
(International Business Times) Chrome will mark all sites not dedicated as "HTTPS" as unsecure beginning this July (ibtimes.com)
More: PSA, Web browser, HTTPS encryption, Chrome web browser, World Wide Web, HTTP sites, secure HTTPS web, Google, Hypertext Transfer Protocol

806 clicks; posted to Geek on 09 Feb 2018 at 3:05 PM



39 Comments
 
2018-02-09 02:47:45 PM  
Well, it's not like it lies and says they're secure now, just doesn't say anything at all.

HTTPS is the new normal.
 
2018-02-09 02:51:30 PM  
That made me look up my address bar to see how Fark was doing.
 
2018-02-09 03:10:51 PM  

Gubbo: That made me look up my address bar to see how Fark was doing.


Insecure on the desktop, secure on mobile?
 
2018-02-09 03:14:08 PM  

kittyhas1000legs: Gubbo: That made me look up my address bar to see how Fark was doing.

Insecure on the desktop, secure on mobile?


It's HTTPS on desktop. It doesn't protect against image redirects, though.
 
2018-02-09 03:18:41 PM  
[image]


What unsecured chrome might look like.
 
2018-02-09 03:19:43 PM  

meanmutton: kittyhas1000legs: Gubbo: That made me look up my address bar to see how Fark was doing.

Insecure on the desktop, secure on mobile?

It's HTTPS on desktop. It doesn't protect against image redirects, though.


That must be incredibly new...or wait I just tested with another browser:  Before you log in it's still http...including the login itself which means the creds are still passing through as plain text.

*face palm*
 
2018-02-09 03:27:54 PM  
Just because a site uses HTTPS doesn't make it secure.

Don't confuse encryption with security.

Endpoint security is at least as important.
 
2018-02-09 03:29:09 PM  

BumpInTheNight: meanmutton: kittyhas1000legs: Gubbo: That made me look up my address bar to see how Fark was doing.

Insecure on the desktop, secure on mobile?

It's HTTPS on desktop. It doesn't protect against image redirects, though.

That must be incredibly new...or wait I just tested with another browser:  Before you log in it's still http...including the login itself which means the creds are still passing through as plain text.

*face palm*


HTTPS on Fark is for TFers only
 
2018-02-09 03:30:53 PM  

cman: BumpInTheNight: meanmutton: kittyhas1000legs: Gubbo: That made me look up my address bar to see how Fark was doing.

Insecure on the desktop, secure on mobile?

It's HTTPS on desktop. It doesn't protect against image redirects, though.

That must be incredibly new...or wait I just tested with another browser:  Before you log in it's still http...including the login itself which means the creds are still passing through as plain text.

*face palm*

HTTPS on Fark is for TFers only


I think you get it with Barefark too.
 
2018-02-09 03:32:52 PM  

cman: BumpInTheNight: meanmutton: kittyhas1000legs: Gubbo: That made me look up my address bar to see how Fark was doing.

Insecure on the desktop, secure on mobile?

It's HTTPS on desktop. It doesn't protect against image redirects, though.

That must be incredibly new...or wait I just tested with another browser:  Before you log in it's still http...including the login itself which means the creds are still passing through as plain text.

*face palm*

HTTPS on Fark is for TFers only


It's showing me https right now (desktop) which I swear is very new even when I had TF.  But the point remains that it's regular ol' http _until_ you've logged in, which means your login creds are sent across as clear text.
 
2018-02-09 03:35:01 PM  
So now my online portfolio website needs to be https now? That'll be overprotecting.
 
2018-02-09 03:37:54 PM  

BumpInTheNight: meanmutton: kittyhas1000legs: Gubbo: That made me look up my address bar to see how Fark was doing.

Insecure on the desktop, secure on mobile?

It's HTTPS on desktop. It doesn't protect against image redirects, though.

That must be incredibly new...or wait I just tested with another browser:  Before you log in it's still http...including the login itself which means the creds are still passing through as plain text.

*face palm*


Fiddler shows submitting the login info does a tunnel to www.fark.com:443 which does negotiate an SSL connection.  That would happen before the content is sent back to fark so the credentials are safe.

Also, the headers:
Location: https://www.fark.com/login...
X-Drunk-On: schnapps
X-UA-Compatible: IE=edge,chrome=1
Cleartype: on

Made me laugh, how very Fark-y.
 
