Slashdot Mirror


Is Google's Promotion of HTTPS Misguided? (this.how)

Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes: A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....

If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.

"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
  • The web is an open platform, not a corporate platform.
  • It is defined by its stability. 25-plus years and it's still going strong.
  • Google is a guest on the web, as we all are. Guests don't make the rules.

"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."


8 of 435 comments

  1. Re:Misguided Like A Japanese Rocket Launch by Anonymous Coward · Score: 5, Informative

    Except that the rules for HTTPS have changed at least 3 or 4 times, and recently. First keys weren't long enough. Then SSL wasn't good enough. Then TLS 1.0 is broken.

    Managing ssl.conf across a few dozen servers has taken a fair amount of man-hours at my organization in the last couple of years -- and we have configuration management tools.

    And all of this is to protect the transmission of unrestricted, publicly accessible information.

    Do we really need https to display wikipedia? To see today's headlines on CNN? To read slashdot? Does the wayback machine of publicly viewable web pages need to be encrypted during transmission?

    A large percentage of the web doesn't need to be encrypted during transmission.

  2. Re:Misguided Like A Japanese Rocket Launch by spire3661 · Score: 4, Informative

    I shouldn't have to get a cert to pop up a website, period. The fact that people like you think we should is foolish, stupid and a road to hell.

    --
    Good-bye
  3. Re:Misguided Like A Japanese Rocket Launch by tepples · Score: 5, Informative

    Why do I need to use HTTPS on a website I create that is totally public, offers no login/forums, and takes no payments? Maybe a site dedicated to building Control Line airplanes?

    Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org"), not the path ("/comments.pl?sid=12295934&cid=56872990").

  4. Otherwise Comcast will insert JS into your site by tepples · Score: 2, Informative

    Without a cert, how can your subscribers be certain that their ISP isn't tampering with the connection? Comcast has been caught injecting advertisement display scripts.

  5. Re:LE isn't easy for devices on home LAN by Octorian · Score: 5, Informative

    This use case seems to be often ignored by the "HTTPS Everywhere" folks, yet we all constantly have to deal with it. While HTTPS probably is a good thing for all of these devices, someone needs to seriously take a step back, and actually give two shits about the certificate management problem presented here, before forging ahead and making our lives more difficult.

  6. Re: LE isn't easy for devices on home LAN by PrimaryConsult · Score: 4, Informative

    That's what a trusted internal root certificate is for. Add your organization (home) certificate signer to your root CA store.
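The trust-store step PrimaryConsult describes, shown end to end as an added example (not code from the thread or from any project named in it): a private root CA is created, it issues a server certificate for a hypothetical LAN device `printer.home.lan`, and the same certificate is then verified against a store that lacks the home root, a store that contains it, and a store that contains it but for the wrong hostname. Everything here is Go standard library; the CA name, device name and validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildHomeCA creates a self-signed internal root ("Home Internal Root CA",
// a hypothetical name) and issues a server certificate for one LAN device.
// The root's private key never leaves this function: only the CA's public
// certificate needs to be distributed to client trust stores.
func BuildHomeCA(deviceName string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Home Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0), // long-lived root, assumed 10 years
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceName},
		DNSNames:     []string{deviceName}, // clients match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0), // short-lived device cert, assumed 1 year
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// VerifyDevice performs the check a client does when it connects to the
// device: build a chain from leaf to a root in the given trust store and
// confirm the certificate is valid for host.
func VerifyDevice(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trusted})
	return err
}

func main() {
	const device = "printer.home.lan" // hypothetical LAN device
	root, leaf, err := BuildHomeCA(device)
	if err != nil {
		panic(err)
	}

	// A store without the home root: the device's chain is untrusted.
	fmt.Println("without home root:", VerifyDevice(leaf, x509.NewCertPool(), device))

	// Add the home signer to the store, as the comment suggests: trusted.
	store := x509.NewCertPool()
	store.AddCert(root)
	fmt.Println("with home root:   ", VerifyDevice(leaf, store, device))

	// Trusting the root does not trust every name: a mismatched host still fails.
	fmt.Println("wrong hostname:   ", VerifyDevice(leaf, store, "nas.home.lan"))
}
```

The empty `x509.NewCertPool()` stands in for a client that has not imported the home root (Go would consult the system store if `Roots` were nil instead). The operational cost the thread is arguing about is the last step: getting `root` into every client's store on the LAN and rotating the device certificates before `NotAfter`.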

  7. Re:Pointless worry by Known+Nutter · Score: 4, Informative
    --
    Beware of the Leopard.
  8. Re:It's about securing the web, not changing it by WaffleMonster · Score: 4, Informative

    1. Privacy, so that ISPs and other companies don't get to record which old files you access and when

    This is bullshit. It's been proven to be bullshit. Creeps in the wires know where you are going. They see IP headers, SNI indications, public key identities and TLS session keys. They know size, timing and length of transfers.

    This is sufficient information to deduce exactly what you are doing on a publicly accessible website with a high degree of accuracy regardless of encryption.
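Both tepples (the man in the middle sees the hostname but not the path) and WaffleMonster (the wires still expose SNI and transfer sizes) are describing what a passive observer can read from the first TLS message. The following added example, not code from the thread or from any project named in it, builds a constructed ClientHello for `tech.slashdot.org` and parses it the way an on-path observer can, with no key material: the server_name extension yields the hostname in the clear, while the URL path from tepples' comment never appears in the handshake. The record layout is the standard TLS one; the zeroed random field and single cipher suite are sample choices, not a real capture.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// u16 appends a big-endian 16-bit length or type field.
func u16(b []byte, v int) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildClientHello assembles a minimal TLS ClientHello record whose only
// extension is server_name (SNI) for host. Constructed sample, not a capture.
func BuildClientHello(host string) []byte {
	name := []byte(host)
	var sni []byte
	sni = u16(sni, 3+len(name)) // server_name_list length
	sni = append(sni, 0x00)     // name_type: host_name
	sni = u16(sni, len(name))
	sni = append(sni, name...)

	var ext []byte
	ext = u16(ext, 0x0000) // extension type: server_name
	ext = u16(ext, len(sni))
	ext = append(ext, sni...)

	body := []byte{0x03, 0x03}                  // client_version: TLS 1.2 (TLS 1.3 keeps this value)
	body = append(body, make([]byte, 32)...)    // random: zeroed in this constructed sample
	body = append(body, 0x00)                   // session_id length: 0
	body = append(body, 0x00, 0x02, 0x13, 0x01) // cipher_suites: one suite, TLS_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)             // compression_methods: null
	body = u16(body, len(ext))
	body = append(body, ext...)

	hs := []byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))} // client_hello + 24-bit length
	hs = append(hs, body...)

	rec := []byte{0x16, 0x03, 0x01} // content type: handshake; legacy record version
	rec = u16(rec, len(hs))
	return append(rec, hs...)
}

// ExtractSNI reads the record as a passive observer (ISP, middlebox) can and
// returns the host_name it carries. Every length is bounds-checked so a
// malformed record produces an error instead of a panic.
func ExtractSNI(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	n := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+n {
		return "", errors.New("truncated record")
	}
	hs := rec[5 : 5+n]
	if len(hs) < 4 || hs[0] != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	n = int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+n {
		return "", errors.New("truncated ClientHello")
	}
	p := hs[4 : 4+n]
	if len(p) < 35 { // client_version(2) + random(32) + at least a session_id length byte
		return "", errors.New("short ClientHello")
	}
	p = p[34:]
	for _, width := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if len(p) < width {
			return "", errors.New("truncated vector")
		}
		l := int(p[0])
		if width == 2 {
			l = int(binary.BigEndian.Uint16(p[:2]))
		}
		if len(p) < width+l {
			return "", errors.New("truncated vector")
		}
		p = p[width+l:]
	}
	if len(p) < 2 {
		return "", errors.New("no extensions")
	}
	n = int(binary.BigEndian.Uint16(p[:2]))
	p = p[2:]
	if len(p) < n {
		return "", errors.New("truncated extensions")
	}
	p = p[:n]
	for len(p) >= 4 { // walk extension type/length/data triples
		typ := binary.BigEndian.Uint16(p[:2])
		l := int(binary.BigEndian.Uint16(p[2:4]))
		p = p[4:]
		if len(p) < l {
			return "", errors.New("truncated extension")
		}
		data := p[:l]
		p = p[l:]
		if typ != 0x0000 || len(data) < 2 {
			continue
		}
		list := data[2:] // server_name_list: entries of name_type(1), length(2), name
		for len(list) >= 3 {
			nameType, nl := list[0], int(binary.BigEndian.Uint16(list[1:3]))
			list = list[3:]
			if len(list) < nl {
				return "", errors.New("truncated host_name")
			}
			if nameType == 0x00 {
				return string(list[:nl]), nil
			}
			list = list[nl:]
		}
	}
	return "", errors.New("no server_name extension")
}

func main() {
	rec := BuildClientHello("tech.slashdot.org")
	host, err := ExtractSNI(rec)
	fmt.Printf("observer sees a %d-byte record, SNI=%q, err=%v\n", len(rec), host, err)
	// The URL path is sent only inside the encrypted application data that follows.
	fmt.Println("path visible in handshake:", bytes.Contains(rec, []byte("/comments.pl")))
}
```

The record length printed by `main` is the other half of WaffleMonster's point: an observer who cannot read the path still sees the size and timing of every record that follows, which is metadata the hostname alone does not hide.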