Google will soon let Chrome users activate 'HTTPS-First mode'

Polycount

Posts: 2,867   +575
Staff member
Web security: Maintaining your security and privacy while browsing the web can be difficult, but tools like HTTPS make it a lot easier. HTTPS tech, where supported, encrypts your connection to a given website, ensuring that any data shared via that connection cannot be intercepted or altered by third parties. It's already a widely supported protocol, but Google is hoping to boost adoption rates even further via an upcoming "HTTPS-First" feature for Chrome.

This security tool will arrive with Chrome's upcoming M94 update in September. When it goes live, users that toggle HTTPS-First mode on in their browser's settings menu will find that all future page loads are automatically upgraded from HTTP to HTTPS when possible.

If Chrome can't accomplish that task for whatever reason, and the end-user is at risk of connecting to a site via an insecure connection, the browser will display a "full-page warning" before loading the address. This will give you a chance to opt out of visiting the site if you feel it's not worth the risk. If you're willing to accept the danger, you can forge ahead anyway, of course.

Though it doesn't sound like Google is planning on making HTTPS-First mode the default with its initial release in Chrome 94, it may do so down the line. "Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future," the company said in a blog post.

HTTPS-First mode isn't the only work Google is doing to improve the HTTPS user experience. Moving forward, it will experiment with a new alternative to the standard HTTPS lock icon that you see on the left side of your browser's address bar (when the protocol is active, anyway).

According to Google, its studies show that the average internet user -- 88 percent of participants -- could not identify what the lock means. Most people seemed to think it meant the site they were visiting was secure, but HTTPS only guarantees the security of your connection, not the web pages you visit. A website designed to phish your personal information, or otherwise scam you in some way, could still (and likely does) have that notorious lock icon.

To dispel some of these misconceptions, Google will try replacing the lock with a downward arrow. When clicked, the standard "Connection secure" dialogue box will pop up.

Frankly, I don't think the proposed change will make much of a difference. For a less tech-savvy internet user, there's probably no difference between seeing the lock icon and seeing green text informing them that their connection is encrypted. Still, it's an admirable goal, and it would be nice if it makes a difference.


 

Geralt

Posts: 559   +785
Great business with the SSL certificates forced down our throats by good Google. So smart!

And the danger is so massive with only http? Eeer... Not really.
 

Geralt

Posts: 559   +785
Google should be sued for terrorism. They scare people away with those warnings if a website is using http. For example: "Hackers can steal your data". This is terrorism. In the past, before installing the damned SSL certificate, I had problems even accessing my own website because hackers could steal my data. Cheaters. The danger is not so massive but the SSL certificates are not very cheap.
 

trparky

Posts: 945   +1,004
What services does Let’s Encrypt offer?
Let’s Encrypt is a global Certificate Authority (CA). We let people and organizations around the world obtain, renew, and manage SSL/TLS certificates. Our certificates can be used by websites to enable secure HTTPS connections.

What does it cost to use Let’s Encrypt? Is it really free?
We do not charge a fee for our certificates. Let’s Encrypt is a nonprofit, our mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.



Put that in your pipe and smoke it.
 

Geralt

Posts: 559   +785
What services does Let’s Encrypt offer?
Let’s Encrypt is a global Certificate Authority (CA). We let people and organizations around the world obtain, renew, and manage SSL/TLS certificates. Our certificates can be used by websites to enable secure HTTPS connections.

What does it cost to use Let’s Encrypt? Is it really free?
We do not charge a fee for our certificates. Let’s Encrypt is a nonprofit, our mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.

Put that in your pipe and smoke it.
My hosting company does not support this. I would have to install Certbot by myself via SSH. I will speak with them.
 

trparky

Posts: 945   +1,004
My hosting company does not support this. I would have to install Certbot by myself via SSH. I will speak with them.
I encourage you to talk to your web hosting company about getting Let's Encrypt to be supported. Either that or change to a new web host that does. In theory, any web hosting company that uses CPanel/WHM should support Let's Encrypt.
 

Geralt

Posts: 559   +785
I encourage you to talk to your web hosting company about getting Let's Encrypt to be supported. Either that or change to a new web host that does. In theory, any web hosting company that uses CPanel/WHM should support Let's Encrypt.
I will check, but they also have their business with the certificates, you know.
 

negroplasty

Posts: 547   +36
Google should be sued for terrorism. They scare people away with those warnings if a website is using http. For example: "Hackers can steal your data". This is terrorism. In the past, before installing the damned SSL certificate, I had problems even accessing my own website because hackers could steal my data. Cheaters. The danger is not so massive but the SSL certificates are not very cheap.

Sued for terrorism, seriously? That message is a warning to users about the potential of MITM attacks. Perhaps understand PKI and what it's for before you go grabbing the torches and pitchforks.
 

Geralt

Posts: 559   +785
Sued for terrorism, seriously? That message is a warning to users about the potential of MITM attacks. Perhaps understand PKI and what it's for before you go grabbing the torches and pitchforks.
I am a webmaster. So I understand, friend.
 

spydercanopus

Posts: 872   +151
This sucks... I run a site with one purpose, to play a VLC mp3 stream from a radio station.

VLC as far as I know doesn't support HTTPS, so I've had to edit the .htaccess file to redirect all HTTPS requests to HTTP, otherwise the stream won't work.

Now I don't know what to do.
 

BobHome

Posts: 112   +47
This sucks... I run a site with one purpose, to play a VLC mp3 stream from a radio station.

VLC as far as I know doesn't support HTTPS, so I've had to edit the .htaccess file to redirect all HTTPS requests to HTTP, otherwise the stream won't work.

Now I don't know what to do.
Maybe you should write this to the VLC team? Maybe even send this article's link?
Justa Thot.
 

J Oelschl

Posts: 9   +10
More nag screens. Today it is like browsing a xxx website in the 90s.

Ughhh because the overlays at the bottom of every website asking for cookie permissions EVERY TIME I visit the site have been so effective in adding anything of value to the security equation 🙄🙄 /heavy sarc
 

negroplasty

Posts: 547   +36
I am a webmaster. So I understand, friend.
Then you understand why what you said makes no sense at all…even on your own website, without a cert you’re vulnerable unless you’re literally at the server and directly hardwired or tunneled. Webmasters: the chiropractors of the IT world. Anyone can call email themself a webmaster. My 12 year old nephew is a webmaster, only he actually understands this stuff.
 

Cubi Dorf

Posts: 360   +233
I don't need most of Internet traffic encrypted. It is not important to encrypt everything. I only want encryption when a site needs to know who I am. Encryption can be used to track users. Tracking users is certainly the real motivation. Companies like Google and Apple use theoretical security to hide the real motivation.