cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.
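The behaviour described in the post, as an added sketch for auditing a page's links (this is not Chrome's code and not part of the original post). The function names, the set of HTTPS-capable hosts, the sample links and every high-risk extension other than `.exe` are assumptions made for illustration.

```javascript
// Added illustration of the behaviour described in the post; not Chrome's code.
// '.exe' is the post's example of a high-risk file; '.msi' and '.dmg' are assumptions.
const HIGH_RISK_EXTENSIONS = new Set(['.exe', '.msi', '.dmg']);

// Constructed sample data: hosts assumed to answer on HTTPS, and links found on a page.
const HTTPS_CAPABLE_HOSTS = new Set(['downloads.example.com', 'docs.example.com']);
const SAMPLE_LINKS = [
  'http://docs.example.com/guide.html',
  'http://downloads.example.com/tool.exe',
  'http://legacy.example.net/setup.EXE?v=2',
  'http://legacy.example.net/readme.txt',
  'https://docs.example.com/index.html',
];

// Lower-cased extension of the last path segment, or '' when there is none.
function fileExtension(pathname) {
  const name = pathname.slice(pathname.lastIndexOf('/') + 1);
  const dot = name.lastIndexOf('.');
  return dot > 0 ? name.slice(dot).toLowerCase() : '';
}

// Decide what a browser following the described policy would load for one link.
function classifyLink(rawUrl, httpsHosts = HTTPS_CAPABLE_HOSTS) {
  const url = new URL(rawUrl);
  let upgraded = false;
  if (url.protocol === 'http:' && httpsHosts.has(url.hostname)) {
    url.protocol = 'https:'; // site supports HTTPS: use it despite the http:// link
    upgraded = true;
  }
  const insecure = url.protocol === 'http:'; // no HTTPS available: stays on HTTP
  const warnDownload = insecure && HIGH_RISK_EXTENSIONS.has(fileExtension(url.pathname));
  return { finalUrl: url.href, upgraded, insecure, warnDownload };
}

// Audit helper: links a site owner should fix because they would trigger the warning.
function riskyDownloads(links, httpsHosts = HTTPS_CAPABLE_HOSTS) {
  return links.filter((link) => classifyLink(link, httpsHosts).warnDownload);
}

console.log(SAMPLE_LINKS.map((link) => classifyLink(link)));
console.log('Would warn:', riskyDownloads(SAMPLE_LINKS));
```
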

    • Buddahriffic@lemmy.world · 16 upvotes · 2 years ago

      Is this just general advice? If so, I agree, but if it’s specific to this, what’s the problem you see with it?

      • thantik@lemmy.world · 14 upvotes · 2 years ago

        Google has shown that they’re going to go the Microsoft strategy with Browser control. So long as they have majority control, that means they can be as anti-user as they would like, but since everything is downstream of chromium, everyone just basically accepts it. Everything from Google AMP (which was their attempt to take over the web in whole), to their new “Web Integrity API” which aims to lock out any competitors.

        • Buddahriffic@lemmy.world · 3 upvotes · 2 years ago

          Agreed, but to clarify, I was asking if there was an issue with this specific change (always using https if it’s available even if the URL uses http), as it does seem to be a positive that makes me wonder why it’s only happening now.

      • gravitas_deficiency@sh.itjust.works · 5 upvotes · 2 years ago

        If we have to pick just one reason: WEI. As someone who’s been a professional software engineer for a decade and a half, this has the potential to mutate and ruin the internet at large in ways we’re only beginning to fully explore and understand.

      • the_q@lemmy.world · 4 upvotes · 2 years ago

        It is general advice, but https should have been the default for a good while.

    • Spotlight7573@lemmy.world (OP) · 8 upvotes · 2 years ago

      I’m not sure which thing you’re referring to.

      If it’s between http and https, the s stands for secure and the connection to the server is authenticated and encrypted.

      • hoshikarakitaridia@sh.itjust.works · 2 upvotes · 2 years ago

        Just to expand on that, it’s a very basic encryption, but it provides a little bit of a safe standard. When ppl talk about “encrypted communication” they usually talk about more than that. For example, apps like Telegram use some more advanced encryption iirc.

        • SimplePhysics@sh.itjust.works · 4 upvotes · edited · 2 years ago

          The latest version of TLS (used in the latest version of HTTPS), 1.3, is very secure. Most websites these days support 1.3/128 bits, making it quite hard to crack. One major weakness of HTTPS is that, if a certificate authority is compromised, the hackers can issue certificates for ANY website, which browsers will accept as secure until the certificates are revoked/expired/CA removed from trusted list in browser. This loophole can also be exploited by nation states (forcing the CA to issue certificates).

          If you are doing something really private, use something like Matrix (E2EE mode), Signal, or Telegram (E2EE DM).

          TLDR: Modern HTTPS is incredibly secure, except there is a loophole that nation states and hackers can exploit if they compromise/gain control of an approved certificate authority. If you are doing something you really don’t want anyone to find out (top secret files), use an encrypted service that does not rely on the TLS/SSL/HTTPS stack.

          Oh, there was an effort to solve the above loophole, I’m not sure if it got anywhere though.

          Edit: the point of my comment is to state that HTTPS encryption isn’t necessarily weak, just the handshaking process has some problems.

          • tabular@lemmy.world · 1 upvote · 2 years ago

            Is there a secure option that uses all the features minus the 3rd party certificate parts?

            • SimplePhysics@sh.itjust.works · 3 upvotes · edited · 2 years ago

              No, they were working on a solution a while ago, where a website would list what CA it used so you couldn’t get a random CA to issue a cert, but that effort was abandoned iirc.