Not Secure: Chrome
Old 11-15-2018, 09:22 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
imoldernu's Avatar
 
Join Date: Jul 2012
Location: Peru
Posts: 6,218
Not Secure: Chrome

Would really like to know if anyone has gone through Chrome website, linked to the "not secure" note before the URL. Eventually this leads to this article.

https://www.google.com/chrome/privac...extendedreport

I started, then decided to see how long the article was and did a "Word Count". FWIW....

14,393 words 87,579 characters


BTW... the total number of words in the U.S. Constitution is
4,593.


Have we really come to this point in security?
__________________
We grow too soon old, and too late smart-
Old Dutch saying
imoldernu is offline   Reply With Quote

Old 11-15-2018, 09:57 AM   #2
Thinks s/he gets paid by the post
Sojourner's Avatar
 
Join Date: Jan 2012
Posts: 1,089
If I understand you correctly, you're referring to the fact that E-R.org is not a "secure" web site. If so, all this means is that www.early-retirement.org does not use the HTTPS protocol for encrypting data that's transmitted between the web server and your Chrome browser. E-R.org uses plain old HTTP, which is what the majority of web sites used to use until fairly recently. HTTPS is needed for sites that contain highly sensitive, confidential information... for example, your online bank or brokerage, or sites that deal with personal medical and health data. E-R.org doesn't have any of that, so IMHO it's perfectly fine and quite reasonable that it doesn't use HTTPS. Long story short, there's nothing to worry about here.
Sojourner is offline   Reply With Quote
Old 11-15-2018, 10:12 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
imoldernu's Avatar
 
Join Date: Jul 2012
Location: Peru
Posts: 6,218
Thanks for that information. I assumed as much. In fact, I don't usually worry about most of the sites I visit.

My question, though, was if anyone had actually read what Chrome seemed to consider very important. There were things that were far over my head.

I suppose that this is now the way of the world. Ala the flap about Facebook.

But anyway... back to the first question. Anyone actually read the whitepaper?
__________________
We grow too soon old, and too late smart-
Old Dutch saying
imoldernu is offline   Reply With Quote
Old 11-15-2018, 10:12 AM   #4
Thinks s/he gets paid by the post
 
Join Date: Nov 2011
Posts: 3,151
+1

If you watch closely you'll notice that lots of tech/geek type sites remain on http. The crowd running those sites generally knows how the web works. For content lacking personal info they know https is overkill. If you're doing banking, well then sure, https. Some sites (non-banking, etc.) allow access via both http and https, which is a reasonable compromise as it lets the viewer choose.
GrayHare is offline   Reply With Quote
Old 11-15-2018, 01:46 PM   #5
Thinks s/he gets paid by the post
 
Join Date: Mar 2013
Location: Coronado
Posts: 1,185
Quote:
Originally Posted by imoldernu View Post
Would really like to know if anyone has gone through Chrome website, linked to the "not secure" note before the URL. Eventually this leads to this article.

https://www.google.com/chrome/privac...extendedreport

I started, then decided to see how long the article was and did a "Word Count". FWIW....

14,393 words 87,579 characters


BTW... the total number of words in the U.S. Constitution is
4,593.


Have we really come to this point in security?
Yes, I've read Google's whitepaper on privacy. I don't know if I've read the specific version you linked to though; it's been a while and I might have seen an older one. It was part of the job I got paid to do, so no big deal.

It's longer than the Constitution because it is aiming to be a whole lot less ambiguous.
cathy63 is offline   Reply With Quote
Old 11-15-2018, 02:06 PM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Posts: 5,259
Quote:
Originally Posted by imoldernu View Post
Would really like to know if anyone has gone through Chrome website, linked to the "not secure" note before the URL. Eventually this leads to this article.

https://www.google.com/chrome/privac...extendedreport

I started, then decided to see how long the article was and did a "Word Count". FWIW....

14,393 words 87,579 characters


BTW... the total number of words in the U.S. Constitution is
4,593.


Have we really come to this point in security?
We have been at this point in security for many years. In that page, G is trying to elevate your awareness of various aspects of safety. Essentially, you have a browser (pick one) that operates more and more like an O/S. The O/S has its security, but must work in concert with browsers which allow you to install additional software to enhance the browser. As with all things computer-related, there are layers of security in your computer. If a site continues to not support the latest security standards, then it's the obligation of a browser to alert you to that fact. Eventually, all sites come into compliance.

Comparing the number of words in the constitution to a tech white paper has no merit.
target2019 is offline   Reply With Quote
Old 11-15-2018, 02:21 PM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
imoldernu's Avatar
 
Join Date: Jul 2012
Location: Peru
Posts: 6,218
I figured... no one reads this stuff.
__________________
We grow too soon old, and too late smart-
Old Dutch saying
imoldernu is offline   Reply With Quote
Old 11-15-2018, 02:35 PM   #8
Thinks s/he gets paid by the post
 
Join Date: Nov 2011
Posts: 3,151
Well, it's a whitepaper. Those 14000 words cover far more topics than just http vs https. Looks to target system admins rather than the casual user.
GrayHare is offline   Reply With Quote
Old 11-15-2018, 02:37 PM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Posts: 5,259
Quote:
Originally Posted by imoldernu View Post
I figured... no one reads this stuff.
Actually, I live this stuff. The concepts in the white paper are not foreign to me. But, you don't have to read that whitepaper to be secure. You or I cannot possibly fathom security by reading a white paper. BTW, that paper is aimed at web developers. It's ok to be curious, but a lot of prior knowledge goes into understanding a technical paper like you referenced.

If you (a single user) have a Windows problem that can be replicated, you can find the fix, apply it, and be done. It is not necessary to understand why it occurred. A good troubleshooter fixes the problem so productivity can return. Of course, you will pick up some extra knowledge to become a better troubleshooter.

Actually, when common fixes fail, an expert may read a complete article like that one. But you don't read articles for hours cause you can. Fix the problem in the shortest interval possible, and move on.
target2019 is offline   Reply With Quote
Old 11-18-2018, 12:41 PM   #10
Full time employment: Posting here.
 
Join Date: Jun 2016
Posts: 838
10-11 years ago I was opening an online financial account where you have to attest that you have read and understood their Ts&Cs. So I started reading their document.
The session would time out. So I called them to open the acct... told them what was happening... there was a brief pause on the other end of the line before the response was "nobody actually reads those".


I'm waiting for a court case argument to rule all these megavolume War-and-Peace novel length Ts&Cs/EULAs as invalid because not only does "nobody actually read these" but companies don't expect anybody to actually read them... they've become an industry joke.
Spock is offline   Reply With Quote
Old 11-18-2018, 12:56 PM   #11
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,244
Quote:
Originally Posted by Spock View Post
"nobody actually reads those".
Alas, it's true.

Quote:
A study out this month made the point all too clear. Most of the 543 university students involved in the analysis didn't bother to read the terms of service before signing up for a fake social networking site called "NameDrop" that the students believed was real. Those who did glossed over important clauses. The terms of service required them to give up their first born, and if they don't yet have one, they get until 2050 to do so. The privacy policy said that their data would be given to the NSA and employers. Of the few participants who read those clauses, they signed up for the service anyway.

"This brings us to the biggest lie on the Internet, which anecdotally, is known as 'I agree to these terms and conditions,'" the study found.
TOS agreements require giving up first born—and users gladly consent
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 11-18-2018, 01:05 PM   #12
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,058
Just so everyone is aware: using HTTP means that your Userid and password are passed as CLEAR TEXT to www.early-retirement.org (and can be grabbed by any intermediary).

So while the advice to use different passwords for different web sites is important, it is especially important in terms of any password you use here.
copyright1997reloaded is offline   Reply With Quote
Old 11-18-2018, 01:44 PM   #13
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,244
Quote:
Originally Posted by copyright1997reloaded View Post
Just so everyone is aware: using HTTP means that your Userid and password are passed as CLEAR TEXT to www.early-retirement.org (and can be grabbed by any intermediary).
The login page here (where you submit that information) is https.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 11-19-2018, 09:10 AM   #14
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,058
Quote:
Originally Posted by braumeister View Post
The login page here (where you submit that information) is https.
OK thanks, I'm too lazy to check or run a packet tracer - but what is being passed on subsequent get and posts etc as the session token?
copyright1997reloaded is offline   Reply With Quote
Old 11-19-2018, 09:23 AM   #15
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,244
Now you're beyond my level of knowledge.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 11-19-2018, 10:19 AM   #16
Administrator
Janet H's Avatar
 
Join Date: Feb 2007
Location: Pacific NW
Posts: 5,545
Quote:
Originally Posted by GrayHare View Post
+1

If you watch closely you'll notice that lots of tech/geek type sites remain on http. The crowd running those sites generally knows how the web works. For content lacking personal info they know https is overkill. If you're doing banking, well then sure, https. Some sites (non-banking, etc.) allow access via both http and https, which is a reasonable compromise as it lets the viewer choose.


Interestingly, although Google drives the change to https with browser warnings and other tools (like search ranking), their ad platform, which provides ads to sites like this one, does not support this. In fact, if a site changes to https the ads that keep it online (support revenue) are often broken.


Back story for this site: Last year Google began to push websites to use https instead of http as a security update. A few months ago they actually began to display that little red triangle and "not secure" on browser address lines.

The forum software is built on an http platform and so this is difficult. We hand coded an update to make the LOGIN page https. This is the page where user credentials are passed and the only sensitive data we store. Once a member has logged in the site reverts to http (and the alert begins to display in browsers). Using https on all pages actually breaks the forum. Offsite links and hosted images may no longer work, ads don't display properly, etc.

So... as you log in the page is secure (https) but once you have logged in the regular site is http. Since no login/pass info is being sent on these pages we believe this is safe and reasonable. There's little we can do to change this until we move to a new forum software platform, which eventually we will have to do.

Here's a short read about the Google alerts: https://www.wired.com/story/google-c...-secure-label/
__________________
E-R.org Custom Google Search | You're only given a little spark of madness. You mustn't lose it. (Robin Williams)
Janet H is offline   Reply With Quote
Old 11-19-2018, 12:30 PM   #17
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,058
I spent a few minutes looking at the session data for the site. I'm pretty sure if I had access to the un-encrypted traffic to the site (i.e., the http gets and posts after login), that I could post as that user to the site, including as a moderator if I were sniffing the mod's session. Whether this is a problem or not is an interesting question.

The user's password session token appears hashed; I didn't spend any more cycles on this. The user identifier session token is not hashed. Sorry, too busy grading to spend much more than a quick look on this.

It is what it is, but my statement remains that I would make sure any password I use here isn't used on any other sites.

ETA: I mentioned session cookies because http is 'stateless', in that each request to the server is independent of the prior requests. So even though you logged in using an https url, the subsequent requests need something in the data being sent to the server that tells it who the request is for. The server is in a sense like DORY in Finding Nemo, so the browser tags the request with the session cookies (think bread crumbs) that tell the server who is making the request.
copyright1997reloaded is offline   Reply With Quote
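Added example, not part of the thread or the forum's own code: a small audit of the `Set-Cookie` headers from an HTTPS login response, showing which cookies a browser would still attach to the plain-HTTP pages that posts #16 and #17 discuss. The cookie names and values are constructed placeholders, and the sketch assumes the browser follows the standard rule that only cookies marked `Secure` are withheld from `http://` requests.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers an HTTPS login response might return.
# Names and values are hypothetical, not taken from the forum.
LOGIN_RESPONSE_COOKIES = [
    "forum_userid=4242; Path=/; HttpOnly",
    "forum_passhash=0123456789abcdef0123456789abcdef; Path=/; HttpOnly",
    "forum_lastvisit=1542650000; Path=/",
]
# The same cookies as a site served entirely over HTTPS would set them.
HARDENED_COOKIES = [h + "; Secure" for h in LOGIN_RESPONSE_COOKIES]
# Cookies that identify the logged-in user (assumed for this example).
SESSION_COOKIES = {"forum_userid", "forum_passhash"}


def parse_set_cookie(header):
    """Return (name, morsel) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.items()))


def cookies_sent(headers, scheme):
    """Names of cookies attached to a same-host request over `scheme`."""
    sent = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        # Secure cookies are withheld from plain-HTTP requests; all
        # other cookies go out regardless of how they were first set.
        if scheme == "https" or not morsel["secure"]:
            sent.append(name)
    return sent


def audit(headers, session_cookies=SESSION_COOKIES):
    """Flag session cookies that lack the Secure or HttpOnly attribute."""
    findings = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        if name not in session_cookies:
            continue
        if not morsel["secure"]:
            findings.append((name, "no Secure flag: sent in clear text on http:// pages"))
        if not morsel["httponly"]:
            findings.append((name, "no HttpOnly flag: readable by page scripts"))
    return findings


if __name__ == "__main__":
    print("sent over http:", cookies_sent(LOGIN_RESPONSE_COOKIES, "http"))
    for name, problem in audit(LOGIN_RESPONSE_COOKIES):
        print(f"{name}: {problem}")
```

With `Secure` set, the HTTP pages never receive the session cookies, so the login would not carry over to them; protecting the session means serving every page over HTTPS, not only the login form.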
Old 11-19-2018, 01:43 PM   #18
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,244
Quote:
Originally Posted by copyright1997reloaded View Post
I would make sure any password I use here isn't used on any other sites.
A good common sense approach to all websites.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 11-19-2018, 02:00 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Posts: 5,259
All recent browsers report this site "connection is not secure". Not just a Chrome "issue", but the alerts may be more (or less) noticeable in any given browser.
target2019 is offline   Reply With Quote
Old 11-19-2018, 02:04 PM   #20
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,058
Quote:
Originally Posted by braumeister View Post
A good common sense approach to all websites.
Which I stated in my first post.
copyright1997reloaded is offline   Reply With Quote