Not Secure: Chrome

imoldernu

Would really like to know if anyone has gone through the Chrome website linked to the "not secure" note before the URL. Eventually this leads to this article.

https://www.google.com/chrome/privacy/whitepaper.html?hl=en-US#extendedreport

I started, then decided to see how long the article was and did a "Word Count". FWIW....

14,393 words, 87,579 characters

BTW... the total number of words in the U.S. Constitution is 4,593.


Have we really come to this point in security?
 
If I understand you correctly, you're referring to the fact that E-R.org is not a "secure" web site. If so, all this means is that www.early-retirement.org does not use the HTTPS protocol for encrypting data that's transmitted between the web server and your Chrome browser. E-R.org uses plain old HTTP, which is what the majority of web sites used to use until fairly recently. HTTPS is needed for sites that contain highly sensitive, confidential information... for example, your online bank or brokerage, or sites that deal with personal medical and health data. E-R.org doesn't have any of that, so IMHO it's perfectly fine and quite reasonable that it doesn't use HTTPS. Long story short, there's nothing to worry about here.
 
Thanks for that information. I assumed as much. In fact, I don't usually worry about most of the sites I visit.

My question, though, was if anyone had actually read what Chrome seemed to consider very important. There were things that were far over my head.

I suppose that this is now the way of the world. À la the flap about Facebook.

But anyway... back to the first question. :) Anyone actually read the whitepaper?
 
+1

If you watch closely you'll notice that lots of tech/geek type sites remain on http. The crowd running those sites generally knows how the web works. For content lacking personal info they know https is overkill. If you're doing banking, well then sure, https. Some sites (non-banking, etc.) allow access via both http and https, which is a reasonable compromise as it lets the viewer choose.
 
Yes, I've read Google's whitepaper on privacy. I don't know if I've read the specific version you linked to though, it's been a while and I might have seen an older one. It was part of the job I got paid to do, so no big deal.

It's longer than the Constitution because it is aiming to be a whole lot less ambiguous.
 
We have been at this point in security for many years. In that page, G is trying to elevate your awareness of various aspects of safety. Essentially, you have a browser (pick one) that operates more and more like an O/S. The O/S has its security, but must work in concert with browsers which allow you to install additional software to enhance the browser. As with all things computer-related, there are layers of security in your computer. If a site continues to not support the latest security standards, then it's the obligation of a browser to alert you to that fact. Eventually, all sites come into compliance.

Comparing the number of words in the constitution to a tech white paper has no merit.
 
Well, it's a whitepaper. Those 14000 words cover far more topics than just http vs https. Looks to target system admins rather than the casual user.
 
I figured... no one reads this stuff. :dance:
Actually, I live this stuff. The concepts in the white paper are not foreign to me. But, you don't have to read that whitepaper to be secure. You or I cannot possibly fathom security by reading a white paper. BTW, that paper is aimed at web developers. It's ok to be curious, but a lot of prior knowledge goes into understanding a technical paper like the one you referenced.

If you (a single user) have a Windows problem that can be replicated, you can find the fix, apply it, and be done. It is not necessary to understand why it occurred. A good troubleshooter fixes the problem so productivity can return. Of course, you will pick up some extra knowledge to become a better troubleshooter.

Actually, when common fixes fail, an expert may read a complete article like that one. But you don't read articles for hours because you can. Fix the problem in the shortest interval possible, and move on.
 
10-11 years ago I was opening an online financial account where you have to attest that you have read and understood their Ts&Cs. So I started reading their document.
The session would time out. So I called them to open the acct... told them what was happening... there was a brief pause on the other end of the line before the response was "nobody actually reads those".


I'm waiting for a court case argument to rule all these megavolume War-and-Peace novel length Ts&Cs/EULAs as invalid because not only does "nobody actually read these" but companies don't expect anybody to actually read them... they've become an industry joke.
 
"nobody actually reads those".

Alas, it's true.

A study out this month made the point all too clear. Most of the 543 university students involved in the analysis didn't bother to read the terms of service before signing up for a fake social networking site called "NameDrop" that the students believed was real. Those who did glossed over important clauses. The terms of service required them to give up their first born, and if they don't yet have one, they get until 2050 to do so. The privacy policy said that their data would be given to the NSA and employers. Of the few participants who read those clauses, they signed up for the service anyway.

"This brings us to the biggest lie on the Internet, which anecdotally, is known as 'I agree to these terms and conditions,'" the study found.
TOS agreements require giving up first born—and users gladly consent
 
Just so everyone is aware. Using HTTP means that your Userid and password are passed as CLEAR TEXT to www.early-retirement.org (and can be grabbed by any intermediary).

So while the advice to use different passwords for different web sites is important, it is especially important in terms of any password you use here.
 
Interestingly, although Google drives the change to https with browser warnings and other tools (like search ranking), their ad platform, which provides ads to sites like this one, does not support this. In fact, if a site changes to https, the ads that keep it online (support revenue) are often broken.


Back story for this site: Last year Google began to push websites to use https instead of http as a security update. A few months ago they actually began to display that little red triangle: "not secure" on browser address lines.

The forum software is built on an http platform and so this is difficult. We hand coded an update to make the LOGIN page https. This is the page where user credentials are passed and the only sensitive data we store. Once a member has logged in the site reverts to http (and the alert begins to display in browsers). Using https on all pages actually breaks the forum. Offsite links and hosted images may no longer work, ads don't display properly, etc.

So... as you login the page is secure (https) but once you have logged in the regular site is http. Since no login/pass info is being sent on these pages we believe this is safe and reasonable. There's little we can do to change this until we move to a new forum software platform which eventually we will have to do.

Here's a short read about the google alerts here: https://www.wired.com/story/google-chrome-https-not-secure-label/
 
I spent a few minutes looking at the session data for the site. I'm pretty sure if I had access to the un-encrypted traffic to the site (i.e. the http get and posts after login), that I could post as that user to the site, including as a moderator if I were sniffing the mod's session. Whether this is a problem or not is an interesting question.

The user's password session token appears hashed; I didn't spend any more cycles on this. The user identifier session token is not hashed. Sorry, too busy grading to spend much more than a quick look on this.

It is what it is, but my statement remains that I would make sure any password I use here isn't used on any other sites.

ETA: I mentioned session cookies because HTTP is 'stateless', in that each request to the server is independent of the prior requests. So even though you logged in using an https url, the subsequent requests need something in the data being sent to the server that tells it who the request is for - the server is in a sense like DORY in Finding Nemo :) so the browser tags the request with the session cookies (think bread crumbs) that tell the server who is making the request.
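The two posts above describe the split design (https only on the login page, http for everything after) and the session cookie that tags each stateless request. This added example, not code from the thread or from the forum software, uses Python's standard-library cookie jar, which applies the same Secure-attribute rule a browser does, to show which cookie a later plain-http request carries; the forum.example URLs and the cookie values are constructed placeholders.

```python
"""Does a session cookie set by an HTTPS login page ride along on later plain-HTTP
requests? Added example, not from the thread. The stdlib CookieJar follows the same
RFC 6265 rules as a browser. forum.example URLs and values are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

LOGIN_URL = "https://forum.example/login.php"            # the one https page
THREAD_URL = "http://forum.example/showthread.php?t=1"   # browsing after login


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # Message appends repeated headers

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_values, login_url, later_url):
    """Simulate a login response at login_url that sets cookies, then a request
    to later_url. Returns the Cookie header the jar attaches, or None if nothing
    would be sent (for example a Secure cookie on a plain-http request)."""
    jar = CookieJar()
    login_req = Request(login_url)
    jar.extract_cookies(FakeResponse(set_cookie_values), login_req)
    later_req = Request(later_url)
    jar.add_cookie_header(later_req)
    return later_req.get_header("Cookie")


# Constructed Set-Cookie values: the same session id without and with Secure.
PLAIN = ["sessionid=abc123; Path=/; HttpOnly"]
SECURE = ["sessionid=abc123; Path=/; HttpOnly; Secure"]
HTTPS_THREAD_URL = THREAD_URL.replace("http://", "https://", 1)


def leak_summary():
    """Which cases expose the session id on the wire after an https login."""
    return {
        "no_secure_flag_over_http": cookie_header_sent(PLAIN, LOGIN_URL, THREAD_URL),
        "secure_flag_over_http": cookie_header_sent(SECURE, LOGIN_URL, THREAD_URL),
        "secure_flag_over_https": cookie_header_sent(SECURE, LOGIN_URL, HTTPS_THREAD_URL),
    }


if __name__ == "__main__":
    for case, header in leak_summary().items():
        print(f"{case}: {header!r}")
```

The middle case is the caveat for a site built this way: marking the session cookie Secure keeps it off plain-http requests, but because the forum reverts to http after login, the user would then appear logged out on every page, which is why a site-wide move to https is the fix that actually closes the gap.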
 
All recent browsers report this site "connection is not secure". Not just a Chrome "issue", but the alerts may be more (or less) noticeable in any given browser.
 
Since you can make a post on this site using http, that means a man in the middle attack is trivial. That means if you use this site at a coffee shop (aka open wifi), someone can post as if they were you. Facebook used to work like this site, but then came Firesheep, so they changed to https all the time.
 