Google Chrome update to label HTTP-only sites insecure within WEEKS

A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings. The changes will come for surfers once Chrome 68 stable …

  1. Anonymous Coward

    If only it were that easy

    to convert a site to HTTPS.

    For most individuals and small businesses it is beyond their capabilities. The whole process is a mess

    How many small businesses with just products on view and no ordering will bother until their web traffic dries up.

    So Google, how about providing idiot-proof guides to help the technically illiterate get their auto-created site working on HTTPS...?

    Don't even get me started on Certificate Renewal problems.

    1. CAPS LOCK

      Re: If only it were that easy

      The AC is correct, it's a massive mistake by Google/Alphabet. Sites not using SSL/TLS shouldn't be 'shamed' like bad cats.

    2. Roger Greenwood

      Re: If only it were that easy

      "idiot proof guides" - see httpsiseasy.com

      1. DJV Silver badge

        @Roger Greenwood

        That's for Cloudflare ONLY! Doesn't help anyone using anything else! Sigh...

        1. Remy Redert

          Re: @Roger Greenwood

          Worse still, Cloudflare is a giant security hole waiting to be abused.

    3. GnuTzu

      Re: If only it were that easy

      If a business just has an information page or blog with no visitor login, no downloadable applications, and minimal JavaScript, I can see that this will be a challenge. But, anything more sophisticated calls for suitable security, which means doing the work or outsourcing.

      1. Charles 9

        Re: If only it were that easy

        Even a plain information site can be MITM'd. Remember the Chinese Cannon?

      2. illuminatus

        Re: If only it were that easy

        I.e. anything with any real user interaction.

    4. This post has been deleted by its author

    5. John Brown (no body) Silver badge

      Re: If only it were that easy

      "Don't even get me started on Certificate Renewal problems."

      ...or sites which are HTTPS but use certs that your browser doesn't know about, so users then click to accept every unknown cert they come across.

    6. farawayfromhome

      Re: If only it were that easy

      It *is* that easy and it is also free: here's my blog entry describing the process:

      https://bhoew.com/blog/en/17

      1. Ole Juul

        Re: If only it were that easy

        Easy is a matter of perspective. Some of us like to just put up a page or two on random servers for people to see something and it's not appropriate to be doing certs for everything like that. Not everybody has one server that has everything they do on it. Some people have lots of servers that are just part of their personal net environment. Why is it that there is always the assumption that a site is some big deal that's "developed" and lots of time and effort is spent on it? Frankly, working on assumption is not a wise perspective.

    7. Dave559

      Re: If only it were that easy

      If the company which hosts your website doesn't already offer automated https certs via LetsEncrypt, get a new (and better) hosting company.

      (And if you are hosting the website in-house, then the technical skills required to handle certificate installation and renewal are just some of the many that your in-house IT staff really ought to have.)

      1. Ole Juul

        Re: If only it were that easy

        @ Dave559 You seem to assume that only businesses use the internet. Lots of private people, hobbyists and even kids run servers and use the internet freely for enjoyment and general communications. Perhaps you're not a server guy (obviously) and perhaps you only use the net for corporate or business purposes, but please don't ignore the general public's right to basic internet freedoms.

        "If the company which hosts your website doesn't already offer automated https certs via LetsEncrypt, get a new (and better) hosting company."

        You're not talking about servers, you're talking about shared hosting. Not everybody buys that kind of package which is mostly (though not totally) aimed at beginners. Some of us prefer to run servers and enjoy the freedom of using the internet without paying somebody else to do the administration and telling us how to host a site. Perhaps the best way to explain it is to liken it to cooking at home. Some people like to just get the ingredients and cook for themselves whereas shared hosting is like eating at a restaurant.

        Regarding moving to another hosting provider, people with dozens of sites aren't going to find moving all that easy. That said, hosting providers have a problem here too. No doubt they'll be able to do some fancy scripting to provide LetsEncrypt to each of their customers in some transparent way, but it's going to take a while for them to get it done.

        1. David McCarthy

          Re: If only it were that easy

          We moved 70+ sites (our own and clients') from a poor provider (part of the Paragon Group) to two much smaller UK hosts (split our sites/ client sites). Both providers moved the sites for us at no extra charge. We now have free certificates (tso wanted to charge £50 per year for each site), we pay less in hosting fees, have better performance, and great service when we need help - they actually have people who know what they're talking about. Average response to ticket has gone from 8 hours to about 40 minutes.

          We did our research, talked to quite a few companies, and then made the choices - haven't regretted it.

        2. Dave559

          Re: If only it were that easy

          @Ole Juul: Your assumptions are wrong, I’m afraid. Even value shared hosting accounts run on a server, of course, and the hosting company that I use for my own personal website (on an inexpensive but good value and not CMOT-cheap shared hosting account) has had control panel “Tick to enable LetsEncrypt” for almost a year now. It really genuinely couldn’t be easier.

          At work, I’m actually currently updating our servers with LetsEncrypt certs (once you have RTFM and configured your preferred ACME agent, they’re really not hard to initialise and then automatically renew via cron (and if I wanted to have a play server at home, I could just as easily do pretty much the same there too)).

          If you’re running a public facing CMS on a home server, and your login credentials aren’t encrypted, then, as I’m sure you know, your CMS login is unfortunately all too ripe for being sniffed off the network. Are you sure that every WiFi hotspot or other access point you connect to is entirely trustable? That’s just one reason why secure communications are a good thing.

  2. Alister

    The Chrome update is designed to spur the millions of sites still using HTTP to adopt HTTPS.

    For millions of sites, which don't require any user input, and merely serve pages of information, there is no reason to use HTTPS, and to label them "insecure" is just scaremongering.

    1. Anonymous Coward

      I think you miss the point ...

      hence downvote.

      In this case, it seems to me that Google are trying - with what tools they have at their disposal - to foster an internet environment where security - at least to the level that HTTPS can provide - is something the average user doesn't need to concern themselves with. Too much.

      Google's focus is the end-customer ^H^H^H^H^H^H^H^ user. Not the middleman website operator.

      We need to bear in mind that there have been - and probably still are - websites which trip browser security warnings, and to which the operators' (banks, financial institutions, governments) response is "ignore any security warnings".

      1. Alister

        Re: I think you miss the point ...

        to foster an internet environment where security - at least to the level that HTTPS can provide - is something the average user doesn't need to concern themselves with

        I appreciate that.

        But what they will achieve, instead, is that the end user will see scary warnings when browsing perfectly innocent, and safe, websites.

        1. Anonymous Coward

          Re: I think you miss the point ...

          "But what they will achieve, instead, is that the end user will see scary warnings when browsing perfectly innocent, and safe, websites."

          Too many warnings on otherwise safe sites will lead the public to ignore the warnings anywhere. aka crying wolf.

          1. Anonymous Coward

            Re: I think you miss the point ...

            This. We've just written a guide explaining why this is not an issue so that our tech support people can address concerns raised by users.

            Why? Because it was easier than building a system to manage certificates and server configuration for the hundreds of domains we manage, on which there's no real advantage to using https (the few where there is an advantage have been using https for years, manually configured).

            So we are going to be actively training users to ignore these warnings, which devalues the message - a segment of these users are not literate enough to differentiate and are likely to ignore all "This is not secure" warnings from now on. Which is really not an ideal outcome.

            (This wasn't my decision, it was a management decision - the attitude was "what's the cheapest way to deal with this?". And I don't think that attitude is going to be all that uncommon)

            I don't think this alarmist and incorrect labelling is doing anyone a service.

        2. Charles 9

          Re: I think you miss the point ...

          NO unencrypted website can really be considered safe anymore due to increasing MITM attacks like the Chinese Cannon and Verizon Supercookie. Malware can be injected even into a vanilla HTML page, on the fly, by an agent sniffing for ANY unencrypted Web traffic to hijack.

    2. Tomato42

      well, if you like ISPs injecting ads into your otherwise ad-free websites (https://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html) then, sure, go and continue using http only

      I prefer to read what the author intended to be on the website, and http doesn't ensure that.

      1. itzman

        It isnt the encryption that is the problem

        as much as the authentication.

        Well actually it is ALSO the encryption since that absolutely trashes multiple sites hosted on the same IP address.

        So unless you run a massively wild-card certificate that covers ALL virtual hosts and do some nifty coding, you are also now being forced to find a server with a hosting company that is IPV6 capable and hope to heck that your visitors also are IPV6.

        Cos no way are you gonna get 150 IPV4 addresses to run a host of little personal and SME web sites

        1. big_D

          Re: It isnt the encryption that is the problem

          @itzman the virtual hosts all use the same IP-address and the cert is for the domain name. This has been possible for over a decade - heck, I was doing this in my test environment running under WAMP and LAMP back at the beginning of the decade.

        2. Vince

          Re: It isnt the encryption that is the problem

          You can run 150 web sites off one IPv4 address with TLS. It's called SNI. It's been around for ages. Unless your devices are really old it'll just work.

          That's how it is done.

          That said, I don't agree with this move by Google. It's poorly considered and will mislead people again. The problem with "secure" is that it is not secure - it's just encrypted between you and the point it terminates at. The site could have a web page under HTTPS that is spewing out all your details openly - it's not in any way an indicator of secure.

      2. iron

        @Tomato42

        If your ISP is injecting ads into the content of sites it is your problem and your responsibility to change ISP, nothing to do with the websites you visit. Perhaps try paying a decent sum for your internet access instead of going with the cheapest bargain basement option.

        If your TV went on fire would you expect someone from the BBC to come fix it?

        1. sweh

          Re: @Tomato42

          In the US, ISPs are mostly a local monopoly. You get your local cableco... or maybe Verizon if you're lucky. No real choice.

          And when we've seen Verizon, Comcast, AT&T all MITM traffic...

          And then you have people using Starbucks WiFi (are you sure you're on the Starbucks hotspot and not someone pretending to be it?) and other free hotspots...

          Basically, the underlying transport must be considered insecure.

    3. big_D

      Most CMS systems, like WordPress, now have automated scripts for putting in certs from letsencrypt, for example. This makes it relatively easy to update.

      1. Anonymous Coward

        "putting in certs from letsencrypt, for example"

        Which just makes them "encrypted", not "secure".... the two terms have very different meanings.

      2. David McCarthy

        The WordPress sites have taken about 1 hour on average, with most of the time chasing down links and images that didn't get changed by search/replace. Some bigger sites took 4 hours.

    4. Anonymous Coward

      "The Chrome update is designed to spur the millions of sites still using HTTP to adopt HTTPS."

      That may be what it is "designed" to do. It may have other effects such as to drive users away from Chrome. I trun

      Or perhaps Google just did it to deliberately piss people off just because they can. It is called the Ryanair school of management.

  3. Anonymous Coward

    Google Chrome

    Never used it, never will. #OpSecMatters

    1. I ain't Spartacus Gold badge

      Re: Google Chrome

      #HastagsAreBloodyAnnoying

      #ThisAin'tTwitter

      Not that I'm a fan of Chrome. Or sometimes disgusted with Google. Here they're using their ill-gotten monopoly power to control the internet for everyone, but with nobody's permission.

      Worse, they're doing it in a stupid way. False positives in security warnings absolutely destroy security. And that idiot security researcher quoted as saying people should be able to trust all websites unless told otherwise fails to understand both people and the internet.

  4. Joe Harrison

    What about public wifi

    When I go to Aldi my phone tells me it has connected to Aldi Free Wifi. Everything then stops working until I actively start a browser and go to an http site and the Aldi router/proxy/gubbins can intercept it, show me an advert for Aldi, then redirect me to where I pretended I wanted to go.

    All my bookmarks are by now https and I have to think hard for an http. Currently I am using BBC news site. What will public wifi operators do if http disappears?

    1. Ter9

      Re: What about public wifi

      I don’t think WiFi needs http to work, most newer devices can automatically recognize they’re in a captive portal network and show the splash page, without opening a plain http web page anymore

    2. JohnFen

      Re: What about public wifi

      "When I go to Aldi my phone tells me it has connected to Aldi Free Wifi."

      This sounds like you're allowing your phone to automatically connect to open WiFi hotspots when it sees them. If so, I strongly urge you to turn that off -- it's a really, truly terrible idea for a whole bunch of reasons.

      1. eldakka

        Re: What about public wifi

        This sounds like you're allowing your phone to automatically connect to open WiFi hotspots when it sees them. If so, I strongly urge you to turn that off -- it's a really, truly terrible idea for a whole bunch of reasons.

        Even if for no other reason than saving battery! Having WiFi on requires power, using up battery life. Should only turn on WiFi explicitly when you want it to be on, e.g. at home connected to your WiFi, at a friend's house connected to theirs, etc.

        1. JohnFen

          Re: What about public wifi

          Indeed -- leaving WiFi on is, all by itself, a pretty bad idea (from a security/privacy point of view, but the battery point is valid as well).

          Personally, I use Tasker to periodically check the phone's GPS location, and when it finds itself near a WiFi AP that I am willing to use, it automatically turns the WiFi on and connects. When it leaves the range of that AP, it turns the WiFi off. In this way, I get the best of both worlds -- my WiFi is off most of the time, but I don't have to remember to turn it on and off myself.

          1. onefang

            Re: What about public wifi

            "Personally, I use Tasker to periodically check the phone's GPS location, and when it finds itself near a WiFi AP that I am willing to use"

            GPS is also a bit of battery drain you can turn off. I use cell tower locations for the same thing, coz that part of the phone is always turned on anyway.

  5. Keven E

    It's not "browsing" anymore..

    So my browser is gonna tell me that every time I access my print server's config page? Will I be able to tell it to add exceptions for future visits? I doubt it.

    1. Yet Another Anonymous coward Silver badge

      Re: It's not "browsing" anymore..

      Can you do https to a 192. address?

      1. SteveK

        Re: It's not "browsing" anymore..

        Can you do https to a 192. address?

        Yes, provided whatever equipment is on that address supports https, but to the best of my knowledge you can't buy a certificate for it from any legitimate certificate provider, so unless you also run your own certificate authority and can deploy a trust certificate to any of your devices that need to access it, or deploy every self signed certificate to the devices, you will continue to have to jump through an ever increasing number of hoops every time you want to browse to it.

        1. stephanh

          Re: It's not "browsing" anymore..

          This means that things like router configuration webpages will be marked as "insecure".

          It would be more reasonable to exclude 10.x.x.x and 192.168.x.x from this, but apparently Google decided otherwise.

          1. Anonymous Coward

            Re: It's not "browsing" anymore..

            "It would be more reasonable to exclude 10.x.x.x and 192.168.x.x from this, but apparently Google decided otherwise."

            Large company intranets may use those address ranges for all their devices.

            1. Pascal Monett Silver badge

              Re: "Large company intranets may use those address ranges for all their devices."

              And Google is the authority to decide to flag those large company intranets as insecure.

              Sure.

          2. Hstubbe

            Re: It's not "browsing" anymore..

            "This means that things like router configuration webpages will be marked as "insecure".".

            And it would be correct to mark them as insecure. Whether that's convenient is another matter, but sending your router password unencrypted over the air is indeed considered insecure.

        2. onefang

          Re: It's not "browsing" anymore..

          "Can you do https to a 192. address?"

          "Yes, provided whatever equipment is on that address supports https, but to the best of my knowledge you can't buy a certificate for it from any legitimate certificate provider,"

          Certificates are for domain names, not IP addresses. You could, for example, hang a web server off an external IP, and a free domain name from afraid.org, for long enough to get a valid free Lets Encrypt certificate, then stick that domain name in your internal hosts file/s, pointing to your internal 192. address. Done, dusted, accepted by all browsers. Probably pointless getting a paid certificate for this sort of thing, but you could do that too.

          1. Yet Another Anonymous coward Silver badge

            Re: It's not "browsing" anymore..

            So trivial then for every home user with a wifi printer, security camera, weather monitor etc

          2. really_adf

            Re: It's not "browsing" anymore..

            "Certificates are for domain names, not IP addresses."

            Nope, SteveK had it just right. IP addresses can be used in certificates but, as with domain names, commercial CAs (that browsers trust out of the box) must verify them, which isn't possible for RFC1918 addresses. This doesn't inhibit an internal CA.

          3. Anonymous Coward

            Re: It's not "browsing" anymore..

            Certificates can contain URIs, DNS names, IPs, and other names in "subject alternative names" - which are those a browser (or any other well written application) should check - not only the "commonName".

            So yes, you can issue a certificate to an IP address. Just, no well managed and sensible CA will ever release a certificate for LAN-reserved IPs.

            If you run your internal PKI, and for some reason you want HTTPS to work with IPs as well (i.e. to reach some devices even if DNS is not working), you can issue certificates which also contain the IP - of course this has some risks unless you manage IP allocations and certificates properly.
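The two points raised in this sub-thread (really_adf: public CAs cannot verify RFC 1918 addresses; the AC above: an internal PKI can put IPs in subjectAltName, but only safely if IP allocations and certificates are managed together) can be expressed as a single issuance policy check. The following is an added example, not code from any poster or CA: the allocation table, hostnames and addresses are constructed for the illustration, and `check_san_request` is a hypothetical pre-issuance gate for a CSR's SAN list.

```python
import ipaddress

# Constructed allocation table for an internal PKI: which host each reserved
# address is assigned to. In a real deployment this comes from IPAM/DHCP records.
IP_ALLOCATIONS = {
    "192.168.10.5": "printer.corp.example",
    "10.0.0.20": "nas.corp.example",
}


def classify_san(san):
    """Return 'ip' for a literal IPv4/IPv6 address, 'dns' for anything else."""
    try:
        ipaddress.ip_address(san)
        return "ip"
    except ValueError:
        return "dns"


def check_san_request(sans, public_ca, allocations=IP_ALLOCATIONS):
    """Return a list of policy problems for a requested SAN list (empty = acceptable).

    public_ca=True models a browser-trusted CA: it has no way to prove who owns a
    private, loopback or link-local address, so such IP SANs are never issuable.
    public_ca=False models an internal CA: an IP SAN is acceptable only when the
    allocation table ties that address to one of the DNS names in the same request,
    so a certificate cannot quietly bind a name to an address assigned elsewhere.
    """
    problems = []
    dns_names = {s.lower() for s in sans if classify_san(s) == "dns"}
    for san in sans:
        if classify_san(san) != "ip":
            continue
        ip = ipaddress.ip_address(san)
        if public_ca:
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                problems.append(f"{san}: reserved address, not verifiable by a public CA")
            continue
        owner = allocations.get(san)
        if owner is None:
            problems.append(f"{san}: not in the allocation table, refuse to bind it")
        elif owner not in dns_names:
            problems.append(f"{san}: allocated to {owner}, but request names {sorted(dns_names)}")
    return problems


if __name__ == "__main__":
    request = ["printer.corp.example", "192.168.10.5"]
    print("public CA :", check_san_request(request, public_ca=True))
    print("internal  :", check_san_request(request, public_ca=False))
    print("mismatch  :", check_san_request(["nas.corp.example", "192.168.10.5"], public_ca=False))
```

The check is deliberately conservative: an internal CA that issues `nas.corp.example` with the printer's address would let a device at that address present a certificate browsers accept for a name it does not own, which is exactly the "manage IP allocations and certificates properly" caveat in the post above.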

        3. zapgadget

          Re: It's not "browsing" anymore..

          Yep. I tried setting a network printer to use HTTPS, and it created a self-signed certificate which Chrome and Firefox refused to connect to. I had to set it back to HTTP...

          1. big_D

            Re: It's not "browsing" anymore..

            @zapgadget I've never known Firefox or Chrome refuse to connect. They'll throw up a warning and you'll need to add an exception, but they will normally then let you through...

            I've set up hundreds of https devices on internal networks over the years (2 QNAPs and a couple of printers just yesterday) and I've never had problems with self-signed certs.

        4. ItsFullOfScars

          Re: It's not "browsing" anymore..

          You're right, public CAs won't issue a cert to an RFC 1918 IP address, but you can use public CA certs for internal web servers - as long as you're using an internet DNS name that resolves to your internal web server. The certificate authorities only care about the DNS name and whether you are the legitimate owner of that DNS name.

          Super simple method for an "internal only" web server is to put the RFC 1918 addresses in public DNS. Or use an internal resolver and split-brain DNS, so DNS requests resolve differently for that domain inside your network.

          There are multiple methods for getting free LetsEncrypt certificates working on an internal web server: https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites

    2. big_D

      Re: It's not "browsing" anymore..

      Yes, you can use https on any address and most corporate devices these days use https.

      If your business is big enough, you will have your own trusted issuing authority set up, so you can issue certs for your internal devices, that your corporate devices will accept as valid.

      But you need to put work into it, so only larger businesses with dedicated IT staff will bother.

  6. Velv

    The problem with marking sites as “Not Secure” is that the vast majority of users then assume that everything else is secure.

    We know that there are varying degrees of secure. https has its vulnerabilities, it is not the answer in and of itself.

    While this is on the whole a good thing, we cannot stop the messages to Joe Public to consider security.

    1. Tomato42

      the whole point of marking http as insecure is to drop the, as you rightly point out, "secure" identifier on https sites

      so that we end with just websites, no "not secure", no "secure", just websites

    2. rnturn

      Experian's web site uses HTTPS...

      ...and how well did that work out for the N million people whose personal information was exposed? HTTPS is no panacea.

  7. Anonymous Coward

    Shared Hosting

    Dozens of small businesses, non-profits and sole traders I deal with have a basic internet presence. They're not selling anything on their website, it's really just a few pages to tell customers what they do, how to get in touch and where to find them. They just want to be able to be found on Google.

    These small sites are hosted on cheap shared hosting accounts costing a few quid a month, and for the amount of visitors they get and the simple sites they host are perfectly adequate.

    However, a lot of (maybe most?) shared hosting accounts don't come with an SSL certificate, and the likes of Let's Encrypt don't work on shared hosting.

    What are these guys going to do? Either their hosting fees increase considerably to upgrade to a server (virtual or physical) that supports SSL or their mostly tech-unsavvy visitors get the warning.

    1. Anonymous Coward

      Re: Shared Hosting

      >the likes of Let's Encrypt don't work on shared hosting.

      Not so, works fine. Most control panels support it these days, but SSL For Free will walk you through it if it's not available (presumably as the hosting provider would miss the commission/installation charge).

      There'll be a large queue ahead of you in the GDPR persecution queue, but if you're accepting personal data through http only, you're breaking the law in the EU.

      1. Grikath

        Re: Shared Hosting

        Note what AC1 states.....

        Those cases serve flat pages, no scripts. Like in the 90's... No need for any HTTPS there... And no GDPR to begin with, as there's no customer data being requested *at all*.

        1. Charles 9

          Re: Shared Hosting

          They can STILL be MITM'd.

      2. a_yank_lurker

        Re: Shared Hosting

        The original post is talking about an informational page with the company's contact information such as phone number. Many small businesses do not need to collect any customer information on the web and do not. HTTPS makes little sense for these sites. And there are lots of these sites on the web.

        Anyone who obtains personal information from a user obviously needs to take security very seriously; the whole point behind the GDPR.

        1. Charles 9

          Re: Shared Hosting

          And MY point is that ANY unencrypted HTML page, even an Apache test page, can be hijacked by a man in the middle, altered on the fly to inject malware, and then sent along with the end user none the wiser. It's what allows things like the Chinese Cannon and Verizon Supercookie to work (both use MITM techniques). THAT'S why the push to remove unencrypted HTML, no matter the content (because the content is irrelevant--it's the mere fact it's unencrypted that's the key here). Similar to why Telnet made way for Secure Shell.

          1. itzman

            Re: Shared Hosting

            Where is this man in the middle sitting?

            1. Anonymous Coward

              Re: Shared Hosting

              In Starbucks :-)

        2. Anonymous Coward

          Re: Shared Hosting

          >Many small businesses do not need to collect any customer information on the web and do not.

          IP addresses are explicitly included in GDPR - if you operate a website you have unavoidable obligations. Even if you aren't logging, and almost all static sites do, your hosting provider will be and it's your responsibility to inform visitors about it, provide a point of contact etc.

          >HTTPS makes little sense for these sites

          Avoiding 5 minutes of effort to properly secure visitors to your business' web presence and fulfill the requirements of GDPR makes little sense. If you can't be arsed or lack the technical skills you should use a third-party service which handles these issues and liabilities for you.

    2. onefang

      Re: Shared Hosting

      "Let's Encrypt don't work on shared hosting."

      Entirely untrue, I've done exactly that. Works for other certificate authorities too.

      1. Anonymous Coward

        Re: Shared Hosting

        Whether Let's Encrypt works on shared hosting depends entirely on the hosting provider in my experience.

        1and1 for example, give you 1 free SSL certificate with their shared hosting plans, but don't allow you to install any other SSL certificates that you haven't purchased from them. There simply isn't the control panel UI to allow it.

        So, "Let's Encrypt doesn't work on *some* shared hosting", (if the provider has chosen not to allow it), is what the person above should've said.

        1. Anonymous Coward

          Re: Shared Hosting

          >1and1 don't allow you to install any other SSL certificates that you haven't purchased from them

          All 1and1's offerings support Lets Encrypt - support will happily walk you through the install over the phone.

          ..or search 'Lets Encrypt' from front page for the tutorials.

          1. Anonymous Coward

            Re: Shared Hosting

            > All 1and1's offerings support Lets Encrypt - support will happily walk you through the install over the phone.

            Not all.

            Their cloud, virtual and dedicated servers do support Let's Encrypt - easily done yourself via the Let's Encrypt extension in Plesk.

            But their shared hosting doesn't allow any external SSL certificates to be installed - only the free supplied certificate or additional ones purchased from 1&1.

        2. Anonymous Coward

          Re: Shared Hosting

          1and1 have always given me the impression of being a company with a larger advertising budget than clue budget, to be honest...

    3. ItsFullOfScars

      Re: Shared Hosting

      These sorts of sites are usually hanging off cpanel. Many cpanel hosting providers have automatically started enabling Lets Encrypt for their customers.

      For customers using a provider who hasn't bothered to do this, it might be a good idea to move (many hosting providers will move your domains/services for you, for a modest fee)

    4. itzman

      Re: Shared Hosting

      It is impossible to have more than one certificate on a single IP address for the simple reason that the site's host name is not revealed until decryption has taken place, and decryption does not take place without a valid certificate

      It IS possible thereafter to split the site into virtual sites with different names, via some dirty hack coding, but it's ugly as sin.

      Essentially forcing https on everyone will destroy the small cheap site until and unless IPV6 addresses are the standard.

      In the case of the small business he has a stark choice: be seen to be 'insecure' by the browsers or spend an enormous amount more money getting a private IP address and moving to it, or go to a hosting company that will do that using IPV6.

      This is an ill considered move that has not been thought through.

      It is more quasi political virtue signalling.

      Once we would write an RFC and discuss how to achieve the objectives desired

      Today unilateral moves by large companies dictate the way things proceed.

      It is not progress.

      1. sweh

        Re: Shared Hosting

        Umm, you might want to look at the Server Name Indication (SNI) field of TLS; it allows exactly for the situation where multiple hosts share the same IP address.

        This solution is only about 10 years old. If your client supports TLS1.2 (and if it doesn't then you have bigger problems) then it should support SNI.

        1. nagyeger

          Re: Shared Hosting

          One little-discussed 'gotcha' of SNI is that, unexpectedly to the user who's been told 'no one can see what you're browsing with https' ... with SNI they can. Because SNI isn't sent encrypted.

          This gets significant when you, say, live in Iran and want to visit 'www.how-to-become-a-christian.org', (or in USA and want to visit 'diy.nuke.designs.nk')

          1. Tom Wood

            Re: Shared Hosting

            "no one can see what you're browsing with https" was never really true. The domain you are visiting is always sent in the clear during DNS resolution and the fact that you are connecting to a particular IP address is always visible (or the Internet protocol wouldn't work). Without SNI there was a one to one mapping from secured domain to IP address anyway.

            What particular URLs you are accessing (below the domain level, e.g. pages within a site) is encrypted, and is still encrypted with SNI.
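An added example (not code from the thread) illustrating the points sweh, nagyeger and Tom Wood make above: it builds a minimal TLS 1.2 ClientHello carrying a server_name extension, shows how a shared-IP front end picks a certificate from it, and shows that the host name sits in the record as plain bytes. The cipher suite and certificate labels are constructed placeholders; nothing is sent over a network.

```python
"""Minimal TLS ClientHello with SNI: build it, parse it, select a certificate by it."""
import os
import struct
from typing import Optional

TLS12 = 0x0303
EXT_SERVER_NAME = 0x0000   # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00      # NameType host_name


def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record holding a ClientHello whose only extension is SNI."""
    name = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        struct.pack("!H", TLS12)            # client_version
        + os.urandom(32)                    # random
        + b"\x00"                           # session_id: empty
        + struct.pack("!HH", 2, 0xC02F)     # cipher_suites: one constructed suite
        + b"\x01\x00"                       # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, TLS12, len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Read the host_name out of an unencrypted ClientHello; None if not present.

    This is exactly what a passive observer on the path can do: no keys needed.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # header, client_version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        q = 2                                        # skip server_name_list length
        while q + 3 <= len(data):
            name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == HOST_NAME_TYPE:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def select_certificate(record: bytes, vhosts: dict, default: str) -> str:
    """Shared-IP front end: choose which certificate to present, keyed on SNI."""
    return vhosts.get(extract_sni(record) or "", default)


if __name__ == "__main__":
    hello = build_client_hello("www.example.org")
    print("SNI seen in the clear:", extract_sni(hello), b"www.example.org" in hello)
```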

        2. Anonymous Coward
          Anonymous Coward

          Re: Shared Hosting

          Hmm, indeed, the number of people in this thread who don’t appear to have heard of SNI is really rather worrying! (And probably has a large overlap with those people crazily still running WXP/IE6, for more than one reason!)

          [PS: sweh? That sweh? Spuddy? «waves, anonymously»]

      2. onefang
        FAIL

        Re: Shared Hosting

        "It is impossible to have more than one certificate on a single IP address"

        And yet I have five certificates for five different domains on my single IP address web server. It was easy, in some places it's trivial. As mentioned above by others, some hosting companies do it by default. You don't get much more trivial than "I didn't have to do anything". I could easily add another one in five minutes, for free, and that includes getting a new domain name. I'll be doing that for my home server sometime soon, though it already has the three domain names, I just need to add the certificates for them.

  8. HxBro
    FAIL

    Shared hosting

    It's a bit bad if a host isn't supporting one of the free cert systems, chances are they aren't updating their control panels, cpanel/whm/plesk has had it for 2 years or so which probably covers the majority of hosting. ISPConfig has it, and a quick google of some of the others seems to come up with results too.

    If your host isn't updating control panels which control the system, it makes you wonder what they are doing with the rest of the system.

    Even for the home grown control panels, adding a few form fields, then having a cron job that checks for a letsencrypt install request for the domains in question, then running the command which does everything for you isn't exactly rocket science; after that add it to an auto-renew cron and the job is done.

    1. brotherelf
      Pirate

      Re: Shared hosting

      Simple answer: the hosters want to upsell. It really really is that simple. I can understand that my hoster wants to push me from a 15€/yr package to a 36€/yr package that does less. They just have no lever at all, other than lack of certs, because my use case only needs miniscule resources.

  9. adnim

    FFS Google

    Get off ya fuckin' high horse.

    Let webmasters decide if the content is worthy/requiring of SSL.

    HTTP is only insecure when sensitive information is being exchanged.

    Perhaps everything including the obvious should be encrypted?

    I hope no MITM replaces my kitty pics for pussy pics when my website is browsed.

    Joking aside and in all sincerity: Adapt to the Internet Google, don't try to control it....

    Pretty please?

    1. John Brown (no body) Silver badge

      Re: FFS Google

      "HTTP is only insecure when sensitive information is being exchanged."

      Such as all the analytics and tracking shit that most sites seem to use Google for.

    2. Charles 9

      Re: FFS Google

      "HTTP is only insecure when sensitive information is being exchanged."

      OR if it's being MITM'd like with the Chinese Cannon and the Verizon Supercookie...

  10. Anonymous Coward
    Anonymous Coward

    https != secure, https = an encrypted connection

    However, I'm pretty sure this will give Google access to more of your data than other third parties on an SSL connection.

    This is typical Google shite, stuff for their benefit.

  11. Anonymous Coward
    Anonymous Coward

    Cue the web hosting firms sending out their "we can make your site HTTPS.....for a fee" emails.

    Mine has been sending out increasingly shrill sounding marketing shtick for months now, telling me "urgent action required!". It will cost an extra £30 per year on top of my usual hosting fees.

    They must be well chuffed with Google!

    1. Gerhard Mack

      So dump them

      No need to put up with bad service. Many hosting providers will give you an SSL cert for free.

  12. Anonymous Coward
    FAIL

    And so Google helps making the web more INsecure

    I've said it many times: this is the dumbest thing they've done in a while. I'm still visiting tons of websites which don't use HTTPS and where there's totally no need at all.

    And I'm pretty sure that I know what'll happen next:

    "How do I get rid of all those annoying warnings?"

    "I know! start your Chrome with -ignore-certificate-errors, that should do it"

    And I'm sure many will follow up. The only problem of course is that this disables every warning. I'm aware of quite a few people already frequently using this because they want to access a website with an expired certificate, and Chrome doesn't let them. Even though there's absolutely no risk; expired or not, the certificate will still be used for encryption. There is no security problem, only a monetary problem. But yeah, that's what they're counting on!

    Idiocy like this will only make things less secure because people will start ignoring warnings much more often.

    1. John Brown (no body) Silver badge

      Re: And so Google helps making the web more INsecure

      "Idiocy like this will only make things less secure because people will start ignoring warnings much more often."

      You'd almost think they'd have learned from the "click yes/ok to everything" that Windows has trained its users to do. It's almost like this is a new generation of kids who have no idea of what went before them. Are they scared of heights and so can't climb onto the shoulders of giants any more?

    2. I ain't Spartacus Gold badge

      Re: And so Google helps making the web more INsecure

      My advice is going to be, "move from Chrome to Firefox". Which I'll then have to help them do. And hope Firefox don't join in this idiocy. I'll say it's Google trying to control the internet. The last thing you want is false positives in things like security and alarms. That's why everyone ignores car and house alarms - because they're always going off when they shouldn't. It's already hard enough getting people to even think about security, let alone understanding it.

      Anyway most of those people never installed Chrome. It came with an Acrobat or Flash download, as an unwanted extra...

  13. Anonymous Coward
    Anonymous Coward

    http download: 90 seconds, https download >= 45 min

    Those were the stats for the "media servers" at the trading firm where I used to work. There was a bug in that version of apache and after a fresh restart the SSL tax was not that high, but the longer it was left running the higher the tax got. Times for the http download (of our flagship trading platform) remained flat, but https times tracked asymptotically toward infinity. Clearly, there was a bug; a configuration issue; something quite wrong. But the point (and one folks often forget) is that encryption / decryption is not free. It may well be worth it (I for one will not enter private info on an http site, e.g.) but it's not free.

    A/C since I want to remain on good terms with my old co-workers.... :-)

    1. Tomato42

      Re: http download: 90 seconds, https download >= 45 min

      https://istlsfastyet.com/

      1. eldakka

        Re: http download: 90 seconds, https download >= 45 min

        https://istlsfastyet.com/

        I assume that the reason you linked the URL was an attempt to debunk the encryption overhead costs.

        First, let me say that I think it is a good idea to move to TLS, if the circumstances warrant it, or if there are no great impediments to doing so.

        On to the document you linked, let me point out some phrases from the document itself:

        Good news is, modern hardware has made great improvements to help minimize these costs

        Nice assumption, that you are either:

        a) running on modern hardware; or

        b) are not already at the capacity limit of that hardware, such that even a little extra overhead will push it over the edge.

        Now let's look at modern hardware that includes (like most do now) hardware encryption units. Even if you are using such hardware, it is not magical. You must still have:

        a) driver support for the O/S in use;

        b) software support.

        for those accelerators. Which might be fine if you are using a recent version Microsoft IIS on Windows, which will undoubtedly have such support. But if you aren't running Windows or IIS? Sure, many O/Ses will have support (say commercial UNIXes on their platform of choice), and many webservers will have support (again for their O/S and hardware platform of choice), but far from all. And even if modern versions of the products you are using have support, does the version you are currently using have that support?

        A well tuned TLS deployment can make an enormous positive difference in the user experience,...

        To deliver the best performance, run down the TLS performance checklist and use a tool like Qualys SSL Server Test to scan your server for common configuration and security flaws....

        TLS exposes many different knobs and new config flags on every server. Our goal here is not to provide an exhaustive list (consult server docs for that), but to highlight status of important performance-oriented features:...

        TLS operational costs are still higher, right?

        Not necessarily. Once you enable and optimize your TLS stack...

        So it requires tuning, not just slapping a certificate into your web server and enabling TLS.

        Who's going to do that? How much will that cost? If you are large enough to have your own in-house IT support you'll probably have the in-house expertise to do it. What about smaller shops whose IT support is the "person over there who knows a bit about computers"? Or even worse (and quite common) the "My ex-employee's daughter set it up for us 5 years ago" situation?

        Look, I encourage anyone who has the capacity and/or necessity (i.e. you have an online shopfront) to move over to TLS.

        But the people who beat the "it's trivial", or "on modern hardware it has no significant overhead" drums are living in their own, blinkered (or ivory-towered) world. They are making assumptions that everyone is running on modern hardware, is using supported software, has in-house (or can afford consultants) IT staff, has the necessity to implement TLS. They must be the same people who beat the "everyone should be using IPv6" drum.

        It's easy and trivial if you know what you are doing or can afford to hire someone who knows what they are doing, but for the other 30% of sites out there, it ain't, and for what they host on their website ("Who we are", "What we do", "contact details", "address details", "opening hours"), it's not worth the cost to do so.

        edit: added a few more choice quotes from the linked page

    2. HxBro

      Re: http download: 90 seconds, https download >= 45 min

      I'd be looking at hardware ssl accelerators, surely a trading firm of all places would know about getting the fastest speed out of everything, apache possibly not the right choice too.

      Does sound like an odd bug though, can't say I've come across it.

    3. tiggity Silver badge

      Re: http download: 90 seconds, https download >= 45 min

      Should have had the downloads via FTP!

      ... runs away

      CBA with joke icon

  14. Packet

    Idiots...

    What happened to critical thinking / analysis of what needs to be made secure and what doesn't?

    Especially when there's a cost aspect to it.

    Idiots

    1. Tom Chiverton 1 Silver badge

      Re: Idiots...

      "What happened to critical thinking / analysis of what needs to be made secure and what doesn't?"

      Lusers happened.

    2. Charles 9

      Re: Idiots...

      The Chinese Cannon happened. Now it's clear that ANYONE who wants to drive-by a victim can just hit a midpoint, sniff for HTML in the clear, inject malware, and PROFIT! Just like with Telnet, there's only one practical solution to a malicious MITM: give Mallory no cleartext to sniff.

      1. itzman

        Re: Idiots...

        And how, pray, does one 'hit a midpoint'?

        The Chinese cannon was only relevant to people attempting to contact Chinese websites.

      2. Anonymous Coward
        Anonymous Coward

        "sniff for HTML in the clear, inject malware, and PROFIT!"

        Because malware served to you via HTTPS by dodgy ad slingers (which means all of them) is any better? Actually any site that serves you content from other sources like an ad network is performing a man-in-the-middle attack.

        Actually, today it is far easier to distribute malware through ads than trying to intercept connections, which may require a far higher access to the target network.

        1. Charles 9

          Re: "sniff for HTML in the clear, inject malware, and PROFIT!"

          "Actually, today it is far easier to distribute malware through ads than trying to intercept connections, which may require a far higher access to the target network."

          Which well-resourced, well-connected, or state-sponsored actors (Chinese Cannon) are likely able to do.

  15. mark l 2 Silver badge

    I have no problem with Google putting a warning in the address bar that a site is NOT SECURE, like they currently do for HTTPS secured sites in Chrome.

    What I don't want is that every time I visit a HTTP only site I have to jump through a load of hoops to get to the content, like they make you do for a site with an expired certificate.

  16. Anonymous Coward
    Anonymous Coward

    Will it be smart and exempt private IP space from this?

    If you are browsing to a random device in 10.x.x.x or everyone's favorite 192.168.1.x I hope it doesn't complain that it isn't using https. That will lead to a lot of unnecessary but meaningless warnings.

  17. jb99

    Time for a new browser

    This is abuse of a near monopoly by a company to push their own agenda.

    It needs to be resisted with all our might.

  18. Flywheel
    Meh

    Confusing for Joe (and Jo) Public

    I'm sure they'll feel reassured when they visit https://mafia.com and Google tells them that the site is secure. Well, technically it is, but as to whether the content is, that's another matter. I suspect most punters won't appreciate the difference.

  19. Bavaria Blu
    FAIL

    http://www.bbc.com/

    On Chrome beta 68.0.3440.42 I get "not secure" on BBC.com even though according to ssllabs the website has TLS 1.2 (as well as 1.0)

    The site seems to have content from dozens of http sites within it - I take it that is the reason, mixed http and https?

    1. sweh

      Re: http://www.bbc.com/

      Yes, mixed content is not secure. The browser doesn't (shouldn't!) even attempt to access the http content, by default, which is why some people are screaming ("our ad network is http only; it'll stop working if we move the main server to TLS").

      The ad networks will catch up. They'll have to.
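An added example (not from the thread) of the check behind the BBC observation above: it walks a page's HTML and lists the subresources an HTTPS page would fetch over plain http://, splitting them into the kind browsers block (scripts, stylesheets, frames) and the kind they load but flag (images, media). The sample HTML and host names are constructed and do not describe www.bbc.com or any real site.

```python
"""Mixed-content scanner: which subresources of an HTTPS page still point at http://."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that reference subresources. Browsers block "active"
# mixed content outright and merely warn about "passive" mixed content.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample: one HTTPS page with a mix of secure, protocol-relative and http:// refs.
PAGE_URL = "https://news.example.test/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//ads.example.test/tag.js"></script>
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/local/photo.jpg">
<iframe src="http://widgets.example.test/weather"></iframe>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            key = (tag, attr)
            if not value or (key not in ACTIVE and key not in PASSIVE):
                continue
            # urljoin resolves relative and protocol-relative ("//host/...") references
            # against the page URL, so only references that explicitly say http:// remain http.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                severity = "blocked" if key in ACTIVE else "warned"
                self.findings.append((severity, tag, absolute))


def scan_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return the mixed-content findings for an HTML document served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```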

  20. 89724102172714582892114I7751670349743096734346773478647892349863592355648544996312855148587659264921

    Google is not the Internet

    Yet another damned stupid decision! I really wish Google would cease attempting to redefine the entire internet in order to validate/increase the value of our usage data for their profit.

  21. Anonymous Coward
    Anonymous Coward

    Problem......

    For ages users have been able to view the security information on a site, eg my bank has the padlock plus an extended block of text that identifies them. Now if that is removed, phishing becomes trivially easy again. I just need https://fakebank.com. Must be safe coz it's https, right?

    I can also think of ways to mitm https sites that'll be made easier by this.

    Hurry up and die google!

  22. hayzoos

    Shut up about the Chinese Cannon and the Verizon Supercookie

    Those running the Chinese Cannon will have no trouble performing a MITM attack on a HTTPS session. If you don't believe that, then go crawl back under the rock. In fact, you don't have to be a "state level actor" (TM) to MITM a HTTPS session.

    The Verizon Supercookie works at a lower layer in the network stack and HTTPS ain't gonna help. Your ISP is by definition a MITM and can attack your session in a variety of ways. In the US the big ISPs are the only offering so you cannot find another. They also have a friend at their regulatory agency, the FCC, who will rule to their liking, like killing net neutrality. So side gigs like supercookies and ad injections are not frowned upon.

    1. Charles 9

      Re: Shut up about the Chinese Cannon and the Verizon Supercookie

      "In fact, you don't have to be a "state level actor" (TM) to MITM a HTTPS session."

      OK, then, explain. How do you MITM an HTTPS session without the private key, without breaking certificate pinning, AND if you've been there before (breaking the First Contact Problem)?

      1. Anonymous Coward
        Anonymous Coward

        Re: Shut up about the Chinese Cannon and the Verizon Supercookie

        Your ad nauseam "first contact problem" wouldn't apply here now, would it?

        Lemme see. The stuff you look at to see where you are is being hidden more and more. So a brief re-direct and presto, those 0.0000001% of users who bother to look can't, whereas the rest of luserland just blindly trusts the page they're looking at. It looks like the RBS website and I'm way too smart to be taken in after all!

        That's without playing with dns poisoning, trivial for state level actors or the many admin/password remote management on by default routers still out there. Lots of not-updated browsers with bad certs, and most users will dumbly follow a page telling them how to add a new cert authority or how to bypass warnings ("you have been specially selected for our new trial site, but first you need to enable it by...")

        Dumb users who think they're smart make it easier.

        1. Charles 9

          Re: Shut up about the Chinese Cannon and the Verizon Supercookie

          But unlike your scenario, the Chinese Cannon is transparent. Even the most observant user can't tell whether an encrypted connection has been altered on the fly. In fact, there IS no way to tell until it's too late, PLUS there's no way to block it because it happens outside your control, unlike all your scenarios which require either user intervention (installing rogue certificates) or user ignorance (not noticing a bad certificate pin). So I say my scenario still stands, PLUS it's actually happened in real life, so we KNOW it CAN and WILL happen.

  23. DCFusor

    I'll switch browsers...

    For example, my homestead "LAN of things" usually has around 30 servers on it - it's a fancy off-grid homestead monitoring and control system - mostly ESP-8266, ESP-32, Raspberry Pis.

    I will NOT do the hassle to make all that HTTPS, if indeed I even can for the simpler things - I already have a real decent protection from the internet at large going on - in one spot, between all that and the 'net.

    I will change browsers or refuse to update, or both. Google will lose traffic, and if enough people do it - by voting the only way we really can - they'll cut the crap.

    Because what do you want to bet that chrome itself gives them some back-channel info? No need, we know it does. Anything with sync does, and know all sorts of non-obvious things from the metadata alone, even if they're not doing anything more explicitly nefarious. Loss of this data means loss of bucks - so ditching them is voting with your wallet, in a sense.

    1. Charles 9

      Re: I'll switch browsers...

      But how do you vote with your wallet when ALL providers are looking to swindle you AND you can't go without? It's not like you can go back to the Sears catalog, seeing as how Sears itself is on the brink.

    2. Charles 9

      Re: I'll switch browsers...

      "I will NOT do the hassle to make all that HTTPS, if indeed I even can for the simpler things - I already have a real decent protection from the internet at large going on - in one spot, between all that and the 'net."

      Also, doesn't this present a SPoF problem if someone goes out of their way to tackle your "one spot" to get at all the things behind it?

      1. Anonymous Coward
        Anonymous Coward

        Re: I'll switch browsers...

        Probably they get at something behind it first and pwn the firewall from the inside. You say "SPoF", I say "minimal attack surface". You can make it real hard for a malicious bit to phone home, and the whole thing holds water.

  24. Anonymous Coward
    Anonymous Coward

    this is stupid

    They missed a level: secure, insecure, irrelevant.

    I don't need SSL to read a stupid web comic and I don't need my browser to wail at me about it. I also don't need a guy asking me why his browser is wailing about things that don't matter. Looks like dd-wrt doesn't do HTTPS. I suppose if everyone follows Google's stupid trend, then my browser will feel entitled to indirectly demand that I get a new router.

    Maybe Waterfox won't.

  25. DerekCurrie
    Go

    Good! Next Step: Warnings When Visiting IPV4-Only Websites

    IPV6 is here, has been for effectively seven years, it works, it has far more annoying IP addresses, but it's more secure and it's the future, like it or not.

    Sorry, my fellow lazy apes. But playing Luddite isn't going to help the situation. Go IPv6 now and get it over with already.

    1. Charles 9

      Re: Good! Next Step: Warnings When Visiting IPV4-Only Websites

      If you try to drag people kicking and screaming, they'll retaliate screaming and shooting...and then yell, "Stop the Internet! I wanna get off!"

  26. Valen2

    This upgrade will seriously affect so many small businesses that are still using HTTP, because the "Not secure" notice will scare potential customers away.

    My blog post on SSL certificate

    https://www.valen.com.ng/how-to-secure-your-website-with-ssl-certificate/

    1. Anonymous Coward
      Anonymous Coward

      will scare potential customers

      and scare former pseudo-employers into buying SSL certificates they didn't absolutely need. (because they thought *everyone* was going in with https:// and would see the scary warning about the self-signed cert that nobody had any reason to see, incl. the same person who kept seeing it because of a wrong habit vs. making and using a correct bookmark)

  27. PauloCasas

    I panicked when I saw that my site was going to be shown as unsafe. Fortunately, my hosting provider (Neolo) helped me install an SSL certificate and convert my site to secure protocol. They are the best.
