Google adds HTTPS-only browsing to Chrome

Summary: Google has quietly released a pre-beta version of Google Chrome 2.0 with a new HTTPS-only browsing mode.

By Ryan Naraine for Zero Day | January 9, 2009 -- 16:03 GMT (08:03 PST)

Google has quietly released a pre-beta version of Google Chrome 2.0 with a new HTTPS-only browsing mode.

The new feature lets users add "force-https to your Google Chrome shortcut" to only load Web sites with valid security certificates. "Sites with SSL certificate errors will not load," the company explained.

The newest Chrome release also updates the WebKit and V8 JavaScript engines, offers a better implementation for SafeBrowsing (malware/phishing protection), and new code for the HTTP network protocol.

Google's release notes provide more detail on the changes.

ALSO SEE:

Topics: Security, Browser, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments

Log in or register to join the discussion

lol

What about sites using poor SSL encyption?

croberts
10 January, 2009 09:15

Reply Vote
Does Chrome block Google?

I suggested using only secure Web connections on the Apache httpd user mailing list 2008-07-29. The limitations are bandwidth, virtual servers, and expectations. The bandwidth overhead for encrypted connections should have become irrelevant with ubiquitous high-bandwidth connections (cable and DSL.)

Name-based virtual servers have the "one certificate per IP Address" problem. SSL Certificates are issued to a domain or server name. 1996's SSL 3.0 expects one IP Address to handle one server name. The problem will be fixed when 2003's TLS 1.1 replaces SSL3 as the standard encryption method. [I am uncertain when virtual hosting was first used. Apache httpd 1.3 supported name-based virtual hosting by 1998. The terms were already common.]

Even in early 2009, expectations are for websites to use unencrypted HTTP connections. My Apache post mentioned Google as a problem. Today, https://google.com and https://www.google.com still redirect to http://www.google.com. Keeping your reading private is not sufficient if the path to the content is insecure.

Does Google's Chrome browser block Google because HTTPS is not allowed?

solprovider
11 January, 2009 00:34

Reply Vote
- The https to http issue is a server based redirect.
  
  [i]Today,[/i] https://google.com [i]and[/i] https://www.google.com [i]still redirect to[/i] http://www.google.com[i]. Keeping your reading private is not sufficient if the path to the content is insecure.[/i]
  
  This is due to that the servers used by Google are rerouting the https traffic (the URI you are using, port 443) to unencrypted http (port 80). This is a server setting and has nothing to do with the browser (Chrome, Firefox, IE, Opera, etc.). This is controlled through Apache modules.
  
  B.O.F.H.
  11 January, 2009 08:57
  
  Reply Vote
  - Google is Inconsistent
    
    1. Google uses the Google Web Server, a customized version of Apache httpd, typically counted separately from Apache httpd in most Web statistics. I believe this practice is to lower the number of Apache httpd websites to make Microsoft's Web server seem to be competing better against first-place Apache httpd.
    
    2. The redirect should have been handled with the Redirect command from the standard mod_alias module. People should expect:
    https://www.google.com/search?q=example
    to redirect to:
    http://www.google.com/search?q=example
    but Google loses the query and redirects to:
    http://www.google.com/
    
    3. So the redirect is probably being handled with the RewriteRule command from the standard (but must be enabled) mod_rewrite module.
    
    4. The software technology is not relevant to the discussion. Google redirects secure requests to insecure connections. This opposes the goals mentioned in the article. If Google cared about securing the Web,
    http://www.google.com/
    would redirect to:
    https://www.google.com/
    and if Google cared about visitors, the query would not be discarded during the redirect.
    
    solprovider
    11 January, 2009 19:39
    
    Reply Vote
RE: Google adds HTTPS-only browsing to Chrome

Google should trash Chrome and focus their effort on Firefox instead. The world does not need another browser and I can't see the ROI at all for Google here. Makes no business sense and the argument fir it are weak. It's just another crazy project by Google to burn money they don't know what to do with. Chrome won't make anyone use Google more. That's just bullshit...

Viklund
11 January, 2009 19:22

Reply Vote
- About trashing Chrome...
  
  I have both Chrome and a fully updated Firefox.
  
  I use Chrome almost all the time. It's much faster
  than Firefox. It's simple, secure and fast.
  
  I use Gmail (22,000+ archived emails) with the https
  enabled. I haven't had any problems.
  
  Joe.Smetona
  14 January, 2009 11:28
  
  Reply Vote
- In the end I have nothing against it if...
  
  ...it sticks to the standards. Sure, I'd rather see them helping to make firefox leaner (no doubt that FF will benefit from chromium source code even now though...) but as long as they dont start breaking standards, which was a common practise in mid-90s IE vs. NetScape war to break web-compatibility between browsers I cant really oppose them - them choosing to make their own browser instead is in the end up to them even if me and you disagree on sensibility of the choice.
  
  Btw, does google still support firefox development financially or did they drop that when they started with chrome?
  
  robsku
  20 January, 2009 22:19
  
  Reply Vote
RE: Google adds HTTPS-only browsing to Chrome

Great!!! thanks for sharing this information to us!
<a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>

birumut
4 May, 2011 16:53

Reply Vote