Google remove secure mark from SSL enabled websites


liveinhost Member, Provider

Google is assuming that the web is safe by default. And, if there is no SSL, it will be marked "Not Secure".

Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).

Source: https://blog.chromium.org/2018/05/ev...ndicators.html

Thanked by 1Aidan


Comments

  • Aidan Member

    Finally.

    I've had many overeducated employees hand out credentials as "the site (browser) said it's secure."

    Thanked by 1classy
  • deank Member

    Secure, therefore safe to watch porn, download malware, and teamviewer into wife's computer to search for evidence of cheating.

    Remember to disable signatures in your setting.

  • hostdare Member, Provider

    This is what market dominance helps in dictating what they want, so govt cannot snoop into their customer data theft for so-called personalized ads.

    Thanked by 1default


  • Neoon Member
    edited August 2

    Well, expected, they moved the tls info to the developer tab before.

    So a simple click won't make it, now they are removing that.... bullshit.

    With Firefox, you can get the certificate info with a single click.

    Thanked by 1Shazan
  • Jona4s Member

    They should fix their fucking ERR_SSL_PROTOCOL_ERROR on chrome

    Just shout WOW

  • jsg Member

    Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.

    Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

  • Janevski Member
    edited August 4

    SSL/TLS protects only somewhat from little brother, not from big brother. Plus, it's not as much for protection, as it is for delivering nicely encapsulated, closed advertising towards the end user. Encrypted data shall pass deep packet inspection, filtering proxies too. Also streaming encapsulated paid content, for example. HTTPS is good, but is being pushed forward due to all the wrong reasons - more control over the users. Same as it used to be with encrypted digital television pushing out terrestrial analog - DRM. It's not that the big guy cares about you little fella, he just wants a better leash.

    Thanked by 2Ole_Juul hostdare
  • joepie91 Member, Provider
    edited August 5

    @jsg said:
    Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.

    Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    That's OpenSSH, not TLS/SSL.

    EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.

    Thanked by 3Kris Aluminat maverickp
  • jsg Member

    @joepie91 said:

    @jsg said:
    Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.

    Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    That's OpenSSH, not TLS/SSL.

    And Chrome is Chrome and not TLS. So?

    EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.

    As far as I'm concerned I regret my quite substantial factual and practical knowledge of TLS/SSL ...

    But there is some good news too. Sometime soon (well, ...) there will finally be a verified TLS implementation of 1.3 (or 1.4). I'd add that verified != properly designed.

  • joepie91 Member, Provider

    jsg said: And Chrome is Chrome and not TLS. So?

    So... what does the link have to do with your claims that "TLS (and SSL) are not trustworthy"?

    Thanked by 1Kris
  • jsg Member

    @joepie91 said:

    jsg said: And Chrome is Chrome and not TLS. So?

    So... what does the link have to do with your claims that "TLS (and SSL) are not trustworthy"?

    ...

    @joepie91 said:
    That's OpenSSH, not TLS/SSL.

    EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.

    The context here suggests 2 to the 128+ as relevant range and you call 8 a "large number"? Seriously? Then you assert that a "large amount of people" [of the 8 in this thread excl. yourself] have very little factual knowledge of TLS. Based on what?

    Be a little more forgiving to others and try to avoid personal attacks and belittling others here.

  • More and more malware sites have Let's Encrypt SSL, so it's the right choice.

    Thanked by 1Aidan
  • Aluminat Member
    edited August 5

    jsg said: Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    After reading, I still don't understand how this problem links with the conclusion:

    jsg said: TLS (and SSL) are not trustworthy.

  • angstrom Member
    edited August 5

    Seems to be empty.

    Anyway, the title of this thread may be considered slightly misleading because it's specifically about the browser Chrome (Chromium) and not about Google per se (other than that Chrome is a product made by Google).

    "[...] the Linux philosophy is 'laugh in the face of danger'. Oops. Wrong one. 'Do it yourself'. That's it." (L. Torvalds)

  • jsg Member

    @Aluminat said:

    jsg said: Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    After reading, I still don't understand how this problem links with the conclusion:

    jsg said: TLS (and SSL) are not trustworthy.

    TLS doesn't somehow magically shield and protect. Much, for example, depends on really understanding it and on using it (the library) properly. This includes both the usual things (like e.g. pointers to buffers) and security specific things.

    OpenSSH obviously failed (see article) and the OpenSSH people are certainly no idiots. So maybe, just maybe, it could be imaginable that others using TLS libraries also made some bad judgements, misused the lib or made plain errors?

    Don't forget that applications don't get secure by this or that concept (e.g. TLS) but by properly using IMPLEMENTATIONS and by properly crafting one's own stuff on top of a library. Also don't forget that SSL/TLS libraries also need proper design and coding - which is well known and proven to not always be the case.

  • @jsg So, in short, you're assuming the people who created TLS (and SSL) did things wrong. Just because OpenSSH (a completely different protocol) failed?

    Thanked by 1mrTom
  • jsg Member

    @Aluminat said:
    @jsg So, in short, you're assuming the people who created TLS (and SSL) did things wrong. Just because OpenSSH (a completely different protocol) failed?

    No, meanwhile I assume that you understand neither me/what I say nor TLS.

    Btw, the SSL/TLS people HAVE done quite some things wrong. That is well known.

    Oh and btw, compared to the OpenSSH developers the OpenSSL people indeed ARE a bunch of losers (they made some mistakes but still the OpenSSH devs are a very fine and competent bunch of professionals).

    Finally think a bit just for a second: what REAL service do you provide by blindly defending SSL/TLS?

  • Oh my god! no! Where will we ever get free certificates like from Let's Encrypt that would help us avoid this issue..!

    Yes sarcasm. We have known this is coming for 2 years. If you can't act in 2 years, well you are fucked anyways.

    Also, this is mainly a challenge for shared hosting where hosts do not allow LetsEncrypt certs or enable individuals to self-install their certifications.

    @Janevski said:
    SSL/TLS protects only somewhat from little brother, not from big brother. Plus, it's not as much for protection, as it is for delivering nicely encapsulated, closed advertising towards the end user. Encrypted data shall pass deep packet inspection, filtering proxies too. Also streaming encapsulated paid content, for example. HTTPS is good, but is being pushed forward due to all the wrong reasons - more control over the users. Same as it used to be with encrypted digital television pushing out terrestrial analog - DRM. It's not that the big guy cares about you little fella, he just wants a better leash.

    If you are worried about big brother, maybe we should quadruple sign everything. At least make it hard if not impossible.


  • jsg Member

    The problem (well, largely) is not crypto but implementation. And of course a completely rotten stack from the processor upwards. What security can you get when quite some bigger brothers can control your processor and PCIe bus (translation: your whole damn system)?

    Sooner or later "the 2nd Snowden awakening" will come and it won't be pretty. Then we'll learn that their problem anyway wasn't to hack us but only to do it in ways we don't see but feel oh so safe with TLS, Let's Encrypt and funny certificates.

  • @jsg said:
    The problem (well, largely) is not crypto but implementation. And of course a completely rotten stack from the processor upwards. What security can you get when quite some bigger brothers can control your processor and PCIe bus (translation: your whole damn system)?

    Sooner or later "the 2nd Snowden awakening" will come and it won't be pretty. Then we'll learn that their problem anyway wasn't to hack us but only to do it in ways we don't see but feel oh so safe with TLS, Let's Encrypt and funny certificates.

    You're starting to sound like @bsdguy again.

    Thanked by 1mrTom


  • jsg Member

    @angstrom said:
    You're starting to sound like @bsdguy again.

    Is that some weird insider game? Whatever, I don't care. In my universe it's not at all a problem to have views similar to some other people.

    How about worrying about REAL issues?

    You might, for example, want to look for "Minix inside Intel chipsets", or for kernel bugs (read: potential vulnerabilities) in all major OSs, or for bugs in OpenSSL (and lots of other important libraries), or for a major SSL/TLS co-designer and also otherwise major figure in SSL/TLS circles (e.g. Let's Encrypt) reporting on bad decisions, serious problems, lack of verification, etc.

    I'd LOVE to be wrong but I'm afraid "you sound like XYZ" or "I don't like your hair and clothes" won't change facts or bring us forward or iron out bugs in important software. So, I suggest we stick to the matter.

  • @jsg said:

    @angstrom said:
    You're starting to sound like @bsdguy again.

    Is that some weird insider game? Whatever, I don't care. In my universe it's not at all a problem to have views similar to some other people.

    How about worrying about REAL issues?

    You might, for example, want to look for "Minix inside Intel chipsets", or for kernel bugs (read: potential vulnerabilities) in all major OSs, or for bugs in OpenSSL (and lots of other important libraries), or for a major SSL/TLS co-designer and also otherwise major figure in SSL/TLS circles (e.g. Let's Encrypt) reporting on bad decisions, serious problems, lack of verification, etc.

    I'd LOVE to be wrong but I'm afraid "you sound like XYZ" or "I don't like your hair and clothes" won't change facts or bring us forward or iron out bugs in important software. So, I suggest we stick to the matter.

    If you're right about the (negative) practical consequences (as opposed to the merely theoretical situation), then the end is indeed near.

    I personally think that climate change will negatively affect all of us sooner, but that's probably just me.


  • Kris Member

    People asked you why you had some long-winded rant about Google / TLS but linked to something completely unrelated about OpenSSH. As a result you attacked them as 'defending the other side blindly' for only asking what you were on about.

    /r/iamverysmart material all over this thread compliments of @jsg.

    PS: Before you ask what I get - just a small stipend from Google and the Koch Brothers for every single positive thing I say about TLS.

  • jcaleb Moderator

    will they now penalize ranking of site with no ssl?

  • @jcaleb said:
    will they now penalize ranking of site with no ssl?

    They might, but this thread is really about the browser Chrome/Chromium, as I tried to say earlier above.

    Thanked by 1jcaleb


  • jsg Member
    edited August 7

    @angstrom said:
    If you're right about the (negative) practical consequences (as opposed to the merely theoretical situation), then the end is indeed near.

    Please note that I largely talked about well known facts. The "2nd Snowden awakening" however was indeed a mere assumption.

    @Kris said:

    People asked you why you had some long winded rant about Google / TLS but linked to something completely unrelated about OpenSSH....

    You'll probably turn that against me but if you really think that OpenSSH and SSL/TLS are "completely unrelated" you obviously lack relevant understanding.

    /r/iamverysmart material all over this thread compliments of @jsg.

    I see. So I should put the experience of my profession and everyday job aside and instead offer arbitrary memes preferably ones in favour of TLS?

    PS: Before you ask what I get - just a small stipend from Google and the Koch Brothers for every single positive thing I say about TLS.

    I didn't and still do not assume that you are a paid shill. I know quite well that very many people hold similar beliefs and that's OK unless they are in the field of IT security, in which case they should know better (but might have different reasons guiding their view).

    @jcaleb said:
    will they now penalize ranking of site with no ssl?

    Unfortunately OP's link doesn't work but I guess that Google might increasingly "punish" sites using SSL or even using TLS < 1.1 (or whatever).

    I personally was always opposed to enforcing sites to use SSL/TLS. That said I would however support "punishing" sites using old versions. IF one is using SSL/TLS then one should use min. TLS 1.2 and not e.g. SSL 2.0 and/or weak algorithms (e.g. SHA-1).

    P.S.: WPA2-PSK, a very widely used protocol (WiFi), has been hacked and should be considered insecure. Not directly related to SSL/TLS but yet another example of what I talk about and what I consider a major problem field.

    Thanked by 1jcaleb
  • jcaleb Moderator

    I am just converting my sites to Let's Encrypt. Is that enough?

  • jsg Member
    edited August 7

    @jcaleb said:
    I am just converting my sites to Let's Encrypt. Is that enough?

    Not really. You also need to configure anything TLS based properly, e.g. to not accept SSL and to only use a reasonable set of algorithms. But that's largely specific for each server software so you'll have to search for something like "configure TLS 1.2 for [your server, e.g. nginx]".

    Thanked by 2jcaleb maverickp
  • seanho Member

    Or you could use https://cipherli.st/ by @raymii or Mozilla's page for recommended configurations.

    Thanked by 2jcaleb maverickp
  • Raymii Member

    https://Cipherli.st is a quick and easy copy-paste if you're experienced and know what you're doing. I recommend reading the Mozilla wiki page to get a better understanding of the behind-the-scenes.

    Thanked by 2seanho jcaleb
    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
  • jcaleb Moderator

    I find that using @raymii config works out of the box on my Debian 8 servers. But not working on my Ubuntu 12.04

  • JohnMiller92 Member
    edited August 8

    jsg said: Not really. You also need to configure anything TLS based properly, e.g. to not accept SSL and to only use a reasonable set of algorithms. But that's largely specific for each server software so you'll have to search for something like "configure TLS 1.2 for [your server, e.g. nginx]".

    @jsg, since you seem well versed in this. I have a question if you don't mind

    Will using cloudflare and having a redirect rule (all http to https) be enough? For example, I don't have any SSL setup with nginx for my forum, and will just use cloudflare's stuff.

    Bit confused on your "to not accept SSL and to only use a reasonable set of algorithms" part. What algorithms do you mean exactly? Or am I overthinking this

  • jsg Member

    @jcaleb said:
    I find that using @raymii config works out of the box on my Debian 8 servers. But not working on my Ubuntu 12.04

    Maybe a misunderstanding, but from what I see you use that stuff on your desktop to create a config for the server.

    Regarding the tools suggested by @seanho and @Raymii, particularly the Mozilla page, I think that's a good starting point for many. There are however still a lot of caveats and things one should think about. SHA-2 256 is an example and so are certain NIST propagated curves which you do not need for most sites unless you are doing business with a certain clientele.

  • jcaleb Moderator

    I am using it on my websites. Some VPS I have are using 12.04 because I bought them many years ago. But the more recent website uses Debian 8. I have less pain in Debian 8.

  • jsg Member
    edited August 8

    @JohnMiller92 said:
    @jsg, since you seem well versed in this. I have a question if you don't mind

    Will using cloudflare and having a redirect rule (all http to https) be enough? For example, I don't have any SSL setup with nginx for my forum, and will just use cloudflare's stuff.

    Bit confused on your "to not accept SSL and to only use a reasonable set of algorithms" part. What algorithms do you mean exactly? Or am I overthinking this

    Re. %$"§Flare I guess your approach is right (I can only guess because I never used them nor will I ever).

    Re. your other question: Keep in mind that TLS is but renamed new SSL versions. So saying that one should not accept SSL is just another way of saying that one should not use OLD SSL/TLS versions but at the very minimum TLS 1.1. Somewhat similarly one should use and accept only relatively modern crypto algorithms; a good (and a bit exaggerated for clarity) example is to avoid MD5 hashes and to use SHA-2 384+ or SHA-3.

    A bit extra explanation as still many seem not to know that: SSL/TLS has diverse crypto algorithms available on both the server and the client side. Which ones are actually used is negotiated between the two at the beginning. Each side can exclude certain algorithms, maybe because they are considered too old and/or weak or maybe because they are considered too expensive (in terms of computing); a major server for example with non-critical content (say a big cooking community) but tens of thousands of connected clients in the evening will probably not want to waste valuable resources on high-grade key exchange and encryption and thus make the server considerably slower.

    Basically it works like this: both the server and the client "offer" a set of crypto algos and SSL/TLS versions they are ready and willing to use. And then they use some that they both have in common.

    As your site goes through %$"§Flare that seems to not concern you and it might be assumed that they have reasonable selections and parameters in place. Maybe (Again: I do not KNOW that and can only speculate. Check with them!) %$"§Flare even offers an interface for customers to have some power over e.g. min. TLS version.
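    The negotiation described above (each side offers a set, a common suite gets used) and the earlier advice to refuse old SSL/TLS versions and weak algorithms, as an added example that is not part of this thread: a Python script using only the standard `ssl` module to build a hardened server context, audit which suites it still enables, and model which suite a given client offer would end up with. The cipher string and the client offers are constructed for illustration; the real choice is of course made by OpenSSL during the handshake.

```python
import ssl
from typing import List, Optional

# Constructed cipher string for "a reasonable set of algorithms": forward-secret
# ECDHE key exchange with AEAD ciphers only; old/weak primitives excluded explicitly.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!SHA1"

# Name fragments that mark a suite as old/weak in OpenSSL's naming scheme.
WEAK_TOKENS = ("MD5", "RC4", "DES", "NULL", "EXP")


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses SSL/TLS < 1.2 and only offers modern suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)               # governs TLS <= 1.2; TLS 1.3 suites are all AEAD
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server's order wins, not the client's
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Permissive context: every version and suite the local OpenSSL build still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def min_version(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def enabled_suites(ctx: ssl.SSLContext) -> List[str]:
    """Suite names the context offers, in the server's preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites using MD5, RC4, (3)DES, NULL, export grade or a SHA-1 MAC."""
    return [n for n in enabled_suites(ctx)
            if any(tok in n for tok in WEAK_TOKENS) or n.endswith("-SHA")]


def negotiated_suite(client_offer: List[str], ctx: ssl.SSLContext) -> Optional[str]:
    """Model of the handshake choice with server preference: the first suite in the
    server's list that the client also offered. None means the handshake fails."""
    offered = set(client_offer)
    for name in enabled_suites(ctx):
        if name in offered:
            return name
    return None


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(f"{label}: min {min_version(ctx)}, {len(enabled_suites(ctx))} suites, "
              f"weak: {weak_suites(ctx)}")
    # Constructed client offers: a mixed one and an obsolete-only one.
    mixed = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    obsolete = ["RC4-MD5", "AES128-SHA"]
    for offer in (mixed, obsolete):
        print(f"offer {offer}: legacy -> {negotiated_suite(offer, legacy_server_context())}, "
              f"hardened -> {negotiated_suite(offer, hardened_server_context())}")
```

    Which obsolete suites the legacy context still lists depends on the local OpenSSL build and its security level; the hardened context lists none regardless.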

  • @jcaleb said:
    I am using it on my websites. Some VPS I have are using 12.04 because I bought them many years ago. But the more recent website uses Debian 8. I have less pain in Debian 8.

    Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)


  • jcaleb Moderator

    angstrom said: Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)

    true, but seems risky. maybe just transfer my site to a new vps running debian

  • jsg Member
    edited August 10

    @jcaleb said:

    angstrom said: Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)

    true, but seems risky. maybe just transfer my site to a new vps running debian

    You should listen to @angstroem. Keep in mind that it's virtually always the -implementation- and not the algorithm that's vulnerable and gets broken.

    Translation: You should definitely absolutely use an OS that (still) has updates and patches available!

    Plus you have the advantage anyway that Ubuntu and Debian are similar enough that the transfer to a new (current Debian) VPS should be relatively painless. So DO IT!

    Thanked by 1jcaleb
  • Wow, great news from Google. Many SSL providers will be happy. :3
