Google Chrome: HTTPS by default D-Day is tomorrow.

[HanaBi]

Something to be aware of if you use Chrome v68.x as your browser of choice.

If you're not sure of the version of Chrome you're currently running, just click the three vertical ellipses on the extreme right of your browser, followed by Help and then "About Google Chrome"

HTTPS, is not completely secure for obvious reasons (TLS encryption is so dead in the water these days), but is a step up from HTTP for those sites that transact personal or financial information. Not all sites need to be HTTP compliant and as a consequence users will be badgered with alerts saying this site is not secure (but you might able to add them to your white list)

Chrome is the first to highlight this, but expect the usual suspects to follow


Google Chrome: HTTPS by default D-Day is tomorrow, folks

 

[tinkerdan]

I'm not surprised:
I have to administer the website at work and since the boss pays all sorts of people for analytical work I've had to upgrade the site to a certified HTTPS: because Google and others we're positioning themselves to begin to bury the HTTP: sites to the bottom of the stack.

So anyone with a website who is concerned about search related traffic should be upgrading to a certified HTTPS site. The operative word is certified--because that requires some monetary exchange to take place and that makes this less about security and more about money.

I'm of the opinion that security on the web is about like locking your home or your car. It keeps honest people from slipping up and adds a layer or two of complexity to the ones who want to get in--they will get in if they are intent upon doing so. The best thing you can do is have a warning system set up to advise you when they do; so that you can try to minimize the damage.

Google has been making a lot of changes to their browser and many of the available services are requiring the user to re-apply them because of the changes that might compromise past security and open the user up to some of the data mining going on by Google 'partners'.


Note: both Google and Yahoo are my biggest source of exploits that I've had to worry about at work. Anyone running their free email client have to put up with scripted advertisement and they apparently are lax about the scripts going into the ads. I've had several instances where an add has spawn one of those exploit windows with the phone number to a person who will claim to be MS certified to remove the exploit they just put on your computer. Of course it's possible that the users have had a deeper exploit that has ridden in along with Google and Yahoo to insert the scripts--it's always difficult to tell and one wouldn't want to go around falsely accusing Google and Yahoo of being negligent.

I should add that I did lodge a complaint once: The answer was that if I upgrade them all to paid accounts I wouldn't have to put up with those scripted ads at all.

 

[HanaBi]

D-Day today, and already many well known websites have been flagged up a being insecure, including Sky Sports, Argos and the Daily Mail amongst others

Not the end of the world, but rather embarrassing for said sites that really should know better, especially given that even basic secure certificates are free!

The BBC link below suggests this advice for those visitors hopping onto non-secure sites:-

Should I avoid sites that are flagged as not secure?
No, but you should be wary on those that require you to sign in or which let you buy goods and services through them.

To stay safe, pick a hard-to-guess password and ensure your browser and other software on your device are up to date. If there are other methods you can use to secure transactions, such as two-factor authentication, it could be well worth adopting them.

Why is the Daily Mail's site 'not secure'?