chrome marking http as insecure starting july

Jeanne Boyarsky
author & internet detective
Chrome is marking http (vs https) as insecure starting July. I hope this doesn't scare non-technical users too much!
Source
 
Stephan van Hulst
Bartender
It should scare non-technical users, and that's exactly the point. It will force websites that wish their users not to be scared to make their site HTTPS only.
 
Bear Bibeault
Marshal
  • Likes 3
My (haven't-really-read-much-about-it) opinion is that it seems a bit heavy-handed. Why should sites that handle no sensitive information be forced to put up with the expense and bother of certificates?
 
Stephan van Hulst
Bartender
  • Likes 1
They shouldn't. But they're not secure. Men in the middle can still serve content that's different from what the server intended to serve. If the end-user is fine with that, they can ignore the "Not secure" label.
 
Stephan van Hulst
Bartender
Also note that even if the original web page doesn't deal with sensitive information, the man in the middle can inject a page that seemingly does.
 
Stephan van Hulst
Bartender
As an example, say I have created a website with the goal of informing people about the health risks of some kind of substance, and nothing more. A man in the middle can intercept the request and add a link to a page that spoofs the user's healthcare provider's page, containing a login section that's intended to capture passwords and stuff.
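The rewrite Stephan describes in the three posts above, as an added example that is not part of the thread: a small Python model of an on-path attacker altering a plaintext HTTP response to an "informational only" page. The hostname healthcare-provider.example, the page content and the captured response are all constructed for the example; nothing here is a real site.

```python
from __future__ import annotations

import re

# Added example, not code from the thread. The hostnames and the page
# content below are made up.

# The link the attacker wants the victim to see on the "health risks" page.
INJECTED_HTML = (
    b'<p>See your personal risk report: '
    b'<a href="http://healthcare-provider.example/login">'
    b'log in to your health insurance account</a>.</p>'
)


def build_response(body: bytes, content_type: bytes = b"text/html; charset=utf-8") -> bytes:
    """What the honest origin server sends: a minimal HTTP/1.1 200 response."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: " + content_type + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"Connection: close\r\n"
        b"\r\n" + body
    )


# Constructed sample: the informational page as served over plain HTTP.
ORIGINAL_RESPONSE = build_response(
    b"<html><body><h1>Health risks of substance X</h1>"
    b"<p>Facts only, no login, nothing sensitive.</p></body></html>"
)


def parse_response(raw: bytes) -> tuple[list[bytes], dict[bytes, bytes], bytes]:
    """Split a raw response into its header lines, a lower-cased header map and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines, headers, body


def inject(raw: bytes, payload: bytes) -> bytes:
    """The man in the middle: rewrite an HTML response on its way to the browser.

    Plain HTTP hands any on-path party (rogue hotspot, ISP, compromised router)
    the bytes in the clear, so it can change them at will. Under HTTPS the same
    party sees only ciphertext and cannot forge a record the browser will accept.
    """
    lines, headers, body = parse_response(raw)
    if not headers.get(b"content-type", b"").startswith(b"text/html"):
        return raw  # images, scripts, etc. are passed through unchanged here
    if b"content-encoding" in headers:
        return raw  # compressed body: a real proxy would decompress first
    end = body.rfind(b"</body>")
    new_body = body[:end] + payload + body[end:] if end != -1 else body + payload
    # Patch Content-Length so the browser receives a perfectly well-formed
    # response and has no way to notice the page was altered in transit.
    new_lines = [
        b"Content-Length: " + str(len(new_body)).encode()
        if line.lower().startswith(b"content-length:") else line
        for line in lines
    ]
    return b"\r\n".join(new_lines) + b"\r\n\r\n" + new_body


def well_formed(raw: bytes) -> bool:
    """The framing check a browser makes: Content-Length matches the body it got."""
    _, headers, body = parse_response(raw)
    return int(headers.get(b"content-length", b"-1")) == len(body)


def hrefs(raw: bytes) -> list[bytes]:
    """Links the browser would render from the response body."""
    _, _, body = parse_response(raw)
    return re.findall(rb'href="([^"]*)"', body)


if __name__ == "__main__":
    tampered = inject(ORIGINAL_RESPONSE, INJECTED_HTML)
    print(tampered.decode())
    print("well-formed:", well_formed(tampered), "links:", hrefs(tampered))
```

Run it and the printed response is a valid page from the honest server's address that now carries a link to the phishing login; the original had no links at all. Nothing in the bytes tells the browser which party wrote which part, which is the whole reason the "Not secure" label applies to pages that themselves hold nothing sensitive.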
 
Bear Bibeault
Marshal
Good point, but it's not something most of my clients with just "meet and greet" pages would worry too much about (and want to shell out $$$ for).

If Google wants to "foster" this on the web, they should be doing something to make certificates less expensive, and a lot less hassle to deal with.
 
Pete Letkeman
Bartender
I'm not too sure that the cost is that much.
You can get a certificate from RapidSSL, a division of GeoTrust, which itself is a division of Symantec,
for $60 USD a year as seen here https://www.rapidssl.com/buy-ssl/ssl-certificate/.
This should make the "meet and greet" sites secure enough for Chrome not to complain.
At $60 a year, that is only $5 a month, and many people spend at least that on non-essentials each month.
That said, using HTTPS does require more from the server hardware and someone does need to install the certificate.
 
Tim Moores
Saloon Keeper
  • Likes 1
I thought Let's Encrypt essentially makes the cost of certificates go away (for non-commercial). Not so?
 
Pete Letkeman
Bartender

Tim Moores wrote:I thought Let's Encrypt essentially makes the cost of certificates go away (for non-commercial). Not so?

Interesting, I did not know about Let's Encrypt before this.

Looks like anyone can use Let's Encrypt

Let's Encrypt Community wrote:Commercial users are welcome to use Let’s Encrypt for commercial and for-profit purposes.
This is an intended use; we don’t have any desire to restrict the use of our services to non-profit or non-commercial purposes.

https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687/2

I do see one drawback to it, which is that each certificate is only good for 90 days as noted here https://letsencrypt.org/2015/11/09/why-90-days.html.
There is a path for most major servers to automatically renew the Let's Encrypt certificate, simply Google "letsencrypt auto renew yourWebServer" to find guides/info.
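Added example for the 90-day point above; it is not code from Let's Encrypt or certbot. The renewal itself is left to `certbot renew` on a cron job or systemd timer (Let's Encrypt recommends running it twice a day); this script is the monitoring check you run beside it, because the usual failure is not the 90-day limit but the auto-renewal quietly stopping. It is fed the `notAfter=` line that `openssl x509 -noout -enddate -in cert.pem` prints for each site. The hostnames, dates and the fixed "now" are constructed; the 30-day window is certbot's default renewal threshold.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Added example, not Let's Encrypt's or certbot's code. Hostnames, dates and
# NOW below are constructed for the example.

LIFETIME_DAYS = 90       # Let's Encrypt certificate lifetime
RENEW_WITHIN_DAYS = 30   # certbot's default: renew once fewer than 30 days remain


def parse_not_after(enddate_line: str) -> datetime:
    """Parse 'notAfter=Jun  5 12:00:00 2018 GMT' into an aware UTC datetime.

    OpenSSL pads single-digit days with a space ('Jun  5'); strptime's %d
    accepts that, so the line needs no pre-processing.
    """
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"not an enddate line: {enddate_line!r}")
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_left(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has lapsed."""
    if now.tzinfo is None:
        # A naive 'now' compares as local time and shifts the answer by the
        # local UTC offset, which is exactly the kind of off-by-hours bug that
        # makes a renewal monitor fire late. Refuse it.
        raise ValueError("pass an aware datetime for 'now'")
    return (not_after - now).days


def status(not_after: datetime, now: datetime) -> str:
    """'ok', 'renew' (inside the renewal window) or 'expired'."""
    left = days_left(not_after, now)
    if not_after <= now:
        return "expired"
    if left < RENEW_WITHIN_DAYS:
        return "renew"
    return "ok"


def renewal_report(enddate_lines: dict[str, str], now: datetime) -> dict[str, str]:
    """Map each host to its renewal status."""
    return {host: status(parse_not_after(line), now) for host, line in enddate_lines.items()}


# Constructed sample: enddate output collected for three sites on 24 July 2018.
NOW = datetime(2018, 7, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "www.example":  "notAfter=Oct  1 12:00:00 2018 GMT",  # 69 days left
    "blog.example": "notAfter=Aug 10 12:00:00 2018 GMT",  # 17 days left: renew now
    "old.example":  "notAfter=Jul  1 12:00:00 2018 GMT",  # lapsed: renewal has been failing
}


def sample_report() -> dict[str, str]:
    return renewal_report(SAMPLE, NOW)


if __name__ == "__main__":
    for host, state in sample_report().items():
        print(f"{host:14} {state}")
```

Wire the report into whatever alerting you already have; a certificate that shows "renew" for more than a day or two means the timer or the ACME challenge is broken, and "expired" means users are already seeing a browser error page, which is worse than the "Not secure" label the thread is about.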
 
Rancher
Another input:

Chrome’s Plan to Distrust Symantec Certificates
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
 
Jeanne Boyarsky
author & internet detective
Isn't $5 a month a lot in some countries?
 