The ramblings of paulsnar

Chrome and Firefox will warn users about sending sensitive data over insecure connections

Originally by James Vincent

The march for HTTPS isn’t slowing down any time soon, and that’s a good thing.

Let me tell you – nowadays there are fewer reasons to avoid using HTTPS than ever. But there are still a couple of hurdles to overcome, and some of the progress seems incredibly slow.

Speaking of the linked browser behaviour change in particular, it will initially hurt the user (some pages are still mixed content and do not care enough to secure all of it properly, or they’re just too big to do that in a reasonable timeframe); however, the complaints will either force the site owners to implement security or just tell (mostly corporate) users to GTFO and get back to IE9 or something.[1]

I do my part – all of the stuff I serve is sent exclusively over HTTPS.[2] It’s not really been any trouble; however, that might be in part because I now have a very well developed workflow for integrating Nginx, Cloudflare and Let’s Encrypt. However, the good people over at EFF have been working on Certbot and making it more user friendly, so I doubt that the workflow would be anyone’s biggest problem right now. It’s the server-side support. I can afford the luxury of managing my own VPS, so all the liability to ensure the functioning of HTTPS falls on me and makes me get my ass off the ground and work on it, so I’ve done that. Others don’t have that much luck. But all I can do is rant.

People, it’s time to switch to a more secure internet. Or HTTP/2. Either’s good.[3]

  1. Did you know that there are still sites out there that claim to only work in Netscape Navigator 3.0? I’ve met a couple. 

  2. There exists a single exception, however it’s intentional (Lattelecom-Free users rejoice!) 

  3. For those of you not in the know: HTTP/2 de facto requires TLS, so an insecure option isn’t really a thing.