The Downsides of Google’s Chrome Security Push

Google has world class security and privacy teams, but I continue to have misgivings about certain aspects of their Chrome browser security push — particularly regarding warnings to users when connections use unencrypted http: as opposed to encrypted https:.

While the push to encrypt Internet connections by default is a laudable one, it is also essential that fundamental aspects of practicality and user reactions be carefully considered.

I touched on some of this over a year ago in “Falling Into the Encryption Trap” — but now that Google has made more explicit their plans for browser address bar warnings to users regarding http: connections, I’m again concerned.

Apparently in January of next year Google intends to replace the current quite reasonable “information circle” indicating non-encrypted pages, with an explicit “Not secure” warning — ultimately to be displayed in bright red with a danger triangle.

I am absolutely certain — based on the many queries I receive routinely from users who are already confused and concerned about other security warnings they see and misunderstand — that the escalation to these sorts of warnings by Chrome will vastly and unnecessarily increase confusion and even panic among significant categories of non-techie users when accessing various sites important to them.

Because the truth of the matter is that it remains both impractical and unnecessary for all sites to convert to https: at this time.

It is certainly true that theoretically any site could become a vector for misinformation or malware via man-in-the-middle manipulation of their connections, and the use of various insecure and/or poorly managed ad networks increases the risks in this context.

But as a practical matter, the vast majority of exploits that users must contend with do not come from the manipulation of Internet connections. Rather, infections via email phishing, contaminated sites, and similar techniques represent the overwhelming majority of successful attack vectors.

Still, it is inarguable that all else being equal, having all connections as encrypted https: rather than unencrypted http: is extremely desirable.

Unfortunately, all else isn’t equal.

There are uncountably vast numbers of legacy sites that provide widely referenced information to enormous numbers of users, yet do not sell anything, don’t collect usernames or passwords or other private information, and don’t participate in any ad networks.

Many of these sites have been online not just for many years, but even for decades. They typically use older software systems that are difficult or impractical to directly update, and frequently operate on a shoestring (or even zero) budget, while not creating any income at all.

It will frequently prove impossible from a money and/or time standpoint for the operators of such sites to convert to https: — yet Chrome’s warning system will likely confuse their users into assuming that they are actually being spied on, when in fact such surveillance on any given one of those individual connections is theoretical (and in practice an extremely low probability).

And while the cost of encryption certificates has now dropped to zero with the advent of services such as “Let’s Encrypt” — the effort required to actually make them work can be anything but trivial.

I recently converted all of my sites, some of very long standing, to https: using Let’s Encrypt. Even though my sites are not fancy in any way, it was an enormous amount of work, and required every ounce of knowledge I had regarding the sites’ internal architectures. While Let’s Encrypt promotes scripts to supposedly handle such conversions automatically, I cannot recommend those procedures except for the very most trivial and simplistic of sites — anything beyond that and you’re liable to end up with a mangled site configuration nightmare — you’d better have good backups handy!

I’m frankly uncertain how to best achieve a practical compromise position regarding browser security warnings.

I do know that a scary red “Not secure” warning is likely to unnecessarily panic many users and unreasonably disadvantage many sites.

This is especially true when there is no explicit indication to users as to how they can obtain more information about that warning — such as what it really means in terms of actual risks — in language that non-techies will actually understand. Even now, the security details that Chrome provides if one knows to click on the address bar security icon are pretty much technical gobbledygook as far as most users are concerned.

My sense is that despite their great skills in privacy and security matters, Google has not genuinely considered the impacts of their upcoming browser warnings on significant segments of the user and site populations, who by and large do not live 24/7 in the same rarefied security worlds as do many of us.

Luckily, this is a fixable problem, if Google is willing to put forth the effort and outreach to fix it. I respectfully urge them to do so.

Be seeing you.

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

Oscar’s Ageism and Society’s Disposable Workers

I’ve long had a policy of avoiding involving myself in Hollywood politics — not always easy having resided here in L.A. for my entire life to date.

But something’s going on with Oscar — or more precisely the Academy of Motion Picture Arts and Sciences (AMPAS) — that is disturbing both in and of itself, and for what it says about our society at large (including here in the tech world).

