Chrome 70 drops HTTPS certificate provider Symantec

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

Clarification about firefox-Mapquest

#16 Post by mikeslr »

Hi All,

Following dancytron's post above, I did the same. But this time I was on my computer running Xenialpup64. My previous experience was on my wife's Windows 10 computer which is attached to the printer. The MapFox 'offer' took up half the screen, was in the center and did not have a close button.

Maybe I just don't understand Windows 10. Maybe the ploy hasn't yet been ported to Linux versions of Firefox.

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#17 Post by Mike Walsh »

Following a read of an article on CNet, I felt some 'clarification' was in order.

The Forum will still work with Chrome 70, albeit with stronger warnings about being insecure.

The original post is about certain supposedly 'secure' sites that will run into problems; any site, in fact, with a certificate issued by Symantec (following a fall-out between Google's top brass and those at the helm of the company that brings you Norton AntiVirus, amongst others.)

-----------------------------------------

The following article was written back in late July, just to give context to date references.

From CNet, the 'roadmap' of the changes expected with the recent versions of Chrome (and those yet to arrive):-

"What'll I see in Chrome with an HTTP website?

Chrome's changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP "not secure" alert would arrive in July. Here are the steps in the transition.

Right now if you visit an HTTP website, Chrome shows a circled "i" icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, "Your connection to this site is not secure." That's not particularly alarming, though it isn't as comforting as the green padlock and word "secure" shown there for an HTTPS-protected connection.

Starting Tuesday with Chrome 68, an HTTP connection instead will show the words "not secure" alongside the information icon.

Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and "secure" word it shows now. Instead you'll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.

Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black "not secure" warning to a more alarming red color."

And there you have it. So I must apologise for perhaps misleading y'all, by being 'alarmist' over this one.....!

----------------------------------

Barry himself, a couple of posts back, mentioned Let's Encrypt. At one time, the obtaining of encrypted HTTPS certificates meant jumping through many hoops, and was also quite expensive. But the afore-mentioned people now issue digitally-signed HTTPS certificates for free in just a matter of minutes.

"Why haven't we been using HTTPS all along?

HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.

Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let's Encrypt -- sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others -- means certificates are now free, and issued almost immediately."

Hardly surprising to see Google's name at the front of the list of 'sponsors', eh? With Chrome's market share approaching 60 %, this does, of course, give them even more global 'clout' than ever.....

However, some individuals believe an even more aggressive stance should be taken against websites that refuse to 'toe the line':-

"Google's choice to call out HTTP sites as insecure, though, means there's a strong new incentive for website operators not to put it off anymore.

Some would like to see browsers make us jump through even more hoops to load HTTP websites. "Users should have to opt-in to putting themselves at risk," said Josh Aas, executive director of Let's Encrypt. "Nobody is saying the old unmaintained websites have to be taken down. But it's absolutely not worth putting everyone at risk, by default, just to enable viewing historic or unmaintained websites.""

That last bit really smacks of 'Big Brother' and 'the nanny-state', don'tcha think? :roll:

(*jeez*)


Mike. :wink:
