[ALUG] Chrome 68 and HTTPS

Tim Schofield tim.schofield1960 at gmail.com
Tue Jul 10 15:59:48 EAT 2018


Pretty sure the email you sent to this list said Google and Mozilla,
and that they would deliberately break sites that didn't use https. I
remember at the time you defended their right to decide which sites we
could and couldn't visit using their browsers.

Tim

On 10 July 2018 at 12:58, Andreas Tauscher via Linux
<linux at mail.habari.co.tz> wrote:
> 10.07.2018 at 10:07 Tim Schofield wrote:
>
>> Initially Google's proposal was to ignore any CSS in pages that only
>> used http, effectively making the pages useless, to force people to use
>> https.
>
> It was not Google. It was Mozilla in 2015 thinking about making new
> browser features, e.g. hardware support for rendering, only available
> for https pages. Or new html tags and features will be available only on
> https.
> This plan was never implemented.
> Thinking out loud about such measures is OK. Making people think.
> One problem in 2015: Getting an SSL certificate.
> Now we have 2018 and you can either use a LetsEncrypt certificate or,
> thanks to LetsEncrypt, CAs had to reduce prices for certificates
> dramatically.
> No excuse anymore for not having a certificate.
> Many hosting providers are offering SSL certificates for free.
> I am still praying that DANE will make it into the stable releases of
> browsers; then the excuse that you need a CA for getting a certificate is
> also gone.
>
> The way Google Chrome is doing it now is IMHO fine, more subtle.
> It is only straightforward that with Chrome 70 the green marking of
> https sites will be removed. Not showing the user the page is secure
> while only the transport is secured.
> You still can have your http pages but the browser shows that the
> transport is not secure.
> If you are doing your website yourself: Your problem. Solve it or
> ignore it.
> If you hired somebody: Pick up the phone and ask why your page is now
> insecure and tell the guy to get it fixed or I move somewhere else where
> they can fix this.
>
> For other services the change was done without anybody recognising it.
> E-mail, e.g.: nearly nobody is sending mails over unencrypted
> connections any more (except a few ignorants with their own mail system).
> But there are many more websites where the webmaster has pretty wide
> control over the server configuration (.htaccess e.g.) than mail
> servers where anybody else than the hosting provider has any option to
> change anything in the configuration.
> A website needs more cooperation of the webmaster, e.g. are all links
> written correctly? Within your page/domain either relative, protocol
> neutral or protocol depending, otherwise you will end up in either
> redirection loops or parts of the page might not be loaded.
>
> Getting the web more secure I have to kick some asses.
> On the server side: Difficult. On the client side there it is possible.



-- 
Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T   +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/

