Google Proposes To Warn People About Non-SSL Web Sites
mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement, which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Encryption has a cost, it isn't free. It increases CPU utilisation and power consumption. It interferes with caching and reduces network efficiency.
This is a dumb idea. A very dumb idea.
-1 Uncomfortable Truth
The major downside to this is promoting the idea that an https connection is "secure", because especially when it comes to https, there are so many different attacks to level against both an end user and a host that we'd be better using a risk grading system.
Problem with the web: too many websites with too much content, not one answer that can be given consistently to similar questions:
Solution: standardize the web, with Wikipedia, Google Knol, etc. and squeeze out those smaller websites so they stop mucking up the corporate profits.
When the sheep get warm and comfy enough, yank anyone who doesn't dish out for SSL, and make it so that it costs a thousand dollars a year to reasonably publish on the web, instead of the pennies it did a few years ago.
Then, you have total dominion and total control. For much profit!
Futurist Traditionalism
Nah... When getting concerned about control, the following usually holds true:
Rules that inform are good.
Rules that control are bad.
This rule informs. It's good. :-)
This has been a public service announcement.
Really? Why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.
Exactly. What's the benefit?
There's a time and place for encryption, and Slashdot ain't it.
Some folks at Belgacom may disagree.
Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.
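The integrity point above, as an added example that is not part of the thread: a plain HTTP page is rewritten in transit and the client has no way to notice, whereas a page carrying an authentication tag computed under a key the tamperer lacks is rejected. The tag here is an HMAC-SHA256 produced with the openssl CLI, a simplified stand-in for the TLS record MAC/AEAD tag rather than real TLS; the page content and the injected script URL (attacker.example) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Models why TLS integrity matters:
# an on-path attacker can rewrite cleartext HTTP freely, but cannot forge
# the tag on an integrity-protected record. HMAC-SHA256 via openssl is a
# simplified stand-in for the TLS record MAC/AEAD tag, not a TLS stack.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample response and the markup an on-path attacker injects.
ORIGINAL='<html><body>Event schedule: Sat 10:00</body></html>'
INJECTED='<script src="http://attacker.example/x.js"></script>'

# The attacker's rewrite: splice hostile markup into whatever passes by.
mitm_rewrite() {   # $1 input file, $2 output file
  sed "s#</body>#${INJECTED}</body>#" "$1" > "$2"
}

# Plain HTTP: the client has nothing to check against, so the tampered
# page is accepted as-is. Prints the page as received and returns 0.
http_deliver() {
  printf '%s\n' "$ORIGINAL" > "$WORK/plain.html"
  mitm_rewrite "$WORK/plain.html" "$WORK/plain.tampered"
  cat "$WORK/plain.tampered"
  return 0
}

# Integrity-protected delivery: the server attaches an HMAC over the body
# under a key only the two endpoints hold. The client recomputes the tag
# and refuses the page when it differs. Returns 1 when tampering is seen.
protected_deliver() {
  key=$(openssl rand -hex 32)   # per-session key; the attacker never sees it
  printf '%s\n' "$ORIGINAL" > "$WORK/rec.html"
  tag=$(openssl dgst -sha256 -hmac "$key" "$WORK/rec.html" | awk '{print $NF}')
  mitm_rewrite "$WORK/rec.html" "$WORK/rec.tampered"
  seen=$(openssl dgst -sha256 -hmac "$key" "$WORK/rec.tampered" | awk '{print $NF}')
  if [ "$seen" = "$tag" ]; then
    cat "$WORK/rec.tampered"
    return 0
  fi
  echo "integrity failure: expected tag $tag, computed $seen; page dropped" >&2
  return 1
}

echo "--- plain HTTP, as the browser sees it:"
http_deliver
echo "--- integrity-protected record:"
protected_deliver || echo "client rejected the tampered page"
```

Real TLS goes further than this sketch: the key comes from the handshake rather than being shared out of band, the tag covers a sequence number so records cannot be replayed or reordered, and the record is also encrypted. The mechanism that stops the injected script is the same, though: the attacker can change bytes but cannot produce a tag the client will accept.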
If 90%+ sites used SSL this would be a great idea.
If only 33% sites use SSL, then this warning will be popping up on the majority of websites that people visit.
Guess what happens when an ordinary user sees a warning pop up repeatedly? That's right, they start ignoring the warnings.
On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working.
Google should do whatever it wants. After all, if I get annoyed enough by Google Chrome, I'll just switch back to Firefox or Opera. Only the ChromeOS/ChromeBook/ChromeBox users may be screwed (because they've made the mistake of locking their hardware to a specific vendor browser).
In any case, Google hasn't formally announced a decision yet, it has merely made a proposal public and started a discussion on the subject requesting feedback. The fact that everyone is condemning Google for this proposal vindicates all the companies that keep their discussions private and out of the public eye until they work them out -- all secretly first.
This rule misinforms. There is nothing alarming about a site not having encryption enabled. A security pop-up is very alarming to the average uneducated user. It's bad enough with the "this site is untrusted" warnings whenever self-signed certs are involved. I trust that self-signed cert more than any of your "trusted" CAs you fuckers!
Ultimately this is lying to your users because you believe that they are not technology-literate enough to make the right choice.
I get that making a secure product that is easy for the average mook is hard, but social-engineering your way around ignorance is a lazy shortcut.
... You've already done that once already by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.
Am I overreacting here? Or is Google going too far, too fast with this?
You are overreacting. It's a positive step and there is no good reason in 2014 that all internet traffic should not be encrypted. Oh, and it's a free browser and there are other options both free and proprietary.
Some privacy policy Slashdot.
I'm operating a small web site, mostly to promote my business. It's there, it works, I don't do much about it.
I've considered https, but it's too hard for me as a small web site owner: first I have to manage to get an SSL certificate (costs serious effort and money), then I have to figure out how to install it correctly (tried it before with a self-issued certificate and failed; while I'm fairly computer savvy), finally I have to somehow remember to renew it every few years or so - which is an interval way long enough to completely forget how the installation worked, so I have to start all over again.
Now it seems Google gives higher ranking to https sites - meaning my site gets a lower ranking, that's bad. Next Google is starting to warn people to stay away from my site as it's not secure: why should I want to encrypt what is otherwise public information, like event schedules and itineraries? I put that information on my web site with the express purpose of reaching as many people as possible.
There are many people like me, who put up a web site just for promoting their business. It doesn't make sense to encrypt this info, at all. It doesn't make sense to downgrade ranking for that reason. Very bad move by Google.
Make no mistake, Google doesn't do this because they have our best interest in mind, but because caching means they can't always tell exactly how many and who saw a particular page or ad. They hate caching unless it's them doing it. Going https instead of http defeats most caching, at the expense of the web sites easily having to serve twice as much data to serve the same number of visitors - some of that from the overhead of https, and some of that because of less caching.
Again, follow the money trail, and you'll get the answer for why Google wants to push everyone to https.
The guys over at squid-cache.org are not amused.
Riiiight because the site where I go to look at 1970s toys that has no comments or login NEEDS to be HTTPS because....reasons.
Might want to look up the concept of "security theater", bub, because all this will do is train users that any site that doesn't show the "bad place" warning is safe to give any and all data along with CC numbers; it's the classic "If we only have X then we'll be safe!" with X being whatever magic dust you wanna push today.
ACs don't waste your time replying, your posts are never seen by me.
Not overreacting, but not thinking rationally here either. Google may be going too far alone, but they are definitely not going too fast.
It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.
Google have been quite pushy, but with interesting results. The world hasn't blindly bowed down to them but rather increased the speed at which they have solved other long-standing problems which were getting no interest. I'm hoping the same thing will happen here, that one company doing something different may spur people into fixing what I believe is a horrendously broken approach to security.
That you can get free certs doesn't mean it's easy or in some cases even possible to install them. These days, you find web servers in lots of embedded devices. Should I have to click by a warning every time I want to access my DVR on my LAN?
Encryption is useful when it serves a purpose. It doesn't always, and then it's just a waste at best and a false sense of security at worst.
SSL is inherently a weak solution - it is never any stronger than the least strong of the enormous list of CAs built into every browser. If just one of them is compromised (or has handed over the keys to a three letter agency), visitors lose the protection against MITM attacks and similar.
Self-signed certs are actually far safer, if done right, where the user has to actually validate the cert the first time. But those get warned against.
So make your own CA, create certificates using that, and trust the CA on the devices on your network. Problem solved: No warnings.
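The private-CA approach suggested above, and the DVR-on-the-LAN case raised earlier, as an added example that is not the thread's own code. It also shows the weakest-root problem from the post before it: a client that trusts many roots accepts a certificate for the same name from any of them. All names (Homelab Private CA, Some Other CA, dvr.lan, 192.168.1.20) are illustrative assumptions; the script uses only the openssl CLI and its own minimal config so the output does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not the thread's own code: a private CA for LAN devices
# with the openssl CLI, plus a second unrelated root to show why a browser
# trusting a hundred roots is only as strong as the weakest one.
# Names (Homelab Private CA, Some Other CA, dvr.lan, 192.168.1.20) are
# illustrative assumptions.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so results do not depend on the system openssl.cnf.
write_cnf() {   # $1 path, $2 subject CN, $3 extension lines for a -x509 cert
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $2
[ext]
$3
EOF
}

# 1. A root CA: self-signed, CA:TRUE, pathlen:0 (signs leaves, not sub-CAs).
#    Keep <stem>.key offline; <stem>.crt is what you import into devices.
make_ca() {     # $1 file stem, $2 display name
  write_cnf "$WORK/$1.cnf" "$2" "basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# 2. A leaf cert for a device, signed by a given CA. Browsers match the
#    subjectAltName, not the CN, so list every name and IP you will type.
make_device_cert() {   # $1 CA stem, $2 hostname, $3 IP; writes $2.$1.crt
  s="$WORK/$2.$1"
  write_cnf "$s.cnf" "$2" ""
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$s.cnf" \
    -keyout "$s.key" -out "$s.csr" 2>/dev/null
  cat > "$s.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2,IP:$3
EOF
  openssl x509 -req -in "$s.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$s.ext" -out "$s.crt" 2>/dev/null
}

# 3. What a client does with its trust store: chain check plus name check.
#    $1 trust-store file, $2 cert file, $3 the hostname or IP the user typed.
client_accepts() {
  case $3 in
    *[a-zA-Z]*) openssl verify -CAfile "$1" -verify_hostname "$3" "$2" ;;
    *)          openssl verify -CAfile "$1" -verify_ip "$3" "$2" ;;
  esac >/dev/null 2>&1
}

# 4. A plain self-signed device cert, for contrast: no path to any root.
make_self_signed() {   # $1 hostname; writes $1.self.crt
  write_cnf "$WORK/$1.self.cnf" "$1" "subjectAltName = DNS:$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$WORK/$1.self.cnf" -keyout "$WORK/$1.self.key" \
    -out "$WORK/$1.self.crt" 2>/dev/null
}

make_ca ca "Homelab Private CA"
make_device_cert ca dvr.lan 192.168.1.20
make_self_signed dvr.lan
# A second, unrelated root that also issued a dvr.lan cert: stands in for
# any one of the many roots a browser ships with, compromised or coerced.
make_ca rogue "Some Other CA"
make_device_cert rogue dvr.lan 192.168.1.20
cat "$WORK/ca.crt" "$WORK/rogue.crt" > "$WORK/browser-store.pem"

STORE_LAN="$WORK/ca.crt"              # a client that trusts only your CA
STORE_WIDE="$WORK/browser-store.pem"  # a client that trusts both roots

client_accepts "$STORE_LAN" "$WORK/dvr.lan.ca.crt" dvr.lan      && echo "LAN store, homelab cert by name: accepted"
client_accepts "$STORE_LAN" "$WORK/dvr.lan.ca.crt" 192.168.1.20 && echo "LAN store, homelab cert by IP: accepted"
client_accepts "$STORE_LAN" "$WORK/dvr.lan.ca.crt" nas.lan      || echo "LAN store, name not in cert: rejected"
client_accepts "$STORE_LAN" "$WORK/dvr.lan.self.crt" dvr.lan    || echo "LAN store, self-signed: rejected"
client_accepts "$STORE_LAN" "$WORK/dvr.lan.rogue.crt" dvr.lan   || echo "LAN store, other CA's cert: rejected"
client_accepts "$STORE_WIDE" "$WORK/dvr.lan.rogue.crt" dvr.lan  && echo "wide store, other CA's cert: accepted (weakest-root problem)"
```

To use this for real, import ca.crt (never ca.key) into each browser or OS trust store on the LAN, install dvr.lan.ca.crt and its key on the device, and re-run make_device_cert before the 825-day validity runs out. The last line is the point the earlier post makes: adding a root to a trust store lets that root speak for every name, so a private CA is safest when it is trusted only by the devices that need it.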