Slashdot Mirror
Is Google's Promotion of HTTPS Misguided? (this.how)
Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes:
A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
- The web is an open platform, not a corporate platform.
- It is defined by its stability. 25-plus years and it's still going strong.
- Google is a guest on the web, as we all are. Guests don't make the rules.
"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."
And why are they called rockets when they are guided?
Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.
This space intentionally left blank
Downloading executable files, downloading risky file extensions (doc, pdf), and downloading any document where integrity matters means that http is a risk. If someone downloads some old games from an HTTP archive, malware could be added. If someone downloads some PDFs with an outdated reader, there could be malware. If someone downloads some forms they're going to fill out later, changing the location they're supposed to be emailed/faxed/whatever means someone could give out PII or financial information. If someone is reading old news stories, changing the content of those stories to suit an attackers narrative could be very valuable. Just because the author can't imagine the security implications, doesn't mean organized crime, bored hackers, or nation state actors aren't thinking about it.
As long as HTTPS is not required, this mostly a good thing. As long as we can still do anything at ZomboCom,...
>The web is an open platform, not a corporate platform.
>Google is a guest on the web, as we all are. Guests don't make the rules.
Money, corporate power, and censorship are rapidly and easily dominating your idealism. Just be thankful you got to live during the brief window where the internet really was open and free.
Yes the web is an open platform. Google is not changing that. In fact they are embracing the fact that the web is an open platform. No one is forced to use their services. Also their services are not preventing the rest of the web from being available. They are doing what has been done for years... advancing the technology.
BBS's were archived into the web if relevant. I don't hear anyone crying about Gopher or USENET. Forcing people to use SFTP and SSH vs FTP and Telnet doesn't seem to be a big deal.
The Internet evolves. Things that need to be preserved will be preserved. No single entity has ever forced the Internet to do anything. It just evolves with available technology and the will of the people.
Oh and if you think the will of the people is BS... well we still have the same old shitty email that has existed forever. No matter what alternatives are forced on people, they keep their email.
It's meant to secure the web. Two reasons:
1. Privacy, so that ISP's and other companies don't get to record which old files you access and when
2. So that a guy who sits next to you in a coffee shop with an infected laptop doesn't get to do a man-in-the middle attack when you go to access your old favorite version of minesweeper, and infect you
What would Google have to gain from pushing the web to https?
Q - Is Google misguided?
A - No. Google is simply evil. Once your privacy is completely dead they're going to go through its pockets looking for loose change.
Legacy shouldn't hold us back. That's a sure way to make sure you stop progressing. Old sites not working anymore because they're not really maintained is not a good reason to try and stop progress.
We should instead just make sure we move forward in a way that makes sense from a technological and convenience point of view.
diegoT
But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.
These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.
The age where you could just set up a box in the closet, use it to serve a page about your cat, and then forget about it is sadly long over. These days if you're not paying attention, installing updates and keeping up with what's going on with it you'll end up serving trojans, sending spam, or being a member of a botnet, if not something worse.
If you don't have the time to go to letsencrypt.org, get a free cert, and tell Apache to use it, you shouldn't be running that server.
just like the op says, everything is open. no one is forcing anyone to use chrome, or even google search for that matter. so who cares?
How's that been doing recently? Especially with the current US administration?
We need an independent web system free from the clutches of Google. Wikimedia could have been close, but they shove things down the notability memory hole.
Scrape the http web and repost it on https with ads.
once the web is entirely encrypted, google will push their closed-source binary vision of it, where content is pre-compiled and/or pre-rendered (with optional drm) before delivery to the browser.. encrypted and binary = harder to block their fucking ads (aka their revenue stream).
https does not require user/password, the trust is established based on the user cert store and the signer of the web sites certificate. If the web site cert is signed by a trusted source (Cert Store) then it will establish a secure connection.
More like Dave WHINER, amirite?
#DeleteChrome
Nothing like the social media with their lack of freedom of speech and moderation access to whomever.
