Chrome browser prefers SSL

July 26, 2018

Google’s browser is to issue security warnings on non SSL sites.

It’s for our own good and we’ll have to jolly well get used to it and learn to be grateful. Google are only doing this because they love us and they know what’s best. At least that’s how I read this latest innovation designed to educate and inform our browsing habits

But surely secure browsing is a good thing?

My opinion is that it depends. I can’t imagine many people being happy if their credit card number were transmitted in clear text over an insecure network (the Internet) where it might be prey to being collected by those ever present l33t haxx0rs. That’s “Elite Hackers” to you and me.

However, if someone where to be able to see the text streaming from this web page to your computer, I’m not sure that’s such a big worry.

It’s my opinion that we should all be more concerned what happens to our data at the other end. That is, we should be aware of how the websites that we visit handle our personal information, rather than the bogey men who may or may not be listening in.

SSL encrypts not everything

Consider https://www.example.com/terrible_page.html

  • They (your Internet Service Provider, the Government, an eavesdropper) will know you have visited example.com because that part of the page request is sent in the open. Plus you may have used their DNS to locate example.com.

  • They will not know that you viewed terrible_page.html. However they may be able to infer which page from things like the length of the page title.

  • Most websites at a machine level can keep a log of visits which record, among other things, the IP address of the visitor, time and page visited. So an untrustworthy website, or one which has been compromised by a bad actor, can reveal exactly who has been looking at what and when.

  • My advice is that people treat their browsing activities like they are on CCTV. It’s difficult to equate the level of surveillance with the feeling of being in ones own space and in the privacy of ones own home. The upside is that there is so much traffic out there that unless you are engaged in anything really egregious what you’re up to will be of no interest to anybody but yourself.

SSL only encrypts data in transit

So:

  • If your computer has a data stealing trojan
  • If the website has been compromised into running a malicious program
  • If the website’s owners are lax and store your data on an insecure database
  • If the website staff or hosting staff abuse their powers of access

all the SSL in the world will not protect you.

Be safe - it’s a mean tough world out there.