The Academy Award (Oscar) presentations have always tended to be quite “white” — more so than ever in recent years, leading to calls of racism and protests.

The Academy does have real problems in this respect. It’s not purposeful racism per se, but it is a form of effective racism that has been an outgrowth of AMPAS membership policies and the structural history of popular films and Hollywood production patterns pretty much since the dawn of the movie industry.

With recent protests being particularly embarrassing to the Academy, AMPAS has now moved to try to deal with what they perceive to be their “too many voting old white men” problem.

But they’re doing it in exactly the wrong way, exchanging their existing diversity problems for outright ageism.

Rather than changing their membership and voting rules going forward for new members in a manner that would encourage racial and other diversity, they’ve decided to try to cull their oldest members — some in their 90s who have been Academy members for many decades and have always played by the rules — by stripping them of their Oscar voting rights.

While this obviously does not rise to the level of the kind of rampant workplace ageism and discrimination as reported recently by The New York Times, it still is a slap in the face to loyal, older AMPAS members who have done absolutely nothing wrong, and is yet another example of society kicking older persons in the gut as an ostensible “quick fix” solution for complex structural problems. Quick “fixes” — I might add — that typically make those problems far worse rather than fixing anything at all.

Outside of the Hollywood ecosystem, the intricacies of who votes for or receives Oscars are not a matter of much import to most people.

But what AMPAS’ actions tell us about the treatment of older persons in general is very much in scope, and perhaps the sheer ham-handed, doltish approach of the Academy to their very real diversity problems shines a key light on society’s failings in this regard — illuminating the broader issues in a way especially difficult to dismiss or ignore.

And that’s the truth.


Network Solutions Still Operates Like a Bunch of Crooks

I still have a couple of my oldest Internet domains — including one that turned thirty years old this year and was among the first 40 dot-com domains ever issued — with Network Solutions (NSI) for historical reasons, and I continue to be impressed with the firm’s ability to closely emulate the practices of the worst kind of Internet crooks.

NSI sends out important notifications missing key information, worded like spam or phishing attacks, transmitted from unfamiliar domains, and as HTML-only email messages. All the hallmarks of illicit contacts, or at least of rank amateurs in action.

Their “off the shelf” domain renewal prices are abysmal of course, but even worse are their outrageous attempts at upselling during the domain renewal process.

They by default select (pre-check) expensive options like “private” domain registration (as far as I’m concerned, anyone doing business over the Internet should not be permitted to have a private registration, absent some relatively rare special situations — but that’s a discussion for another time). 

Their form sequences attempt to trick you into switching your domains to their DNS servers, to sign up for hosting services you don’t want or need, and they employ all of the lowlife tricks — confusing interfaces, low contrast decline buttons — you know the drill.

Network Solutions has been pulling these kinds of stunts for years, but it seems like they’re continually striving to reach even new lows.

These clowns don’t deserve our business. Hell, they don’t deserve to be in business. They’re a stain on the Internet. 

If you haven’t already done so, shun them as soon as you can.


A Horrific New Animal Cruelty Commercial from Toyota

Toyota is running a new TV spot (internally titled “Camping”). It’s already triggering letters and petitions to Toyota to remove it from the air immediately. It’s breathtakingly stupid and could easily trigger dangerous copycats.

It features a moronic couple who throw a stick into a rapidly flowing river so that their dog will chase after it into the water. You then see the dog being rapidly washed away down the middle of the river. The couple races ahead downstream in their new Toyota to meet up with the dog who has somehow managed to survive the ordeal.

Then the woman says “My turn!” and throws the stick back into the river to bait the dog into the rapidly flowing water yet again.

It’s obviously supposed to be funny. Instead it’s hideous.

Whoever green-lighted this monstrosity at Toyota and their ad agency should be fired and never permitted to own animals of their own. What kind of total idiots produce a commercial like this that is bound to inspire other idiots to try the same thing?

Breathtakingly evil. Here’s the video of the spot. I’m told that there apparently is at least one additional version of this commercial that is even more disturbing.

Please let Toyota know how you feel about this. Thanks.