Where people are thrown out of groups and all their posts are removed or single posts are removed or eventually the company behind the service remove the whole account and all of its content.
In an oligopoly or monopoly situation the companies should be forced to keep everything since the channels for expressing oneself are so important.
Or the human collective should be running it together and guarantee it.
If your data cannot be viewed or tampered with by anyone except both parties, then:
1. They know the information you give them is truthful
2. They know their competition cannot read it
Companies like facebook and google have a vested interest in ensuring that all tracking an analytics are encrypted; because then no one can MITM the data; and therefore, making the data more valuable.
Your voice isnâ(TM)t worthy for Google to surface it in search results. Or if a corporation wonâ(TM)t advertize. With Google if it accepts selected dis-approved certificate Authorities then all we need is anyone with cash to buy a certicate Authority and Google will give them a veto power over Internet content? QED!
"Knowing everything doesn't help..."
I'm travelling through Indonesia at the moment.
My phone's ISP is intercepting HTTP traffic and changing the content, injecting inline adverts.
What's your ISP doing to your traffic?
It's fine to prefer https when available, but there should be a way to say: this site really is intentionally https, and not have it flagged as having cooties.
Google's response to many inqueries is typically, "We're just a search engine". People type something in, and they show them the results. But, they're a very evil search engine because they're penalizing and even censoring search results.
LetsCrypt is an easy method to get a cert and use it.
Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?
Without a cert, how can your subscribers be certain that their ISP isn't tampering with the connection? Comcast has been caught injecting advertisement display scripts.
Obviously the writer has never lived in a country where every ISP injects adverts into every http website. The effort in enabling https is absolutely minimal. If you can't be bothered enabling it, then perhaps it's not worth you having a website.
...
It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.
Add your organization (home) certificate signer to your root CA store.
I was under the impression that smartphone and smartphone-derived tablet operating systems made it difficult and/or annoying to add a root CA. How would you get the CA's root certificate onto a device in the first place if it can't read a flash drive? In addition, which graphical frontend to OpenSSL would less-technical users be using to operate this root CA, such as to issue a certificate before uploading it to the router or printer?
Plenty of people the world over cannot access large parts of the web because their governments censor it. That's the status quo. Creating technology that is privacy focused is key to making a web that really is open. In addition to thwarting less capable actors, it puts state actors in the awkward place of either having to embrace the tech, or be left vulnerable and outdated as the free world moves ahead.
When things get complex, multiply by the complex conjugate.
Try this:
1. Create a private certificate authority (CA) for your caching proxy. (If you're technical enough to operate a substantial proxy, you're probably technical enough to learn to use OpenSSL.)
2. Distribute this CA's root certificate to the users of your proxy to add to the trusted certificate store in each browser on each operating system on each device that each user uses.
3. For each website that a user of your proxy visits, automatically issue a certificate signed by your proxy's CA, and use that to man-in-the-middle the connections.
Without encryption you cannot make new versions of the protocols nowadays, thanks to middleboxes.
New versions of protocols are good for performance and security.
Incenting deployment of such is good for the web.
Google can work on hurting their monopolistic position if they want. I'll go with DDG where they aren't just using me to further their ad business.
Is allow the http site content to be displayed but not allow any scripts to run.
Keeps the ads safe down to your computer.
No other party can go looking at other ads to that secure user.
Ensures only approved ads get seen as approved ads are protected by HTTPS.
Ads sent by HTTPS are accepted by that user as they have to have HTTPS to see the site, use the service.
HTTPS is a secure lock but in the way ads are now locked into a site, service.
Trust a site for HTTPS and trust their HTTPS ads.
Security services and police, mil are not unhappy about VPN, HTTPS crypto use so thats not a change.
Domestic spying is now "Benign Information Gathering"
The OP has a serious crush on Google, blaming Google for their own personal problems. If you don't like Google controlling how you view the web, try another index.
Google is treating us better than Microsoft, Facebook, AOL, IBM, ATT, Apple and Sony ever did. But if you still don't like Google, use another index. You can do that in Chrome, Google isn't stopping you.
