Why are non-https origins considered unsafe by browsers?

Viewed 72 times

3

I just asked a question about a feature that has become obsolete in a particular browser because the origin does not use SSL.

I fully understand that HTTPS improves the security of the site, since the data is encrypted.

But why do browsers use the term "insecure origin" for origins that do not use HTTPS, since the security of a website does not depend only on an SSL certificate?

We have many things that make a site unsafe:

Isn't it an exaggeration to say that the lack of SSL makes a site insecure?

  • No, I’m not angry at the browsers.

  • The question that prompted this one: http://answall.com/questions/95282/getusermedia-agora-be%C3%A1-depreciated-in-related%C3%B5es-n%C3%A3o-https

  • 1

    Ah, just to clarify, the SSL protocol does not improve safety at all; it acts as a supplement to increase the level of security. If you add SSL, injections and XSS are still possible because, generally speaking, SSL protects only the transmission channel.

  • So I see @Edilson agrees with me ;)

  • Another thing is, a site with or without SSL is basically the same thing, because if you look at it, most sites just use connections like https on pages where the user provides sensitive data and which normally require some secrecy so that they are not intercepted, "but" if the input data is problematic and the system is not able to handle it, you will have exactly the same problems.

  • In an ideal world there would be nothing unsafe about an HTTP site. Simply do not use HTTP to traffic sensitive data or actions that depend on credentials. What problem would a restaurant or fencing club site have with using HTTP for general access pages? It would even be more efficient for communication. The problem is that now there are even providers that change the content of pages in exchange for some money, or worse.


2 answers

5


PHP, SQL and similar injections occur in the application layer, which is outside the scope of SSL; SSL operates in the communication layer.

Concerns about communication are clear and valid. For example:

Given the ubiquity of Internet use for transmitting sensitive process data (access to bank accounts, medical data, etc.), guaranteeing safe traffic has high priority, so companies are adopting SSL as standard, and open sites are considered unsafe.

  • Thanks, now that cleared up the paranauê
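How a browser arrives at the label "insecure origin" can be sketched in a few lines. This is an added example, not part of the original answers and not any browser's code: it is a simplified version of the "potentially trustworthy origin" test from the W3C Secure Contexts specification, and the function names and sample URLs are constructed for illustration.

```javascript
// Simplified "potentially trustworthy origin" test (W3C Secure Contexts).
// Added illustration; real browsers apply further rules (e.g. enterprise
// allowlists, embedding ancestors) that are left out here.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never treated as secure
  }
  // 1. Authenticated, encrypted transport.
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  // 2. Local files: the spec lets browsers treat these as trustworthy.
  if (url.protocol === "file:") return true;
  // 3. Loopback: the traffic never leaves the machine, so there is no
  //    network path on which it could be read or modified.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// The decision looks only at scheme and host. It says nothing about
// injection or XSS in the application, which is the distinction the
// answer above draws between the communication and application layers.
function classify(urls) {
  return urls.map((u) => ({
    url: u,
    label: isPotentiallyTrustworthy(u) ? "secure origin" : "insecure origin",
  }));
}

// Constructed sample URLs.
const SAMPLE_URLS = [
  "https://example.com/login",
  "http://example.com/menu",
  "http://localhost:3000/dev",
  "http://127.0.0.1.evil.example/", // loopback look-alike, still remote
  "http://[::1]:8080/",
];

console.log(classify(SAMPLE_URLS));
```
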

-1

"We at the Chrome Security Team propose to change your UX to display unsecured sources as affirmatively unsecured. We intend to design and start deploying a transition plan for Chrome in 2015.

The purpose of this proposal is to show users more clearly that HTTP does not offer data security".

HTTP sites will continue to work; we currently have no plans to block them in Chrome. All that will change are the security indicators.

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

  • Nor does HTTPS provide data security if the site has been programmed without taking care of the other items cited in the question. I still think this is an exaggeration. Soon no one will enter a site without https :|

  • The link shows some criteria. I believe that if you adopt the necessary ones, your site can leave this blacklist.

  • 2

    @Alanturing quoting a sentence and passing a link is not exactly enlightening, and this is well known.

  • @Wallacemaxters, reading their article, I think it’s just a way to try to force websites to improve security.

  • @Edilson there are always the Haterz kkkkk
