chrome marking http as insecure starting july

Jeanne Boyarsky
Chrome is marking http (vs https) as insecure starting July. I hope this doesn't scare non-technical users too much!
Source
 
Stephan van Hulst
It should scare non-technical users, and that's exactly the point. It will force websites that wish their users not to be scared to make their site HTTPS only.
 
Bear Bibeault
My (haven't-really-read-much-about-it) opinion is that it seems a bit heavy-handed. Why should sites that handle no sensitive information be forced to put up with expense and bother of certificates?
 
Stephan van Hulst
They shouldn't. But they're not secure. Men in the middle can still serve content that's different from what the server intended to serve. If the end-user is fine with that, they can ignore the "Not secure" label.
 
Stephan van Hulst
Also note that even if the original web page doesn't deal with sensitive information, the man in the middle can inject a page that seemingly does.
 
Stephan van Hulst
As an example, say I have created a website with the goal of informing people about the health risks of some kind of substance, and nothing more. A man in the middle can intercept the request and add a link to a page that spoofs the user's healthcare provider's page, containing a login section that's intended to capture passwords and stuff.
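The tampering described in the post above, shown as an added example (this is editor-supplied illustration, not code from the thread or any of its posters). It takes a plain-HTTP response for an informational page, inserts a link to a look-alike login page before `</body>`, and fixes up `Content-Length` so the browser still accepts the page. The captured response, the injected link and the domain healthcare-provider.example are all constructed for the example. The HMAC check at the end is a deliberately simplified stand-in for TLS record protection (an assumption for illustration; real TLS uses AEAD or a MAC keyed per session): it shows why the same edit fails once the bytes are integrity-protected with a key the interceptor does not hold.

```python
"""Added example: how a man in the middle rewrites a plaintext HTTP response.

Nothing here comes from the thread. The captured response, the injected link
and the domain healthcare-provider.example are constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample: the informational page from the post, as a browser would
# receive it over plain HTTP (no login form, nothing sensitive on it).
ORIGINAL_BODY = (
    b"<html><body><h1>Health risks of substance X</h1>"
    b"<p>Informational page, no logins here.</p></body></html>"
)
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: " + str(len(ORIGINAL_BODY)).encode() + b"\r\n"
    + b"Connection: close\r\n"
    + b"\r\n"
    + ORIGINAL_BODY
)

# What the interceptor adds: a link to a page imitating the user's healthcare
# provider (hypothetical domain). The original site never served this.
INJECTED_PAYLOAD = (
    b'<p><a href="http://healthcare-provider.example/login">'
    b"Log in to your provider to see your results</a></p>"
)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_value(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inject_into_response(raw, payload):
    """Return `raw` with `payload` inserted before </body>.

    Only HTML bodies framed by Content-Length are touched: the interceptor must
    keep the framing valid or the browser discards the page. Chunked bodies
    would need re-chunking, which this example deliberately leaves alone.
    """
    status, headers, body = split_response(raw)
    ctype = header_value(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    if header_value(headers, b"Transfer-Encoding") is not None:
        return raw
    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + payload + body[idx:] if idx >= 0 else body + payload
    new_headers = [
        (n, str(len(new_body)).encode() if n.lower() == b"content-length" else v)
        for n, v in headers
    ]
    head = b"\r\n".join([status] + [n + b": " + v for n, v in new_headers])
    return head + b"\r\n\r\n" + new_body


# Why HTTPS stops this: every TLS record is authenticated with a key the
# interceptor does not have. HMAC over the body is a simplified stand-in for
# that record protection (illustration only; real TLS uses AEAD or a MAC).
def seal(body, key):
    return hmac.new(key, body, hashlib.sha256).digest()


def verify(body, tag, key):
    return hmac.compare_digest(seal(body, key), tag)


def demo():
    """Run the injection and the integrity check; returns the outcomes."""
    tampered = inject_into_response(CAPTURED_RESPONSE, INJECTED_PAYLOAD)
    _, headers, body = split_response(tampered)
    key = b"session-key-only-server-and-browser-know"  # constructed
    tag = seal(ORIGINAL_BODY, key)
    return {
        "link_injected": INJECTED_PAYLOAD in body,
        "length_still_valid": header_value(headers, b"Content-Length")
        == str(len(body)).encode(),
        "original_verifies": verify(ORIGINAL_BODY, tag, key),
        "tampered_verifies": verify(body, tag, key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the `Content-Length` fix-up is that the tampered page is indistinguishable from a legitimate one to the browser: the "Not secure" label is the only signal the user gets that such an edit was possible at all. With HTTPS the interceptor sees ciphertext and any modification fails authentication, which is what the last check in `demo()` stands in for.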
 
Bear Bibeault
Good point, but it's not something most of my clients with just "meet and greet" pages would worry too much about (and want to shell out $$$ for).

If Google wants to "foster" this on the web, they should be doing something to make certificates less expensive, and a lot less hassle to deal with.
 
Pete Letkeman
I'm not too sure that the cost is that much.
You can get a certificate from RapidSSL, a division of GeoTrust, which itself is a division of Symantec, for $60 USD a year as seen here https://www.rapidssl.com/buy-ssl/ssl-certificate/.
This should make the "meet and greet" sites secure enough for Chrome not to complain.
At $60 a year, it is only $5 a month, and many people spend at least that on non-essentials each month.
That said, using HTTPS does require more from the server hardware, and someone does need to install the certificate.
 
Tim Moores
I thought Let's Encrypt essentially makes the cost of certificates go away (for non-commercial). Not so?
 
Pete Letkeman

Tim Moores wrote:I thought Let's Encrypt essentially makes the cost of certificates go away (for non-commercial). Not so?

Interesting, I did not know about Let's Encrypt before this.

Looks like anyone can use Let's Encrypt

Let's Encrypt Community wrote:Commercial users are welcome to use Let’s Encrypt for commercial and for-profit purposes.
This is an intended use; we don’t have any desire to restrict the use of our services to non-profit or non-commercial purposes.

https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687/2

I do see one drawback to it, which is that each certificate is only good for 90 days as noted here https://letsencrypt.org/2015/11/09/why-90-days.html.
There is a path for most major servers to automatically renew the Let's Encrypt certificate, simply Google "letsencrypt auto renew yourWebServer" to find guides/info.
 
Master Rancher
Another input:

Chrome’s Plan to Distrust Symantec Certificates
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
 
Jeanne Boyarsky
Isn't $5 a month a lot in some countries?
 