HTTPS Everywhere is 100% about ending unregistered user of the internet. It is censorship at its most beautiful. Without it, anyone with s public facing IP, hell anyone with as public facing socket can publish on the internet. HTTPS Everywhere is about fixing that freedom, about making sure googled knows exactly who is publishing what.
HTTPS helps prevent criminals from spoofing and launching MITM attacks, and it protects users from mass surveillance operations. It's foundational for the free and open internet in 2018. Using HTTPS on a site has literally nothing to do with requiring registration.
It's not like anyone else can code a web browser or a search engine right? Maybe even a special search engine just for old HTTP sites? As time goes by, old search results are likely to be less accurate and not be rendered properly in modern browsers. Might as well use a correct tool for the job, like you would use DOSBox instead of Windows 10 command prompt to run old games.
Show me your papers!
Or are you to lazy to carry a little paper around when you leave your house, hmm?
Show me your papers you lazy bum!
Make the world a better place, a more organized place, a place that marches towards the future in lockstep, arm in arm,
But first...
SHOW ME YOUR PAPERRRRSSSS!!!!
SEOs will thank Google. Now, you won't be able to see any keyword data at all Unless of course you pay for AdWor^H^H^H Google Ads
Quite frankly, there is more dangers to insecure connections than whether your data can be intercepted. How about you being fed false data? You connect to http://www.reputablenewssite.c... only to get fed bogus information from your ISP that gets paid to "adjust" the news by someone.
Can't happen? 5 years ago I would've agreed. Today? I don't anymore.
Seriously, today more than ever, being able to actually verify that what you see is actually what you wanted to see is more important than ever.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
OOOo spooky. Now nobody will find my site. http://solaria5.fragcube.net/
Oh wait, nobody was finding it anyway...
Strange things are afoot at the Circle-K.
Converting the web to https is all about giving people the freedom to read and communicate what they want without being subject to surveillance by government or misguided companies.
The argument of not moving forward with this because of some site being unmaintained for 25 years is preposterous. Why would you want to trust information from such a source anyway?
The web isn't the web of 25 years ago, and it's plain FUD to bring up Google or "corporations" in general as trying to manipulate us into something that's not good.
Personally I think the fact Google is both in a position to force this by itself and is leveraging that position is a bad thing regardless of intent. In fact I would argument intent is entirely irrelevant. They could have all the best intentions in the world and it still wouldn't justify means.
What worked 25 years ago for a few nerds doesn't work for the bulk of humanity.
I've always found myself mildly amused of the cross section of people who put up websites or bother to learn enough wiki markup to contribute to Wikipedia. It was never just nerds. A surprisingly diverse crowd were willing and able to do these things and do them decades ago when systems were much less available and harder to use than they are today.
I personally believe the Internet is substantially worse off than it was 25 years ago. Power just keep getting more and more aggregated into the hands of fewer and fewer. Users are now being owned enmasse by corporations in ways that previously only illegitimate underground would dare contemplate.
We need something better. If you're not going to offer it, then don't conflate the efforts of many organizations as "Google's will" to make it sound evil.
What does it matter whether someone is able or willing to offer something better? How does their ability affect the merits of topic at hand?
You make really interesting points. Alas, I couldn't read the quoted article (I guess it's , because it's a Javascript rat's nest.
No, I don't allow my browser to execute random programs off the 'net. Thus your whole site is a black hole to me (well, in this case light grey, but you get the idea).
So I'll have to live without having read your article, sorry.
The bs about more security is that it - just bs. There are several MitM solutions available that easily decrypt any SSL/TLS traffic and do whatever they please with plaintext, see for example this: https://youtu.be/IgDXOGCpNz4 - in other words, that's just Google attempt to stimulate the CA and datacenter businesses by forcing web publishers to acquire SSL certificates and more powerful servers (because TLS isn't computationally free). The only security it gives is against script kiddies - anyone motivated enough to snoop on you will have no problem going around this.
about HTTPS. You just answered my question. They don't want the ISPs to have the detailed data google has (they still have URLs but no page content) and they can't replace google's ads with their own. Now it makes sense.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
HTTPS is not a solution for your fucked up telecoms. I am in Europe and if an ISP was allowed to do that (they are not) I'd have another 20 ISPs to choose from.
