by ancarda 3050 days ago
An example from the real world -- Comcast, a large ISP in the USA, has been caught injecting JavaScript into websites: https://thenextweb.com/insights/2017/12/11/comcast-continues... It's not hard to imagine a more malicious use, like tracking or injecting adverts the ISP wants you to see on webpages.

This is only possible because the connection isn't encrypted.

Another example -- Verizon were injecting a header called X-UIDH which had a unique identifier, acting as a super-cookie that was present on all websites and couldn't be removed: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh

This is only possible because the connection isn't encrypted.

Every website needs SSL.


All of that is bad, none of it is a security issue. Privacy, sure. But not security. And the article specifically shows that Google is planning to mark example.org as insecure. Which it's not.
But it quite literally is:

    insecure (adj.)
    (of a thing) not firm or fixed; liable to give way or break.
    not sufficiently protected; easily broken into.
A webpage loaded over HTTP is easy to tamper with. Let me give you an example of traffic over HTTP that is secure -- apt repositories, because you're only retrieving payloads protected by PGP, so the actual payload is firm, fixed, and not easily broken into.

How else do you define insecure? Have I misunderstood the definition?
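The two scenarios above side by side, as an added example that is not part of the original thread or of any ISP's or apt's own code: an on-path rewrite of a plaintext HTTP response (a tracking header plus an injected script tag), a browser that has nothing to check it against, and an apt-style signed manifest that catches the same rewrite. Everything in it is constructed: the page, the "package" bytes, the script URL, the X-UIDH value and the key. The HMAC is a stand-in for apt's PGP signature on the Release file so the script runs on the standard library alone.

```python
"""Constructed demo: on-path rewrite of plaintext HTTP vs. a signed payload.

Added example, not from the thread. All data and the key are made up; the
HMAC stands in for apt's PGP signature so only the stdlib is needed.
"""
import hashlib
import hmac
import re

INJECTED_SCRIPT = b'<script src="http://isp.example/notice.js"></script>'  # constructed
SUPERCOOKIE = b"X-UIDH: constructed-opaque-subscriber-id"                 # constructed
ARCHIVE_KEY = b"constructed-archive-signing-key"   # stand-in for the repo's PGP key


def build_http_response(body: bytes, content_type: bytes = b"text/html") -> bytes:
    """The origin server's plaintext response, with a correct Content-Length."""
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: %d" % len(body))
    return head + b"\r\n\r\n" + body


def isp_rewrite(response: bytes) -> bytes:
    """Model of the on-path rewrite: add a tracking header and inject a
    script tag (before </body> if present, otherwise appended), then fix
    Content-Length so the result is still a well-formed response."""
    head, _, body = response.partition(b"\r\n\r\n")
    if b"</body>" in body:
        body = body.replace(b"</body>", INJECTED_SCRIPT + b"</body>", 1)
    else:
        body += INJECTED_SCRIPT
    head = re.sub(rb"Content-Length: \d+", b"Content-Length: %d" % len(body), head)
    return head + b"\r\n" + SUPERCOOKIE + b"\r\n\r\n" + body


def parse_response(raw: bytes):
    """What the client sees: headers (lower-cased names) and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def browser_accepts(raw: bytes) -> bool:
    """A browser has no reference copy to compare against: a body that
    matches Content-Length is rendered as whatever the site 'sent'."""
    headers, body = parse_response(raw)
    return len(body) == int(headers["content-length"])


def sign_release(payload: bytes, key: bytes = ARCHIVE_KEY):
    """apt model: a Release file lists the payload's SHA256 and size, and the
    Release file itself is signed (HMAC here, PGP in real apt)."""
    digest = hashlib.sha256(payload).hexdigest().encode()
    release = b"SHA256: %s %d\n" % (digest, len(payload))
    signature = hmac.new(key, release, hashlib.sha256).hexdigest().encode()
    return release, signature


def verify_payload(release: bytes, signature: bytes, payload: bytes,
                   key: bytes = ARCHIVE_KEY) -> bool:
    """Same order of checks as apt: signature over Release first, then the
    payload's hash and size against the entry in Release."""
    expected = hmac.new(key, release, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, signature):
        return False
    fields = release.split()
    if len(fields) != 3 or fields[0] != b"SHA256:":
        return False
    digest = hashlib.sha256(payload).hexdigest().encode()
    return hmac.compare_digest(digest, fields[1]) and int(fields[2]) == len(payload)


def demo() -> dict:
    """Push a web page and a 'package' through the same rewrite and report."""
    page = b"<html><body><p>Hello from example.org</p></body></html>\n"  # constructed
    package = b"Package: hello\nVersion: 1.0\n<binary payload>\n"         # constructed
    tampered_page = isp_rewrite(build_http_response(page))
    page_headers, page_body = parse_response(tampered_page)

    release, signature = sign_release(package)
    tampered_pkg_response = isp_rewrite(
        build_http_response(package, b"application/octet-stream"))
    _, tampered_pkg = parse_response(tampered_pkg_response)
    return {
        "page_has_injected_script": INJECTED_SCRIPT in page_body,
        "page_has_supercookie": "x-uidh" in page_headers,
        "browser_accepts_tampered_page": browser_accepts(tampered_page),
        "apt_accepts_genuine": verify_payload(release, signature, package),
        "apt_accepts_tampered_payload": verify_payload(release, signature, tampered_pkg),
        "apt_accepts_tampered_release": verify_payload(release + b"#", signature, package),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the ISP in this model never touches the signing key, so it can rewrite Release, the signature, or the payload, but cannot make them agree with each other; that is the property the apt design relies on, and it is exactly what a plain HTML page lacks. In real apt the Release file is signed with PGP and the client already holds the archive's public key, so the same check works over an untrusted channel.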

I define insecure as a machine/user getting compromised. Malware, phishing and the like.

Anyway, your example is a good one as to why it's weird for Chrome to label these things as insecure.

Insecure can't be used as a drop-in replacement for compromised, though; being insecure will get you compromised. One distinct thing might lead to another distinct thing.
> I define insecure as a machine/user getting compromised

So a bank using plaintext HTTP doesn't qualify as insecure?

Integrity is one of the components of security.