back to article Chrome devs hatch plan to mark all HTTP traffic insecure

The Chromium Project's security team has kicked off a debate on whether browser will mark all HTTP pages as insecure. “We … propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure,” the team writes in this post. The post says the team's goal “... is to more clearly …

  1. Mark 85 Silver badge

    Putting this on the users are they?

    Good plan. From my experience, most users if shown a warning about "insecure content", click "show me" anyway because they want to see it. Just like many of them do with a link in an email... <sigh> But, there's hope that this may give them a clue if coupled with something they can understand like "world+dog can see your data if you click ok."

  2. Anonymous Coward
    Anonymous Coward

    Nice try

    May as well mark everything as insecure because HTTPS is shit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nice try

      May as well mark everything as insecure because HTTPS is shit.

      And your superior replacement is...?

  3. poopypants

    Every bit helps

    said Google as it piddled in the ocean.

  4. Anonymous Coward
    Anonymous Coward

    I'd consider "broken HTTPS" far more insecure than HTTP

    Because a naive user doesn't understand any of this stuff. There is still a lot of HTTP out there, and stuff that really has no reason to be upgraded - why should The Register require everyone connect via HTTPS, is someone going to sniff my forum password and post as me...the horror!

    Because there's a lot of HTTP, people will become used to seeing the "this site is insecure" indication and ignore it. A broken HTTPS, i.e. something like a MITM or other attack, should set off alarm bells even in the brains of a clueless surfer, but it won't if it shares the same indication as half the sites he browses!

    Google's engineers are idiots living in their ivory tower, not understanding that not everyone is an ubergeek who implicitly understands this stuff. They think they're being clever and will encourage site owners to switch to HTTPS, but there's no point for a lot of sites to ever do so.

    1. Raumkraut

      Re: I'd consider "broken HTTPS" far more insecure than HTTP

      A broken HTTPS, i.e. something like a MITM or other attack, should set off alarm bells even in the brains of a clueless surfer, but it won't if it shares the same indication as half the sites he browses!

      The problem is that it is impossible for the user to know whether there is a MITM if they're not using HTTPS. This proposal is to stop naively acting like HTTP is somehow magically a better environment than, for example, a site which uses a self-signed cert.

      Google's engineers are idiots living in their ivory tower, not understanding that not everyone is an ubergeek who implicitly understands this stuff.

      So because some people can't be helped, we should throw everyone else under the bus? There is a wide swath of people between "ubergeek" (who don't need this warning to understand) and "dufus"; and some of those people are capable of understanding, if they're given the right cues.

      They think they're being clever and will encourage site owners to switch to HTTPS, but there's no point for a lot of sites to ever do so.

      If a site doesn't want to prevent MITM attackers injecting malware into requests to their website (among other things) then sure, there's no point.

    2. Anonymous Coward
      Anonymous Coward

      HTTPS is also about privacy

      HTTPS not only provides security for stuff like passwords, it also brings privacy. A snooper can tell that you've visited a website, but they cannot tell what pages you actually viewed on that site since all that information is transferred after the secure connection is established.

      I for one welcome the day when ALL websites use an encrypted connection. It's not going to cost website owners a penny (from mid-2015) but it protects everyone from a range of security and privacy issues.

      1. Anonymous Coward
        Anonymous Coward

        Re: HTTPS is also about privacy

        How about people start explaining why they disagree with a post instead of just down-voting. Do you all work for GCHQ or something?

        1. karlh

          Re: HTTPS is also about privacy

          Well, https doesn't encrypt URLs, for one thing. So a snooper can see (the URL of) all pages you visit using https, even if they can't see the content.

          1. Raumkraut

            Re: HTTPS is also about privacy

            Well, https doesn't encrypt URLs, for one thing. So a snooper can see (the URL of) all pages you visit using https, even if they can't see the content.

            Incorrect. HTTPS doesn't shield the destination server (domain/ip address) you connect to, but everything more specific than that is indeed encrypted - including any URLs you request on that server.

