Google Chrome Plans to Mark All HTTP Traffic as Non-Secure Starting in 2015

Standard HTTP communications provide absolutely no data security. Anyone in a position to capture packets sent over HTTP can analyze them with readily available tools like Wireshark and obtain passwords, credit card numbers, and other sensitive data in cleartext. The HTTPS protocol makes up for this lack of security by layering HTTP on top of the SSL/TLS cryptographic protocol. HTTPS is already used by many sites that handle sensitive information, such as PayPal and Gmail. However, most of the internet still operates over HTTP, and Google Chrome hopes to change that.

The Chrome Security Team has proposed that browsers gradually start marking all HTTP traffic as non-secure. All popular web browsers currently display no warnings when accessing content over HTTP, even though HTTP potentially leaves users vulnerable to man-in-the-middle attacks and state surveillance.

The Need for HTTPS

XKeyscore HTTP

Network surveillance and tampering isn’t simply a theoretical threat. Malicious users on public wifi hotspots as well as government agencies such as the National Security Agency have taken advantage of sensitive information sent over HTTP. In fact, this slide from the NSA’s formerly secret XKeyscore program succinctly states why the agency is interested in snooping on HTTP communications.

While the slide is a bit outdated, as sites like Facebook and Gmail now strictly enforce HTTPS, most of the internet still does not.

The Plan

Web browsers today typically show a lock icon in the address bar to indicate a connection is secure through HTTPS, or some sort of warning icon if there is mixed content on the page. Yet ironically, users aren’t presented with any warnings when a connection is completely non-secure.

Hacked.com HTTPS

Example.com HTTP

The Chrome Security Team categorises transport layer security into three general states:

  • Secure (valid HTTPS, other origins like (*, localhost, *));
  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
  • Non-secure (broken HTTPS, HTTP).

Instead of leaving HTTP websites unmarked in any way, Chrome suggests gradually marking HTTP domains from “Dubious” to entirely “Non-secure”. For instance, HTTP sites could initially be marked with an icon such as this one in the address bar rather than the blank page icon:

HTTP Dubious

This icon indicates to the user that there is a potential problem with the website. Clicking on the icon would provide more information. As site owners gradually shift towards using HTTPS (as Chrome hopes), non-HTTPS sites can eventually be marked as completely “Non-secure”:

HTTP Non-Secure

A red icon with an “X” looks far more serious than a light orange icon with an exclamation mark. However, if Chrome were to immediately start marking all HTTP addresses with the red icon starting tomorrow, most websites on the internet would be categorised as “Non-secure” and show the red icon. The user would see red “X”s everywhere, which could soon desensitise the user to any possible threat (similar to what happened when Windows first introduced User Account Control). Instead, by taking a gradual approach, Chrome hopes to give website owners enough time to switch from HTTP to HTTPS. The Electronic Frontier Foundation (EFF) has also announced an upcoming certificate authority that will provide site owners with free SSL certificates. Perhaps eventually, when HTTPS becomes the standard across the web, it will no longer be necessary to mark HTTPS addresses with a green lock icon. Only HTTP addresses would need any sort of marking.
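The three states and the phased treatment of plain HTTP described above can be expressed as a small classifier. This is an added example, not code from Chrome or from the original article; the input shape, the function names, the `httpPhase` parameter, treating any localhost origin as secure, and counting mixed active content as broken HTTPS are assumptions.

```javascript
// Added illustration; names and input shape are assumptions, not Chrome's code.
const PASSIVE_TYPES = new Set(["image", "audio", "video"]);

// Assumption: any scheme/port on localhost counts as a secure origin,
// following the "(*, localhost, *)" entry in the list above.
function isLocalOrigin(url) {
  return ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// page: { url, certValid, minorTlsErrors, subresources: [{ url, type }] }
// httpPhase: label given to plain HTTP at the current rollout stage:
//   "unmarked" (status quo), "dubious" (first step), "non-secure" (end state).
function classifyPage(page, httpPhase = "dubious") {
  const url = new URL(page.url);
  if (isLocalOrigin(url)) return "secure";
  if (url.protocol === "http:") return httpPhase;
  if (url.protocol !== "https:") return "non-secure";
  if (!page.certValid) return "non-secure"; // broken HTTPS

  // Resolve relative and protocol-relative URLs against the page URL,
  // then keep only subresources that would be fetched over plain HTTP.
  const insecure = (page.subresources || []).filter(
    (r) => new URL(r.url, url).protocol === "http:"
  );
  // Assumption: mixed active content (scripts, frames, ...) is broken HTTPS.
  if (insecure.some((r) => !PASSIVE_TYPES.has(r.type))) return "non-secure";
  if (insecure.length > 0 || page.minorTlsErrors) return "dubious";
  return "secure";
}

// Constructed sample pages (not real measurements).
const SAMPLES = [
  { url: "https://shop.example/", certValid: true,
    subresources: [{ url: "/logo.png", type: "image" }] },
  { url: "https://blog.example/", certValid: true,
    subresources: [{ url: "http://cdn.example/pic.jpg", type: "image" }] },
  { url: "https://old.example/", certValid: true,
    subresources: [{ url: "http://cdn.example/app.js", type: "script" }] },
  { url: "http://news.example/", subresources: [] },
];

// Show how the same pages are labelled at each stage of the rollout.
for (const phase of ["unmarked", "dubious", "non-secure"]) {
  console.log(phase, SAMPLES.map((p) => classifyPage(p, phase)));
}
```

Only the plain-HTTP page changes label between phases; the HTTPS pages keep the state determined by their certificate and subresources.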

The Chrome Security Team plans to move forward with this proposal in 2015 and is interested to hear opinions from both developers and users. Discussions are open in the following web standards mailing lists:

Featured image from Shutterstock. XKeyscore slide from The Guardian.
