Slashdot Mirror
Is Google's Promotion of HTTPS Misguided? (this.how)
Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes:
A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
- The web is an open platform, not a corporate platform.
- It is defined by its stability. 25-plus years and it's still going strong.
- Google is a guest on the web, as we all are. Guests don't make the rules.
"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."
If you can't afford a real, signed certificate, you can't get your message out
Real signed certificates are affordable to anyone with $0 in their pocket. It isn't really a hurdle at all.
You are wrong. Sure, you can self sign a certificate by running your own root CA, but people visiting the site over the Internet will get a prompt saying that the certificate is not trusted. In order to get a certificate that does not produce a security prompt you need to get that certificate from one of the established certificate providers (root CA is trusted by most browsers by default).
However, this brings up a good point. If Google is so set on HTTPS being a standard, why don't they offer web certs for a minimal fee (i.e. $1 a year)?