          2. A Known Coward

            Re: HTTPS is also about privacy

            "Well, https doesn't encrypt URLs, for one thing. So a snooper can see (the URL of) all pages you visit using https, even if they can't see the content."

            As Raumkraut said, that's incorrect. The path and query string are only sent to the server after the secure connection has been established. Perhaps you should reconsider that down-vote?

    3. Paul Crawford Silver badge
      FAIL

      Re: I'd consider "broken HTTPS" far more insecure than HTTP

      Before worrying about sites that use HTTP for non-important data (OK, you may disagree with that) the world+dog needs to fix the massive hole that is SSL certificate issuing.

      As it stands, you only need one signing agency to be compromised and-or paid-off/and-or politically pressured to get a cert for any site in the world. So of the 600+ (?) issuers, only 1 in 600+ need be knobbled to fail, that has to change. We need a system where any dodgy certificate is found out immediately by cross-checking with several brokers, and not accepted because one in that hige parallel chain failed.

      1. A Known Coward

        Re: I'd consider "broken HTTPS" far more insecure than HTTP

        "the world+dog needs to fix the massive hole that is SSL certificate issuing."

        The solution you're looking for exists and is in use already, it's called certificate pinning. It's not a perfect solution, but the situation isn't nearly as bad you as make out.

        Furthermore you seem to be arguing that we shouldn't bother locking the front door unless we also put bars on the windows and install an alarm system. There will always be those with the resources to bypass any security, but that doesn't mean we should just give up and let everyone have access to our data.

  5. NullReference Exception

    Time to buy stock in VeriSign/Symantec

    I'm sure the CA's love this idea. Cha-ching.

    1. A Known Coward

      Re: Time to buy stock in VeriSign/Symantec

      Considering the EFF is launching an entirely free, automated CA in 2015 there will be no potential for existings CAs to cash in.

      1. Brewster's Angle Grinder Silver badge

        Re: Time to buy stock in VeriSign/Symantec

        "Considering the EFF is launching an entirely free, automated CA in 2015"

        I think that has to be up and running before the Chrome devs turn this on.

  6. What was the question

    Daft.

    How these clueless less turkeys can even consider such a stupid idea is beyond me. Never mind the overall reduction in user security-awareness because of Google cluttering up screens with too much useless information and confusing everyone bar the geeks who don't need this "help" anyway. The vast majority of web content has zero security relevance. Who [i]cares[/i] if that cat picture is sent securely? What happened to the goal of having an open, accessible Internet with open, simple means of reading and writing content? What is the hidden agenda here? There must be one, 'coz there surely isn't any trace of sense in the proposal as it stands.

    1. Raumkraut

      The vast majority of web content has zero security relevance. Who [i]cares[/i] if that cat picture is sent securely?

      Do you like your web traffic to have ISP-injected advertising added to it?

      Do you enjoy having your ISP add uniquely-identifying tokens to every page request?

      Do you enjoy not knowing whether that file you just downloaded from $reputable_site has been tampered with?

      Do you like receiving web pages which could be trivially rewritten to directly contain malware?

      I don't. That's why I prefer the authentication and privacy offered by TLS.

    2. Anonymous Bullard

      Who [i]cares[/i] if that cat picture is sent securely?

      So why would the warning matter?

      What happened to the goal of having an open, accessible Internet with open, simple means of reading and writing content?

      That isn't being stopped, but why can't we do that privately and securely?

  7. Jamie Jones Silver badge

    "IThe team also point out that HTTPS traffic usually produces a change to the user interfa,ce notification, yet insecure HTTP traffic does not"

    Um, seeing as there are only 2 states, how so?

    Or in otherwords, it does: "grey/white bar" instead of green bar etc.

    1. Raumkraut

      There are not only 2 states.