I am all for encryption!
Given the way things are going, we don't really need more HTTPS (though I feel better about an encrypted site than plain HTTP), but .onion domains. An easy way to establish an eco-system would be to have always an .onion for your regular site. Preferably site-independent, that way it also functions as redundancy. All negative points of HTTPS mitigated (I agree, there's some danger with censorship), same effect and just as secure without reliance on 3rd-party issuers.
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
You know there's an entire *profession* dedicated to maintaining it, yeah?
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
In theory, you could configure your web browser to connect to domains hosting financial web applications directly and other sites through the proxy. But I concede that major web browsers lack UI that specifically targets the edge case of selective deliberate use of a caching MITM on the client side of a harshly metered last mile.
What kind of information is worth being transported but not worth being tampered with and worth being mentioned on Google?
The article mentions policies implemented not only by Google Search but also by Google Chrome. If you read websites through Chrome, then everything you read is "being mentioned on Google" in this sense.
Also, if by "Google" you mean only Search: Wikipedia and the sources it cites. With cleartext HTTP, your ISP can insert patent nonsense into just your view of an article with no help from Wikimedia. But with HTTPS, the ISP would have to publish a revision through Wikimedia's server, where it'd get reverted in a heartbeat.
Most (All?) browsers and caching proxy servers do not save https content to disk.
Citation needed. Google Search for https disk cache returns, as its first result, "HTTPS Disk Cache Controller Browser Extensions" which contradicts your claim: "The default setting in Firefox 4.0 and later, true causes all HTTPS responses to be disk cached unless the server sends the header Cache-Control: no-store." Farther down the first page of results is the Chromium project's documentation of the disk cache mechanism used by Chromium and Google Chrome. Because this document doesn't contain "HTTPS", "secure", or "encrypt", it appears to say nothing about any distinction between cleartext and HTTPS.
Some caching proxies don't save HTTPS content to disk because they don't cache HTTPS at all. The FAQ of the Polipo proxy states that it falls back to a tunnel using the CONNECT method for HTTPS connections. It doesn't support a shared HTTPS cache with a private CA.
Okay. But do you want your ISP to have that information? I'm all for legislation to restrict ISP's from storing any information about your web browsing history. You're paying them for a pipe, not a service in exchange for your info. Come to think of it, that applies to your credit card company and anybody else you do paid business with.
Posted from my Android phone. Oh, I can change this? There, that's better...
You've spent x$ on the blasted thing, surely them providing a "consumerrouter.netgear.com" domain name (or whatever) with valid cert that is served off the router itself should be included with the purchase price
Which conveniently has a not valid after date 12 months after purchase, once the warranty expires. And now that you're putting the onus on device manufacturers, what cert should someone who builds a NAS out of a Raspberry Pi use?
Zero dollars will get you a fully qualified domain from a DynDNS type of service.
If on your first attempt you hit the weekly rate limit for subdomains under a particular dynamic DNS provider, how practical is it to retry at random intervals for upwards of two days, as another Anonymous Coward suggested?
1. Why do you want your printer to show up in Google search results?
The summary mentions not only Search but also Chrome.
2. Do you really want your printer accessible directly over the Internet?
No, but web browsers' enforcement of Secure Contexts policy currently makes no distinction between machines on the LAN and machines on the Internet.
Nobody's suggesting it's a problem Google won't include search results from your router's configuration page.
The summary mentions not only Search but also Chrome. Chrome makes a policy distinction only between localhost and not-localhost, not between your LAN and the Internet. This is because it assumes your LAN could be a coffee shop WLAN, which ought to be untrusted.
https://letsencrypt.org/
Simple to set up. Renews itself.
