Surely a good thing since marking HTTPS as "secure" was always a bit misleading and normal users didn't understand that you were still subject to phishing attempts and such even with an encrypted transport and authenticated servers.<p>Now it reflects the real world better: HTTPS is necessary but not sufficient for security, but with HTTP only you definitely don't have much security. I guess that's the best you can guarantee or communicate via the browser UI.
So has Google said how they expect router configuration pages, network printers, NAS boxes and other local-network-connected devices to deal with this?<p>I mean, I know Plex has an arrangement where they provide a dynamic DNS style record and they have a special deal with Digicert to issue loads of wildcard certificates [1] but that needs a bunch of infrastructure and a special deal with a CA, as well as precluding offline use and breaking if the supplier ever drops support.<p>And obviously, you can also use a self-signed certificate - but that means teaching users "Just click ignore on the invalid certificate warning" and I've heard people say we shouldn't train users to ignore invalid certificate warnings.<p>Is there some alternative solution Google is proposing?<p>[1] <a href="https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/" rel="nofollow">https://blog.filippo.io/how-plex-is-doing-https-for-all-its-...</a>
For anyone wondering exactly what the current plan is regarding these secure/not-secure indicators in upcoming releases, the Chromium Project has a detailed proposal and timeline: <a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure" rel="nofollow">https://www.chromium.org/Home/chromium-security/marking-http...</a><p>Basically it comes down to eventually removing "secure" indicators completely and only indicating when a page is considered "not secure".<p>As an aside, Let's Encrypt has been a godsend to me during this change.
Anyone else got stories like this?<p>JustHost, one of the hosts I have had a few clients' websites on for years, suddenly started to offer free Let's Encrypt SSL certs to protect users from this change (previously you had to pay for a fixed IP, and the certificate itself) - what a great thing to happen.<p>All I had to do was change a few .htaccess files, a few DB entries and track down a few template files that had HTTP external JS references.<p>It was enough work that I had to invoice for the conversion (with the option of not bothering) - but annual fees are still the same, clients' websites have SSL and <i>every</i> client wanted the upgrade, rather than be marked "insecure".<p>I really think this is a breakthrough change!
As somebody on the dev build train normally I've seen this change for quite a while now and my brain quickly stopped processing the warning on HTTP only sites.<p>I hope that flipping the switch now will cause enough of the remaining non-https sites to start looking into switching before Chrome feels the need to start adding "more prominent" warnings (for example using a modal dialog).<p>I agree that, yes, in general, we should all be using HTTPS on the internet, but non-secured HTTP still makes sense for example during development or for home routers and printers where traffic encryption is less important compared to the initial UX (my parents could probably set up a home router on their own if it's using non-encrypted HTTP but they would be totally unable to proceed if it's using a self-signed cert).
For all those that scream about local devices and HTTPS: if you really want HTTPS (and your printer/router supports HTTPS) you can get a certificate very easily from let's encrypt:<p>- create an "internal" domain for your lan, e.g. home.example.com<p>- make AWS Route53 handle that zone<p>- create some AWS IAM credentials for Route53<p>- create some hosts (e.g. router.home.example.com)<p>- use certbot with the route53 dns option to get a certificate and private key. Certbot will automagically add some TXT records to verify hostname ownership and provide you with that.<p>NO NEED to expose anything on your public IPs, but mind you: your hostname will appear in public CT logs. No "greatnascontainingmypartnersnudephotos.home.example.com" hostnames!
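The "automagic" step in the procedure above is the ACME dns-01 challenge: the client never has to accept an inbound connection because the CA only checks a TXT record it told the client to publish. The following is an added example, not code from the thread, from certbot or from Let's Encrypt; it computes that TXT record with the standard library only, following RFC 7638 (JWK thumbprint) and RFC 8555 sections 8.1 and 8.4. The account key, token and hostnames are constructed sample values, and the wildcard handling (an asterisk label is dropped before prepending _acme-challenge) is included because a wildcard for home.example.com is the other common way to cover every device on a LAN.

```python
"""Compute the dns-01 TXT record an ACME client publishes for a hostname.

Added example; not certbot's or Let's Encrypt's code. Implements:
  - RFC 7638  JWK thumbprint of the ACME account key
  - RFC 8555 section 8.1  key authorization = token "." thumbprint
  - RFC 8555 section 8.4  TXT value = base64url(SHA-256(key authorization))
All sample values below are constructed, not real credentials.
"""
import base64
import hashlib
import json

B64URL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# Constructed sample ACME account key (public part only). The modulus is a
# placeholder string, NOT a real RSA key; only its thumbprint matters here.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key-0123456789abcdef",
    "alg": "RS256",   # optional member: must NOT influence the thumbprint
    "kid": "acct-1",  # optional member: must NOT influence the thumbprint
}
# Constructed sample challenge token, as the CA would send it.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)); the core of both the thumbprint and the TXT value."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required public members, keys sorted
    lexicographically, serialised with no whitespace, then SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the token bound to the account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def dns01_record(hostname: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) for the dns-01 challenge.

    For a wildcard identifier the validation name is built from the base
    domain, so "*.home.example.com" is validated at
    "_acme-challenge.home.example.com".
    """
    base = hostname[2:] if hostname.startswith("*.") else hostname
    txt = sha256_b64url(key_authorization(token, account_jwk).encode("ascii"))
    return "_acme-challenge." + base, txt


def demo() -> dict:
    """Records for the two hostname shapes a home LAN typically needs."""
    return {
        name: dns01_record(name, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
        for name in ("router.home.example.com", "*.home.example.com")
    }


if __name__ == "__main__":
    for name, (rr, value) in demo().items():
        print(f"{name:28s} -> {rr} TXT \"{value}\"")
```

The record name is what the route53 plugin writes into the hosted zone and what the CA queries over public DNS; the value is useless to anyone who does not hold the account key, and it is removed after validation. The hostnames themselves still end up in the issued certificate and therefore in Certificate Transparency logs, exactly as the comment warns.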
In China, many mainstream websites are still HTTP-only. 99% of government websites are HTTP, including the ones you input very sensitive information into. No wonder black data market for any kind of records including medical, surveillance, tax etc. here is so well developed and cheap. Somehow, SSL certificates for CDNs cost around US$2000/year. Proprietary DNS extensions on Baidu, Alibaba, and Tencent clouds like 30x redirects do not work with HTTPS at all.
Not related to the 'not secure' marking, but on the page it says they fixed a medium severity security bug reported in <i>2014</i>.<p>> [$500][394518] Medium CVE-2018-6169: Permissions bypass in extension installation . Reported by Sam P on 2014-07-16<p>And given the relatively low issue number (e.g. <a href="http://crbug.com/394520" rel="nofollow">http://crbug.com/394520</a> is from 2014), it's not a typo.
Now it's time to make the local development environment HTTPS as well. Make yourself a Certificate Authority (CA) and issue local certificates. This results in no warnings in browsers and ensures a better development experience. A post from my colleague on how to do it:
<a href="https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046" rel="nofollow">https://reactpaths.com/how-to-get-https-working-in-localhost...</a>
To play the devil's advocate and be very cynical (which is always fair game IMHO):<p>This change has the effect of pushing even mundane websites to use SSL, and so locking out corporate-level and other players from analysing web usage, or at least making them less effective, which enhances and increases Google's "web scale" analysis dominant position even more.
I'm surprised nobody's talking about the political implications here. This could do more damage to the open internet than revoking net neutrality.<p>Here's a link to hn.algolia.com for the search 'ssl revoked.'<p><a href="https://hn.algolia.com/?utm_source=opensearch&utm_medium=search&utm_campaign=opensearch&query=ssl%20revoked&sort=byPopularity&prefix&page=0&dateRange=all&type=story" rel="nofollow">https://hn.algolia.com/?utm_source=opensearch&utm_medium=sea...</a>
Goodbye chrome then.
Basically corporate scumbags pushing their own agenda with just enough plausibility that the gullible will help push their agenda for them.<p>What happened to "do no evil". Seems to be all google do now.
All legacy content that is hosted using the HTTP protocol just became "not secure" in Chrome. What solution does Google suggest? Who will pay to upgrade old infrastructure? Pandora's box.