Chrome Will Soon Mark All HTTP Pages As "Not Secure"

rgMekanic

Google has announced today that with the release of Chrome 68 in July, Chrome will mark all HTTP websites as "not secure." This change is in line with what Google has been trying to do for the past several years: pushing sites to adopt HTTPS encryption.

Sounds like a good plan to me, this coupled with the built-in ad blocker that's coming to Chrome next week makes it seem like Chrome will be the browser king for a while longer.

Chrome's new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.
 
An ad-blocker in a browser made by an advertising company.....isn't that the very definition of an oxymoron?
I like Chrome but it's becoming slower and slower due to ads, and not only that but these ads are injected by its own adChoices software......it's terrible. I will believe the ad-blocker works like they say when I see it first hand. I think that the ads being blocked are going to be the ones that are not "Google approved".
 
The features sound good, but what Telemetry data does it send back to Google ?? You don't get anything for nothing !!!
 
Performance improvement? Measured in a negative value.

Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!

Just go to hell Google.
 
This is fine and dandy, but many sites (informational, just read only stuff) that don't have any types of forms / logins will be flagged when they really don't need the security or the burden of the security.

I have a wholesale hosting provider that gives me something like 25 domain spots. But getting certs on those is a PITA (and expensive since I don't have direct access for something like Let's Encrypt). I'll be a tad curious how they respond to this. My guess is that they may have to drop the charge-you-for-the-cert and allow you to manage via a cPanel plugin of sorts.
 
Performance improvement? Measured in a negative value.

Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!

Just go to hell Google.
Better yet is when you use a self-signed certificate on your own shit and you get warnings out the ass because there's no trusted authority behind it and being taken to a landing page explaining that it's not safe.
It's utterly retarded. How does a trusted authority make it any more secure with leaked keys out in the wild? HTTPS already has man in the middle attacks that have been going rampant in standard firewall appliances so that the corporate firewalls can do deep packet inspections. Thinking that a website is secure because it's https is a joke.
 
AV and the massive amount of false positives if you don't have a signature, plus Google HTTPS requirements, are the modern day version of the mobs wanting protection money.
You ain't protecting against anything but problems you created for me.
 
Performance improvement? Measured in a negative value.
I assume they mean some annoying js features that I normally wouldn't want? or is that the "powerful new features" hard time figuring out how loading up a cert is quicker than not loading up a cert.

Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!
https://letsencrypt.org
...not that it does my router much good ;)
 
The days of HTTP being acceptable are gone. It used to be all HTTP and just HTTPS on the login page or form. Anyone who wants to have a public website these days will just have to pony up a bit or use something like SquareSpace where they handle all that for you. If it's a small personal thing you can have your friends or family or whatever click advanced and continue past it.

Let me guess, you still want your Adobe Flash plugin to auto play on your HTTP site as well, right?
 
Isn't something like more than half the websites using https running SSLv2 or earlier which is known to be easily compromised? So what's the whole point? Unless they're going to somehow force everything to TLS v1.3 this whole thing is stupid.

And I totally agree with this. Certs for my personal website that just displays plain info is an expense I don't need. And I also don't need legitimate users being scared off by some half baked thing that Google releases... which is EVERYTHING these days.
Performance improvement? Measured in a negative value.
Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site .
 
Oh wait, this isn't the full blown error like an invalid HTTPS cert, this just lists it in the title bar that it is "not secure", which is true. Firefox already does this with http sites. It just shows a little lock with a cross through it. It's fine. No biggie. Not as big of a deal as the full page warning for invalid HTTPS.
 
Wonderful, 700 clients calling me in July reporting they've been hacked, the site they usually go to is hacked, their PC is "messed up", and having no clue about what http or https is nor how to click to proceed to the site anyway. Employees who have little to no computer skills, CEOs and managers demanding I "fix Google" to make that function stop, etc.
 
Performance improvement? Measured in a negative value.

Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!

Just go to hell Google.

It's actually currently very hostile to sites using self signed certificates and won't let you make an exception to the stupid warning page even if the site is on an RFC1918 address range. Now they'll punish the HTTP sites. What assholes.
 
Performance improvement? Measured in a negative value.

Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!

Just go to hell Google.

Don't self sign when you can just as easily create your own certificate chain using something like OpenSSL for the same cost of nothing. Import the root CA cert into the trusted certs folder of your devices and you'll never have to worry about software complaining of untrusted connections again.
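
The private-CA approach suggested in the post above, sketched with the openssl CLI as an added example (not part of the original thread). The file names, the CA name, `unifi.home.example` and `192.168.1.10` are constructed placeholders; the server certificate carries a subjectAltName because browsers match host names against SAN, not the CN.

```shell
#!/bin/sh
# Added example: private root CA plus one server certificate.
# All names and addresses below are constructed placeholders.
set -eu

# make_root_ca DIR: create DIR/ca.key and a self-signed root DIR/ca.crt.
make_root_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Home Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"   # this key can sign for any name: keep it private
}

# issue_server_cert DIR NAME SAN: key and cert for NAME, signed by the root in DIR.
# SAN is an OpenSSL subjectAltName value, e.g. "DNS:host,IP:192.168.1.10".
issue_server_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $3
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$1/$2.cnf" -extensions v3_leaf -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# cert_matches DIR NAME HOST: succeed only if DIR/NAME.crt chains to the root
# in DIR and its subjectAltName covers the DNS name HOST.
cert_matches() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# cert_matches_ip DIR NAME ADDR: same check for an IP address entry in the SAN.
cert_matches_ip() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_root_ca "$demo_dir"
issue_server_cert "$demo_dir" unifi "DNS:unifi.home.example,IP:192.168.1.10"
cert_matches "$demo_dir" unifi unifi.home.example && echo "chain and host name OK"
cert_matches "$demo_dir" unifi other.home.example || echo "other.home.example rejected"
rm -rf "$demo_dir"
```

Only `ca.crt` is what gets imported into each device's trust store; the server receives its own `.key` and `.crt` pair.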
 
That's a reasonable approach, but in this case it isn't my own web server, it's the management interface for the Ubiquiti UniFi Controller, and some of my managed switches. Let's Encrypt provides free certificates for Apache or IIS which would be even better, no client certs but I have enough things to do than figure out how to shoehorn in a certificate these devices weren't designed to accept, just so that Chrome doesn't throw a fit.
 
That's a reasonable approach, but in this case it isn't my own web server, it's the management interface for the Ubiquiti UniFi Controller, and some of my managed switches. Let's Encrypt provides free certificates for Apache or IIS which would be even better, no client certs but I have enough things to do than figure out how to shoehorn in a certificate these devices weren't designed to accept, just so that Chrome doesn't throw a fit.

https://help.ubnt.com/hc/en-us/articles/212500127-UniFi-SSL-Certificate-Error#2

Anything above consumer grade is pretty much set up to handle basics like ssl certs else they'd have issues selling to businesses where passing vulnerability scans is a must.
 
Don't self sign when you can just as easily create your own certificate chain using something like OpenSSL for the same cost of nothing. Import the root CA cert into the trusted certs folder of your devices and you'll never have to worry about software complaining of untrusted connections again.

You are not getting it. This is about another business dictating to me how I should run my personal or business WEB space. On any form it is reasonable to require an encrypted connection, which I already do. On a pure HTML page, with no javascript even, it is unreasonable to require an encrypted connection.

Google can go to hell.

You think Ford would be happy if Toyota was dictating to them how they build cars? No, they would tell Toyota to "go to hell!".
 
Switched my two websites over to HTTPS a year ago. My web host offered it for free and the change was quick. The only issue was that one of my sites dropped down a few pages in Google search, but bounced back to the first page within a few months. DuckDuckGo showed no change in page rank.
 
You are not getting it. This is about another business dictating to me how I should run my personal or business WEB space. On any form it is reasonable to require an encrypted connection, which I already do. On a pure HTML page, with no javascript even, it is unreasonable to require an encrypted connection.

Google can go to hell.

You think Ford would be happy if Toyota was dictating to them how they build cars? No, they would tell Toyota to "go to hell!".

You are making excuses to be a hipster and hate on Google because it's trendy when in truth, forcing secure communication is something that should have been done over 20 years ago when the internet first started. Google isn't pushing their own patented protocols here, they are compelling people to stop being so lackadaisical with online privacy and security. Even more, the internet doesn't require either Google or Chrome to use, heck you can even post all your passwords on Facebook if you wish to naively believe the world is all rainbows and happy thoughts. But in this case, to throw your analogy back at you, Ford announced that they are requiring locks on all their cars and you are annoyed at the idea of carrying another key in your pocket.

Improvements to privacy and security should always be welcomed.
 
Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!

As mentioned before - Let's Encrypt SSL certs are free. Soon also wildcard certificates from them. If you can't wait for that, an AlphaSSL wildcard cert can be had for sub-$40.

Nobody requires you to use EV SSL certificates.
Nobody stops you from using HTTP website. They will be just marked unsecure. Because they are. Anyone can see what is transmitted. Thus they are unsecure.

IMAP without SSL is insecure. SMTP without SSL is insecure.... Why would HTTP be an exception?
 
An ad-blocker in a browser made by an advertising company.....isn't that the very definition of an oxymoron?

Yeah, it is more like Monopoly power.
Today's tech companies like Google have politicians in their pocket. AT&T had an unfair monopoly so the federal government forced the company to break up into regional "baby bells".
Where are the baby bells now? AT&T bought them back and government regulators didn't seem to notice.
 
https://help.ubnt.com/hc/en-us/articles/212500127-UniFi-SSL-Certificate-Error#2

Anything above consumer grade is pretty much set up to handle basics like ssl certs else they'd have issues selling to businesses where passing vulnerability scans is a must.

Yep, but I already have most of my home stuff unencrypted since I'm not really concerned about my friends and family poking around, nor do I bother with UID/GID sync between different boxes, or LDAP for the home. Google seems to think everything needs to be handled like it's a business like a technological grammar nazi. I'll have to figure out how to enable SSL for various hobby servers I use just to keep Chrome from requiring 2 click throughs on every site (that's what Google is doing now, I think they'll have the same for HTTP). Then deal with updating them every couple years. There's all the switches, all the media server stuff, and I can't just iframe them into a nice little dashboard until it's all working. Or load client certs everywhere which isn't fun. Stuff like this is what makes hobbies not fun. There should have been an exception for internal networks.
 
I'll have to figure out how to enable SSL for various hobby servers I use just to keep Chrome from requiring 2 click throughs on every site (that's what Google is doing now, I think they'll have the same for HTTP).

No, Google is not doing that for HTTP. All it will do is instead of showing a padlock or green "secure", it will show green "Not secure". Not the 2-click through certificate error page.

Look at the linked article, or if that is too hard, then at least on the image in this news item.
 
Performance improvement? Measured in a negative value.

Google can go to hell. I am not paying $200-$300 a year for a certificate for my personal WEB site just to kowtow to Google. Those ass wipes have already done enough damage with the requirement all sites be "responsive" or they de-list you. Getting so fraking tired of this one company telling us how we have to do things. It is bullshit!

Just go to hell Google.

Right. Our district has a lot of internal websites and services that transmit no data, and aren't accessible outside the internal LAN. Now I'm going to get a metric fuckton of "my computer says my security is at risk!" tickets.
 
Right. Our district has a lot of internal websites and services that transmit no data, and aren't accessible outside the internal LAN. Now I'm going to get a metric fuckton of "my computer says my security is at risk!" tickets.
Use a different browser?
 
Pretty sure he's trolling, issuing out certs in a domain is about as basic as it gets.

Not in K-12, where staff insist on using their own personal computers that you never get to see. The majority of these services are provided by the state/feds, and we're lucky they still launch in a modern web browser at all.

Use a different browser?
We don't get to choose which browser our employees use.
 
You are making excuses to be a hipster and hate on Google because it's trendy when in truth, forcing secure communication is something that should have been done over 20 years ago when the internet first started. Google isn't pushing their own patented protocols here, they are compelling people to stop being so lackadaisical with online privacy and security. Even more, the internet doesn't require either Google or Chrome to use, heck you can even post all your passwords on Facebook if you wish to naively believe the world is all rainbows and happy thoughts. But in this case, to throw your analogy back at you, Ford announced that they are requiring locks on all their cars and you are annoyed at the idea of carrying another key in your pocket.

Improvements to privacy and security should always be welcomed.

I just cannot stop laughing at this one. I had to show this to the office bees. They got a hoot out of it as well. Calling me a "hipster". LOL! Thanks for that laugh.

Now, back to the matter at hand. You act like every network transaction contains personal data. Surprise! They don't! No reason to encrypt non-form data as it is only data the WEB site designer intended to display anyway.

If you want all data encrypted, then why not do it where it should be done. Instead of the highest level available, dig a little deeper and have it done where all data is actually being routed. That way no one has to do a damn thing, except the router companies.

I actually hate people who support monopolies and invite their will to be imposed on them. Google is only successful because of that.
 
I actually hate people who support monopolies and invite their will to be imposed on them. Google is only successful because of that.

Cool Story. But tell me, what does Google actually have a monopoly over that you have no other choice in competition? Your "Google's out to get you" rantings are hilarious, but you can 100% avoid using any of their products and services.

As far as basic security, you couldn't be more wrong about preventing man-in-the-middle attacks and redirection attacks that stem from not being able to verify the identity of the target machine through the proper use of cert chains. In this case, as others have pointed out, Chrome will be shifting over to declaring unsecured websites as actually being "unsecured" because that is what they are by definition; there's no grand conspiracy here, it's a simple matter of calling a spade a spade.
 
Ok, I'll play. Google is treated as monopoly. What other company can say, "make your WEB pages responsive or we will de-list/de-rank them" and have the entire industry scrambling to do that bidding? I am not paranoid about Google. And I have never said Google is out to get anyone. Who is their competitor in search engines? There are competitors, but none of them have that kind of power.

I have said, Google appropriates data and sells it to make the lion's share of their revenue and that is my primary beef with them. Nothing paranoid about that. It is their business model.

Where do you get "Google is out to get you" out of that? Curious because so far you have accused me of being a hipster, and now of being paranoid (ok, you did not state it directly, but it seems implied,...is that paranoid?).

All I get from you is your continued intent to judge me without knowing anything about me.

Never said there was a "grand conspiracy". Let me try to be more clear. I believe the power we (collectively speaking) have given Google is excessive. When one company can say "jump" and everyone jumps, then I am not sure what else to call it. Call that my limitation. To me, Google has too much power.

Historically speaking, browsers wanting to show the security state of a page displayed a broken lock for standard HTTP pages and a full lock for secure pages. Now Google comes out and makes this big announcement. Sure, unsecure pages are just that, but why make a big deal about it?

Do I trust Google? No way in hell. Not paranoid at all. I do not trust them, as I would not trust any thief. Yes, I categorize them as thieves. Again, not paranoid. They have proven to be just that, over and over again. Maybe they pay you for the data they take from you, but they have not paid me for it.

EDIT: By the way, I can be very terse at times due to time constraints. Not an excuse, just an FYI thing. For example, I know Google is not a "monopoly" in the absolute definition of a monopoly. It was a word choice of convenience. Instead of going off the deep end judging, consider asking questions. Never hurts and we all might learn something from the experience. Or we can just lob tomatoes at each other.
 
Ok, I'll play. Google is treated as monopoly. What other company can say, "make your WEB pages responsive or we will de-list/de-rank them" and have the entire industry scrambling to do that bidding? I am not paranoid about Google. And I have never said Google is out to get anyone. Who is their competitor in search engines? There are competitors, but none of them have that kind of power.

I have said, Google appropriates data and sells it to make the lion's share of their revenue and that is my primary beef with them. Nothing paranoid about that. It is their business model.

Where do you get "Google is out to get you" out of that? Curious because so far you have accused me of being a hipster, and now of being paranoid (ok, you did not state it directly, but it seems implied,...is that paranoid?).

All I get from you is your continued intent to judge me without knowing anything about me.

Never said there was a "grand conspiracy". Let me try to be more clear. I believe the power we (collectively speaking) have given Google is excessive. When one company can say "jump" and everyone jumps, then I am not sure what else to call it. Call that my limitation. To me, Google has too much power.

Historically speaking, browsers wanting to show the security state of a page displayed a broken lock for standard HTTP pages and a full lock for secure pages. Now Google comes out and makes this big announcement. Sure, unsecure pages are just that, but why make a big deal about it?

Do I trust Google? No way in hell. Not paranoid at all. I do not trust them, as I would not trust any thief. Yes, I categorize them as thieves. Again, not paranoid. They have proven to be just that, over and over again. Maybe they pay you for the data they take from you, but they have not paid me for it.

EDIT: By the way, I can be very terse at times due to time constraints. Not an excuse, just an FYI thing. For example, I know Google is not a "monopoly" in the absolute definition of a monopoly. It was a word choice of convenience. Instead of going off the deep end judging, consider asking questions. Never hurts and we all might learn something from the experience. Or we can just lob tomatoes at each other.
+1 HTTP's and secure emotional affirmation layers.

While https connections are vital when private data is exchanged - as if Google cares about user privacy - for static public info that any scraper can access it doesn't really matter - but will cost small independent sites more money - for nothing.

Is Google trying to play 'Protector of the Internet' for PR points? All the while, Chrome, like other end-user Google platforms, is created with insatiable data-mining appetites.

The world's largest advertising and content aggregation (theft) company outgrew its 'tech champion' status long ago. That Google can wield monopoly-like powers on the web with impunity or even mild outrage from web developers and those who enjoy a free and open internet is a sad statement about us. Complacency and ambivalence about Google's heavy-handed tactics do not help build a better, safer internet. Look out WordPress developers, Google is coming for you and your remaining un-AMP'd content next.
 