      Chrome has: 1) A green bar for EV-certs, 2) A green lock for a valid cert, 3) A red strike through the "https" when the security is flawed, 4) No indicator for completely insecure sites

      Firefox has: 1) A green bar for EV-certs, 2) A green lock and owner info for a valid cert, 3) A big stonking warning page when the security is flawed, 4) No indicator for completely insecure sites

      Without any indicator in the case of 4, the effect is to imply that a complete absence of security is better than partial security (eg. no authentication, but protection from passive interference).

      AFAICT, this proposal for Chrome is to treat 4 in a similar manner to 3. This appears sensible to me.

  8. Vince

    Given that this will just cause people to rush out and demand SSL Certificates, the net result will be plenty of pressure on the IPv4 space, because you know that's not an issue.

    And once things are in SSL, it will give people a false impression of security.

    What a totally retarded idea.

    1. A Known Coward

      You no longer need a unique IP to get an SSL certificate. That's what SNI is for.

  9. jb99

    Lost the plot

    If they do this we'll be needing a new browser that hasn't lost the plot.

    Are there any in development?

  10. Anonymous Coward
    Anonymous Coward

    Plenty of airm-chair experts here, as usual.

    Let's say I intercepted your traffic to examplebank.com (via MITM or DNS). I don't have the private keys for examplebank.com, so your browser will hopefully warn you that the server you're connecting to isn't the real examplebank.com when connecting via httpS. So I make you connect via http instead - now where are the warnings?

  11. Anonymous Coward
    Anonymous Coward

    It seems there are lot of cry babies with HTTP-only sites who have a problem with browsers telling the truth to their visitors, by saying that their connection could either be snooped upon or may not even be visiting the site they think they are. The warning message doesn't break HTTP, it just educates.

    Why would you want to conceal the fact that your connection could somehow be compromised from your visitors? Let them decide if they care about their security and privacy.

    If you care that much about it, and you really give a shit about the "scary" warning, then buy an SSL cert now because you should have one already. They're next to nothing, compared to your server, domain name, and traffic costs.

    1. strum

      >The warning message doesn't break HTTP, it just educates

      Only if it provides useful information - like when the site is asking for customer data.

      For a great deal of the web - it's just text, pictures, information. No 'data', no cookies, no nothing.

      Something like this is going to scare the pants off surfers, for no good reason.

    2. Anonymous Coward
      FAIL

      So the hundreds of millions of small clubs, shops, cafes, local information sites etc, that do little more than have a basic html site, should get expensive "experts" in to reconfigure the site, get the certs etc, all because there is bloody great warning saying Ooo look this site is dangerous and nasty, when all they are trying find out is what time the fucking place is open?

      How is going to pick up the bill for this?

      1. A Known Coward

        No cost involved

        FFS - No. No experts are required, no cost at all. Go look at the Let's Encrypt (https://letsencrypt.org/) project. Those small sites are almost universally on shared hosting packages which will offer one-click setup via CPanel (or equivalent), most will probably set it up by default.

        Please stop the uninformed hysteria. I feel like I've walked into the twilight zone with all the opposition being expressed to the idea of bringing the very security and privacy to internet connections which should have been there from the start.

    3. Tatsky

      You are talking about cry babies, with no idea as to who those people are?

      If these people run Banking websites, or ecommerce, or anything which does involve the transmitting of personal data between client PC and server, then SSL should be applied and customers using a site like this which is not secure should be warned.

      However, what about the situation where the site is a promotional site for a business. It doesn't do ecommerce, and has no data transfer (apart from someone snooping on which pages you visit, which when it comes to a brochure website.... there's probably not that big an issue). In these cases a warning is a bit over the top. The users this is designed to help are the same users that when they see this message are likely to drop their bowels and quickly navigate away from the site. This then results in the website owner seeing a significant drop in traffic.