2018-02-09 03:39:50 PM  

freidog: Fiddler shows submitting the login info does a tunnel to www.fark.com:443 which does negotiate an SSL connection. That would happen before the content is sent back to fark so the credentials are safe.

Also, the headers:
Location: https://www.fark.com/login...
X-Drunk-On: schnapps
X-UA-Compatible: IE=edge,chrome=1
Cleartype: on

Made me laugh, how very Fark-y.


Oh yah?  Okie cool then, I admit I was going purely on what the prime page's protocol was displaying.  I mean I get why they don't want the added overhead of encrypting all the randos' traffic that just silently lurk around the place.
 
2018-02-09 03:44:40 PM  
Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.
 
2018-02-09 03:50:53 PM  

RoomFullOfMonkeys: Just because a site uses HTTPS doesn't make it secure.

Don't confuse encryption with security.

Endpoint security is at least as important.


Regardless of whether or not HTTPS is secure, HTTP is not secure and will be labeled as such by Chrome.
 
2018-02-09 03:54:10 PM  

downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.


Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.
 
2018-02-09 03:57:59 PM  

Gubbo: downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.

Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.


Free yes, but kind of a pain in the dick because the certs expire pretty rapidly from my experience with them. But if all you are managing is a single blog or so would not be that difficult to stay on top of.
 
2018-02-09 04:00:09 PM  

downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.


You can get free SSL certificates from Let's Encrypt as long as you're not lookin for anything complex.
 
2018-02-09 04:02:43 PM  

KiefKommando: Free yes, but kind of a pain in the dick because the certs expire pretty rapidly from my experience with them. But if all you are managing is a single blog or so would not be that difficult to stay on top of.


It's also pretty easy to set up Let's Encrypt certificates to auto-renew (assuming you or your shared provider has a basic degree of system administration knowledge)
 
2018-02-09 04:04:12 PM  

KiefKommando: Gubbo: downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.

Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.

Free yes, but kind of a pain in the dick because the certs expire pretty rapidly from my experience with them. But if all you are managing is a single blog or so would not be that difficult to stay on top of.


The base protocol is going through the IETF now, so you should see competitors with varying policies emerge soon.  Some of the baseline comes from the CA/Browser forum, though, so it will have some level of policy consistency.

Remember that most sites won't run OCSP, so shorter renewals make some sense.
 
2018-02-09 04:04:17 PM  

KiefKommando: Gubbo: downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.

Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.

Free yes, but kind of a pain in the dick because the certs expire pretty rapidly from my experience with them. But if all you are managing is a single blog or so would not be that difficult to stay on top of.


Would moving your site behind CloudFlare also work for free SSL?
 
2018-02-09 04:08:40 PM  

Gubbo: Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.


It works kinda like Google's webmaster tools; you verify the site is yours with a special URL and it gives you a certificate. The limitation is that the cert needs to be updated every 90 days and wildcard certs are not allowed.
 
2018-02-09 04:29:58 PM  

xevus11: downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.

You can get free SSL certificates from Let's Encrypt as long as you're not lookin for anything complex.


Well.  Now ya tell me!
 
2018-02-09 04:32:12 PM  

Chagrin: Gubbo: Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.

It works kinda like Google's webmaster tools; you verify the site is yours with a special URL and it gives you a certificate. The limitation is that the cert needs to be updated every 90 days and wildcard certs are not allowed.


Oh never mind then, that's a massive hassle.  And wildcards are often important (but I admit not for normal ol' blogs.)
 
2018-02-09 05:00:54 PM  

downstairs: Chagrin: Gubbo: Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.

It works kinda like Google's webmaster tools; you verify the site is yours with a special URL and it gives you a certificate. The limitation is that the cert needs to be updated every 90 days and wildcard certs are not allowed.

Oh never mind then, that's a massive hassle.  And wildcards are often important (but I admit not for normal ol' blogs.)


You can have a cron job automatically renew every two months, giving you a month buffer if something goes wrong. Nothing has gone wrong for any of my certs.
 
2018-02-09 05:22:03 PM  

Gubbo: KiefKommando: Gubbo: downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.

Https://letsencrypt.org

Not sure how all that actually works, but I recall reading it was free.

Free yes, but kind of a pain in the dick because the certs expire pretty rapidly from my experience with them. But if all you are managing is a single blog or so would not be that difficult to stay on top of.

Would moving your site behind CloudFlare also work for free SSL?