The value in tampering with a public domain movie is to insert copyrighted scenes. Then someone who reuses portions of the movie in his own work, thinking it's in the public domain, gets framed for accidental civil copyright infringement. Unlike crimes, torts do not require mens rea (intent, recklessness, or negligence). Besides, thanks to copyright term extensions, I thought public domain movies were undesirable to the majority of viewers because they are silent and in black and white.
What you're ultimately asking for is some means for signing only, as opposed to encryption. This provides an integrity guarantee but not one of confidentiality. But how would this be integrated into web standards?
Most of the comments are off mark. What really matters is the simple fact that each and every certificate requires a permission from somebody. You have - at the very least - to proof the ownership of the domain and the certificate authority can deny your request for any reason - maybe it violates the religious believes? That's not a problem? Try to get a valid certificate for any .local domain. You can't. Not even from "Let's encode' . Why? They can't verify you.
m.
Public info doesn't require sec? Really, how do you know you are connected to the real site?
In theory, a cipher suite that does signing only and not encryption would allow this. A cipher suite that provides integrity without confidentiality would allow an intermediate proxy on the far side of a harshly metered link to replay the session to viewers behind that link, saving data transfer allowance across that link.
How do you know the info you read is real?
HTTPS does not prevent website operators from publishing fake news.
How do you know someone isn't checking what you read?
Some information, such as the National Weather Service forecast and radar image sequence for the city in which a user is located, is so generic that little information about the user's interests can be gleaned from observing that the user has viewed it. For these, integrity without confidentiality may be warranted. The problem is that current web technology offers no way to provide integrity without confidentiality.
You're proposing a technical solution be imposed on everyone, everywhere to fix a problem (lack of competiton allows behaviour customers don't like) with your specific market. How American of you.
How many visas does your country offer to people who seek asylum from the American regime and have work skills?
You're paying them for a pipe, not a service in exchange for your info.
Then all the ISPs will hike their rates. Those who want a pipe can pay double. Those who want what less technical users are used to would get a 50 percent off discount in exchange for interest gathering and advertisement injection service.
"Please federalize me", they scream.
I submit that the people who will not run such a thing are exactly the ones who could handle self-signed certs with pinning and a web of trust.
Bingo. You've found the real reason that governments are making travel more of a hassle. It isn't entirely to prevent terrorism against passengers; it's also to make it less convenient to attend key signing parties. Without attending key signing parties in faraway lands, you can't very well make your public key more densely connected in the global web of trust. You end up trusted on an island within bicycle range (that is, your home city) with some bottleneck keys in all trust paths in and out of the city. These bottleneck keys' owners are the key signing jet set, and they might as well be CAs.
As I have set up a simple website for my brother's music group I'm not going to add https to it as I don't care. The site is purely static with no ability to enter and information in order to avoid security issues which I don't want to have to deal with. This site has been #1 for the past 10 years when you enter the band's name and account for 18 of the first 20 hits. The several non-band hits are from a group that are trying to use their name in the U.K. and another who named a song with the same name and are close to infringement ( not that we care that much as no one can copy their uniqueness. :)
So, what should I expect in the future if someone searches for their copyrighted name? If they play games with the stats what would we do? Probably nothing other than laugh and repeat, "Google IS EVIL".
Though the author is right in that the public information itself requires no hiding, the information about my am accessing a particular piece of information may be important...
And then there is the integrity aspect — without something like HTTPS, how do I know,the data has not been tampered with in-flight?
In Soviet Washington the swamp drains you.
As someone most involved in operations, I think you fail to appreciate how hard the basics are. Just try to keep ALL of a reasonably size organization's internet facing thingums patched. I haven't heard of a anyone being successful at that. Software and systems are thought of like consumer goods: you buy them, they have a natural life, and you repair for a while or replace before that gets too costly.
For internet facing services, it's more like fruit. You expect to put fresh fruit out there every week, because no-one is going to buy two month old watermelon. Acquire fresh fruit, qa them for damage, for ripeness, etc... and put them on the shelf, in a day or two. And a week later, you need new fruit.
