
Chrome will mark all HTTP sites as ‘not secure’ starting in July - Sami_Lehtinen
https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl
======
wildpeaks
If you wonder how to get HTTPS for your local virtual hosts:

1. create a local CA

2. create a certificate using that local CA

3. Then you can add the CA to your trusted authorities (Firefox needs an
extra step: either enable the "security.enterprise_roots.enabled" flag, or
import the CA certificate manually).

Details at:
[https://gist.github.com/cecilemuller/9492b848eb8fe46d462abeb...](https://gist.github.com/cecilemuller/9492b848eb8fe46d462abeb26656c4f8)
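
The three steps above as an added shell example (not from the comment or the linked gist): it creates a throwaway local CA with openssl, signs a leaf certificate for a local virtual host with it, and checks that the leaf chains to the CA and carries the right subjectAltName. The hostname myapp.test and the temp working directory are assumptions.

```shell
# Added example, not from the thread or the linked gist: throwaway local CA,
# leaf cert for a local virtual host, then a chain + SAN check. Assumed values:
# hostname "myapp.test" and a temp working directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
make_local_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Local Dev CA (example)
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA; only this certificate goes into the browser/OS trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
make_leaf_cert() {  # $1 = hostname of the local virtual host
  cat > "$WORK/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1, DNS:localhost, IP:127.0.0.1
EOF
  # Browsers match the host against subjectAltName, not CN, so SAN is required.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/leaf.cnf" \
    -extensions leaf_ext -out "$WORK/leaf.crt" 2>/dev/null
}
verify_leaf() {  # $1 = hostname; succeeds only if chain and SAN both check out
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/leaf.crt" -noout -text | grep -q "DNS:$1"
}
make_local_ca && make_leaf_cert myapp.test && verify_leaf myapp.test &&
  echo "myapp.test: signed by local CA, chain and SAN verified"
```

Point your local web server at leaf.crt and leaf.key, and import only ca.crt into the trust store; the CA key never needs to leave the machine.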

~~~
Buetol
Let’s push for self-signed certificates everywhere ! Let’s do Trust On First Use
like SSH and now we’re done with all this certificate authorities’ bloated
bureaucracy

~~~
rileymat2
But how am I supposed to know if I can trust it if it is the first time I am
using it?

~~~
Buetol
I trust my first-time connection to a website more than some random authority in
a random country signing it, it’s that simple. But the money grab is so big that
they keep existing !

EDIT: And you’re saying the SSH model is broken then. Also you can verify the
certificate signature via another channel, like a git repo of all the
signatures of the most important websites (I know, it looks like a CA)

~~~
Karunamon
A few problems:

1. SSH's whining about first connection fingerprint trusting is needlessly
petty and nobody actually checks the fingerprints, and in many cases they have
no need to do so anyways.

2. Almost all cert errors a user will encounter in the real world are the
fault of misconfiguration (wrong domain) or pathological/greed-driven behavior
(expiration) rather than something that actually impacts the confidentiality
of the connection (which is what we care about).

3. The fact that all cert errors are treated as the same severity (red
screen! exclamation points!!1 YOU ARE IN DANGER!!!1one) conditions people to
click by them without thought.

~~~
charleslmunger
> A few problems:

> 1. SSH's whining about first connection fingerprint trusting is needlessly
> petty and nobody actually checks the fingerprints, and in many cases they
> have no need to do so anyways.

I disagree, but this is really a question of configured defaults and security
UX. The first connection you make to a server is not secure, and impacts the
security of all subsequent requests to that server.

> 2. Almost all cert errors a user will encounter in the real world are the
> fault of misconfiguration (wrong domain) or pathological/greed-driven
> behavior (expiration) rather than something that actually impacts the
> confidentiality of the connection (which is what we care about).

This is the great success of TLS - attacks are so rare that most users won't
encounter them. Misconfiguration is indistinguishable from an attack, so the
only reasonable thing to do is to warn the user as if it is an attack.
Expiration is not a money grab, especially since the CA with the shortest
expiration is also completely free. Expiration is a great thing. It limits the
window of vulnerability for compromised certificates, and means that
revocation lists like those shipped by Chrome do not have to grow endlessly
large, since expired certificates can be pruned.

> 3. The fact that all cert errors are treated as the same severity (red
> screen! exclamation points!!1 YOU ARE IN DANGER!!!1one) conditions people to
> click by them without thought.

With HSTS, that's not an option - and Chrome can be configured by sites and
enterprises to disallow bypassing certificate warnings. For example, try
bypassing this one:

[https://pinning-test.badssl.com/](https://pinning-test.badssl.com/)

~~~
Operyl
Interesting. I thought Safari on iOS would block it, but I guess that is just
Chrome still.

------
stefan_
So, what is the Chrome team's solution for local network devices like routers?
Proxy it over the manufacturer's server for a complete loss of any privacy and
security, but hey, there is a green check mark then?

~~~
zokier
I don't know why there is still no standardization for advertising/providing
CA services for local networks. How difficult would it be to just put a local
ACME endpoint in the DHCP options?

~~~
prepend
But then what’s the point? How is it more secure to have anyone get a server
cert automatically without credentialing? Not to mention training users to
trust all the BS local CAs popping up now that can then MITM traffic.

As a user, I don’t want local networks setting me up to make me recognize
their CA services.

At first I liked SSL everywhere, but now I’m seeing a lot of hacks that are
going to make SSL less useful.

~~~
Karunamon
_Not to mention training users to trust all the BS local CAs popping up now
that can then MITM traffic._

You say that as if users don't already mindlessly dismiss most warnings
already. I'm not convinced this would be that big of a difference from the
current system.

------
josefresco
This is a small signal change, most users won't notice. See the example image:
[https://3.bp.blogspot.com/-pcT-gkZb6OA/WnyBrJKufcI/AAAAAAAAA...](https://3.bp.blogspot.com/-pcT-gkZb6OA/WnyBrJKufcI/AAAAAAAAAkM/Xojd1GDFbsgwc6ZhZnNjdOFKXeZ_JlMtACLcBGAs/s640/Treatment%2Bof%2BHTTP%2BPages%25401x.png)

------
jcoffland
I wish Chrome would make an exception for pages on localhost and devices on
the local network. There are currently no good solutions for acquiring
certificates in these cases.

~~~
tialaramex
Localhost already is an exception. For best browser compatibility use either
127.0.0.1 or ::1 as appropriate rather than the name localhost.

The browser has no realistic way to conclude that your "local" network is
secure. It probably isn't. So there's no sane policy that says that's OK.

------
bcheung
HTTPS is definitely good but this is a bit strong-handed.

Many small devs don't want to deal with the complexity of HTTPS and the extra
fees. It's a lot better with Let's Encrypt but I've talked to non-technical
people who have shelled out $300/year to their host providers just to have
HTTPS and inevitably lots of things break due to hard-coded links in their
outdated software.

If authentication happens through a 3rd party provider and there isn't any
need for a site to be secure, why force the matter?

Broken sites lead to a massive drop in sales. All because Google thinks it
knows best.

If they truly wanted to solve the problem, why don't they offer a proxy that
converts HTTP traffic to HTTPS traffic that gets used in Chrome?

Instead they force people who don't have the technical knowledge that they can
get HTTPS for free to pay huge fees and inevitably have their sites broken in
the process.

------
trevorhinesley
I thought this had been the case for a while now? I swear I've seen this
headline 10 times in the last two years.

~~~
tialaramex
Chrome in particular has been gradually tightening things up. So there have
been similar stories, and of course both the announcement and then it
actually happening each get an HN story.

For example, a while back Chrome changed their porn viewing mode ("Incognito")
to label HTTP Not Secure, and changed normal mode to mark pages Not Secure if
the user seems to be filling out a form.

------
johnp_
If you want to test this in Firefox you can set these prefs:

security.insecure_connection_icon.enabled

security.insecure_connection_text.enabled

------
bcheung
And yet they recently changed it so that if you name a text field username or
password it will get filled in with the current user's info, even when it is
an admin page where you create new users. There is no way to instruct Chrome
to NOT autofill your credentials onto another user. They removed support for
the HTML attributes ages ago and even removed the workaround (hidden fields
with display: none that don't get used) developers used to prevent this
behavior.

~~~
ceejayoz
Yup. I had to disable autofill entirely to stop obliterating users' data in an
app I work with.

------
segmondy
We should mark all sites serving Google ads as "spying on you"

~~~
Jitnaught
Is there an alternative ad network that doesn't spy on users?

~~~
sjapkee
There is no need for an ad network at all.

------
throw2016
Technical people should not be pushing centralization and vested interests,
that's not a technical solution.

In a world of state surveillance and invasive data practices by SV-based
companies it's difficult to understand this obsession with HTTP
scaremongering by some to perpetuate more centralization.

~~~
romwell
> it's difficult to understand this obsession with HTTP scaremongering

You surely meant it's _not_ difficult, right? The first part of your sentence
is exactly the answer.

~~~
throw2016
Why would that be? HN is full of people who do not like even essential
bureaucracy, let alone an unneeded one. Yet when it comes to superfluous
certificate authorities suddenly it's ok? That does not make sense.

Everyone is concerned about centralization in other contexts but does not see
the downsides of certificate centralization and control? How is it that there
is no technical solution that does not involve 'authorities'?

This is how control works, first it's innocuous and harmless - just get a cert,
it's even free from Let's Encrypt. Then after that is accepted it's x,y,z. Then
it's x,y,z and your first newborn. And now you have a way to effectively
prevent people from publishing and can silence dissent and anything you don't
like under the cover of 'process'.

~~~
romwell
Wait, you _don't_ see the obvious benefits of a local coffee shop page
displaying its address and hours being served over an _encrypted_ and
_secured_ connection?

Sarcasm aside, I think that the big organizations pushing for HTTPS everywhere
also tend to employ a lot of people who visit HN; company culture does have an
effect.

------
detaro
Previous discussion of source:
[https://news.ycombinator.com/item?id=16334241](https://news.ycombinator.com/item?id=16334241)
(806 points, 814 comments)

------
ksri
Is this also true for localhost, or does localhost get special treatment? What
is a good way to get HTTPS certificates for localhost other than self-signed
certificates?

~~~
BrowncoatShadow
[https://github.com/FiloSottile/mkcert](https://github.com/FiloSottile/mkcert)

Still self-signed, but generates a CA that gets added to your browser. It is
all pretty seamless.

~~~
steve19
Is there any downside to using this to secure local servers with non-TLD
domains such as server.local?

------
diegoperini
Not sure if asked but, how can I enable HTTPS for my statically hosted
Github.io site CNAMEd under my own domain?

------
zelon88
I think it's funny that Google wants to start marking HTTPS as insecure and
yet Google Search Console's "Fetch as Google" won't even follow a 301 response
that redirects HTTP queries to HTTPS.

------
doctorwho
Chrome is a jerk

------
linuxftw
All traffic encrypted means no one can see your outbound transmission data,
including you!

No way to verify what you're sending on the wire if the application is
proprietary (and statically compiled) without dumping memory, which would be
quite odious.

~~~
UncleMeat
...

You own the client. You can watch the traffic in the browser before it is
encrypted.

------
jbb67
Bye bye chrome. You were useful until you started pushing your agenda on
everyone

~~~
sarif
You're kidding right? It's 2018, there is no reason to not use HTTPS these
days. With Let's Encrypt it's not like it's costing you anything.

~~~
icedchai
Time is money. It takes time to set it up.

~~~
sarif
damn, I should do what you do for a living if five whole minutes costs that
much.

~~~
icedchai
It's _easy_ for people like us to set it up. I've set up Let's Encrypt many,
many times.

Now, imagine you are Joe Blow hosting his blog on some small web host that
barely supports WordPress. Logging into cPanel is confusing to you. How do you
deploy SSL?

~~~
sarif
that is a fair point.

~~~
icedchai
It looks like cPanel does support a Let's Encrypt plugin, which is really cool:
[https://blog.cpanel.com/announcing-cpanel-whms-official-lets...](https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/)

However, I have to wonder how many hosts actually enable it...

------
bowlich
Because my statically generated blog really needs https.

This is really going to create an additional layer of inconvenience for people
who just want to drop some html documents in an ftp folder and be done with
it.

~~~
hughes
Nobody's saying it does - including Chrome. The browser will simply (and
correctly) show "Not Secure" in the address bar next to the URL when viewing
your blog. If a user doesn't have an expectation of security, they won't be
bothered or perhaps even notice.

~~~
ysavir
Which is great for users that understand what these security concerns are all
about, like typical HN folk. But these people are probably aware of cyber
security already, so not much gain here.

And people that _don't_ understand cyber security will have no context for
what "not secure" means, and may needlessly avoid a variety of HTTP
static-HTML sites, where these security issues aren't that great a concern.

~~~
sarif
Um, good? If people avoid your site because it's not secure, maybe you should
fix it?

~~~
NeoBasilisk
What does it mean to fix a site that does not accept/process POST requests?

~~~
UncleMeat
Start serving over https? Since when has encryption only mattered for POST?

~~~
NeoBasilisk
Can you explain the benefit in other situations?

Preventing MitM attacks is the only thing I can think of.

