[LINK] Browsers should mark HTTP as insecure?

Stephen Loosley stephenloosley at zoho.com
Fri Dec 26 12:35:11 AEDT 2014


> https://letsencrypt.org
>
> Let’s Encrypt is a free, automated, and open certificate authority
> run for the public’s benefit. The key principles behind Let’s Encrypt
> are: * Free: Anyone who owns a domain name can use Let’s Encrypt
> to obtain a trusted certificate at zero cost.. It’s clear that encrypting
> is something all of us should be doing. Then why don’t we use TLS (the
> successor to SSL) everywhere? Every browser in every device supports it.
> Every server in every data center supports it. Why not just flip the switch?


https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure


Chrome engineers have proposed that all websites that don't encrypt traffic be marked as insecure by browsers.

By Gregg Keizer (Computerworld (US)) on 23 December, 2014 02:31


.. Chrome's argument is that, without HTTPS and SSL/TLS encryption, traffic between a user's browser and a website is inherently unsafe.

If this change is made, it would reverse decades of leaving HTTP unmarked, and tagging only those sites that are encrypted. Browser users have long been told to look at the address bar for signs of encryption, not for signs of the lack of it.

While Google did not spell out exactly how HTTP addresses would be marked as insecure, it suggested that browser makers take a measured, step-by-step approach in 2015, when normal HTTP addresses would somehow first be marked as "dubious" and only later be tagged as "non-secure" with in-browser flags. Those would most likely be coded using color or designated with an icon, the practices now used in browsers to peg HTTPS, but the specifics would be left up to each browser developer.

At some point down the line, the signs for HTTPS -- such as the lock icon -- would disappear as encrypted traffic would be assumed to be the norm.

Google's idea has support from Mozilla, whose developers cross-posted comments on their own discussion forum, although there were others who pointed out problems. "The really critical question for me here is the timeline," said Richard Barnes, a security engineer at Mozilla, in a follow-up message. "It's pretty much out of the question to deploy an indicator like this today, because it would appear so often."

Mozilla has backed Let's Encrypt, a project to deliver free security certificates, making encryption possible for small websites.

Those certificates would be important. If browsers marked HTTP as not secure, website owners would want to avoid the warnings -- afraid they would scare off visitors -- and so need a certificate to encrypt their traffic.

Google has been aggressively promoting HTTPS. In August, for instance, Google said it may lower the search ranking of websites that aren't encrypting connections with TLS.

Large swaths of the Internet would have to move to HTTPS to avoid the negative browser signals and public shaming under Google's concept, as most major players don't encrypt their primary domains. Neither microsoft.com nor apple.com uses HTTPS, for example, although parts do, including their online stores and some of their services, like Microsoft's Outlook.com and Apple's iCloud.

http://www.arnnet.com.au/article/562935/google-wants-turn-browser-signals-web-encryption-upside-down/

Cheers,
Stephen