That's the thing people aren't really grasping. When they contract out development, and they accept delivery from something. A week later, they either have support or it starts going bad and needs to be thrown out within a few months. You can't really buy software, or it's a really bad deal if you do, because a *perpetual license* is good for a week or two.
Patching is hard.
As in, for example, ICBM.
Think of the children's...energy prices. All that unnecessary encrypting costs electricity, times billions of pages per day.
Web of trust also means that If I trust example.com, I have every reason to place just as much trust in it signing a.example,com. No need to travel cross country for the 184th Buggy Whip manufacturer's Association of America convention.
Dave Winer seems to think this is a Google thing. In point of fact, HTTPS Everywhere is sponsored by the EFF and Tor. And Let's Encrypt is run by an umbrella organization whose members include the EFF and Mozilla as well as Google, Cisco, and Akamai.
I don't have much trust for Google, but I do have a lot more trust for the EFF than I do for some random software developer. Even if he's old. I'm sure Winer is well-intentioned (given his history), but he doesn't seem to have done his research very well, in this case.
The EFF's reasons for supporting https are a lot stronger than Winer seems to realize. Google's reasons, I can't address, since I'm not familiar with them, but the EFF's arguments are pretty strong. MITM attacks at the government actor level are not just hypothetical.
From the EFF's page:
Content injection is when someone adds data or code to your communications with an HTTP web page. For example, it's how GCHQ and NSA took over a Belgian ISP's computers. Content injection is also how China took down GitHub with a massive DDoS attack, dubbed "The Great Cannon". Content injection is also becoming popular with ISPs. Verizon injected tracking headers into every request made by their customers. And Comcast injects pop-ups into sites where they don't belong. All of these attacks can be stopped by HTTPS, provided it is implemented and made default on enough sites.
Now, I admit there are still some questions which aren't as frequently discussed as they should be, such as private LANs where https isn't an option. (I have http services running on such a LAN myself.) But that can be dealt with. For IP4, it's fairly easy--whitelist private ranges. For IP6, you'd have to have a way of designating your trusted network. But it can be dealt with. And the public Internet should be encrypted. Anyone who argues otherwise is simply clueless. (Or culpable.)
Google still has it, so it doesn't make any difference to me which mega corporation has it. Besides, I've said this before on this forum but I'm just not that worried about my privacy. I'm lower working class (I'd be doing better but my family has a lot of health problems and being American it's constantly crushing me financially). Privacy is mostly an upper middle class concern. In my income bracket I'm more worried about having basic needs met.
The way I see it is this: The ultra wealthy want to invade my privacy so they can use that information to oppress me. But the only reason they're bothering to oppress me is so they can take all the money for themselves. If we had a society where we didn't let them do that and didn't give them so much money that it truns into power I wouldn't care if they knew what web sites I browsed. In other words, if I had guaranteed access to food, shelter, healthcare, education then they wouldn't have any leverage to oppress me.
That's what true freedom really is. It's when nobody has any leverage over you. It's why I'm a Democratic Socialist. Nobody Should be too Poor to Live. And nobody should get to decide who lives and who dies.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Web of trust also means that If I trust example.com, I have every reason to place just as much trust in it signing a.example,com.
The next question is how you came to trust example.com in the first place. Is it that you trust com? If so, you've reinvented DANE, and the reason DANE hasn't taken off is registrars dragging their behinds on adding DNSSEC to the zone hosting bundled with a domain name.
Much like one comes to trust anything. First tentatively and in matters of little consequence, then moreso over time. Trust is a funny thing.
Consider, for some reason, Smiling Sam gets his online used car dealership the highest level of verified cert. So I can absolutely trust that the site really is ..... created by someone I know absolutely nothing about. OTOH, some student creates a page with a few useful formulas and tables on it and self-signs. I look it over and see that the ones I remembert he has correct. I trust him more than I trust Sam. I trust his signature on his friend's site more than I trust Dam's signature on a mechanic who will happily certify that Sam's cars are the best.
