A heads up for those of you who use Google's Chrome web browser:
quote:
Chrome 68 to condemn all unencrypted sites by summer
Google in July will start inserting a 'not secure' label in the address bar of every website that uses HTTP connections between its servers and users.
By Gregg Keizer, Senior Reporter, Computerworld | FEB 13, 2018 3:10 AM PT
Google has put a July deadline on a 2016 promise that its Chrome browser would tag all websites that don't encrypt their traffic.
"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as 'not secure,'" wrote Emily Schechter, a Chrome security product manager, in a Feb. 8 post to a company blog.
Google has scheduled Chrome 68 to release in Stable form - analogous to production-level quality - during the week of July 22-28.
Starting then, Chrome will insert a "Not secure" label into the address bar of every website that uses HTTP connections between its servers and users. Sites that instead rely on HTTPS to encrypt the back-and-forth traffic will display their URLs normally in the address bar.
Google's campaign to call out HTTP websites as unsafe began in 2014, with the search giant ramping up the effort in September 2016, when it told users Chrome 56 would shame pages that didn't encrypt password or credit card form fields. Chrome 56 debuted in late January 2017, and immediately started to apply the "Not secure" label to pertinent pages.
The push for always-HTTPS - backed by Google and others, including Mozilla, maker of Firefox - has worked, Schechter argued. Eighty-one of the web's top 100 sites, she asserted, now used HTTPS by default, while 68% of Chrome traffic on Windows and Android (by pages) and 78% on both macOS and Chrome OS was encrypted. That was up significantly from September 2016, when Schechter said half of all Chrome desktop page loads were being served via HTTPS.
Eventually, Chrome's "Not secure" label will be accompanied by a red-for-danger icon.
Users can enable Chrome's new HTTP tagging now by typing chrome://flags in the address bar, then finding the item described as "Mark non-secure origins as non-secure." Selecting "Enable (mark with a Not Secure warning)" and relaunching Chrome replicates what Chrome 68 will display after Google sets that option as the default. Choosing "Enable (mark as actively dangerous)" displays the red icon as well.
What Google does - or doesn't - with Chrome has a huge impact on the web simply because of the browser's massive influence. In January, for instance, analytics vendor Net Applications pegged Chrome's user share at 61.4%, making it as dominant as Microsoft's Internet Explorer was in 2010, when Google's browser was just two years old.
That user share has enormous sway over all sites, a club and carrot that Google constantly wields. No site wants to give all those Chrome users the impression that it's unsafe, and to be avoided. As a result, many sites have fallen in line with Google's demand that the web go all-in on HTTPS.
Why post about a five-month-old article now? Because the projected release date for Chrome 68 stable was July 24. Tomorrow.
"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe "If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
I think most (major) sites already perform a re-direct if you use "http" to "https."
If you type just www.somedomain.com in your browser URL field and hold the Control (Command on Macs) key as you press enter, the browser will automatically fill in the "http" or "https" protocol.
You can't truly call yourself "peaceful" unless you are capable of great violence. If you're not capable of great violence, you're not peaceful, you're harmless.
NRA Benefactor/Patriot Member
Posts: 2857 | Location: Peoples Republic of North Virginia | Registered: December 04, 2015
Originally posted by fpuhan:
I think most (major) sites already perform a re-direct if you use "http" to "https."
You're ignoring one obvious site...
Yes, exactly.
Most people don't even realize that Sigforum is HTTP and not HTTPS.
People should know that their data is being floated back and forth to Sigforum in an unencrypted state. It's not a huge deal, since we don't send private messages, or have a paywall or ecommerce functions here, but there's a chance that username and password combos are being sent as plaintext. People should know about and understand that risk before they send potentially sensitive data.
Posts: 13067 | Location: Orange County, California | Registered: May 19, 2002
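An added example, not part of the thread or of any site's code: a site operator's check for the plaintext-login risk described in the post above, flagging forms with password or card fields that are served or submitted over HTTP (the pages the article says Chrome 56 began labelling). The host names, the sample HTML and the use of `autocomplete="cc-..."` to spot card fields are assumptions made for the illustration; it also goes one step beyond the article by flagging an HTTPS page that posts to an HTTP target.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects each <form> with the sensitive inputs found inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = a.get("type", "text").lower()
            auto = a.get("autocomplete", "").lower()
            # Assumption: card fields are recognised by autocomplete="cc-*".
            if kind == "password" or auto.startswith("cc-"):
                self._current["sensitive"].append(a.get("name") or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_credential_forms(page_url, html):
    """Return (submit_url, field_names) for every sensitive form that is
    delivered over HTTP or submits to an HTTP URL."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["sensitive"]:
            continue
        # An empty action submits back to the page's own URL.
        target = urljoin(page_url, form["action"])
        schemes = (urlsplit(page_url).scheme, urlsplit(target).scheme)
        if any(s != "https" for s in schemes):
            findings.append((target, form["sensitive"]))
    return findings


# Constructed sample page: a search box, a login form, a payment form.
SAMPLE = """<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post"><input name="user"><input type="password" name="pw"></form>
<form action="https://pay.example/charge"><input name="card" autocomplete="cc-number"></form>"""
```

Served from an `http://` page, both the login and payment forms are reported, the latter because the page carrying the form arrived unencrypted even though its submit target is HTTPS.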
Chrome is going to flag sites as unsecure so that the user is aware. Good.
Yes, it is a non-issue in that it won't prevent anybody from visiting non-HTTPS sites. It will, however, almost certainly raise questions.
That's why I issued the heads up.
"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe "If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
Chrome is going to flag sites as unsecure so that the user is aware. Good.
Yes, it is a non-issue in that it won't prevent anybody from visiting non-HTTPS sites. It will, however, almost certainly raise questions.
That's why I issued the heads up.
Mozilla's Firefox has been flagging for at least 6 months. It doesn't prevent me from visiting, but made me spend a few minutes Googling before logging in the first time the warning popped up. Now, it's just 5 extra seconds so no biggie.
Ego is the anesthesia that deadens the pain of stupidity
DISCLAIMER: These are the author's own personal views and do not represent the views of the author's employer.
Posts: 23952 | Location: Northern Suburbs of Houston | Registered: November 14, 2005