      The other argument against SSL is that Google et al are constantly telling website owners to make their site faster, more responsive etc etc but in my view SSL slows down sites because a) you have the overhead of encryption (which in a dynamic site is not such a big issue because the site is/may be dynamically built based on the user session and should use SSL, but in a static site the content is exactly the same and the overhead is unnecessary) b) the amount of data transferred may be significantly larger if the web page is built up of a lot of components i.e. CSS, javascript, images etc. Each request for a component carries an SSL overhead, and this increases bandwidth and so costs. c) one recommendation form Google was hosting your images/static content on a different domain/sub-domain so that you can get around the max connections per domain limit and also allowing static content to be cached... improving performance. Now you would need a wildcard SSL or move all your static content onto the main domain. This will slow down the site significantly. and d) I think (but it's been some time since I last looked at this) but HTTPS traffic is not cached/cahced in the same way, so if you have lots of images on a page the content won't be cached resulting in a lot more requests on your server, and a lot more content being served.

      So the choice here is either get a certificate and slow down your site and increase hosting/bandwidth costs or don't go secure and expect a number of your customers to get scared off because of the warning message telling them that the site will result in them being scammed out of all their money by a Nigerian Prince.

      BTW I agree wholeheartedly that any sites where personal or financial data is transmitted should operate securely.

  12. David Lawton

    Please no, if you work in Education or a business where you are required to filter the internet connection this will just break even more things. Google changed to SSL for their search last year (i think it was last year), what a pain, we now have to do man in the middle, and push a certificate to all our clients for our UTM Device just so we can enforce safe search to stop the kids searching google images for things they should not or even the innocent phases that come up with weird results. Not everything likes us being in the middle so we can filter SSL traffic and just breaks.

    1. Anonymous Coward
      Anonymous Coward

      @AC "It seems there are lot of cry babies with HTTP-only sites who have a problem with browsers telling the truth to their visitors..."

      Ok, say I run SSL on my 100% public site with no private data anywhere. Will Chrome warn users if my site's been hacked? Not until it's too late for many. Will it tell them if I'm passing their data to insecure 3rd party APIs, or selling any information I collect on them, or giving everything to NSA/GCHQ? Nope.

      @David Lawton - The fact that you can get away with MITM filtering of most SSL traffic, even with access to the end user machines (malware does too), does not inspire confidence in SSL.

      1. Anonymous Coward
        Anonymous Coward

        @tnovelli: Perhaps you've missed the point. TLS is not just about stealing secret data, and it's definitely has nothing to do with what happens to data on the server or what the host data policy is.

        In addition to concealing data, it also helps to ensure that the site you are connecting to really is that site, and the data to/from it hasn't been tampered with (ie, you can trust the information).

        Nobody is stopping you from serving/accessing via HTTP, the proposal is to educate users of the risks.

        In this day and age, why are people so against this?

        1. Martin-73

          Because a web browser's job is to display the fscking content, not try to falsely educate the consumer.

          Lots of silly examples have been mooted, let's try a sensible one:

          A) Broken HTTPS on a bank's site.

          B) HTTP only site for a local store giving opening times.

          WHY should J.Random.TechnicallyIlliterate User be terrified by a warning on (B)?

          Google devs have their heads up their arses, as always. Chrome is crap, they know it, and are desperately trying to stay in the public eye.

    2. A Known Coward

      "Think of the children" == Godwin's Law

      Think of the children, screw the rest of us.

      If you think those school children aren't smarter than you, and haven't already found ways around your filters then you're wrong.

  13. Cookieninja

    I don't see the problem with this idea ...

    Good move, Google, go for it.

    To those who think this is stupid, let's be clear on one thing. It's the current implementation of HTTPS that is broken, not the idea. The idea of using secure, encrypted, communications to obtain privacy and security remains a sound idea.

    So, likewise, the idea of us upgrading all of our Internet communications to a secure system is a sound one.

    OK, now we have got that out of way, lets think about implementing the idea of a secure communications channel for all Internet traffic as a process with many steps, not something we achieve overnight

    All those HTTP websites that everyone is going on about, those will go away within a reasonable amount of time. No company worth doing business with will want their customers getting those kinds of warnings. I think the hosting companies will deal with most of the non-commercial websites, if not willingly then they will eventually be forced to do it for all users by a noticeable minority who complain or ask their hosting company to do this.

