Is Google's Promotion of HTTPS Misguided?

Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes: A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....

If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.

• The web is an open platform, not a corporate platform.

• It is defined by its stability. 25-plus years and it's still going strong.

• Google is a guest on the web, as we all are. Guests don't make the rules.

"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."

Pointless worry

[Gavagai80]

Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.

Re:Pointless worry

And you missed the point. It's not that chrome won't load HTTP sites-- it's that you won't be able to find them on google search. Instead you'll get redirected to 30 different versions of the same site promising a weird trick to fix your problem, all behind paywalls.

It's a nice way to divide the internet into "have" and "have nots". If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).

Re:Pointless worry

[jrumney]

If you can't afford a real, signed certificate, you can't get your message out

Real signed certificates are affordable to anyone with $0 in their pocket. It isn't really a hurdle at all.

Re:Pointless worry

[tepples]

It costs more than $0 for the fully qualified domain name, and I imagine that most people who put an appliance with a web-based administration interface on a home LAN don't already own a domain.

Or to put it another way: What is the fully qualified domain name of your router? Your printer?

Not a risk?

[yarbo]

Downloading executable files, downloading risky file extensions (doc, pdf), and downloading any document where integrity matters means that http is a risk. If someone downloads some old games from an HTTP archive, malware could be added. If someone downloads some PDFs with an outdated reader, there could be malware. If someone downloads some forms they're going to fill out later, changing the location they're supposed to be emailed/faxed/whatever means someone could give out PII or financial information. If someone is reading old news stories, changing the content of those stories to suit an attackers narrative could be very valuable. Just because the author can't imagine the security implications, doesn't mean organized crime, bored hackers, or nation state actors aren't thinking about it.

Re:Not a risk?

HTTPS doesn't prevent that, if you already have the client or server compromised you are fucked regardless of HTTP/HTTPS and realistically that is far more likely than someone manipulating the content as a man in middle attack.

Re:Not a risk?

... HTTPS does not prevent malware.

It securly transmits the malware.

Re: Not a risk?

[Bing+Tsher+E]

Google wants content transferred 'securely' because they have their agents spread widely (googleanalytics, etc.) and don't want middlemen competing with them. They have control of the scripts, why should any other entity?

Re:Not a risk?

[Nemyst]

HTTP allows those changes to occur through MITM-type attacks, whereas HTTPS requires the client or server to be compromised. Considering the number of governments with the means and interests to perform MITM attacks, I'd say it's an absolutely valid concern.

Re:Not a risk?

[swillden]

... HTTPS does not prevent malware.

It securly transmits the malware.

HTTPS does prevent malware from being inserted by people who control one of the hops between the server and the browser. It obviously cannot prevent malware that is being served by the server.

It's about securing the web, not changing it

[misnohmer]

It's meant to secure the web. Two reasons:
1. Privacy, so that ISP's and other companies don't get to record which old files you access and when
2. So that a guy who sits next to you in a coffee shop with an infected laptop doesn't get to do a man-in-the middle attack when you go to access your old favorite version of minesweeper, and infect you

What would Google have to gain from pushing the web to https?

Re:It's about securing the web, not changing it

[Actually,+I+do+RTFA]

What would Google have to gain from pushing the web to https?

1) It reduces the number of trackers, which since they still track most sites through their analytics, raises the value of their data.

2) It gets people used to Google dictating how their websites look and function.

Legacy shouldn't hold us back

[Decameron81]

Legacy shouldn't hold us back. That's a sure way to make sure you stop progressing. Old sites not working anymore because they're not really maintained is not a good reason to try and stop progress.

We should instead just make sure we move forward in a way that makes sense from a technological and convenience point of view.

Re:I'm sympathetic

In order to save the village, we had to destroy it.

Re: I'm sympathetic

[Bing+Tsher+E]

Your criticism of insecurity has little to do with security in an httpd. It can be easily expanded to demanding that all machines connected to the net 'have their papers in order.' China loves advocates like you.

LE isn't easy for devices on home LAN

[tepples]

LetsCrypt is an easy method to get a cert and use it.

Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?

Re:Misguided Like A Japanese Rocket Launch

[spire3661]

" Civilians are clueless, and it's up to the responsible ones to do the job. So we do it."

You are a fucking fool.

Re:Misguided Like A Japanese Rocket Launch

[jpaine619]

I was on the side that agreed with your statement.. But then I thought about it for a while... non HTTPS traffic (plain HTTP) can be modified in-stream. I think it was Comcast that was caught injecting ads into HTTP traffic a few years ago. You cannot do that with HTTPS. Do you want your ISP injecting or modifing the webpages you are trying to read? Besides, nothing prevents anyone from having two or three browsers.. If chrome isn't cutting it for you, there's always alternatives.

So.. maybe a position reevaluation is in order?

Re: The web is already broken

[peppepz]

On the other hand, it will put the power of censorship in the hands of domain name registrars, TLS certificate providers, and whomever has the power to decide which certificates are "not trusted" (Google).

Re:Misguided Like A Japanese Rocket Launch

[sjames]

Have a look at the CAs accepted by your browser. Do you actually trust each and every one of those entities to never issue a cert in error? Have you even heard of most of them?

Re:Misguided Like A Japanese Rocket Launch

[chmod+a+x+mojo]

Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this weeks, largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.

Then you are already fucked. Period. There is nothing stopping the attacker from doing the exact same thing, but easier on your computer, all while being able to read the information in the decrypted form. That means the attacker is already in your network and can chain exploits until they own everything.

Not to mention - why the FUCK would I need HTTPS to view a page that has been sitting around since 1998, is static HTML, likely has no ads plastered all over its face, and contains information on something obscure and random that newer pages don't have anymore? There's no reason for encryption for these older pages. Ever. There is no login information, user credentials, or even scripts being executed. It's fucking HTML, if the browser manage to fuck it up enough to be an exploit maybe, just maybe we should be looking at securing the browser instead of the transfer at that point.