Is Google's Promotion of HTTPS Misguided? (this.how)
Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes:
A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
- The web is an open platform, not a corporate platform.
- It is defined by its stability. 25-plus years and it's still going strong.
- Google is a guest on the web, as we all are. Guests don't make the rules.
"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."
Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.
This space intentionally left blank
Downloading executable files, downloading risky file extensions (doc, pdf), and downloading any document where integrity matters means that http is a risk. If someone downloads some old games from an HTTP archive, malware could be added. If someone downloads some PDFs with an outdated reader, there could be malware. If someone downloads some forms they're going to fill out later, changing the location they're supposed to be emailed/faxed/whatever means someone could give out PII or financial information. If someone is reading old news stories, changing the content of those stories to suit an attacker's narrative could be very valuable. Just because the author can't imagine the security implications, doesn't mean organized crime, bored hackers, or nation state actors aren't thinking about it.
It's meant to secure the web. Two reasons:
1. Privacy, so that ISPs and other companies don't get to record which old files you access and when
2. So that a guy who sits next to you in a coffee shop with an infected laptop doesn't get to do a man-in-the-middle attack when you go to access your old favorite version of minesweeper, and infect you
What would Google have to gain from pushing the web to https?
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
Except that the rules for HTTPS have changed at least 3 or 4 times, and recently. First keys weren't long enough. Then SSL wasn't good enough. Then TLS 1.0 is broken.
Managing ssl.conf across a few dozen servers has taken a fair amount of man hours at my organization in the last couple years-- and we have configuration management tools.
And all of this is to protect the transmission of unrestricted, publicly accessible information.
Do we really need https to display wikipedia? To see today's headlines on CNN? To read slashdot? Does the wayback machine of publicly viewable web pages need to be encrypted during transmission?
A large percentage of the web doesn't need to be encrypted during transmission.
In order to save the village, we had to destroy it.
A lot of what is being said doesn't make any sense.
If the web is an open platform, then anyone is free to make any rules they want. And you are free not to follow them.
Your criticism of insecurity has little to do with security in an httpd. It can be easily expanded to demanding that all machines connected to the net 'have their papers in order.' China loves advocates like you.
To answer your questions: yes. It needs to be default. Users, civilians, need to know when a web page is sending info across a network that's unencrypted, e.g. as plain text. They don't know the implications.
It would be a wonderful world if key management was simple, and it can be. CASB apps make it simple.
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this week's largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.
Yes it changes. Anything valuable still requires paying attention to it. Civilians are clueless, and it's up to the responsible ones to do the job. So we do it. LetsCrypt is an easy method to get a cert and use it. I'm still unsatisfied that WPA3 is worth it, but I like how it works at a glance. In the real world, much stuff is broken and vendors are stupid and in it for this quarter's model, and this quarter's report to Wall Street and little else. Raising the standard from plain text to encrypted is an important step.
---- Teach Peace. It's Cheaper Than War.
It's fine to prefer https when available, but there should be a way to say: this site really is intentionally https, and not have it flagged as having cooties.
"HTTPS doesn't require much at all"
But it is not without cost. It takes more power if nothing else.
I think the issue is why punish sites that do not use HTTPS if they have no reason to use HTTPS?
Why do I need to use HTTPS on a website I create that is totally public, offers no login/forums, and takes no payments? Maybe a site dedicated to building Control Line airplanes?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
LetsCrypt is an easy method to get a cert and use it.
Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?
I shouldn't have to get a cert to pop up a website, period. The fact that people like you think we should is foolish, stupid and a road to hell.
Good-bye
"Civilians are clueless, and it's up to the responsible ones to do the job. So we do it."
You are a fucking fool.
Good-bye
If you don't have the time to go to letsencrypt.org, get a free cert, and tell Apache to use it, you shouldn't be running that server.
As for public servers, I agree.
As for servers accessible only within a home LAN, it's a bit more complicated. Let's Encrypt won't issue certificates for IP addresses within IP address blocks reserved for private internets (10/8, 172.16/12, or 192.168/16) or for DNS names within private TLDs (such as .local or .internal). Nor will any other CA that follows the CAB Forum's Baseline Requirements. A fully-qualified domain name is required, and a lot of householders with home networking appliances haven't already bought a domain name within which to assign names for devices on the home LAN. DynDNS? They ended free service years ago.
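A pre-check for the rule described in the comment above, as an added example that is not part of the original thread: it sorts LAN device identifiers into those a public CA could validate and those it could not, using only the private address blocks and private TLDs the comment names. The function names, the sample device list and the `example.com` name are assumptions made for illustration.

```python
import ipaddress

# Private IPv4 blocks named in the comment above (10/8, 172.16/12, 192.168/16).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Private TLDs named in the comment; extend this set for your own LAN naming.
PRIVATE_TLDS = {"local", "internal"}


def cert_eligibility(identifier):
    """Return (eligible, reason) for one host identifier.

    eligible is True only for a fully-qualified domain name outside the
    private TLDs above. This is a local pre-check (hypothetical helper),
    not a CA's actual issuance policy.
    """
    ident = identifier.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(ident)
    except ValueError:
        addr = None  # not an IP literal, treat it as a DNS name below

    if addr is not None:
        for block in PRIVATE_BLOCKS:
            if addr in block:
                return False, f"private address in {block}"
        # The comment states that a fully-qualified domain name is required.
        return False, "bare IP address, no domain name to validate"

    labels = ident.split(".")
    if len(labels) < 2 or not all(labels):
        return False, "not a fully-qualified domain name"
    if labels[-1] in PRIVATE_TLDS:
        return False, f"private TLD .{labels[-1]}"
    return True, "FQDN outside the private TLDs"


# Constructed sample: identifiers a householder might use for LAN devices.
SAMPLE_DEVICES = ["192.168.1.1", "10.0.0.20", "172.20.5.9", "printer.local",
                  "nas.internal", "router", "nas.home.example.com"]


def audit(devices):
    """Map each identifier to its (eligible, reason) result."""
    return {d: cert_eligibility(d) for d in devices}


if __name__ == "__main__":
    for device, (ok, reason) in audit(SAMPLE_DEVICES).items():
        print(f"{device:24} {'ok' if ok else 'NO':3} {reason}")
```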
Why do I need to use HTTPS on a website I create that is totally public, offers no login/forums, and takes no payments? Maybe a site dedicated to building Control Line airplanes?
Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org"), not the path ("/comments.pl?sid=12295934&cid=56872990").
Without a cert, how can your subscribers be certain that their ISP isn't tampering with the connection? Comcast has been caught injecting advertisement display scripts.
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
Just think of the lost opportunities!!
Why, with just 2 months and $200,000 we could start modernizing these "books" so that they use a proper 1px razor-thin font, a 20% contrast ratio, and nice 30% transparent pages. Another 4 months and $400k and we can upgrade them to require batteries and use AI to replace all those long paragraphs with summaries. And lastly, in just 1 year and a million dollars, we can add encryption, fingerprint readers, dynamic advertising, and pay-per-chapter so that only people with an active subscription or who make use of the freemium model can read them!
Books-as-a-Service with nice modern UX, targeted advertising based on book genre, and microtransactions. Let's get started! Now, who will fund us?
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.
Add your organization (home) certificate signer to your root CA store.
I was under the impression that smartphone and smartphone-derived tablet operating systems made it difficult and/or annoying to add a root CA. How would you get the CA's root certificate onto a device in the first place if it can't read a flash drive? In addition, which graphical frontend to OpenSSL would less-technical users be using to operate this root CA, such as to issue a certificate before uploading it to the router or printer?
I was on the side that agreed with your statement. But then I thought about it for a while... Non-HTTPS traffic (plain HTTP) can be modified in-stream. I think it was Comcast that was caught injecting ads into HTTP traffic a few years ago. You cannot do that with HTTPS. Do you want your ISP injecting or modifying the webpages you are trying to read? Besides, nothing prevents anyone from having two or three browsers. If Chrome isn't cutting it for you, there's always alternatives.
So.. maybe a position reevaluation is in order?
On the other hand, it will put the power of censorship in the hands of domain name registrars, TLS certificate providers, and whoever has the power to decide which certificates are "not trusted" (Google).
But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.
These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.
Actually using wordpress at all is irresponsible.
The age where you could just set up a box in the closet, use it to serve a page about your cat, and then forget about it is sadly long over. These days if you're not paying attention, installing updates and keeping up with what's going on with it you'll end up serving trojans, sending spam, or being a member of a botnet, if not something worse.
I bet if you serve static html pages and only allow http access from the net that box in the closet will never get hacked.
What has changed for the worse is proliferation of complex systems designed by idiots for idiots. Wordpress is a great example of this. CVE databases littered with SQLi and XSS bugs as far as the eye can see year after agonizing year since turn of the century. There are exactly zero excuses for the presence of these classes of vulnerabilities.
If you don't have the time to go to letsencrypt.org, get a free cert, and tell Apache to use it, you shouldn't be running that server.
Yea bullshit. The reality is closer to if you are using Wordpress you shouldn't have a website.
Wait ... so ... nobody being able to intercept, alter and manipulate data between sender and recipient except sender and recipient (who can easily use ad filters instead of relying on his ISP to filter what the ISP doesn't get paid to let pass, for example) is a BAD thing now?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes. But the book doesn't run code on your end. It's actually just text.
A browser will run whatever code it gets from the website. Or any code picked up on the way from the server to your browser if it's not encrypted.
If you access unencrypted wikipedia from your local Starbucks or library, pretty much anyone can play man-in-the-middle and inject javascript into your site. Good frameworks exist (e.g. BeEF) that make it really easy to do phishing (facebook login, work login, etc) and many other creative attacks. If you are then running on a vulnerable browser it will be easily hacked.
You can do this with a phone and a few clicks (ex. the app dSploit).
So yes. Even if the information itself is not worth protecting, the Web 2.0/3.0/NextGen certainly needs transport encryption.
Have a look at the CAs accepted by your browser. Do you actually trust each and every one of those entities to never issue a cert in error? Have you even heard of most of them?
about HTTPS. You just answered my question. They don't want the ISPs to have the detailed data google has (they still have URLs but no page content) and they can't replace google's ads with their own. Now it makes sense.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Malware no, employers yes.
227-3517
So where are your fucking papers, dude? You're standing in the road, after all. Don't move to the sidewalk. We want to see your papers if you're gonna stand there, too.
It's necessary for the security of the community. You don't want to be branded unmutual, do you?
It was a nice slippery move to stick the word 'sane' in there about the 'car inspections' bullshit. My car hasn't been inspected since I bought it at the dealership. Fuck your 'sane' bullshit. It sounds like if I don't belong to your party I am 'insane.'
That's how they shuffled people off to the gulags, you know. Declare them insane and anti-social. Who but a crazy person wouldn't be for the People's Revolutionary Government?
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this week's largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.
Then you are already fucked. Period. There is nothing stopping the attacker from doing the exact same thing, but easier on your computer, all while being able to read the information in the decrypted form. That means the attacker is already in your network and can chain exploits until they own everything.
Not to mention - why the FUCK would I need HTTPS to view a page that has been sitting around since 1998, is static HTML, likely has no ads plastered all over its face, and contains information on something obscure and random that newer pages don't have anymore? There's no reason for encryption for these older pages. Ever. There is no login information, user credentials, or even scripts being executed. It's fucking HTML, if the browser manages to fuck it up enough to be an exploit maybe, just maybe we should be looking at securing the browser instead of the transfer at that point.
To err is human; effective mayhem requires the root password!
You've spent x$ on the blasted thing, surely them providing a "consumerrouter.netgear.com" domain name (or whatever) with valid cert that is served off the router itself should be included with the purchase price.
Which conveniently has a not valid after date 12 months after purchase, once the warranty expires. And now that you're putting the onus on device manufacturers, what cert should someone who builds a NAS out of a Raspberry Pi use?
Though the author is right in that the public information itself requires no hiding, the information about my accessing a particular piece of information may be important...
And then there is the integrity aspect — without something like HTTPS, how do I know the data has not been tampered with in-flight?
In Soviet Washington the swamp drains you.
Think of the children's...energy prices. All that unnecessary encrypting costs electricity, times billions of pages per day.
A public library has a budget. My bookcase at home does not, yet I can still read 20-year-old books from it. The fact that web software cannot be kept running without frequent intervention is not a feature, but a major failing of the entire ecosystem.
This is really an argument about externalities, costs shoved off to society, instead of being paid for up front. There are costs to HTTPS, and a great deal of technical debt would be incurred in forcing older sites to deploy it. HTTPS is a set of trade offs, one of which involves centralizing trust (and thus the ability to censor) in the top level certification sites. Using HTTPS also prohibits the development of other options, any of which may actually be far superior, in other words, premature optimization.
There's no really good reason to force old web sites to change everything for your latest version of security kool-aid, and again in 6 months, and again in 6 months, ad hoc, ad nauseam. It won't actually do much good, and as stated above, does much harm by potentially removing history.
Grow up, kids.... HTTPS is like beta software... it's not done yet. Get back to me when it hasn't undergone a revision in at least 5 years.