What is sorely lacking today is an encryption solution for the intranet. When transferring confidential data (such as salary info) over the network in an intranet situation, we need to encrypt the information to prevent casual snooping using tools such as Wireshark. We don't need to verify the identity of the server because that's typically not a problem on the intranet.

Self-signed certificates used to be the solution in this situation. But browser makers have made it significantly harder, if not impossible, to use self-signed certificates, by not allowing the user to visit sites that have self-signed certificates.

We need a simple solution for this -- a solution that works even for small businesses that do not have an IT department. (That means installing certificates on each end-user's machine is not a reasonable solution.)
I hope HTTPS-First mode would become the default, so that the full page warning can finally convince my classmate to adopt HTTPS on their website that "does not contain any private info so it doesn't need encryption".
> In particular, our research indicates that users often associate this icon with a site being trustworthy, when in fact it's only the connection that's secure.

I had the idea that browsers were showing a grayed-down padlock for standard HTTPS certificates (i.e., "connection is encrypted") vs a full-blown green icon with the company name next to it for the HTTPS certificates that also validate identity (DV? EV? I don't recall the meanings and acronyms).

I guess that's where we should go now: make HTTPS the default (thus showing a standard icon that doesn't call for any attention), a big red ugly icon alerting non-encrypted connections, and a green one with identity attached meaning you can indeed trust this particular site to really be your bank.
I don't understand the holy war against http. Let those who want https use it. Forcing the additional friction of certificates on every site and use case is dumb.

Not even touching on the fundamentally flawed trust model behind https, here's a sample of recent stories about expired certificates:

https://news.ycombinator.com/item?id=25132182

https://news.ycombinator.com/item?id=24237400

https://news.ycombinator.com/item?id=24187920

https://news.ycombinator.com/item?id=22227266

https://news.ycombinator.com/item?id=18649932

https://news.ycombinator.com/item?id=16541235
Removing the lock icon is a very good idea. I'm not surprised that Chrome's team found out that only 11% of participants in a survey understood what it really means.
Can anybody suggest what might be the motivation for this? Beyond the silly "bad people might tamper with the cat picture you're shown" one that is always given? Chrome hates http with such a passion that there must be some evil motive behind it that I'm not seeing.

Because they just keep making life more difficult for websites that don't need SSL.

So now, in addition to seeing a scary icon on the url bar with a scary message, my users are going to have to click past an interstitial banner just so they can visit a website and read silly travel stories. Chromium will try their best to convince them to leave, lest some nefarious agency on their home wifi substitute alternate silly travel stories that somehow cause them harm. In the 20 years the site has been live, I'm skeptical that this has happened often enough that we need to get Google involved.

It's frustrating.
> In particular, our research indicates that users often associate this icon with a site being trustworthy, when in fact it's only the connection that's secure.

Never really thought about that, but I guess it's pretty obvious. I can totally see my folks downloading/buying god-knows-what from a site because they see that lock icon.
My home network includes a router and several WiFi access points. They are managed through a browser, which means they have a built-in web server. I have them configured so they are only visible from the internal IP addresses and changed usernames and passwords from the built-in defaults, but there's no way to install a certificate in them, let alone force them to use https. So whenever I use Chrome to reconfigure one of these devices I get warnings of impending doom. A big PITA.
Interesting that "Linux" is the platform with the lowest observed adoption of HTTPS ... implies some kind of bias in the way Linux users use Chrome. ChromeOS, which is also Linux but I assume not included in the data with the Linux label, has by far the highest fraction of HTTPS.
Has anyone found scheduling information about this? When can we expect this in Chrome, for example?

Edit: Oh, here we go: https://chromiumdash.appspot.com/schedule

This is for Chromium and not Chrome, though:

...

Feature Freeze Thu, Jul 29, 2021

...

Stable Cut * Tue, Sep 14, 2021

Stable Release Tue, Sep 21, 2021

...
HTTPS is not secure if someone has a root cert and wastes energy; if you need encryption you should roll your own.

I used https://datatracker.ietf.org/doc/html/rfc2289 for login, which is simpler and uses less energy than public/private key encryption and quantum safe out of the box.

Google of course has a root cert and is making sure fewer people can make web sites by building more protocol extensions than the average joe can afford to keep up with.

I expect to be severely down voted but it's ok, I'm used to it by this point. Truth is always downvoted by vested interests to a higher degree than average joes are willing to upvote it.
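The scheme the comment above refers to, RFC 2289 one-time passwords (the S/KEY design), as an added illustration that is not the commenter's code: it implements the MD5 variant's hash chain and 64-bit folding, produces the hex form of a password, and shows the verifier side, which accepts each password exactly once and moves down the chain. The RFC's six-word encoding is left out (it needs the 2048-word dictionary), and the class and function names are my own. What the example makes visible is also the limit of the scheme: it authenticates a login, but nothing in it encrypts or integrity-protects the session that follows, so it does not replace TLS on the wire.

```python
import hashlib
import hmac


def _fold_md5(digest: bytes) -> bytes:
    """RFC 2289 folding for MD5: XOR the two 8-byte halves of the 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def next_in_chain(state: bytes) -> bytes:
    """One step of the hash chain: hash the previous 64-bit value and fold it again."""
    return _fold_md5(hashlib.md5(state).digest())


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 64-bit one-time password for sequence number `count`.

    The seed is case-insensitive and RFC 2289 requires it to be lower-cased
    before it is concatenated with the passphrase.
    """
    if count < 0:
        raise ValueError("sequence number must be non-negative")
    state = _fold_md5(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())
    for _ in range(count):
        state = next_in_chain(state)
    return state


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form of the password, the same 16 hex digits the RFC's test vectors list."""
    return otp_md5(passphrase, seed, count).hex()


class OtpVerifier:
    """Server-side state: the last accepted password and its sequence number.

    The server never stores the passphrase. It keeps otp(N); a client proves
    knowledge of the passphrase by sending otp(N-1), which the server checks by
    hashing one step forward. Each value can therefore be accepted only once.
    """

    def __init__(self, seed: str, count: int, stored: bytes) -> None:
        self.seed = seed
        self.count = count
        self.stored = stored

    @classmethod
    def enroll(cls, passphrase: str, seed: str, count: int) -> "OtpVerifier":
        # Enrolment is the only time the passphrase is seen; only otp(count) is kept.
        return cls(seed, count, otp_md5(passphrase, seed, count))

    def challenge(self) -> str:
        """The challenge string sent to the client, in the RFC's 'otp-md5 <n> <seed>' form."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` if one chain step from it reproduces the stored value."""
        if self.count <= 0 or len(candidate) != 8:
            return False
        if not hmac.compare_digest(next_in_chain(candidate), self.stored):
            return False
        # Move down the chain so a replay of this same value is rejected next time.
        self.stored = candidate
        self.count -= 1
        return True


if __name__ == "__main__":
    # Inputs are the first MD5 test vector from RFC 2289 Appendix C.
    passphrase, seed = "This is a test.", "TeSt"
    print("otp(0) =", otp_hex(passphrase, seed, 0))
    server = OtpVerifier.enroll(passphrase, seed, 99)
    print("challenge:", server.challenge())
    print("login with otp(98):", server.verify(otp_md5(passphrase, seed, 98)))
    print("replay of otp(98):", server.verify(otp_md5(passphrase, seed, 98)))
```

The verifier's `count` reaching zero means the chain is exhausted and the user must re-enroll with a new seed; that re-enrollment, like the initial one, has to happen over a channel that is itself protected, which is exactly what the scheme does not provide.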
HTTPS is complicated.

python -m http.server → you have a web server that you can use for ad-hoc needs.

Coding TLS into a web framework is hard. Ah, I should use a proxy? So installing TLS on a proxy is hard. Ah, I should use caddy with LE? Sure (I have used it for years), now how do I do that for 10.2.3.10?

I understand why HTTPS is useful (to encrypt your traffic, certainly not "to know you are on the right server"), but it is a failure from the start, usability-wise.
The "hit piss" (https) first thing is all very well but there are times when "hit pip" (http) is fine. You don't generally use an Enigma machine at home.<p>We generally live in a RFC1918 n stuff world which describes "internal" and "external". IPv6 focusses the boundary between you and me in a different way.<p>Why should my browser decide what I do on my own home network?<p>Why should a mere tool pontificate about stuff that I know more about than the kids who developed it? Fine, I should probably develop my own browser in ASM but I don't speak nonsense. I sort of know what a processor register is but it would probably bully me.<p>I am increasingly seeing top down decisions from monstrously huge corporations "for my own good" and I am increasingly getting worried. I rant at my elected government officials because that is what they are for (I don't really) but commercial corps are increasingly insinuating themselves into important discussions and their moral stance is undecipherable.