
Google Says 64 Percent of Chrome Traffic On Android Now Protected With HTTPS, 75 Percent On Mac, 66 Percent On Windows (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Google's push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent. Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago. In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent. Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn't yet adopted HTTPS.

  • by duke_cheetah2003 ( 862933 ) on Friday October 20, 2017 @06:51PM (#55406985) Homepage

    Despite Google's other not so nice activities, I gotta give them a thumbs-up here. Getting the web to transition away from HTTP to HTTPS is fantastic. There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue. Good job Google.

    As a side effect, this action they've promoted and encouraged mitigates the new WPA2 insecurity quite nicely. Not such a big deal if WPA2 is broken into, only to expose lots of HTTPS and/or VPN tunneling, and you're back to the drawing board. You just can't have enough security and layers of encryption.

    • Re: Well done! (Score:2, Insightful)

      by Anonymous Coward

      Yeah, it's not like letsencrypt offering automated certificates for free had anything to do with it.
      It was Google showing a message about http being insecure.

      • Yeah, it's not like letsencrypt offering automated certificates for free had anything to do with it.
        It was Google showing a message about http being insecure.

        We might not like to admit that, but that is the truth of it. Sure Let's Encrypt is great, use it myself. But you can bet your wallet Let's Encrypt had little to do with this shift. People don't like being branded 'insecure.' It looks bad. It looks inferior. It looks... uhh.. Insecure. Google pushing that had a huge effect. A visible indication your site is a security risk. That is the motivator right there, not freebie certs, though they didn't hurt.

    • by AHuxley ( 892839 )
      Keeps other ads out. All that information that has so much added value is kept extra safe until it gets to its real destination.
    • by Anonymous Coward

      Yes, let's all thank Google for raising the energy and operations costs of servers and lowering the battery life of our devices.

      This was a huge fuck-up by a big company who decided to double-down on trying to control the web. They only got away with it because Firefox was onboard with this screwing everyone.

      Ever wonder why the advertised 12 hour battery life of your mobile device has dropped to 8 or 6 hours? This is why.

      • by mikael ( 484 )

        I have an old smartphone with no SIM card or Wi-Fi connection. Battery life is about 10 days. With Wi-Fi or network SIM card, it's a day.

        • What do you do for ten days on an old smartphone with no simcard or wifi?

          I have a favorite Solitaire app. I suppose I could play Angry Birds. Otherwise, if I had a smartphone with no connection to the outside world, I'd rather just use my old Palm III instead.

      • by tepples ( 727027 )

        Ever wonder why the advertised 12 hour battery life of your mobile device has dropped to 8 or 6 hours? This is why.

        On which device, and with which websites, have you benchmarked a battery life difference of this magnitude between cleartext HTTP and HTTPS? Because otherwise, I'm more inclined to blame the growth in both lithium dendrites and ad display script complexity for reduced battery capacity.

    • Re:Well done! (Score:5, Insightful)

      by arth1 ( 260657 ) on Friday October 20, 2017 @09:10PM (#55407549) Homepage Journal

      Despite Google's other not so nice activities, I gotta give them a thumbs-up here. Getting the web to transition away from HTTP to HTTPS is fantastic. There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue. Good job Google.

      You're too quick to give them credit. Follow the money trail. HTTPS and SPDY make it far easier to ensure that ads are transmitted, and to whom. That HTTPS largely defeats anonymous proxy caching and other techniques that make counting ad impressions harder is why Google pursues it; security is how they sell it, despite it being slower, to a high degree defeats bandwidth saving techniques, and requires extra resources on both server and client endpoints.

      There's little reason why publicly available non-controversial information should be encrypted, and that makes up the majority of the web. Snooping traffic generally doesn't happen mid-transfer, but at the end point, by companies like Google and their partners. HTTPS does nothing to prevent that.

      • There's little reason why publicly available non-controversial information should be encrypted

        For one thing, what you find non-controversial a third party may find controversial. For another, home ISPs such as Comcast can and do inject their own ads and other malware into cleartext HTTP connections.

        • yes they specifically inject adverts and show that your stream is not secure at all from MITM, the only way is to get rid of the Certificate Authorities who compromise everything...

           

      • I'm less worried about the interception of data in transit and more worried about the security of my data in many, many disparate databases at the far end. Nobody has yet addressed that to my satisfaction.

      • There's little reason why publicly available non-controversial information should be encrypted

        We live in a world where the consumption of publicly available information is criminal. This isn't even limited to shithole dictator regimes, but now we are starting to see it in the west too.

        The only person who can decide if it is important for the information to be encrypted is the person who stands to be persecuted for consuming it.

      • You're too quick to give them credit. Follow the money trail. HTTPS and SPDY make it far easier to ensure that ads are transmitted, and to whom. That HTTPS largely defeats anonymous proxy caching and other techniques that make counting ad impressions harder is why Google pursues it; security is how they sell it, despite it being slower, to a high degree defeats bandwidth saving techniques, and requires extra resources on both server and client endpoints.

        I'm ok with this. Computing power is cheap and only getting cheaper and better. Also don't like having third-party intermediaries caching my stuff. Bandwidth is cheap too. Who cares? Besides you.

        There's little reason why publicly available non-controversial information should be encrypted, and that makes up the majority of the web.

        You don't get it? Privacy. I really don't give a flying f if I'm looking at a recipe for peanut butter cookies, it's no one else's business and HTTPS means you have no idea what I'm looking at, just which server.

        • by arth1 ( 260657 )

          You don't get it? Privacy. I really don't give a flying f if I'm looking at a recipe for peanut butter cookies, it's no one else's business and HTTPS means you have no idea what I'm looking at, just which server.

          Privacy is indeed the worry. With HTTPS, those who run the recipe site and their "partners" like Google know who looked at the recipe for peanut butter cookies.
          The biggest privacy problem isn't people sitting in the middle snooping on the traffic, but the remote endpoints collecting data on you. HTTPS makes that easier, which is why Google is all for it. It's not out of the goodness of their hearts and concern for anything but the advertising dollars.

          • the remote endpoints collecting data on you. HTTPS makes that easier

            I am honestly curious: How does HTTPS make that easier?

        • "resources are cheap" was never a good excuse for inefficiency, but there are plenty of bandwidth-metered or battery-limited scenarios where the overhead does matter. SSL can also fail when, for example, the date is misconfigured on either end. Considering the majority of tracking of your internet usage isn't done using MitM methods anyway, and will continue unabated... I don't see how the principle of "security where it's needed, convenience and resilience where it isn't" is failing. Except maybe Google.
    • There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue.

      One reason is that your web server is private, and you don't own a domain.

      In order to set up HTTPS traffic to the owner of a home router, printer, or NAS, its owner would first have to acquire a domain and a certificate for said device. But as I understand it, most providers of dynamic DNS on a subdomain without charge still aren't in the Public Suffix List. And if the domain in which your subdomain is registered hasn't completed the process to be added to the Public Suffix List, and 20 other customers on t

      • If the webserver is for your own personal use - which, if it's on a residential connection and without domain name, is likely true - then you may as well just use self-signed.

    • You can keep your thumbs up, but, while anyone can implement HTTPS, few can do so without paying well over the odds for a cert. A cert is issued by a computer after a trivial amount of computing time, on the basis of the most trivial of investigation (probably only a check of the domain registry). This is about $0.1 worth of service, for which you are charged over $50, but there is no competition. Various attempts at not for profit cert issuing have been stifled by the big boys.

      This is a big time scam.

      To

      • yes certificate authorities are the high risk and consolidate control neither of which you would want in a "secure" system

  • by Anonymous Coward

    If everyone needs a certificate, you can hold them back from people or invalidate them.

    It just seems like the real reason for this, why should a cat meme site need https for example.

    • by Desler ( 1608317 )

      You can get free certs...

      • Re: (Score:2, Troll)

        by DaveM753 ( 844913 )

        For how long? A year? Two years? Then how much will they cost?

        Sorry, but this whole thing smacks of a corporate-induced tax. Google plays the part of the police here.

    • by AHuxley ( 892839 )
      The pipe is secure from a site, to the user and anyone else who is "trusted".
      Some ads are more trusted than others :)
    • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday October 20, 2017 @07:48PM (#55407191) Journal

      why should a cat meme site need https for example

      To protect the users of the cat meme site from malicious parties on the network between their browser and the cat meme site. I don't mean to keep the cat memes secret, obviously that doesn't matter much. The purpose is to ensure that the code executed by the user's browser is the code sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

      For lots of sites we could use a TLS cipher suite that doesn't actually encrypt anything. It's the authenticity and integrity properties of TLS that are valuable for every site. Encryption only matters for some.
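
The distinction drawn in the comment above, as an added example that is not part of the original thread: a Python sketch of a channel that authenticates each record with HMAC-SHA256 but leaves the payload readable, showing that on-path injection is rejected even without encryption. The class, the sample page and the random shared key (standing in for a key agreed during an authenticated handshake) are assumptions made for illustration; this is not TLS itself.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
PAGE = b"<html><body><img src='cat.jpg'></body></html>"  # constructed sample response


class IntegrityOnlyChannel:
    """One endpoint of a channel that authenticates records but does not encrypt them."""

    def __init__(self, key):
        self.key = key
        self.seq = 0  # per-record counter, so replayed or reordered records fail too

    def _tag(self, seq, payload):
        return hmac.new(self.key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

    def seal(self, payload):
        record = payload + self._tag(self.seq, payload)  # payload stays in the clear
        self.seq += 1
        return record

    def open(self, record):
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.seq, payload)):
            raise ValueError("record failed integrity check")
        self.seq += 1
        return payload


def inject(wire_bytes):
    """Constructed stand-in for an intermediary rewriting content in transit."""
    return wire_bytes.replace(b"</body>", b"<div>injected ad</div></body>")


def demo():
    key = os.urandom(32)  # assumption: shared via an authenticated handshake
    sender, receiver = IntegrityOnlyChannel(key), IntegrityOnlyChannel(key)
    first, second = sender.seal(PAGE), sender.seal(PAGE)
    results = {
        "readable_on_wire": PAGE in first,               # no confidentiality at all
        "clean_accepted": receiver.open(first) == PAGE,  # untouched record verifies
        "cleartext_http_altered": inject(PAGE) != PAGE,  # plain HTTP has nothing to check
    }
    try:
        receiver.open(inject(second))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```
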

    • by Hentes ( 2461350 )

      You can self sign.

  • by hcs_$reboot ( 1536101 ) on Friday October 20, 2017 @08:12PM (#55407313)
    That's interesting because, at first glance, the http(s) traffic has nothing to do with the user's computer OS, would it be a Mac or Windows. On average, Windows users tend to visit less secure websites than Mac users. OTOH, people usually don't really choose a website based on if it's https or not - except if it's for a payment, login, or subscription. Or would Windows users be a bit less security sensitive than Mac users, when it comes to performing these private transactions?
  • Now we just need public wifi to stop breaking https!

    • by tepples ( 727027 )

      Visit http://example.com/ through cleartext HTTP first in order to trigger the captive portal redirect.

    • It doesn't. This is the combination of two things:

      a) Your HTTPS connections appear broken and insecure due to HSTS demanding an SSL certificate for a site previously visited securely and the public wifi login page being unable to provide the correct one.
      b) Your browser not recognising the need to redirect because of the SSL error.

      This isn't the public wifi's fault. All you need to do is open a known non-https page that will force the redirect to the login page. Sometimes this won't work if you force your DNS

  • by Anonymous Coward

    Google is helping secure the web with HTTPS; great. Now we have to talk about securing the web from Google. Rather than Chrome, at least run open source Chromium, if not Brave or Firefox. Run Google searches with Startpage. Run CopperheadOS rather than stock Android to strip out all the proprietary Google code and secure the OS.

  • In not so distant past, you could code your own web server on a home desktop and make it available to any browser worldwide. With https you have to get a domain name and a certificate, adding ongoing expenses and implying someone needs to give you permission for what you want to serve to the world. Plus SSL is not something you can code from scratch on top of the OS as a hobby. We ought to at least establish a strong hobby Internet if commercial one has to be locked down.
