Google, HTTPS and Internet
http://www.techworld.com/security/why-g ... r-3646416/
This article explains the next step Google is going to take to get people's attention towards unsecure HTTP. Starting early next year, Chrome browser will have NOT SECURE in the address bar for websites still using HTTP.
The goal is to have HTTP deprecated, and that all websites use the secure HTTPS for a number of reasons:
Authentication
Data security and compliance
Privacy
What about cost? It is no longer a legitimate concern when you realize there is Let's Encrypt that now helps websites get certificates for free.
labbe5,
It is sweet irony that a thread is started about https and what Google is going to pop-up in the browser, yet the link is to a site that is "http..."
Before they rush headlong into https, the browser mftrs need to get off their collective butts and end ALL 64-bit cypher encryption. It's not only RC4 that needs to be deprecated and ditched, but also Blowfish and 3des. Heck, only 1-2% of websites are still on blowfish and 3des which is still a huge number when you think about the worldwide Net, but dang, collision attacks have made it easy to crack these ciphers in 72 hrs or less, rendering complete cookie decryption (that MITM grab every second of every day looking for cleartext). Google especially needs to kick these dragalong sites in the rear, but unbelievably they are too afraid to upset anything when it comes to the applecart of online ad revenue.
P.S. Https Everywhere, by the EFF Foundation, is by far the best add-on for any browser in existence, from Slimjet, Chrome, Opera to Firefox/Seamonkey/Palemoon/et al. It tries to force your browser to always use "https.." (if the site supports it) no matter if you want to or not.
drunkjedi wrote: "What benefit I will be getting if say a wallpaper site I browse becomes https? or say, this forum becomes https?"
You'll get to wait longer for your wallpaper to download and have the peace of mind that it will only be third party ads certified by the site that will likely know which wallpaper you download.
This means for instance sites like facebook will be able to control better who sees your data thereby allowing them to make more cheddar.
That said you may get a small security benefit since there have been exploits that use image files. However, such exploits are more likely to affect windows systems.
Also I suppose if someone can man in the middle your http connection then they could send you a page with malicious content and/or links, which you may be vulnerable to if your browser or browser plugin has unpatched security holes.
Last edited by s243a on Thu 06 Oct 2016, 18:09, edited 1 time in total.
-
- Posts: 1885
- Joined: Tue 05 Jun 2012, 12:17
- Location: Wisconsin USA
drunkjedi wrote: "What benefit I will be getting if say a wallpaper site I browse becomes https? or say, this forum becomes https?"
this forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS.
....
drunkjedi wrote: "What benefit I will be getting if say a wallpaper site I browse becomes https? or say, this forum becomes https?"
bark_bark_bark wrote: "this forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS."
but does that apply to his wallpaper site?
drunkjedi wrote: "What benefit I will be getting if say a wallpaper site I browse becomes https? or say, this forum becomes https?"
bark_bark_bark wrote: "this forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS."
s243a wrote: "but does that apply to his wallpaper site?"
Well if his wallpaper site used HTTPS, then spy agencies won't know what wallpaper he is looking for.
....
bark_bark_bark wrote: "this forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS."
s243a wrote: "but does that apply to his wallpaper site?"
bark_bark_bark wrote: "Well if his wallpaper site used HTTPS, then spy agencies won't know what wallpaper he is looking for."
So then he won't end up on a no fly list for downloading a "no bacon" wallpaper? Perhaps if we want better privacy we should use the darknet more.
On another note. I wonder if yahoo used https for their email service......
https://theintercept.com/2016/10/04/del ... o-account/
There is a small snag in https being the default access to a webpage.
For those in the US try logging into a McD or Dunkin Donuts free wifi. If your home page is a secure https you will get an error message that the cert is not trusted because McD or DD is not on the list of providers. (Translation = The provider needs to be a middle-man or provider. The https site will not allow us to do that.) The cure for the free-wifi bug is to go to a http page. Now McD or DD can intercept and become provider. (Translation + Google, et al are trying to force corporations other than search providers out of the wifi game. That's why they want https connect. Their pals the phone Co.s {paid service} get revenue and kick some to the search provider.)
JMHO
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
8Geee wrote: There is a small snag in https being the default access to a webpage.
For those in the US try logging into a McD or Dunkin Donuts free wifi. If your home page is a secure https you will get an error message that the cert is not trusted because McD or DD is not on the list of providers. (Translation = The provider needs to be a middle-man or provider. The https site will not allow us to do that.) The cure for the free-wifi bug is to go to a http page. Now McD or DD can intercept and become provider. (Translation + Google, et al are trying to force corporations other than search providers out of the wifi game. That's why they want https connect. Their pals the phone Co.s {paid service} get revenue and kick some to the search provider.)
JMHO
8Geee
Hi 8Geee,
Are you saying the https battle is one of not software but hardware, where vendors are moving to outgun one another? Isn't there nothing stopping McD and DD from being a wireless provider (that also allows https passthrough) if they become the point you attach to initially (with the correct hardware)? Last time we were in Starbucks, we were on https the whole time, so I am a little lost with what you are saying......
As I was trying to explain, offering free wi-fi is one thing. Getting connected to it involves "jumping thru a hoop". The http site is the only way the free-provider can intercept the request and become "the ISP". Only then can the Customer access the free wi-fi offered.
So it turns out that https everywhere has one financial snag... no free wi-fi access. One must have a subscription to a paid network. That is, one must use the service that is paid for and "metered" that is already (to put it politely) in the smartphone.
Knowing this, I want http websites like Puppy Linux around... it unlocks free wi-fi. People here may not realize that Puppy Linux is a very intelligent OS, as nothing is "new school", one picks and chooses what one wants, including WHAT NETWORK CONNECTION to use (the pay network that one is subscribed or a free one offered).
JMHO
8Geee
-
- Posts: 4
- Joined: Sat 15 Oct 2016, 23:16
The 3 aspects of HTTPS:
a) HTTPS secures communication by preventing snooping and tampering.
b) HTTPS secures identity by providing proof that the server is who it claims it is.
c) Very important: both (a) and (b) are established by a chain of trust, which starts by trusting a "top" (or "root") authority. If you trust the "top" authority, you trust all other sites that the "top" authority has trusted (directly or indirectly).
People tend to forget about these 3 aspects. They only remember one of these, depending on the context. E.g. avoiding password snooping is (a). The Let's Encrypt program also focuses mainly on (a).
But (b) and (c) aren't less important. There is no point in securing the password, if you send that password to the wrong website in the first place (b). And (b) is facilitated by (c) - if somebody can get you to trust a bogus "top" authority, then anyone trusted by that authority will also be trusted by you (including the ability to snoop, and tamper, any messages you send/receive).
The 3 aspects are dependent on each other. Each has its own weaknesses. To implement HTTPS correctly, all these 3 must be considered properly.
Rushing to switch to HTTPS with incorrect implementation will make things A LOT WORSE, because, with standard HTTP, at least we know we're in an untrusted, unsecured connection.
With improper HTTPS, we think we are secure, and thus place greater trust in the system, when in fact it may not be.
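Point (c) of the post above, as an added example that is not part of the original thread: two root authorities each sign a certificate for the same site name, and the client accepts the second one only once the bogus root is in its trust store. The names real-root, bogus-root and forum.example are constructed for the demo, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added illustration; every key, name and certificate is generated locally.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: create a self-signed root certificate NAME.pem (key NAME.key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue CA LEAF: create LEAF.pem for CN=forum.example (constructed name),
# signed by the root CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=forum.example" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 1 -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# trusted STORE LEAF: print "accepted" if LEAF chains to a root in STORE,
# otherwise "rejected".
trusted() {
  if openssl verify -CAfile "$work/$1" "$work/$2.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca real-root;  issue real-root  real-leaf
make_ca bogus-root; issue bogus-root bogus-leaf

# The client starts out trusting only the real root.
cp "$work/real-root.pem" "$work/store.pem"
real=$(trusted store.pem real-leaf)
before=$(trusted store.pem bogus-leaf)

# The bogus root is added to the client's trust store (aspect c fails)...
cat "$work/bogus-root.pem" >> "$work/store.pem"
# ...and the impostor certificate for the same name now validates (aspect b).
after=$(trusted store.pem bogus-leaf)

echo "real leaf: $real | bogus leaf before: $before, after: $after"
```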
-
- Posts: 1543
- Joined: Mon 22 Feb 2016, 19:43