    If this, somehow, managed to put pressure on ipv4 space, that's GREAT! Why on earth is that something to complain about? The sooner we move over to using ipv6 exclusively, the better, right ?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't see the problem with this idea ...

      No, the whole concept of HTTPS is broken. It just encrypts data in transit to untrustable servers.

      Real security requires (at least) a completely different architecture, where servers only store and transmit encrypted data, never having access to decryption keys. Data would only be encrypted on end-user machines, only within the program(s) that use it. Those programs, and the OS, would need far more robust security than anything in existence today. The whole system would be useless for client-server apps (like websites) and probably less than 100% secure anyhow.

  14. Rogue Jedi

    In theory this could be a good idea, but when you factor in user psycholigy this could easily make things worse.

    Right now it is unusual to get a warning, so a lot of people will pay attention when they see it, if 10% of websites display a warning average users will not even look at the message, they will just click ok or take the risk, or go for it or whatever the confirmation message looks like, even if the front page mntioned that if you click ok you will die instantly, they just will not notice.

    For warnings to stand any real chance of being headed they need to be something you rairly see.

    That is why I do not think this will prove to be a good idea in practice, if you disagree that is fine.

  15. BB
    FAIL

    Bit premature

    With IE on XP not supporting SNI, we would still need an IP per website to migrate them all to HTTPS. Not really feasible with today's IPV4 scarcity.

    Really peeved with Microsoft for not adding SNI to a service pack. Almost every large corp still uses IE8 on XP so they have single-handedly hobbled a secure web.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bit premature

      Quote: "Almost every large corp still uses IE8 on XP"

      Where are your figures for this?

      Granted some corps have been slow at rolling things out, but all of them, without exception, should by now have either completed migration away from XP, or be in the final stages of migration, at least for end-user machines.

      Any Corporate users still on XP should have access to the Internet rescinded or at the very least, install a 3rd party browser, and then cripple IE to block it's Internet access (i.e. allow IE access to Intranet only).

  16. JoeTheAnnoying
    FAIL

    Never overestimate the user...

    While I applaud Google for trying to do *something*, I find it depressing that they STILL don't comprehend the sheer apathy/willful ignorance of the average end user.

    I had some friends whose computers were constantly being ravaged to the point of uselessness by viruses. I did the best I could to lock them down: G-Data antivirus, Firefox with NoScript and Flashblock, no IE, no Outlook, and instructions that I'd whitelisted every site they used, and they should NEVER click on e-mail links or open attachments.

    Of course, they INSISTED that they HAD to be able to open EVERY attachment they received, because "It might be important", allow EVERY script NoScript tried to block, and run EVERY Flash animation that appeared on every page. No matter what the warning, they just clicked, "Allow" because they didn't want their internet to be "limited".

    And then they got mad at me because their computer STILL got infected, in spite of all the protections.

    If you allow users to bypass security, they will. Every. Single. Time. No matter how stupid the come-on.

    Users are idiots.

    You have to build a system that can stop THEM. Otherwise, there is no such thing as security. No matter what Google tries to do.

    You want REAL security? Disallow the "Allow" button.

  17. Anonymous Coward
    Anonymous Coward

    Useless feature to make them CA !!!

    They just want to be a CA of the world. There are ways to encrypt connection even when using http. Take for example SSH Proxy Tunnel. There is no way a router can intercept your information but the network where you are connecting to.

    Google does not care about users. They were good once, and that was during the 90s. Now they just want to own everything like Microsoft. Screw them.

    1. Martin-73

      Re: Useless feature to make them CA !!!

      Wish I could upvote you more than once!

  18. FlatEarther
    WTF?

    Problem looking for a solution

    A complete OTT nanny state approach. You must always consider the impact of a vulnerability (if this is what they insist on calling it). If the impact of the data exposure is 0, there is no risk.

    Since the authors and viewers of most HTTP see no impact from someone else seeing public content, this is simply a solution looking for a problem. Most content is designed to be public.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021