Google remove secure mark from SSL enabled websites

Google is assuming that the web is safe by default. And if there is no SSL, it will be marked "Not Secure".

Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).

Source : https://blog.chromium.org/2018/05/ev...ndicators.html

Thanked by 1Aidan
Comments

  • Finally.

    I've had many overeducated employees hand out credentials as "the site (browser) said it's secure."

    Thanked by 1classy
  • deank Member, Troll

    Secure, therefore safe to watch porn, download malwares, and teamviewer into wife's computer to search for evidence of cheating.

  • hostdare Member, Patron Provider

    This is what market dominance helps in dictating what they want, so govt cannot snoop into their customer data theft for so-called personalized ads.

    Thanked by 1default
  • Neoon Community Contributor, Veteran
    edited August 2018

    Well, expected, they moved the tls info to the developer tab before.

    So a simple click won't make it, now they are removing that.... bullshit.

    With Firefox, you can get the certificate info with a single click.

    Thanked by 1Shazan
  • They should fix their fucking ERR_SSL_PROTOCOL_ERROR on chrome

  • jsg Member, Resident Benchmarker

    Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.

    Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

  • Janevski Member
    edited August 2018

    ssl/tls protects only somewhat from little brother, not from big brother. Plus, it's not as much for protection, as it is for delivering nicely encapsulated, closed advertising towards the end user. Encrypted data shall pass deep packet inspection, filtering proxies too. Also streaming encapsulated paid content, for example. https is good, but is being pushed forward due to all the wrong reasons - more control over the users. Same as it used to be with encrypted digital television pushing out terrestrial analog - DRM. It's not that the big guy cares about you little fella, he just wants a better leash.

    Thanked by 2Ole_Juul hostdare
  • joepie91 Member, Patron Provider
    edited August 2018

    @jsg said:
    Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.

    Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    That's OpenSSH, not TLS/SSL.

    EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.

    Thanked by 3Kris Aluminat maverickp
  • jsg Member, Resident Benchmarker

    @joepie91 said:

    @jsg said:
    Google is a major member of the TLS/browser club and known to push BS. I for one don't care at all what they are preaching. TLS (and SSL) are not trustworthy.

    Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    That's OpenSSH, not TLS/SSL.

    And Chrome is Chrome and not TLS. So?

    EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.

    As far as I'm concerned I regret my quite substantial factual and practical knowledge of TLS/SSL ...

    But there is some good news too. Sometime soon (well, ...) there will finally be a verified TLS implementation of 1.3 (or 1.4). I'd add that verified != properly designed.

  • joepie91 Member, Patron Provider

    jsg said: And Chrome is Chrome and not TLS. So?

    So... what does the link have to do with your claims that "TLS (and SSL) are not trustworthy"?

    Thanked by 1Kris
  • jsg Member, Resident Benchmarker

    @joepie91 said:

    jsg said: And Chrome is Chrome and not TLS. So?

    So... what does the link have to do with your claims that "TLS (and SSL) are not trustworthy"?

    ...

    @joepie91 said:
    That's OpenSSH, not TLS/SSL.

    EDIT: Also, I see that there's the obligatory large amount of people in this thread with Opinions but very little factual knowledge of TLS.

    The context here suggests 2 to the 128+ as relevant range and you call 8 a "large number"? Seriously? Then you assert that a "large amount of people" [of the 8 in this thread excl. yourself] have very little factual knowledge of TLS. Based on what?

    Be a little more forgiving to others and try to avoid personal attacks and belittling others here.

  • More and more malware sites have letsencrypt ssl, so it's a right choice.

    Thanked by 1Aidan
  • Aluminat Member
    edited August 2018

    jsg said: Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    After reading, I still don't understand how this problem links with the conclusion:

    jsg said: TLS (and SSL) are not trustworthy.

  • angstrom Moderator
    edited August 2018

    Seems to be empty.

    Anyway, the title of this thread may be considered slightly misleading because it's specifically about the browser Chrome (Chromium) and not about Google per se (other than that Chrome is a product made by Google).

  • jsg Member, Resident Benchmarker

    @Aluminat said:

    jsg said: Here's an arbitrary link for those who care about reality -> https://latacora.singles/2018/08/03/the-default-openssh.html

    After reading, I still don't understand how this problem links with the conclusion:

    jsg said: TLS (and SSL) are not trustworthy.

    TLS doesn't somehow magically shield and protect. Much, for example, depends on really understanding it and on using it (the library) properly. This includes both the usual things (like e.g. pointers to buffers) and security specific things.

    OpenSSH obviously failed (see article) and the OpenSSH people are certainly no idiots. So maybe, just maybe, it could be imaginable that others using TLS libraries also made some bad judgements, misused the lib or made plain errors?

    Don't forget that applications don't get secure by this or that concept (e.g. TLS) but by properly using IMPLEMENTATIONS and by properly crafting one's own stuff on top of a library. Also don't forget that SSL/TLS libraries also need proper design and coding - which is well known and proven to not always be the case.

  • @jsg So, in short, you're assuming people who created TLS (and SSL) are doing things wrong. Just because OpenSSH (completely different protocol) failed?

    Thanked by 1mrTom
  • jsg Member, Resident Benchmarker

    @Aluminat said:
    @jsg So, in short, you're assuming people who created TLS (and SSL) are doing things wrong. Just because OpenSSH (completely different protocol) failed?

    No, meanwhile I assume that you understand neither me/what I say nor TLS.

    Btw. The SSL/TLS people HAVE done quite some things wrong. That is well known.

    Oh and btw, compared to the OpenSSH developers the OpenSSL people indeed ARE a bunch of losers (they made some mistakes but still the OpenSSH devs are a very fine and competent bunch of professionals).

    Finally think a bit just for a second: what REAL service do you provide by blindly defending SSL/TLS?

  • Oh my god! no! Where will we ever get free certificates like from Let's Encrypt that would help us avoid this issue..!

    Yes sarcasm. We have known this is coming for 2 years. If you can't act in 2 years, well you are fucked anyways.

    Also, this is mainly a challenge for shared hosting where hosts do not allow LetsEncrypt certs or enable individuals to self-install their certifications.

    @Janevski said:
    ssl/tls protects only somewhat from little brother, not from big brother. Plus, it's not as much for protection, as it is for delivering nicely encapsulated, closed advertising towards the end user. Encrypted data shall pass deep packet inspection, filtering proxies too. Also streaming encapsulated paid content, for example. https is good, but is being pushed forward due to all the wrong reasons - more control over the users. Same as it used to be with encrypted digital television pushing out terrestrial analog - DRM. It's not that the big guy cares about you little fella, he just wants a better leash.

    If you are worried about big brother, maybe we should quadruple sign everything. At least make it hard if not impossible.

  • jsg Member, Resident Benchmarker

    The problem (well, largely) is not crypto but implementation. And of course a completely rotten stack from the processor upwards. What security can you get when quite some bigger brothers can control your processor and PCIe bus (translation: your whole damn system)?

    Sooner or later "the 2nd Snowden awakening" will come and it won't be pretty. Then we'll learn that their problem anyway wasn't to hack us but only to do it in ways we don't see but feel oh so safe with TLS, Let's Encrypt and funny certificates.

  • angstrom Moderator

    @jsg said:
    The problem (well, largely) is not crypto but implementation. And of course a completely rotten stack from the processor upwards. What security can you get when quite some bigger brothers can control your processor and PCIe bus (translation: your whole damn system)?

    Sooner or later "the 2nd Snowden awakening" will come and it won't be pretty. Then we'll learn that their problem anyway wasn't to hack us but only to do it in ways we don't see but feel oh so safe with TLS, Let's Encrypt and funny certificates.

    You're starting to sound like @bsdguy again.

    Thanked by 1mrTom
  • jsg Member, Resident Benchmarker

    @angstrom said:
    You're starting to sound like @bsdguy again.

    Is that some weird insider game? Whatever, I don't care. In my universe it's not at all a problem to have views similar to some other people.

    How about worrying about REAL issues?

    You might want to, for example, look for "Minix inside Intel chipsets" or for kernel bugs (read: potential vulnerabilities) in all major OSs or for bugs in OpenSSL (and lots of other important libraries) or for a major SSL/TLS co-designer and also otherwise major figure in SSL/TLS circles (e.g. Let's Encrypt) reporting on bad decisions, serious problems, lack of verification, etc.

    I'd LOVE to be wrong but I'm afraid "you sound like XYZ" or "I don't like your hair and clothes" won't change facts or bring us forward or iron out bugs in important software. So, I suggest we stick to the matter.

  • angstrom Moderator

    @jsg said:

    @angstrom said:
    You're starting to sound like @bsdguy again.

    Is that some weird insider game? Whatever, I don't care. In my universe it's not at all a problem to have views similar to some other people.

    How about worrying about REAL issues?

    You might want to, for example, look for "Minix inside Intel chipsets" or for kernel bugs (read: potential vulnerabilities) in all major OSs or for bugs in OpenSSL (and lots of other important libraries) or for a major SSL/TLS co-designer and also otherwise major figure in SSL/TLS circles (e.g. Let's Encrypt) reporting on bad decisions, serious problems, lack of verification, etc.

    I'd LOVE to be wrong but I'm afraid "you sound like XYZ" or "I don't like your hair and clothes" won't change facts or bring us forward or iron out bugs in important software. So, I suggest we stick to the matter.

    If you're right about the (negative) practical consequences (as opposed to the merely theoretical situation), then the end is indeed near.

    I personally think that climate change will negatively affect all of us sooner, but that's probably just me.

  • Kris Member

    People asked you why you had some long winded rant about Google / TLS but linked to something completely unrelated about OpenSSH. As a result you attacked them as 'defending the other side blindly' for only asking what you were on about.

    /r/iamverysmart material all over this thread compliments of @jsg.

    PS: Before you ask what I get - just a small stipend from Google and the Koch Brothers for every single positive thing I say about TLS.

  • will they now penalize ranking of site with no ssl?

  • angstrom Moderator

    @jcaleb said:
    will they now penalize ranking of site with no ssl?

    They might, but this thread is really about the browser Chrome/Chromium, as I tried to say earlier above.

    Thanked by 1jcaleb
  • jsg Member, Resident Benchmarker
    edited August 2018

    @angstrom said:
    If you're right about the (negative) practical consequences (as opposed to the merely theoretical situation), then the end is indeed near.

    Please note that I largely talked about well known facts. The "2nd Snowden awakening" however was indeed a mere assumption.

    @Kris said:

    People asked you why you had some long winded rant about Google / TLS but linked to something completely unrelated about OpenSSH....

    You'll probably turn that against me but if you really think that OpenSSH and SSL/TLS are "completely unrelated" you obviously lack relevant understanding.

    /r/iamverysmart material all over this thread compliments of @jsg.

    I see. So I should put the experience of my profession and everyday job aside and instead offer arbitrary memes preferably ones in favour of TLS?

    PS: Before you ask what I get - just a small stipend from Google and the Koch Brothers for every single positive thing I say about TLS.

    I didn't and still do not assume that you are a paid shill. I know quite well that very many people hold similar beliefs and that's OK unless they are in the field of IT security, in which case they should know better (but might have different reasons guiding their view).

    @jcaleb said:
    will they now penalize ranking of site with no ssl?

    Unfortunately OP's link doesn't work but I guess that Google might increasingly "punish" sites using SSL or even using TLS < 1.1 (or whatever).

    I personally was always opposed to enforcing sites to use SSL/TLS. That said I would however support "punishing" sites using old versions. IF one is using SSL/TLS then one should use min. TLS 1.2 and not e.g. SSL 2.0 and/or weak algorithms (e.g. SHA-1).

    P.S.: WPA2-PSK a very widely used protocol (WiFi) has been hacked and should be considered insecure. Not directly related to SSL/TLS but yet another example of what I talk about and what I consider a major problem field.

    Thanked by 1jcaleb
  • I am just converting my sites to Let's Encrypt. Is that enough?

  • jsg Member, Resident Benchmarker
    edited August 2018

    @jcaleb said:
    I am just converting my sites to Let's Encrypt. Is that enough?

    Not really. You also need to configure anything TLS based properly, e.g. to not accept SSL and to only use a reasonable set of algorithms. But that's largely specific for each server software so you'll have to search for something like "configure TLS 1.2 for [your server, e.g. nginx]".

    Thanked by 2jcaleb maverickp
  • Or you could use https://cipherli.st/ by @raymii or Mozilla's page for recommended configurations.

    Thanked by 2jcaleb maverickp
  • https://Cipherli.st is a quick and easy copy paste if you're experienced and know what you're doing. I recommend reading the Mozilla wiki page to get a better understanding of the behind-the-scenes.

    Thanked by 2seanho jcaleb
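
Added example, not part of any post in this thread: the advice above that a Let's Encrypt certificate alone is not enough, turned into a check that scans an nginx-style configuration for protocols below TLS 1.2 and for weak cipher entries. The two sample configurations, the certificate path, the function names and the weak-cipher token list are constructed for illustration; `ssl_protocols` and `ssl_ciphers` are nginx's directive names.

```python
import re

# ssl_protocols values that fall below the thread's "min. TLS 1.2" bar.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names treated as weak here (assumed, not exhaustive).
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "EXP-")

# Constructed sample: valid certificate, but legacy protocols and ciphers still on.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy versions left enabled
    ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""
# Constructed sample: TLS 1.2 only, AEAD suites, weak families excluded.
HARDENED_CONFIG = """
server {
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5';
}
"""

def directive_values(config, name):
    """Return the argument string of each `name ...;` directive, comments removed."""
    text = re.sub(r"#[^\n]*", "", config)
    pattern = rf"(?m)^\s*{re.escape(name)}\s+([^;]+);"
    return [m.group(1).strip() for m in re.finditer(pattern, text)]

def audit_tls_config(config):
    """List protocol and cipher settings that keep legacy TLS/SSL reachable."""
    findings = []
    protocols = directive_values(config, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: the server's built-in default applies")
    for value in protocols:
        findings += [f"legacy protocol enabled: {p}" for p in value.split() if p in LEGACY_PROTOCOLS]
    for value in directive_values(config, "ssl_ciphers"):
        for entry in value.strip("'\"").split(":"):
            if entry.startswith(("!", "-")):
                continue  # "!X" / "-X" remove ciphers from the list
            if any(token in entry.upper() for token in WEAK_CIPHER_TOKENS):
                findings.append(f"weak cipher allowed: {entry}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg))
```

A static check like this only reads the configuration text; what the running server actually negotiates still needs to be confirmed against the live endpoint.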