Google Chrome Will Finally Default To Secure HTTPS Connections Starting in April (engadget.com)
- Reference: 0179906942
- News link: https://tech.slashdot.org/story/25/10/29/1715202/google-chrome-will-finally-default-to-secure-https-connections-starting-in-april
- Source link: https://www.engadget.com/cybersecurity/google-chrome-will-finally-default-to-secure-https-connections-starting-in-april-170000603.html
> The transition to the more-secure HTTPS web protocol has plateaued, according to Google. As of 2020, 95 to 99 percent of navigations in Chrome use HTTPS. To help make it safer for users to click on links, Chrome will enable a setting called Always Use Secure Connections for public sites for all users by default. This will happen in October 2026 with the release of Chrome 154.
>
> The change will happen earlier for those who have switched on Enhanced Safe Browsing protections in Chrome. Google will enable Always Use Secure Connections by default in April when Chrome 147 drops. When this setting is on, Chrome will ask for your permission before it first accesses a public website that doesn't use HTTPS.
End of Innocence (Score:2)
Remember when browsers would by default ask for your permission to connect to a secure site?
Innocent times...
Re: (Score:2)
That was before ISPs started throttling YouTube (via sniffed packets) and rewriting Google AdSense ads. Suddenly, Google got the religion on HTTPS and - oh, they even wrote a thing with Verizon called Net Neutrality. Nothing to see here - move along - move along.
Next up: screw us over by disabling HTTP entirely (Score:2)
While this change is a good thing, I foresee a dark path ahead: One day we will wake up to find that Chrome removed HTTP support. Suddenly technicians around the world won't be able to access all the little-known web services running on their own machines, or on LAN-based IoT devices, where security is not important and the chip doesn't have the CPU power to run AES. Google will back it out for a few months, then unexpectedly turn it on again and claim that HTTP is deprecated so everyone had an ample 2 mo
Re: (Score:2)
For quite some time I've been keeping really old versions of Firefox and Java plugins in order to manage some very old but still critical stuff on the corporate internal network.
Re: (Score:1)
Firefox 115.29.0esr, DuckDuckGo Privacy Essentials, Privacy Badger, uBlock Origin, Port Authority. :) Works for me
Re: (Score:2)
FTP and Gopher support have already been removed from browsers, plus obsolete versions of TLS. Many features don't work on HTTP either. It is quite obvious that it will eventually be deprecated or at least put into "dev mode only". The lockdown of Android plus Microsoft's lockdown of local accounts show where the trend is going. I've already declared the death of the open web, soon Chrome will be a DRM appliance for the AI-net.
Re: (Score:2)
Just block raw HTTP unless it's in a private IP address range. That should cover 99% of use cases where HTTP is still used. I would also consider allowing an option to blindly accept self-signed certificates on private IP ranges to encourage HTTPS for people too lazy to use Let's Encrypt or something like that, or are running older equipment on a local LAN.
I would assume these are already settings that just aren't turned on by default, as they seem pretty obvious.
triggering "sign in" pages for public wifi (Score:2)
I have one pain in the arse use-case for NOT wanting HTTPS all the time, and to have it use HTTP when I ask for it.
Public Wi-Fi networks don't always trigger the OS (in my case, a Mac) to prompt with the page that allows you to sign in (be it public password, here's my email, whatever). So when that doesn't happen, you have to go to an HTTP page to trigger it. HTTPS URLs won't do that because, well, the cert that would come up from the internal service is wrong for the domain and so the browser barfs at that. So I
Re: (Score:2)
The sign-in pages are stupid. Most of them are worthless click-throughs that should go away. A few do have you do some sort of sign-in, so they should be HTTPS.
But the whole process is a stupid hack. They did add a new DHCP option for sending a sign-in URL, but it was never widely adopted. That would have made it work much more reliably for everyone.
April? (Score:1)
April or October?