What I really need from most certs is assurance that the site I'm seeing today is the same one that slowly earned my trust over time. Or if it's a new cert, that someone who has earned my trust over time can verify that the site is the same one I have come to trust.
The CA's are really sort of a last resort since they boil down to "someone I have never heard of says someone else I have never heard of told them that his name is Joe Blow. Is that REALLY stronger assurance than a stranger walking up and saying "Hi, I'm Joe Blow"?
Back in the mid '90s, when https and Certs were just starting to be promoted, I talked to a Verisign rep at a show. He actually told me that I can trust the identity of any website with a cert because they contractually agreed to not lie when Verisign issued the cert. Because crooks never dare violate the terms of an unsigned contract.
and if not completely, then mostly useless.
Just take a look on the default trusted CAs, governments from 3rd world countries, companies you wouldn't trust your ugly wife with and more.
So yeah, the web will be encrypted, but the guys we fear the most will have the keys...
One could argue that a long unmaintained website is a likely target. You know, cause they're unpatched and shit.
This is really an argument about externalities, costs shoved off to society, instead of being paid for up front. There are costs to HTTPS, and a great deal of technical debt would be incurred in forcing older sites to deploy it. HTTPS is a set of trade offs, one of which involves centralizing trust (and thus the ability to censor) in the top level certification sites. Using HTTPS also prohibits the development of other options, any of which may actually be far superior, in other words, premature optimization.
There's no really good reason to force old web sites to change everything for your latest version of security kool-aid, and again in 6 months, and again in 6 months, ad hoc, ad nauseum. It won't actually do much good, and as stated above, does much harm by potentially removing history.
Grow up, kids.... HTTPS is like beta software... it's not done yet. Get back to me in when it hasn't undergone a revision in at least 5 years.
God forbid anyone type in a verbose URL or use a different search engine. I get around the internet just fine without using Google services.
That said, yes, securing your connection to websites is a great idea. Sometimes giant corporations actually do have good intentions.
My own site is updated now and again. Bunch of http stuff, documents with mainly text (yes, good old ASCII), source code. No need to encrypt it; it is there to be available to be read. No ads, ever, and no reason it should be encrypted. He who wants a copy can just make one or more.
If you or your search agent doesn't look, and is looking, say, for security engines, spreadsheets, authentication schemes, it will miss www.gce.name and will be somewhat impoverished. Useful information does not derive usefulness from being encrypted. If it is being given away, free, it is like lots of other information that has been given away free. Why impose a need to encrypt (and decrypt) such? What difference does it make that 3 letter agencies see such code get shared?
Would a copy, say, of gcc be useless unencrypted?
OK, if someone tampers with the disk content of the site, it gets tampered with. Just running https means the information gets transmitted same as this content. Still tampered with. If it happens to www.gce.name it will get noticed sometime & replaced with clean copies. But the whole site has little that lends itself to malware.
Using https makes sense if you want folks to have a hard time knowing what is being browsed. If OTOH you don't care who knows, why impose the extra overhead? Setting up https connections uses as I recall 60 or so times the processing that http connections do.
Some of us have been giving out code for decades now. Some of that remains useful. If Google won't index it because it is not given over the wire protection which it has never needed, Google's index is going to be impoverished, and with no good reason.
MITM happens all the damned time. Bad folks intercept HTTP and insert ads or malware or ads containing malware. Unauthenticated HTTP needs to DIAF.
Specwise, you're right.
Effectively, it is, though.
Until you can cook your own certificate up and the browser won't shit itself and fall in it and then pull the user in afterwards screaming about risk when they get the FrightDialog(tm) shoved in their face, HTTPS will remain more of a money-grubbing scam than a usable option for anyone not doing e-commerce or secret data collection.
And no, let's encrypt's time-limited certs are not a good solution.
I've fallen off your lawn, and I can't get up.
