Google, HTTPS and Internet

For discussions about security.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

#1 Post by labbe5 »

http://www.techworld.com/security/why-g ... r-3646416/

This article explains the next step Google is going to take to get people's attention towards unsecure HTTP. Starting early next year, the Chrome browser will have NOT SECURE in the address bar for websites still using HTTP.

The goal is to have HTTP deprecated, and to have all websites use the secure HTTPS, for a number of reasons:

Authentication
Data security and compliance
Privacy

What about cost? It is no longer a legitimate concern when you realize there is Let's Encrypt that now helps websites get certificates for free.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#2 Post by belham2 »

labbe5,

It is sweet irony that a thread is started about https and what Google is going to pop-up in the browser, yet the link is to a site that is "http..." :D

Before they rush headlong into https, the browser mftrs need to get off their collective butts and end ALL 64-bit cipher encryption. It's not only RC4 that needs to be deprecated and ditched, but also Blowfish and 3DES. Heck, only 1-2% of websites are still on Blowfish and 3DES, which is still a huge number when you think about the worldwide Net, but dang, collision attacks have made it easy to crack these ciphers in 72 hrs or less, rendering complete cookie decryption (that MITM grab every second of every day looking for cleartext). Google especially needs to kick these dragalong sites in the rear, but unbelievably they are too afraid to upset anything when it comes to the applecart of online ad revenue.


P.S. HTTPS Everywhere, by the EFF Foundation, is by far the best add-on for any browser in existence, from Slimjet, Chrome, Opera to Firefox/Seamonkey/Palemoon/et al. It tries to force your browser to always use "https.." (if the site supports it) no matter if you want to or not.
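
The 64-bit block cipher concern raised in post #2 above, as an added example that is not part of the original thread: a Python audit that flags RC4 and 64-bit block ciphers (3DES, Blowfish and similar) in a list of cipher names and computes the birthday-bound data volume per key. The token lists and the sample names are assumptions constructed for illustration.

```python
import re
import ssl

# Assumed token lists (not from the thread): name parts that identify
# 64-bit block ciphers and RC4 across OpenSSL, IANA, SSH and OpenVPN naming.
BLOCK64_TOKENS = {"DES", "3DES", "IDEA", "BF", "BLOWFISH", "RC2", "CAST5"}
RC4_TOKENS = {"RC4"}


def birthday_bound_bytes(block_bits):
    """Bytes under one key after which a block collision becomes likely:
    about 2^(n/2) blocks of n/8 bytes each."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def classify(name):
    """Return a finding for a weak cipher or suite name, else None."""
    tokens = set(re.split(r"[-_@.]", name.upper()))
    if tokens & BLOCK64_TOKENS:
        gib = birthday_bound_bytes(64) // 2**30
        return f"64-bit block: collisions likely near {gib} GiB per key"
    if tokens & RC4_TOKENS:
        return "RC4 stream cipher"
    return None


def audit(names):
    """Map each flagged name to its finding, keeping input order."""
    return {n: f for n in names if (f := classify(n))}


# Constructed sample input, mixing the four naming styles.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "blowfish-cbc",
    "BF-CBC",
    "aes256-gcm@openssh.com",
    "TLS_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
    # Also audit what the local OpenSSL build enables by default.
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print("local defaults flagged:", audit(local) or "none")
```

A 128-bit block cipher such as AES pushes the same bound to 2^68 bytes, which is why the finding applies only to the 64-bit family.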

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#3 Post by Scooby »

I've never trusted Google, and I never will.

drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#4 Post by drunkjedi »

What benefit will I be getting if, say, a wallpaper site I browse becomes https?
Or say, this forum becomes https?

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#5 Post by s243a »

drunkjedi wrote:What benefit will I be getting if, say, a wallpaper site I browse becomes https?
Or say, this forum becomes https?

You'll get to wait longer for your wallpaper to download and have the peace of mind that it will only be third party ads certified by the site that will likely know which wallpaper you download.

This means, for instance, sites like Facebook will be able to control better who sees your data, thereby allowing them to make more cheddar.

That said, you may get a small security benefit since there have been exploits that use image files. However, such exploits are more likely to affect Windows systems.

Also I suppose if someone can man in the middle your http connection then they could send you a page with malicious content and/or links, which you may be vulnerable to if your browser or browser plugin has unpatched security holes.
Last edited by s243a on Thu 06 Oct 2016, 18:09, edited 1 time in total.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#6 Post by bark_bark_bark »

drunkjedi wrote:What benefit will I be getting if, say, a wallpaper site I browse becomes https?
Or say, this forum becomes https?

This forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS.
....

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#7 Post by s243a »

bark_bark_bark wrote:
drunkjedi wrote:What benefit will I be getting if, say, a wallpaper site I browse becomes https?
Or say, this forum becomes https?
This forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS.

But does that apply to his wallpaper site?

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#8 Post by bark_bark_bark »

s243a wrote:
bark_bark_bark wrote:
drunkjedi wrote:What benefit will I be getting if, say, a wallpaper site I browse becomes https?
Or say, this forum becomes https?
This forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS.
But does that apply to his wallpaper site?

Well, if his wallpaper site used HTTPS, then spy agencies won't know what wallpaper he is looking for.
....

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#9 Post by s243a »

Perhaps there needs to be an http protocol that only encrypts checksums and other meta data.

Browsers used to warn us when using GET or POST http methods. What is old is new again.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#10 Post by s243a »

bark_bark_bark wrote:
s243a wrote:
bark_bark_bark wrote: This forum would be significantly more secure with HTTPS. Any website that stores personal information like usernames, email addresses, and passwords SHOULD use HTTPS.
But does that apply to his wallpaper site?
Well, if his wallpaper site used HTTPS, then spy agencies won't know what wallpaper he is looking for.

So then he won't end up on a no fly list for downloading a "no bacon" wallpaper? Perhaps if we want better privacy we should use the darknet more.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#11 Post by s243a »

On another note, I wonder if Yahoo used https for their email service......

https://theintercept.com/2016/10/04/del ... o-account/

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#12 Post by 8Geee »

There is a small snag in https being the default access to a webpage.

For those in the US try logging into a McD or Dunkin Donuts free wifi. If your home page is a secure https you will get an error message that the cert is not trusted because McD or DD is not on the list of providers. (Translation = The provider needs to be a middle-man or provider. The https site will not allow us to do that.) The cure for the free-wifi bug is to go to a http page. Now McD or DD can intercept and become provider. (Translation + Google, et al are trying to force corporations other than search providers out of the wifi game. That's why they want https connect. Their pals the phone Co.s {paid service} get revenue and kick some to the search provider.)

JMHO
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#13 Post by belham2 »

8Geee wrote:There is a small snag in https being the default access to a webpage.

For those in the US try logging into a McD or Dunkin Donuts free wifi. If your home page is a secure https you will get an error message that the cert is not trusted because McD or DD is not on the list of providers. (Translation = The provider needs to be a middle-man or provider. The https site will not allow us to do that.) The cure for the free-wifi bug is to go to a http page. Now McD or DD can intercept and become provider. (Translation + Google, et al are trying to force corporations other than search providers out of the wifi game. That's why they want https connect. Their pals the phone Co.s {paid service} get revenue and kick some to the search provider.)

JMHO
8Geee

Hi 8Geee,

Are you saying the https battle is one of not software but hardware, where vendors are moving to outgun one another? Isn't there nothing stopping McD and DD from being a wireless provider (that also allows https passthrough) if they become the point you attach to initially (with the correct hardware)? Last time we were in Starbucks, we were on https the whole time, so I am a little lost with what you are saying......

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#14 Post by 8Geee »

As I was trying to explain, offering free wi-fi is one thing. Getting connected to it involves "jumping thru a hoop". The http site is the only way the free-provider can intercept the request and become "the ISP". Only then can the Customer access the free wi-fi offered.

So it turns out that https everywhere has one financial snag... no free wi-fi access. One must have a subscription to a paid network. That is, one must use the service that is paid for and "metered" that is already (to put it politely) in the smartphone.

Knowing this, I want http websites like Puppy Linux around... it unlocks free wi-fi. People here may not realize that Puppy Linux is a very intelligent OS, as nothing is "new school", one picks and chooses what one wants, including WHAT NETWORK CONNECTION to use (the pay network that one is subscribed to or a free one offered).

JMHO
8Geee

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#15 Post by bark_bark_bark »

The Puppy Linux site should be encrypted with HTTPS. The forums hold user information, and the main site provides download links. Without HTTPS, the site and forums are vulnerable.
....

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#16 Post by Semme »

Bee-S!

Financial happenings here on Murga? :D Nah. It's your choice whether to load valid credentials or not.

Face it Senior Paranoid Guy, unless you've got something worth having, you ain't worth being hacked. :wink:

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#17 Post by bark_bark_bark »

Hmm... Okay, so you don't think that there are users here that use the same password for this site on every other site they use? Do you want hackers to know your email address?
....

GoogleFactChecker
Posts: 4
Joined: Sat 15 Oct 2016, 23:16

#18 Post by GoogleFactChecker »

The 3 aspects of HTTPS:
(a) HTTPS secures communication by preventing snooping and tampering.
(b) HTTPS secures identity by providing proof that the server is who it claims it is.
(c) Very important: both (a) and (b) are established by a chain of trust, which starts by trusting a "top" (or "root") authority. If you trust the "top" authority, you trust all other sites that the "top" authority has trusted (directly or indirectly).

People tend to forget about these 3 aspects. They only remember one of these, depending on the context. E.g. avoiding password snooping is (a). The Let's Encrypt program also focuses mainly on (a).

But (b) and (c) aren't less important. There is no point in securing the password if you send that password to the wrong website in the first place (b). And (b) is facilitated by (c) - if somebody can get you to trust a bogus "top" authority, then anyone trusted by that authority will also be trusted by you (including the ability to snoop, and tamper, any messages you send/receive).

The 3 aspects are dependent on each other. Each has its own weaknesses. To implement HTTPS correctly, all these 3 must be considered properly.

Rushing to switch to HTTPS with incorrect implementation will make things A LOT WORSE, because, with standard HTTP, at least we know we're in an untrusted, unsecured connection.

With improper HTTPS, we think we are secure, and thus place greater trust in the system, when in fact it may not be.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#19 Post by Sailor Enceladus »

GoogleFactChecker, does your name mean that you use Google search to find information, or... ??? :)

drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#20 Post by drunkjedi »

Not information mate, Facts.... Google Facts.
;)
