background color of the secure badge green and invert the "Secure"
text to white.

~~~
lozenge
That's basically the approach taken so far and it hasn't worked. Users don't
notice these decorations.

Chrome wants to move away from the "Secure" wording because people don't
understand what it means, for example, they think it means they can trust the
site not to misuse their credit card details.

~~~
danieldk
Well, it doesn't help that the text (when clicking on 'Secure') says:

 _Your information (for example, passwords and credit card numbers) is private
when it is sent to this site._

To the layman this means: Chrome says it is safe to enter credentials on this
site (and not that it just means that it is hard to eavesdrop on the
connection), especially because this does not say anything about the
trustworthiness of the site.

~~~
nsgi
How would you phrase it instead, that would communicate the nuances of the
issue and allow the lay user to assess the risk?

------
alanfranzoni
For all those that scream about local devices and HTTPS: if you really want
HTTPS (and your printer/router supports HTTPS) you can get a certificate very
easily from Let's Encrypt:

- create an "internal" domain for your lan, e.g. home.example.com

- make AWS Route53 handle that zone

- create some AWS IAM credentials for Route53

- create some hosts (e.g. router.home.example.com)

- use certbot with the route53 dns option to get a certificate and private
key. Certbot will automagically add some TXT records to verify hostname
ownership and provide you with that.

NO NEED to expose anything on your public IPs, but mind you: your hostname
will appear in public CT logs. No
"greatnascontainingmypartnersnudephotos.home.example.com" hostnames!

~~~
swiley
This requires the device to be connected to the internet often which isn’t
always the case. If the device is the gateway you now have a circular
dependency (one that will only cause problems rarely but it’s still there.)

As long as http still works it’s fine, I think a security warning about it is
probably a good thing, but there definitely are places where “just use let’s
encrypt” isn’t an acceptable solution.

------
mstaoru
In China, many mainstream websites are still HTTP-only. 99% of government
websites are HTTP, including the ones you input very sensitive information
into. No wonder the black data market for any kind of records, including
medical, surveillance, tax etc., is so well developed and cheap here. Somehow,
SSL certificates for CDNs cost around US$2000/year. Proprietary DNS extensions
on Baidu, Alibaba, and Tencent clouds like 30x redirects do not work with HTTPS
at all.

~~~
exikyut
1. Besides making HTTPS non-mandatory, what else can businesses do to try and
attain/maintain a viable presence if they think they have something to offer
that may not be antagonistic to the Chinese government? Run on local servers?
(By "viable presence", I mean the ability to reach a small level of success
and not only be known by those who have figured out how to successfully and
consistently break through the GFW, or been deemed eligible for a waiver)

2. I'm beginning to see the HTTPS thing as some kind of strategic war move on
the part of the US, possibly 5 eyes, possibly other countries. I don't see it
making things simpler, only more complicated (one example I can give is
[https://news.ycombinator.com/item?id=17540111](https://news.ycombinator.com/item?id=17540111)
- it's a lot harder for me to analyze Web traffic within my own LAN now, I
have to set up a machine capable of breaking HTTPS, then secure it well enough
that I'm still confident to do my banking/etc).

~~~
windowsworkstoo
Re: China, just get an ICP. Aliyun will help you. You will need a Chinese
business entity and some form of in-country hosting, but it's not onerous.

------
jscissr
Not related to the 'not secure' marking, but on the page it says they fixed a
medium severity security bug reported in _2014_.

> [$500][394518] Medium CVE-2018-6169: Permissions bypass in extension
> installation. Reported by Sam P on 2014-07-16

And given the relatively low issue number (e.g.
[http://crbug.com/394520](http://crbug.com/394520) is from 2014), it's not a
typo.

~~~
exikyut
That issue number is "Intermittently, first key stroke is missed". The two
issues it links to also deal with keyboard input. I don't see anything
security-related in there.

O.o

~~~
jscissr
The actual issue is [http://crbug.com/394518](http://crbug.com/394518), which
is not public.

------
manbeena
Now it's time to make the local development environment HTTPS as well. Make
yourself a Certificate Authority (CA) and issue local certificates. This means
no warnings in browsers and ensures a better development experience. A post
from my colleague on how to do it: [https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046](https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046)
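The private-CA approach this comment describes (and tialaramex's option 1 further up: systems provisioned to trust your own CA), shown as an added example with the openssl CLI; this is not code from the post or the linked article. The CA name, hostnames and working directory are placeholders, and the remaining step, importing ca.crt into the OS or browser trust store, is outside the script.

```shell
#!/bin/sh
# Added example, not code from the linked article: a private CA for local
# development, built with the openssl CLI. Hostnames and paths are placeholders.
set -eu

# Create a self-signed CA certificate and key in $1. "openssl req -x509" marks
# the certificate CA:TRUE through its default extensions.
make_local_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Local Dev CA (placeholder)" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $2, signed by the CA in $1.
# Chrome ignores the CN and requires the name in subjectAltName, so the
# extension file carries it; CA:FALSE and serverAuth keep the leaf from
# being usable to sign further certificates.
issue_leaf_cert() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
  openssl x509 -req -sha256 -days 90 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

# Exit 0 only if leaf $2 chains to CA $1 AND matches hostname $3: the same
# two checks a browser performs once ca.crt is in its trust store.
verify_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demonstration on a throwaway directory.
demo_dir=$(mktemp -d)
make_local_ca "$demo_dir"
issue_leaf_cert "$demo_dir" "dev.localhost"
if verify_chain "$demo_dir/ca.crt" "$demo_dir/dev.localhost.crt" "dev.localhost"; then
  echo "dev.localhost: chain and hostname OK"
else
  echo "dev.localhost: verification failed" >&2
fi
```

Serve with dev.localhost.key and dev.localhost.crt; the leaf is deliberately short-lived (90 days) so a leaked dev key has a bounded lifetime, while the CA key should stay off the dev server entirely.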

------
omeid2
To play the devil's advocate and be very cynical (which is always fair game
IMHO):

This change has the effect of pushing even mundane websites to use SSL, and so
locking out corporate-level and other players from analysing web usage, or at
least making them less effective, which enhances and increases Google's
dominant position in "web scale" analysis even more.

~~~
RandomInteger4
Nani? What does https have to do with analyzing web usage? Whatever that means
exactly.

~~~
omeid2
ISPs (almost all of them) and lots of corporate (school, business, university)
firewalls run analysers on websites and aggregate that data.

This data can provide a fair bit of powerful insight and intelligence into
things like change of trends and growth of businesses.

------
lylecubed
I'm surprised nobody's talking about the political implications here. This
could do more damage to the open internet than revoking net neutrality.

Here's a link to hn.algolia.com for the search 'ssl revoked.'

[https://hn.algolia.com/?utm_source=opensearch&utm_medium=sea...](https://hn.algolia.com/?utm_source=opensearch&utm_medium=search&utm_campaign=opensearch&query=ssl%20revoked&sort=byPopularity&prefix&page=0&dateRange=all&type=story)

------
swebs
Anyone have a screenshot of what the new warning looks like?

~~~
moviuro
[https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html](https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html)

------
megaman22
Bit silly for a blanket policy. Who cares if a read-only site is delivered
over HTTP, HTTPS, or carrier pigeon?

~~~
freeone3000
If you care at all what the site says, it should be important to you that you
can verify who said it.

------
jbb67
Goodbye Chrome then. Basically corporate scumbags pushing their own agenda
with just enough plausibility that the gullible will help push their agenda
for them.

What happened to "do no evil"? Seems to be all Google do now.

~~~
matthewmacleod
What on earth are you talking about?

I've heard this nonsense over and over again, and not a single person has been
able to provide a plausible explanation why this is a bad thing to do.

~~~
moviuro
See [https://scotthelme.co.uk/https-anti-vaxxers/](https://scotthelme.co.uk/https-anti-vaxxers/)

------
Dolores12
All legacy heritage content that is hosted using the http protocol just became
not secure in Chrome. What solution does Google suggest? Who will pay to
upgrade old infrastructure? Pandora's box.

~~~
ealhad
All legacy content that is hosted using http protocol is, in fact, not secure.
It's definitely not a bad thing to warn people.

~~~
Dolores12
For the general public, 'not secure' implies something like 'not safe'.

~~~
beezle
That is exactly why Google's choice of wording is so poor. Far better would be
'encrypted/not encrypted' as that is all https really is. Safe can have far too
many meanings and I won't be at all surprised when Google faces a class action
when 'unsafe' things happen on a website they deem 'safe.'

Personally, I don't understand the heavy push to force https on everything and
anything. The maintenance/time required to set up and maintain is not
insignificant and is really quite pointless in many situations. Do you really
need an encrypted connection to LOLCats?

~~~
ealhad
You need an encrypted connection, period.

If you only use an encrypted connection when you need it, then one can know
that, well, you need it.

You have nothing to hide... until you do.

------
mosselman
How about blogs that only work with JavaScript and external sources allowed?
Those sites should be marked as "Not worth your time"

~~~
ahje
The link works well in links, suggesting your problem description is invalid.
Are you allowing execution of some of the JS on the site perhaps?

