
chrome marking http as insecure starting july

 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 38152
617
Eclipse IDE Java VI Editor
Chrome is marking http (vs https) as insecure starting July. I hope this doesn't scare non-technical users too much!
Source
 
Stephan van Hulst
Saloon Keeper
Posts: 8766
163
It should scare non-technical users, and that's exactly the point. It will force websites that wish their users not to be scared to make their site HTTPS only.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66613
161
IntelliJ IDE Java jQuery Mac Mac OS X
  • Likes 3
My (haven't-really-read-much-about-it) opinion is that it seems a bit heavy-handed. Why should sites that handle no sensitive information be forced to put up with the expense and bother of certificates?
 
Stephan van Hulst
Saloon Keeper
Posts: 8766
163
  • Likes 1
They shouldn't. But they're not secure. Men in the middle can still serve content that's different from what the server intended to serve. If the end-user is fine with that, they can ignore the "Not secure" label.
 
Stephan van Hulst
Saloon Keeper
Posts: 8766
163
Also note that even if the original web page doesn't deal with sensitive information, the man in the middle can inject a page that seemingly does.
 
Stephan van Hulst
Saloon Keeper
Posts: 8766
163
As an example, say I have created a website with the goal of informing people about the health risks of some kind of substance, and nothing more. A man in the middle can intercept the request and add a link to a page that spoofs the user's healthcare provider's page, containing a login section that's intended to capture passwords and stuff.
 
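The injection Stephan describes in his three replies above, worked through as an added Go example that is not part of this thread: a harmless informational page is served over plain HTTP, and an on-path party (a reverse proxy standing in for a hostile hotspot or ISP middlebox) rewrites the HTML on its way back to the client, adding a link to a phishing login page. The page text, the `healthcare-provider-login.example` hostname and the function names are assumptions for the demo; everything runs against local test servers, so it needs no network.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
)

// originPage is a constructed stand-in for a purely informational site.
const originPage = `<html><body>
<h1>Health risks of substance X</h1>
<p>This page has no logins and collects no data.</p>
</body></html>`

// phishingLink is what the attacker adds. The hostname is hypothetical.
const phishingLink = `<p><a href="http://healthcare-provider-login.example/">Log in to your healthcare provider to check your records</a></p>`

// injectLink inserts attacker content just before </body>. Over plaintext HTTP
// nothing stops an on-path party from doing this; over HTTPS the body is
// encrypted and integrity-protected, so the same edit fails unless the
// attacker can present a certificate the browser trusts for the origin name.
func injectLink(body []byte) []byte {
	marker := []byte("</body>")
	i := bytes.LastIndex(body, marker)
	if i < 0 {
		return append(body, phishingLink...)
	}
	out := make([]byte, 0, len(body)+len(phishingLink))
	out = append(out, body[:i]...)
	out = append(out, phishingLink...)
	out = append(out, body[i:]...)
	return out
}

// newOnPathAttacker returns a reverse proxy that forwards to origin and
// rewrites HTML responses on the way back, modelling a hostile gateway.
func newOnPathAttacker(origin *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(origin)
	proxy.ModifyResponse = func(resp *http.Response) error {
		if !strings.HasPrefix(resp.Header.Get("Content-Type"), "text/html") {
			return nil // leave images, scripts etc. alone in this demo
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return err
		}
		tampered := injectLink(body)
		resp.Body = io.NopCloser(bytes.NewReader(tampered))
		// Content-Length must match the new body or the client sees a truncated page.
		resp.ContentLength = int64(len(tampered))
		resp.Header.Set("Content-Length", strconv.Itoa(len(tampered)))
		return nil
	}
	return proxy
}

func get(u string) (string, error) {
	resp, err := http.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// RunDemo starts the origin and the attacker in front of it, then fetches the
// page directly and through the attacker, returning both bodies.
func RunDemo() (direct, viaAttacker string, err error) {
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		io.WriteString(w, originPage)
	}))
	defer origin.Close()

	originURL, _ := url.Parse(origin.URL)
	attacker := httptest.NewServer(newOnPathAttacker(originURL))
	defer attacker.Close()

	if direct, err = get(origin.URL); err != nil {
		return
	}
	viaAttacker, err = get(attacker.URL)
	return
}

func main() {
	direct, tampered, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("direct from origin:\n" + direct)
	fmt.Println("through on-path attacker:\n" + tampered)
}
```

Run it and compare the two printouts: the origin never sent the link, but the client behind the attacker received it, with nothing in the page to tell the two apart. That is why the "Not secure" label applies to every HTTP page and not just to ones that have a form of their own.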
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66613
161
IntelliJ IDE Java jQuery Mac Mac OS X
Good point, but it's not something most of my clients with just "meet and greet" pages would worry too much about (and want to shell out $$$ for).

If Google wants to "foster" this on the web, they should be doing something to make certificates less expensive, and a lot less hassle to deal with.
 
Pete Letkeman
Saloon Keeper
Posts: 1435
43
Android Chrome IntelliJ IDE Java MySQL Database
I'm not too sure that the cost is that much.
You can get a certificate from RapidSSL, a division of GeoTrust, which itself is a division of Symantec,
for $60 USD a year as seen here https://www.rapidssl.com/buy-ssl/ssl-certificate/.
This should make the "meet and greet" sites secure enough for Chrome not to complain.
At $60 a year, it's only $5 a month, and many people spend at least that on non-essentials each month.
That said, using HTTPS does require more from the server hardware and someone does need to install the certificate.
 
Tim Moores
Saloon Keeper
Posts: 4422
108
  • Likes 1
I thought Let's Encrypt essentially makes the cost of certificates go away (for non-commercial). Not so?
 
Pete Letkeman
Saloon Keeper
Posts: 1435
43
Android Chrome IntelliJ IDE Java MySQL Database

Tim Moores wrote: I thought Let's Encrypt essentially makes the cost of certificates go away (for non-commercial). Not so?

Interesting, I did not know about Let's Encrypt before this.

Looks like anyone can use Let's Encrypt

Let's Encrypt Community wrote: Commercial users are welcome to use Let’s Encrypt for commercial and for-profit purposes.
This is an intended use; we don’t have any desire to restrict the use of our services to non-profit or non-commercial purposes.

https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687/2

I do see one drawback to it, which is that each certificate is only good for 90 days as noted here https://letsencrypt.org/2015/11/09/why-90-days.html.
There is a path for most major servers to automatically renew the Let's Encrypt certificate, simply Google "letsencrypt auto renew yourWebServer" to find guides/info.
 
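Pete's 90-day point above, worked through as an added Go example (not code from this thread or from Let's Encrypt): it issues a throw-away self-signed certificate with a 90-day lifetime in place of a real Let's Encrypt one, then applies the decision a renewal cron job makes on each run. The 30-day window is what Let's Encrypt recommends (renew every 60 days) and what certbot's `renew` uses by default; the hostname `example.com`, the issue date and the function names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewWindow mirrors the Let's Encrypt recommendation and certbot's default:
// renew once 30 days or less of the 90-day lifetime remain.
const RenewWindow = 30 * 24 * time.Hour

// NewSelfSignedPEM issues a self-signed certificate for hostname, valid from
// notBefore for lifetime. It stands in for a real Let's Encrypt certificate
// so the check below runs offline; it is not something a browser would trust.
func NewSelfSignedPEM(hostname string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseCertPEM decodes the first CERTIFICATE block in pemData, which is the
// format certbot writes to fullchain.pem / cert.pem.
func ParseCertPEM(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Status is what a renewal job acts on.
type Status struct {
	DaysLeft int  // whole days until NotAfter (negative once expired)
	Due      bool // remaining lifetime is within the renew window
	Expired  bool
}

// CheckRenewal evaluates cert at time now against the renew window.
func CheckRenewal(cert *x509.Certificate, now time.Time, window time.Duration) Status {
	remaining := cert.NotAfter.Sub(now)
	return Status{
		DaysLeft: int(remaining.Hours() / 24),
		Due:      remaining <= window,
		Expired:  remaining <= 0,
	}
}

func main() {
	issued := time.Date(2018, 7, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	pemData, err := NewSelfSignedPEM("example.com", issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, err := ParseCertPEM(pemData)
	if err != nil {
		panic(err)
	}
	// Simulate the daily cron job at a few points in the certificate's life.
	for _, day := range []int{10, 60, 65, 89, 91} {
		st := CheckRenewal(cert, issued.AddDate(0, 0, day), RenewWindow)
		fmt.Printf("day %2d: %3d days left, renew due: %-5v expired: %v\n",
			day, st.DaysLeft, st.Due, st.Expired)
	}
}
```

In production the certificate is read from the server's certificate path and the check runs daily; the point is that `Due` flips to true with a month to spare, so a renewal that fails (ACME challenge blocked, DNS changed, web server misconfigured) leaves time to notice before the certificate expires and the browser shows a full-page certificate error instead of a "Not secure" label.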
Rancher
Posts: 2978
32
Another input:

Chrome’s Plan to Distrust Symantec Certificates
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 38152
617
Eclipse IDE Java VI Editor
Isn't $5 a month a lot in some countries?