I don't know that CloudFlare will do SSL on the front if it doesn't have SSL to your actual host. Worth investigating I suppose

SSL Dragon will give you a decent cert for a year for $8
 
2018-02-09 05:54:24 PM  
Ironic that this article is being served over HTTP.
 
2018-02-09 06:03:36 PM  
I tried Chrome once.

[image]


I used it to download some freeware games from the web. Afterwards when I went to play them I opened the download directory and they were gone.

Chrome downloaded them then helpfully deleted them on my behalf without informing me because the filenames were obscure, thus assumed to be malicious without any testing whatsoever.

Google are a bunch of coonts.
 
2018-02-09 06:15:20 PM  
Great, so everyone in IT will be getting tons of extra calls from the befuddled masses of users saying "I'm getting this message when I open this webpage saying it's insecure. Have I been hacked? There's this 'Proceed to site (Unsafe)' button, is it OK to press it? Are you sure it won't give my computer a virus?"

/Working in IT isn't worth having to put up with this kinda crap all the time
 
2018-02-09 06:25:36 PM  

LurkerSupreme: Great, so everyone in IT will be getting tons of extra calls from the befuddled masses of users saying "I'm getting this message when I open this webpage saying it's insecure. Have I been hacked? There's this 'Proceed to site (Unsafe)' button, is it OK to press it? Are you sure it won't give my computer a virus?"

/Working in IT isn't worth having to put up with this kinda crap all the time


Nope, Proceed to site (Unsafe) is only for websites that don't match their cert or are flagged as known malicious.

Maybe for the former, but it already does this on Firefox and it was never really a thing. Users struggle to ensure that the domain they're visiting is correct after clicking a link on an email, let alone see the Unsecure denomination next to it.

Also there's no real excuse now that trusted certs are free and Cloudflare offers the option to people locked into shiat hosting (like I was with iPage, have since moved to a VPS and it's literally 10x faster at serving pages and half the price).

/www.oilandgasinternational.com is now HTTPS
//Google the site and "not secure" if you don't remember their story
///They need to look into anti-aliasing
 
2018-02-09 07:28:43 PM  

downstairs: Eh.... I'm able to afford HTTPS for my sites (many of which do not take ANY information beyond a contact form)... but I sort of feel this is a crappy blanket move for people with small blogs and the like.  I know non-savvy users and can see them thinking reading a regular ol' blog (no login/password required) is going to STEAL THEIR IDENTITY!!!!

SSL is cheap for some, but not for everyone.  Especially those that totally do not need it.  Drop the price for SSL and I think I'm cool.  GoDaddy (which may not be the cheapest, I do not know) is $74.99/yr.  To some that's not much.  To others that is quite a chunk of change.

Maybe it won't be a big deal, but I sort of don't like this move.

I think it may be better to only mark pages where input is sent.  That seems more logical.  And I'd hope it is a friendly message, not something to scare people off from communicating things that do not need security.


Namecheap is cheap.  $12/yr for a single domain.
 
2018-02-09 09:57:52 PM  
Meh.  It's stupid.  Not encrypted is not insecure.
 
2018-02-09 11:39:35 PM  
freidog
Also, the headers:
Location: https://www.fark.com/login...
X-Drunk-On: schnapps


That's actually the name of one of Fark's servers; likely the one which processed your request.

~> for i in $(seq 192 255); do echo "64.191.171.$i" $(nslookup 64.191.171.$i | grep name | cut -d ' ' -f 3 | cut -d '.' -f 1-3); done


 
2018-02-10 06:54:20 AM  

The Voice of Doom: freidog
Also, the headers:
Location: https://www.fark.com/login...
X-Drunk-On: schnapps


That's actually the name of one of Fark's servers; likely the one which processed your request.

~> for i in $(seq 192 255); do echo "64.191.171.$i" $(nslookup 64.191.171.$i | grep name | cut -d ' ' -f 3 | cut -d '.' -f 1-3); done

64.191.171.207 = www.foobies.com


That still exists?
 
2018-02-10 09:36:47 AM  
Because nobody has LANs or Intranets, or runs services on Localhost.
 
2018-02-10 04:32:18 PM  

The Voice of Doom: www.foobies.com


What is this foobies you speak of?
 
2018-02-10 06:50:30 PM  
Will it allow you to log into the insecure sites anyway?  That is the problem I keep running into with my mobile; the guest WiFi in a university library insists that you enter your e-mail address, but when I try to do that, the OS insists that the site is not secure and won't let me.
 