On Thursday, Google officially announced its anti-HTTP plan. The company isn’t going to shame all unencrypted websites all at once, but will start only with HTTP sites that ask users to input passwords or credit cards. These sites will be flagged as “Not secure” in the Chrome address bar.
Then, in the future—Google is not saying exactly when yet—Chrome will flag all sites that don’t use TLS encryption as “Not secure” and also display a red triangle indicator, which Chrome already uses when users go to a dangerous website.
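The two-phase policy described above, modelled as an added example (this code is not from the original post or from Chrome). It assumes that a password field is detected as `<input type="password">` and a credit-card field as an `<input>` with an `autocomplete="cc-*"` attribute; Chrome's real autofill heuristics are more involved and are not reproduced here. The sample pages are constructed for the example.

```python
"""Added example: which address-bar indicator the announced policy would
show for a page. Not Chrome's code; the detection rules below are a
simplification (assumption: password = <input type="password">,
credit card = autocomplete="cc-*")."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _SensitiveInputFinder(HTMLParser):
    """Scan a page for inputs that collect passwords or card numbers."""

    def __init__(self):
        super().__init__()
        self.has_password = False
        self.has_credit_card = False

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Valueless attributes arrive as None; normalise to lower-case strings.
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.has_password = True
        if a.get("autocomplete", "").startswith("cc-"):
            self.has_credit_card = True


def collects_sensitive_data(html: str) -> bool:
    """True if the page has a password or credit-card input."""
    p = _SensitiveInputFinder()
    p.feed(html)
    p.close()
    return p.has_password or p.has_credit_card


def chrome_indicator(url: str, html: str, phase: int = 1) -> str:
    """Indicator for `url` under phase 1 (sensitive HTTP pages only) or
    phase 2 (every HTTP page, with the red triangle)."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "Secure"
    if scheme != "http":
        return "neutral"          # file://, about:, etc. are out of scope here
    if phase >= 2:
        return "Not secure (red triangle)"
    return "Not secure" if collects_sensitive_data(html) else "neutral"


# Constructed sample pages (not real sites).
LOGIN_PAGE = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
BLOG_PAGE = '<p>Hello world</p><form><input type="search" name="q"></form>'
CHECKOUT_PAGE = '<form><input name="cc" autocomplete="cc-number"></form>'

if __name__ == "__main__":
    for url, page in [("http://example.test/login", LOGIN_PAGE),
                      ("http://example.test/", BLOG_PAGE),
                      ("http://example.test/pay", CHECKOUT_PAGE),
                      ("https://example.test/login", LOGIN_PAGE)]:
        print(url, "->", chrome_indicator(url, page), "| phase 2:",
              chrome_indicator(url, page, phase=2))
```

Note that in phase 1 the HTTP blog page stays neutral while the HTTP login and checkout pages are flagged; in phase 2 every HTTP page is flagged regardless of content.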
If the sole aim is to be able to avoid Google’s push for a more secure web, I wonder how that would fly. Also, it’s the browser - Chrome. Not the search engine. But we all know how these things work. Other browsers will shortly pick it up and follow suit.
Let countries decide what type of encryption a website needs the same way they decide the security of their countries… When the Heartbleed bug was a problem a lot of websites were affected.
A more secure web depends on the web developer and the website administrators… If the admin’s password is breached then the website is at the mercy of the “new admin”…
If the admin’s password is breached then the users’ data has also been breached… unless the web developer creates a verification process before the admin can view users’ data …
That’s just the admin’s data… if the database itself has been breached the admin is on his/her own
HTTP and HTTPS are protocols for communicating with websites. Whatever user category (even admin), all your requests are subject to a man-in-the-middle attack. In fact, it’s so easy to do using something like Kali.
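To make the point above concrete, here is an added example (not part of the comment or of any named tool) of what a passive on-path observer can lift out of a single plaintext HTTP request: the form password, the session cookie, and a Basic-auth header. The captured request is constructed for the example; the host, path, cookie and credentials are made up. Under HTTPS the same bytes would sit inside TLS records and none of this parsing would be possible.

```python
"""Added example: credential extraction from a captured plaintext HTTP
request. The request bytes below are constructed for this example and
deliberately carry all three kinds of secret a sniffer looks for."""
import base64
from urllib.parse import parse_qs

# Constructed capture (assumption: a login POST that also happens to carry
# a session cookie and a Basic Authorization header). Body is 31 bytes.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Only trust as many body bytes as Content-Length announces.
    length = int(headers.get("content-length", "0"))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body[:length]}


def extract_secrets(raw: bytes) -> dict:
    """Return everything in the request an eavesdropper could reuse."""
    req = parse_http_request(raw)
    found = {}
    headers = req["headers"]

    if "cookie" in headers:
        found["cookie"] = headers["cookie"]          # session token in the clear

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64, not encryption: decode to user and password.
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_auth"] = (user, pw)

    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"].decode("latin-1"))
        found["form"] = {k: v[0] for k, v in form.items()}

    return found


if __name__ == "__main__":
    for kind, value in extract_secrets(CAPTURED_HTTP).items():
        print(f"{kind}: {value}")
```

Everything the function returns is visible to anyone on the path between client and server (shared Wi-Fi, a compromised router, an ISP); the same request over TLS exposes only the server name and the length of the exchange.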
On the flip side, it could be counter-productive and be simply reduced to just another error message that users will learn to ignore, just like UAC dialogs on Windows.
I was gonna start writing a long reply explaining all kinds of stuff about how the HTTP protocol works, packet sniffing, man in the middle attacks, etc. but I’ve decided against it. This is not new information and not up for debate either. People way smarter than you and I have done the research and concluded that the web is safer by encrypting traffic between clients and servers and that is that. The RFCs, books, blog articles, white papers, etc. are out there for you to find if you’re interested.
There’s no point debating it 'cos it’s not subjective, it just is.
I welcome the idea of shaming non-HTTPS sites (which somewhat inexplicably includes this site). I enable SSL for all sites I administer unless there’s a specific architectural reason not to (and there likely aren’t any these days). With stuff like Letsencrypt, it’s become incredibly trivial to do so.