Slashdot Mirror


Google Encrypts All Blogspot Domains With HTTPS

Reader Mickeycaskill writes: Google is continuing its crusade to encrypt the web by enabling an HTTPS version of every single domain hosted on Blogspot. The search giant started the rollout last September, but as an opt-in service. Now users can opt to visit an HTTPS version of a site without its participation, while administrators can turn on an automatic redirect so all visitors are sent to the encrypted version. "HTTPS is fundamental to internet security; it protects the integrity and confidentiality of data sent between websites and visitors' browsers," said Milanda Perera, security software engineer at Google. Google already encrypts its search results, Google Drive and Gmail, while it also ranks HTTPS-enabled sites higher in search. Blogspot rival WordPress began rolling out HTTPS in 2014.

8 of 56 comments

  1. Let's Encrypt by tepples · Score: 5, Informative

    The downside is that an SSL or TLS certificate is often not free

    Certificate cost is no longer the obstacle it used to be, as a TLS certificate is free unless you need organizational validation. StartSSL and WoSign have been providing domain-validated (DV) certificates without charge to individuals for years, and automated ACME CA Let's Encrypt has been in operation for several months.

    1. Re:Let's Encrypt by NotInHere · Score: 4, Interesting

      It's almost free for Google anyway. They have their own CA, so while they have to maintain it to fulfill CA requirements and do all the paperwork, they do not have to pay for one particular certificate.

    2. Re:Let's Encrypt by heypete · Score: 2

      Certificate cost is no longer the obstacle it used to be, as a TLS certificate is free unless you need organizational validation. StartSSL and WoSign have been providing domain-validated (DV) certificates without charge to individuals for years, and automated ACME CA Let's Encrypt has been in operation for several months.

      Indeed. TLS certs are, as you point out, available for free. Even if one wishes to pay for a cert, DV certs are available for a pittance: Comodo's PositiveSSL certs are available for as low as $14.97 for three years ($4.99/year) from SSLs.com, a reseller owned by NameCheap. I spend more getting take-out lunch one day than it'd cost to get a cert for three years. That's basically a non-issue when it comes to even the most budget-constrained websites.

      Other interesting details:
      - Comodo's PositiveSSL offering is one of the very few CAs that will not only sign elliptic curve certs, but will do so using a separate, all-ECC certificate chain. Their ECC root is in all major browsers, but it's cross-signed by their UserTrust RSA root for legacy users. Naturally, PositiveSSL also offers an all-RSA chain for those who prefer RSA certificates, but I thought it was cool they offer an all-ECC chain and charge the same price for ECC or RSA certs.
      - StartSSL recently started signing ECC certs from their RSA chain (4096-bit root, 2048-bit intermediate). While not quite as secure as an all-ECC chain, it's fast: clients can verify the RSA signatures quickly, and the server can perform fast ECDSA signatures/ECDHE key exchanges quickly.
      - WoSign uses StartPKI, StartSSL's managed-PKI offering that chains up to the StartSSL root. Nifty. I knew StartSSL has offered that for a while but I'd never seen any such intermediates in the wild before.

      Full disclosure: I have no relationship with Comodo, StartSSL, SSLs.com, NameCheap, etc. other than being a paying user. I don't get any compensation, direct or otherwise, from mentioning them.

  2. Re:Who signs the certificates and maintains the ke by heypete · Score: 3, Insightful

    This may be overly cynical of me, but could they be doing this to imbue the sense of improved security, while still being able to decrypt and observe the traffic themselves? For themselves as well as for the government, where the particular datacenter is located?

    How is encryption of data on-the-wire relevant to the observation of data stored in their datacenters?

    Whether or not they use HTTPS, Google has always been able to access the content of Blogspot-hosted blogs because Google runs Blogspot and the data resides on their servers. Adding HTTPS doesn't change that at all.

  3. Re:Simple question by guruevi · Score: 2

    There have been 'free' SSL certificates for a very long time. You don't need to buy a certificate to enable encryption (it's just more convenient).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  4. Re:Who signs the certificates and maintains the ke by Archangel Michael · Score: 2

    The data between server and client is secured. Nobody can steal your passwords en route because they are locked up in an envelope. This is a marginal security improvement, and a much needed one.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

  5. Re:I don't understand by heypete · Score: 4, Informative

    HTTPS provides several benefits:

    - Encryption which, as you point out, keeps other parties from knowing the content of data you access. Sure, the bulk of that data may be mundane, everyday stuff that you don't really care if anyone knows about, but there's no harm in keeping it private in transit. It's the same reason you enclose letters in envelopes rather than sending postcards.

    - Verifying the authenticity of the server. Domain-validated certificates offer a relatively low level of validation, but they still provide you reasonable assurance that the server you're communicating with is the one operated by the actual owner of that domain name -- your connection isn't being intercepted and spoofed by some shady wifi hotspot, for example. Organization-validated and Extended Validation certificates provide higher degrees of validation, and include details (e.g. company name, location, etc.) of the entity to whom the certificate was issued.

    - Tamper-resistance. All HTTPS connections provide tamper-resistance by using either HMAC or AEAD ciphersuites. This prevents third parties from altering the content. A public hotspot or your ISP may inject content, malicious or not, into unencrypted connections. HTTPS prevents this.

    Considering that there are essentially no costs for using HTTPS (certificates are free or exceedingly cheap, CPUs have hardware support for AES so there's basically no overhead for encrypting data, ECDHE key exchanges are extremely fast, as are ECDSA signatures, and so present minimal load to servers. RSA signing is a bit slower for servers, but modern CPUs are fast and TLS handshakes are brief and only happen occasionally.) and many benefits, why wouldn't everyone want to secure data in transit?
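
As an added example (not code from the page, from Google, or from any CA named in the thread), the Go program below builds the kind of all-ECC root -> intermediate -> leaf chain described in the Let's Encrypt reply above and exercises the server-authenticity check this comment describes: a browser accepts the leaf only if the chain reaches a root it trusts and the certificate names the host actually being visited. All CA and host names are hypothetical.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue mints an ECDSA P-256 certificate signed by parent (self-signed when parent is nil),
// so every signature in the chain is ECDSA: the all-ECC chain the comments describe.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random 64-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	} else {
		tmpl.DNSNames = []string{name} // leaf: the host name a browser checks against
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // errors ignored: inputs are fixed and valid here
	return cert, key
}
// BuildChain constructs a root -> intermediate -> leaf chain with hypothetical names.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Example ECC Root", true, nil, nil)
	inter, interKey := issue("Example ECC Intermediate", true, root, rootKey)
	leaf, _ := issue("blog.example", false, inter, interKey)
	return root, inter, leaf
}
// Verify checks leaf as a browser would: trusted root (nil means none) plus matching host name.
func Verify(leaf, inter, trusted *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trusted != nil {
		roots.AddCert(trusted)
	}
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Verify returns nil for the genuine chain and host, an unknown-authority error when the root is not trusted (the untrusted-hotspot case), and a hostname error when the certificate was issued for a different domain.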

  6. Re: Simple question by xenobyte · Score: 2

    You can get a basic SSL certificate for $5 or something like that these days.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --