Is Google's Promotion of HTTPS Misguided? (this.how)
Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes:
A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
- The web is an open platform, not a corporate platform.
- It is defined by its stability. 25-plus years and it's still going strong.
- Google is a guest on the web, as we all are. Guests don't make the rules.
"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."
HTTPS doesn't require much at all. This writer's observations aren't very good. The https everywhere movement is a bare-minimum. We once were foolish enough to trust others on the web; the concept of zero-trust is where we are today, and for good, even outstanding reasons. That Google champions it is fine, even though Google is a corral of skunks, in my opinion, perhaps the worst robbers of privacy on the net.
In this case, however, https is absolutely the right direction, and twenty-five years of ostensible trust is more than naive, it's freaking treacherous out there, even for hackers with half a brain.
---- Teach Peace. It's Cheaper Than War.
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
To answer your questions: yes. It needs to be default. Users, civilians, need to know when a web page is sending info across a network that's unencrypted, e.g. as plain text. They don't know the implications.
It would be a wonderful world if key management was simple, and it can be. CASB apps make it simple.
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this week's largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.
Yes it changes. Anything valuable still requires paying attention to it. Civilians are clueless, and it's up to the responsible ones to do the job. So we do it. Let's Encrypt is an easy method to get a cert and use it. I'm still unsatisfied that WPA3 is worth it, but I like how it works at a glance. In the real world, much stuff is broken and vendors are stupid and in it for this quarter's model, and this quarter's report to Wall Street and little else. Raising the standard from plain text to encrypted is an important step.
---- Teach Peace. It's Cheaper Than War.
For me, this is about GoDaddy calling up every 6 months and trying to get me to double my hosting budget by buying some kind of goofy certificate. "If you don't buy the $120 dollar certificate from us, Google will tell everybody you're a bad person".
Screw 'em!
It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.
HTTPS Everywhere is 100% about ending unregistered use of the internet. It is censorship at its most beautiful. Without it, anyone with a public facing IP, hell anyone with a public facing socket, can publish on the internet. HTTPS Everywhere is about fixing that freedom, about making sure Google knows exactly who is publishing what.
Let me turn that around for you. You use somebody's public Wi-Fi, and it asks you to click on something that installs a new root cert. If it is easy, the average person will do it without hesitation, at which point HTTPS is completely broken.
Sometimes, there are good reasons to make unusual things hard.
No, the right answer is for somebody to come up with a sensible standard for .local certificates in which they are accepted with SSH-like behavior — ask once, and never ask again (with no expiration), but accepted only for that specific hostname, never allowed to be treated as any sort of root cert, etc.
Check out my sci-fi/humor trilogy at PatriotsBooks.
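The SSH-like scheme sketched in the comment above (ask once for a .local host, pin forever, never treat the cert as a root) can be written down as a small trust-on-first-use pin store. The block below is an added example, not code from the thread or from any browser; the hostnames and the certificate bytes are constructed placeholders, not real DER certificates, and the store keys pins by SHA-256 fingerprint of whatever bytes the TLS layer hands it. A pin is valid only for the exact hostname it was accepted for, a mismatch is refused without re-prompting (the same behaviour SSH shows on a changed host key), and there is no code path that turns a pinned leaf into a CA.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed placeholders standing in for DER-encoded leaf certificates.
# They are NOT real certificates; only their fingerprints matter here.
CERT_A = b"-- constructed placeholder DER: printer.local, key A --"
CERT_B = b"-- constructed placeholder DER: printer.local, key B (different) --"

# Callback signature: (hostname, fingerprint) -> True to accept and pin.
AcceptPrompt = Callable[[str, str], bool]


def normalize_host(hostname: str) -> str:
    """Lower-case and drop a trailing dot so 'Printer.local.' == 'printer.local'."""
    return hostname.strip().lower().rstrip(".")


def is_local_name(hostname: str) -> bool:
    """Only names under .local are eligible for TOFU; everything else stays on PKI."""
    return normalize_host(hostname).endswith(".local")


@dataclass
class TofuPinStore:
    """Maps an exact hostname to the SHA-256 fingerprint of the leaf it first presented.

    There is deliberately no notion of expiry, of wildcard matching, or of
    'trusting' a certificate for anything other than the one hostname it was
    pinned for, so a pinned leaf can never act as a root for other names.
    """
    pins: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, hostname: str, cert_der: bytes, prompt: AcceptPrompt) -> str:
        """Decide what to do with the certificate a host presented.

        Returns one of:
          'not_local' - not a .local name; caller must use normal PKI validation
          'pinned'    - first sight, user accepted, fingerprint stored for this host
          'declined'  - first sight, user refused; nothing stored
          'accepted'  - host already pinned and the fingerprint matches
          'rejected'  - host already pinned and the fingerprint differs (no prompt)
        """
        if not is_local_name(hostname):
            return "not_local"
        host = normalize_host(hostname)
        fp = self.fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # Ask once. A pin for a *different* host with the same cert does not
            # carry over: the trust decision is per hostname, like ~/.ssh/known_hosts.
            if prompt(host, fp):
                self.pins[host] = fp
                return "pinned"
            return "declined"
        # Never re-prompt on mismatch; a silent 'click to continue' here is exactly
        # the failure mode the root-cert-on-public-Wi-Fi comment describes.
        return "accepted" if known == fp else "rejected"

    def to_json(self) -> str:
        """Persist the pins (e.g. to a file in the user profile)."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, data: str) -> "TofuPinStore":
        return cls(pins=dict(json.loads(data)))


if __name__ == "__main__":
    store = TofuPinStore()
    always_yes = lambda host, fp: True
    print(store.check("printer.local", CERT_A, always_yes))  # pinned
    print(store.check("printer.local", CERT_A, always_yes))  # accepted
    print(store.check("printer.local", CERT_B, always_yes))  # rejected
    print(store.check("example.com", CERT_A, always_yes))    # not_local
```

The prompt callback is where a real client would show the fingerprint to the user; everything else is deterministic, which is what makes the scheme auditable: the only way a .local host's identity can change is a human explicitly removing the stale pin.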
about HTTPS. You just answered my question. They don't want the ISPs to have the detailed data google has (they still have URLs but no page content) and they can't replace google's ads with their own. Now it makes sense.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/