Reminder: Google Flips To HTTPS by Default Tomorrow

Starting tomorrow, Google Chrome will begin warning users who visit unencrypted websites that their traffic is flowing to an insecure location. It’s a transition we’ve covered several times already this year, and while it might seem to be a minor shift, getting news out to folks so they aren’t freaked out by the switch from “secure” messaging to “insecure” messaging is important — especially since some sites that don’t currently deploy HTTPS will undoubtedly need some time to finish doing so.

Today, browsers tell users that a site is secure by showing a green lock logo. After tomorrow, users will instead be told when a site is insecure, with messaging that varies between browser vendors. The change is shown below:

Security researcher Troy Hunt is working on a site called WhyNohttps.com, which he intends to launch this week. The site is meant to list the largest websites that don’t yet support HTTPS, in the hope of shaming them into adopting a more secure standard. Cloudflare has noted that despite more widespread adoption in recent months, a majority of the Top 1M most popular sites online are still insecure and do not offer HTTPS by default.

Friends, I’m after some support: @Scott_Helme and I are doing a little project with a site called https://t.co/Y4GlsInvu2 which will coincide with the Chrome 68 launch next week. It’ll list the world’s largest websites that don’t do HTTPS by default.

— Troy Hunt (@troyhunt) July 20, 2018

For those of you who aren’t aware, the “https” extension of HTTP means that a website is secured using Transport Layer Security, or TLS encryption. HTTPS protects against man-in-the-middle attacks, eavesdropping, and tampering with website data. It’s the functionality that Lenovo broke with its Superfish scandal several years ago, and is generally considered foundational to the entire question of browser security. And while not every website literally needs HTTPS, the availability of free encryption certificates from groups like Let’s Encrypt (a non-profit founded by the EFF) makes it easier to adopt the security standard without paying hefty amounts of cash to do so.

Chrome is the first browser to take this step with HTTPS, but it’s expected that Microsoft and Mozilla will both follow suit. Google’s web page on avoiding the “Not Secure” ranking in Chrome is available here. While somewhat dated (a few of the links on the page are from 2016), it appears to offer some useful information on avoiding Not Secure ratings, including the need to use native HTTPS rather than embedding an HTTPS login frame on an HTTP page. As the site says: “Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.”
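Site owners can check their own pages against the conditions described above. The following Python audit is an added example, not code from Google or from this article; the finding labels, the shop.example sample pages, and the rule for what counts as a "sensitive" input (password fields and cc-* autocomplete hints) are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PageScan(HTMLParser):
    """Collects the markup features relevant to the HTTP "Not Secure" conditions."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sensitive_inputs = 0
        self.https_frames = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            # Assumption: password fields and cc-* autocomplete hints are "sensitive".
            hints = a.get("autocomplete", "").lower().split()
            is_card = any(h.startswith("cc-") for h in hints)
            if a.get("type", "").lower() == "password" or is_card:
                self.sensitive_inputs += 1
        elif tag in ("iframe", "frame") and a.get("src"):
            # Resolve relative URLs so "/auth" inherits the page's own scheme.
            target = urljoin(self.page_url, a["src"])
            if urlsplit(target).scheme == "https":
                self.https_frames.append(target)


def audit_page(url, html):
    """Return finding labels (hypothetical names) for one fetched page."""
    if urlsplit(url).scheme != "http":
        return []
    scan = PageScan(url)
    scan.feed(html)
    findings = ["served-over-http"]
    if scan.sensitive_inputs:
        findings.append("sensitive-input-on-http")
    if scan.https_frames:  # an HTTPS login frame does not protect its HTTP parent
        findings.append("https-frame-on-http-page")
    return findings


# Constructed sample pages (shop.example is a placeholder host).
SAMPLES = {
    "http://shop.example/": "<h1>Welcome</h1>",
    "http://shop.example/pay": '<form><input autocomplete="cc-number"></form>',
    "http://shop.example/login": '<iframe src="https://shop.example/auth"></iframe>',
    "https://shop.example/login": '<form><input type="password"></form>',
}
```

Run `audit_page` over each fetched page of a site; an empty list means the page itself was served over HTTPS.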
