Is Google's Promotion of HTTPS Misguided?

Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes: A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....

If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.

• The web is an open platform, not a corporate platform.

• It is defined by its stability. 25-plus years and it's still going strong.

• Google is a guest on the web, as we all are. Guests don't make the rules.

"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."

Pointless worry

[Gavagai80]

Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.

Re:Pointless worry

And you missed the point. It's not that chrome won't load HTTP sites-- it's that you won't be able to find them on google search. Instead you'll get redirected to 30 different versions of the same site promising a weird trick to fix your problem, all behind paywalls.

It's a nice way to divide the internet into "have" and "have nots". If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).

Re:Pointless worry

[jrumney]

If you can't afford a real, signed certificate, you can't get your message out

Real signed certificates are affordable to anyone with $0 in their pocket. It isn't really a hurdle at all.

Re:Pointless worry

[Known+Nutter]

https://letsencrypt.org/

)$0.00

Re:Not a risk?

... HTTPS does not prevent malware.

It securly transmits the malware.

Re:Legacy shouldn't hold us back

[DutchUncle]

You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.

Re: Not a risk?

[Bing+Tsher+E]

Google wants content transferred 'securely' because they have their agents spread widely (googleanalytics, etc.) and don't want middlemen competing with them. They have control of the scripts, why should any other entity?

Re:Misguided Like A Japanese Rocket Launch

Except that the rules for HTTPS have changed at least 3 or 4 times, and recently. First keys weren't long enough. Then SSL wasn't good enough. Then TLS 1.0 is broken.

Managing ssl.conf across a few dozen servers has taken a fair amount of man hours at my organization in the last couple years-- and we have configuration management tools.

And all of this is to protect the transmission of unrestricted, publicly accessible information.

Do we really need https to display wikipedia? To see today's headlines on CNN? To read slashdot? Does the wayback machine of publicly viewable web pages need to be encrypted during transmission?

A large percentage of the web doesn't need to be encrypted during transmission.

Re: I'm sympathetic

[Bing+Tsher+E]

Your criticism of insecurity has little to do with security in an httpd. It can be easily expanded to demanding that all machines connected to the net 'have their papers in order.' China loves advocates like you.

LE isn't easy for devices on home LAN

[tepples]

LetsCrypt is an easy method to get a cert and use it.

Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?

Re:LE isn't easy for devices on home LAN

[Octorian]

This use case seems to be often ignored by the "HTTPS Everywhere" folks, yet we all constantly have to deal with it. While HTTPS probably is a good thing for all of these devices, someone needs to seriously take a step back, and actually give two shits about the certificate management problem presented here, before forging ahead and making our lives more difficult.

Re: LE isn't easy for devices on home LAN

[PrimaryConsult]

That's what a trusted internal root certificate is for. Add your organization (home) certificate signer to your root CA store.

Re:Misguided Like A Japanese Rocket Launch

[spire3661]

I shouldn't have to get a cert to pop up a website, period. The fact that people like you think we should is foolish, stupid and a road to hell.

Re:Misguided Like A Japanese Rocket Launch

[tepples]

Why do I need to use HTTPS on a website I create that is totally public, offers not login/forums, and takes no payments. Maybe a site dedicated to building Control Line airplanes?

Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org", not the path ("/comments.pl?sid=12295934&cid=56872990").

Re:Legacy shouldn't hold us back

[nmb3000]

You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.

Just think of the lost opportunities!!

Why, with just 2 months and $200,000 we could start modernizing these "books" so that they use a proper 1px razor-thin font, a 20% contrast ratio, and nice 30% transparent pages. Another 4 months and $400k and we can upgrade them to require batteries and use AI to replace all those long paragraphs with summaries. And lastly, in just 1 year and a million dollars, we can add encryption, fingerprint readers, dynamic advertising, and pay-per-chapter so that only people with an active subscription or make use of the freemium model can read them!

Books-as-a-Service with nice modern UX, targeted advertising based on book genre, and microtransactions. Let's get started! Now, who will fund us?

Anti-competive

[BradMajors]

It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.

Re:It's about securing the web, not changing it

[Actually,+I+do+RTFA]

What would Google have to gain from pushing the web to https?

1) It reduces the number of trackers, which since they still track most sites through their analytics, raises the value of their data.

2) It gets people used to Google dictating how their websites look and function.

Re:What graphical OpenSSL frontend?

[dgatwood]

Let me turn that around for you. You use somebody's public Wi-Fi, and it asks you to click on something that installs a new root cert. If it is easy, the average person will do it without hesitation, at which point HTTPS is completely broken.

Sometimes, there are good reasons to make unusual things hard.

No, the right answer is for somebody to come up with a sensible standard for .local certificates in which they are accepted with SSH-like behavior — ask once, and never ask again (with no expiration), but accepted only for that specific hostname, never allowed to be treated as any sort of root cert, etc.

Re:It's about securing the web, not changing it

[WaffleMonster]

1. Privacy, so that ISP's and other companies don't get to record which old files you access and when

This is bullshit. It's been proven to be bullshit. Creeps in the wires know where you are going. They see IP headers, SNI indications, public key identities and TLS session keys. They know size, timing and length of transfers.

This is sufficient information to deduce exactly what you are doing on a publically accessible website with high degree of accuracy regardless of encryption.

Thanks, I was wondering why google cared so much

[rsilvergun]

about HTTPS. You just answered my question. They don't want the ISPs to have the detailed data google has (they still have URLs but no page content) and they can't replace google's ads with their own. Now it makes sense.