The Web Design Group

... Making the Web accessible to all.

> Firefox and Chrome start calling HTTP connections insecure
Christian J
post Feb 5 2017, 11:04 AM
Post #1



Group: WDG Moderators
Posts: 9,628
Joined: 10-August 06
Member No.: 7



https://arstechnica.com/information-technol...tions-insecure/

QUOTE
The non-secure labelling will occur on pages delivered over HTTP that include forms. Specifically, pages that include password fields, and in Chrome, credit card fields, will put warnings in the address bar to explicitly indicate that the connection is not secure.

My guess is this will primarily affect login pages on web forums (including this one). Most online payment and banking sites should hopefully use HTTPS already. Don't know about minor webmail providers.

QUOTE
A future version of Firefox will include a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP, and Mozilla plans to use the struck through padlock icon for every HTTP page. Similarly, Google intends to eventually include the "Not secure" message in the address bar for all pages delivered over HTTP, whether they contain passwords or not.

Of course if the majority of normal HTTP sites are labeled as "insecure", the warning will soon be ignored.

Some more opinions on the matter:
https://www.troyhunt.com/heres-how-broken-t...default-future/
https://konklone.com/post/were-deprecating-...oing-to-be-okay
https://medium.com/@b_k/https-the-end-of-an-era-c106acded474
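Added example, not part of the original thread: a site owner's audit of which pages would pick up the warnings described in the two quotes in post #1. The function names, the example.test URLs and the field detection (type="password", and an autocomplete token starting with cc- as a stand-in for Chrome's credit card detection) are assumptions made for illustration.

```javascript
// Added example, not from the thread. Approximates the quoted labelling rule
// so a site owner can list pages that need to move to HTTPS first.
// Assumptions: a password field is <input type="password">; a card field is an
// <input> whose autocomplete value has a cc-* token (stand-in for Chrome's detection).

function inputTags(html) {
  // Drop HTML comments so commented-out forms are not counted.
  const visible = html.replace(/<!--[\s\S]*?-->/g, "");
  return visible.match(/<input\b[^>]*>/gi) || [];
}

function attr(tag, name) {
  // Value of a quoted or unquoted attribute, lower-cased; "" when absent.
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]).toLowerCase() : "";
}

function auditPage(url, html) {
  const overHttp = new URL(url).protocol === "http:";
  const tags = inputTags(html);
  const hasPassword = tags.some((t) => attr(t, "type") === "password");
  const hasCard = tags.some((t) => /\bcc-[a-z-]+/.test(attr(t, "autocomplete")));
  return {
    url,
    firefoxWarns: overHttp && hasPassword,             // password fields only
    chromeWarns: overHttp && (hasPassword || hasCard), // password or card fields
    eventuallyMarked: overHttp,                        // planned for every HTTP page
  };
}

// Constructed sample pages (not real sites).
const SAMPLE_PAGES = [
  ["http://forum.example.test/login", '<form><input type="password" name="pw"></form>'],
  ["http://shop.example.test/pay", "<form><input autocomplete='cc-number' name=card></form>"],
  ["https://forum.example.test/login", '<form><input type="password" name="pw"></form>'],
  ["http://forum.example.test/", '<!-- <input type="password"> --><input type=text name=q>'],
];

function auditSite(pages) {
  return pages.map(([url, html]) => auditPage(url, html));
}

console.log(auditSite(SAMPLE_PAGES));
```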
pandy
post Feb 5 2017, 01:02 PM
Post #2


🌟Computer says no🌟

Group: WDG Moderators
Posts: 20,716
Joined: 9-August 06
Member No.: 6



Maybe it's good. People should be able to decide when not secure is OK. Even if some will probably throw a hissy fit and think the site is dangerous. I've been known to forget to check if the connection is secure when I've paid for something online, so I just might find this useful.

BTW what's with this trend when people use SSL for the whole site? What's the use of that? I don't get it.
Christian J
post Feb 5 2017, 03:24 PM
Post #3





QUOTE(pandy @ Feb 5 2017, 07:02 PM)

Maybe it's good.

It's good that the ISP and others can't monitor your traffic (I recall the ISP still sees the domain you connect to though, even with HTTPS).

QUOTE
People should be able to decide when not secure is OK.

We could see if the URL used an https:// protocol before too. Of course many users don't know what that means, but will they be more enlightened by a message like "Not secure", or even "Connection is Not Secure"? Not to mention very few know what SSL certificates are, or if they are secure.

QUOTE
Even if some will probably throw a hissy fit and think the site is dangerous.

Indeed.

QUOTE
BTW what's with this trend when people use SSL for the whole site? What's the use of that? I don't get it.

Maybe they're preparing for this new browser feature? Or maybe they think it's simpler to use it for the whole site, to avoid mixing secure and unsecure content?

pandy
post Feb 5 2017, 05:34 PM
Post #4





QUOTE(Christian J @ Feb 5 2017, 09:24 PM)

We could see if the URL used an https:// protocol before too. Of course many users don't know what that means, but will they be more enlightened by a message like "Not secure", or even "Connection is Not Secure"? Not to mention very few know what SSL certificates are, or if they are secure.


Yeah, but do you honestly always remember to check? As I said, in the heat of the moment I sometimes forget. When I see a bargain and there's only one or two items left I whip my card out so fast I haven't got time for looking for things like that.



QUOTE
QUOTE
BTW what's with this trend when people use SSL for the whole site? What's the use of that? I don't get it.

Maybe they're preparing for this new browser feature? Or maybe they think it's simpler to use it for the whole site, to avoid mixing secure and unsecure content?


Nah, it's been going on a while. Just the occasional site, but anyway. Can't think of an example right now. Often they brag about it too. "We've made the site more secure because we are so clever blah blah blah". What can text and images do to you that's eliminated by using a secure connection? Beats me.
Christian J
post Feb 5 2017, 07:31 PM
Post #5





QUOTE(pandy @ Feb 5 2017, 11:34 PM)

Yeah, but do you honestly always remember to check?

Looking at the screenshots in the linked article, I wonder how noticeable even the new alerts will be. Maybe they won't be noticed either, in which case it all becomes moot.

QUOTE
As I said, in the heat of the moment I sometimes forget. When I see a bargain and there's only one or two items left I whip my card out so fast I haven't got time for looking for things like that.

See my reply above.

QUOTE
Often they brag about it too. "We've made the site more secure because we are so clever blah blah blah". What can text and images do to you that's eliminated over a secure connection? Beats me.

Secure webhosting used to be more expensive. Maybe they just do it to brag about it.
Christian J
post Feb 6 2017, 08:44 AM
Post #6





HTTPS may also give the user a false sense of security. Even if a contact form is sent over HTTPS, the server-side script may still send the actual email in plain text -- the browser has no way of knowing. Same thing if an HTTPS site stores user data as plain text in a database.