Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Google's Promotion of HTTPS Misguided? (this.how)

Posted by EditorDavid on from the making-the-web-Googley dept.

Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes: A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....

If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
  • The web is an open platform, not a corporate platform.
  • It is defined by its stability. 25-plus years and it's still going strong.
  • Google is a guest on the web, as we all are. Guests don't make the rules.

"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."


8 of 435 comments (clear)

  1. Pointless worry by Gavagai80 · · Score: 4, Insightful

    Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.

    --
    This space intentionally left blank
    1. Re:Pointless worry by Anonymous Coward · · Score: 5, Insightful

      And you missed the point. It's not that chrome won't load HTTP sites-- it's that you won't be able to find them on google search. Instead you'll get redirected to 30 different versions of the same site promising a weird trick to fix your problem, all behind paywalls.

      It's a nice way to divide the internet into "have" and "have nots". If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).

    2. Re:Pointless worry by jrumney · · Score: 4, Insightful

      If you can't afford a real, signed certificate, you can't get your message out

      Real signed certificates are affordable to anyone with $0 in their pocket. It isn't really a hurdle at all.

  2. Re:Not a risk? by Anonymous Coward · · Score: 5, Insightful

    ... HTTPS does not prevent malware.

    It securly transmits the malware.

  3. Re: Not a risk? by Bing+Tsher+E · · Score: 5, Insightful

    Google wants content transferred 'securely' because they have their agents spread widely (googleanalytics, etc.) and don't want middlemen competing with them. They have control of the scripts, why should any other entity?

  4. Re: I'm sympathetic by Bing+Tsher+E · · Score: 4, Insightful

    Your criticism of insecurity has little to do with security in an httpd. It can be easily expanded to demanding that all machines connected to the net 'have their papers in order.' China loves advocates like you.

  5. LE isn't easy for devices on home LAN by tepples · · Score: 4, Insightful

    LetsCrypt is an easy method to get a cert and use it.

    Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?

  6. Re:It's about securing the web, not changing it by Actually,+I+do+RTFA · · Score: 4, Insightful

    What would Google have to gain from pushing the web to https?

    1) It reduces the number of trackers, which since they still track most sites through their analytics, raises the value of their data.

    2) It gets people used to Google dictating how their websites look and function.

    --
    Your ad here. Ask me how!