Proxy filters like Privoxy (https://www.privoxy.org/) are ineffective when HTTPS is used. Google has an interest in bypassing as many adblocking methods as possible.
I can't believe I got all the way to the bottom and nobody ripped into Dave Winer for bringing it up.
like Internet. They have to worry about government regulation if they raise the price too high. Or at least they used to. With the current administration I don't think that's the case. I know my bill's gone up $20 in the last 6 months and it'll jump another $40 by the end of the year (assuming I want the same tier service I have now).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
So, I used to work at Google. And my goal was HTTPS across all of www.google.com, which... was a task, and not one that I did solo, by any stretch of the imagination. I've worked in industry for 20+ years. I've never been more proud to work on a project.
As far as "there's tons of unmaintained content out there", I'm... not entirely convinced; that feels like saying something that should be true, but just isn't. Bandwidth costs money, so if you've got a machine serving any amount of content... someone's paying for that machine. Do you have examples or data backing up the claim of the tons of unmaintained stuff?
My personal website has been around since 1998. I provide/share information on topics that interest me. I have never served ads or collected personal information (logging is not turned on at my website). I can enter search terms on Google and use "I'm Feeling Lucky" to find my website. But now Google is going to downgrade me since I don't use HTTPS, so they can have exclusive access to search results to access my website information. WTF? Not all the information on the web needs to be encrypted.
And so begins the decline of Google as a search engine? Or do you continue to support their monopoly position that allows them to get away with stuff like that?
Just look at their 'Material Design' bullshit - the worst user interface design the world has ever seen, because a bunch of young 20 somethings think they know best. Did they bother asking their customers? Have you tried using Google Maps recently? I just LOVE the way they've made the outlines of roads virtually white, so that you are left looking at a white page with random street names on it - but as good as invisible streets! Do they give you an option to CHANGE the outline of the roads, so that you can see them? (i.e. make them black.) Of course not - because most people would change them, and then the idiots who came up with the 'So light, it's almost white' bullshit would have to admit they are wrong.
I also own my own domain for my business. It's is not HTTPS either.... why? Because it's a static information page that gives info on me and my business, what I do and how to get in touch with me and some samples of my work. There are no logins, no user accounts, no private information being stored or asked for. There is absolutely ZERO reasons for me to deal with the hassle of setting up and maintaining
I thought of more than three reasons:
1. Prevent MITM from injecting a Monero mining script into samples of your work
2. Prevent MITM from injecting intrusive tracking for delivery of interest-based advertisements into samples of your work
3. Prevent MITM from injecting a redirect to some madarchod's tech support scam in India into samples of your work
4. Prevent MITM from injecting drive-by downloads of ransomware into samples of your work
Obtaining a Cert every 6 months and having my hosting provider install it for me (since I can't myself, due to the need to have root privileges on the server)
File a support ticket with your hosting provider to offer you an API with which to install a certificate. Then you can set up an ACME client to upload a renewed certificate to that API on a cron job. Also search for competing shared hosting providers that do offer such an API.
This article is spot on, the public available portal for sites like Slashdot, news, and Wikipedia and many many thousands of other sites is not required.
For news, it's becoming increasingly common to have to log in as site after site goes behind a paywall due to falling advertisement revenue.
Scenario 2 is exactly the kind of thing HTTPS and modern browsers protect against. When you attempt to visit an HTTPS site, your browser will not just begin fetching unencrypted components.
That used to be the case. It has since changed with the introduction of captive portal detection in the major web browsers. If a web browser gets a certificate error, it will try fetching something over cleartext HTTP like example.com. If that turns out to be MITM'd, the web browser will assume that you're on a network that requires all users to sign in, such as a coffee-shop LAN, and open the sign-in page in a new window.
Even a self signed cert is better than plaintext especially if its registered with a service like SSL lighthouse. Better yet would be web of trust system where site certs have signatures from businesses & people that they have an actual relationship with rather than some faceless CA nobody has ever heard of.
There is a play you should read. Its all the rage.