Is Google's Promotion of HTTPS Misguided? (this.how)
Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes:
A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
- The web is an open platform, not a corporate platform.
- It is defined by its stability. 25-plus years and it's still going strong.
- Google is a guest on the web, as we all are. Guests don't make the rules.
"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."
Pointless worry (Score:5, Insightful)
Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.
Re:Pointless worry (Score:5, Insightful)
And you missed the point. It's not that chrome won't load HTTP sites-- it's that you won't be able to find them on google search. Instead you'll get redirected to 30 different versions of the same site promising a weird trick to fix your problem, all behind paywalls.
It's a nice way to divide the internet into "have" and "have nots". If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).
Re:Pointless worry (Score:5, Insightful)
If you can't afford a real, signed certificate, you can't get your message out
Real signed certificates are affordable to anyone with $0 in their pocket. It isn't really a hurdle at all.
Re:Pointless worry (Score:4, Insightful)
It costs more than $0 for the fully qualified domain name, and I imagine that most people who put an appliance with a web-based administration interface on a home LAN don't already own a domain.
Or to put it another way: What is the fully qualified domain name of your router? Your printer?
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
$0 for the certificate, plus the hours you have to pay a technically skilled person to update your websites. But fortunately website admins all work for free, so it's still $0. Oh no wait, they don't, those skills are expensive [salary.com]. Or, it's free if system administrator time is valued at nothing.
Not all hosts support installing LetsEncrypt certificates for free, either.
Re:Pointless worry (Score:5, Informative)
$0.00
Re: (Score:2)
Let's Encrypt deliberately does not integrate with mDNS.
Re: (Score:3)
Re: (Score:2)
If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).
If you can't handle managing a web server with a free let's encrypt certificate, you probably can't really handle hosting your own content period (with or without a certificate.) For these folks (there are a lot and it's no shame), there are hosting companies and services that host stuff for you. Search engines will index blog hosting services just fine. The message will get out.
Re: (Score:2)
Close but you missed. Why does Google want https to dominate over http? Simply because it gets in first. It knows what is at the https site and it knows you and it knows you have accessed that site and it can track subsequent interactions. So https disadvantages many of its competitors, cuts them off from that information, so not about digging further into your privacy they have already dug as deeply as they can and we are filling that hole back up again as quickly as we can taking into account high leve
Re: (Score:2)
Because it's much more difficult to set up a proxy to "manage" interaction with https sites. They don't want people using proxies to block ads.
Re: (Score:3)
Actually Bing by default, add a !g and it uses Google.
Some things it works fine for, others such as my old '91 truck, I have to add the !g generally to get good results.
Re:Pointless worry (Score:4, Funny)
Sometimes when I look for stuff that's less common I even resort to Yandex and Baidu.
Re: (Score:2)
I'll have to test those.
Re: (Score:2, Interesting)
Screw'em!
Not a risk? (Score:3, Insightful)
Re:Not a risk? (Score:5, Insightful)
... HTTPS does not prevent malware.
It securely transmits the malware.
Re: Not a risk? (Score:5, Insightful)
Google wants content transferred 'securely' because they have their agents spread widely (googleanalytics, etc.) and don't want middlemen competing with them. They have control of the scripts, why should any other entity?
Re:Not a risk? (Score:4, Insightful)
... HTTPS does not prevent malware.
It securely transmits the malware.
HTTPS does prevent malware from being inserted by people who control one of the hops between the server and the browser. It obviously cannot prevent malware that is being served by the server.
Re: (Score:2)
How would moving the transport of altered files over to https address any of the issues you list?
Re:Not a risk? (Score:4, Insightful)
Re: (Score:2)
HTTP allows a MITM to run a virus scan and block malicious content. Arguments against HTTP assume ISPs are less trustworthy than random website owners. Which may be true in general, but that doesn't mean it needs to be fixed at the protocol level.
If we're talking protocols, though, secure content that's visible to a MITM but authenticated client-side (signed but not encrypted) is certainly possible. It would allow ISPs to run virus checkers (so viruses can't hide behind a Google certificate, by coming fr
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
It's about securing the web, not changing it (Score:3, Insightful)
It's meant to secure the web. Two reasons:
1. Privacy, so that ISP's and other companies don't get to record which old files you access and when
2. So that a guy who sits next to you in a coffee shop with an infected laptop doesn't get to do a man-in-the middle attack when you go to access your old favorite version of minesweeper, and infect you
What would Google have to gain from pushing the web to https?
Re:It's about securing the web, not changing it (Score:5, Insightful)
1) It reduces the number of trackers, which since they still track most sites through their analytics, raises the value of their data.
2) It gets people used to Google dictating how their websites look and function.
Re:It's about securing the web, not changing it (Score:5, Informative)
1. Privacy, so that ISP's and other companies don't get to record which old files you access and when
This is bullshit. It's been proven to be bullshit. Creeps in the wires know where you are going. They see IP headers, SNI indications, public key identities and TLS session keys. They know size, timing and length of transfers.
This is sufficient information to deduce exactly what you are doing on a publicly accessible website with a high degree of accuracy regardless of encryption.
Legacy shouldn't hold us back (Score:2, Insightful)
Legacy shouldn't hold us back. That's a sure way to make sure you stop progressing. Old sites not working anymore because they're not really maintained is not a good reason to try and stop progress.
We should instead just make sure we move forward in a way that makes sense from a technological and convenience point of view.
Re:Legacy shouldn't hold us back (Score:5, Interesting)
Re:Legacy shouldn't hold us back (Score:5, Funny)
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
Just think of the lost opportunities!!
Why, with just 2 months and $200,000 we could start modernizing these "books" so that they use a proper 1px razor-thin font, a 20% contrast ratio, and nice 30% transparent pages. Another 4 months and $400k and we can upgrade them to require batteries and use AI to replace all those long paragraphs with summaries. And lastly, in just 1 year and a million dollars, we can add encryption, fingerprint readers, dynamic advertising, and pay-per-chapter so that only people with an active subscription or make use of the freemium model can read them!
Books-as-a-Service with nice modern UX, targeted advertising based on book genre, and microtransactions. Let's get started! Now, who will fund us?
Re: (Score:2)
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
That's fine, but not against what I was saying. Those books can exist without us holding back in our technology. And I'd argue they're still maintained, considering they're being kept in a building that's there for that very purpose. The building is surely not abandoned or kept clean on its own, to name a few things. The same goes for websites actually.
But you're missing the point, I'm not saying those things are bad. I'm saying we shouldn't hold progress back due to them. Books haven't stopped us fro
Re: (Score:3)
A browser will run whatever code it gets from the website. Or any code picked up on the way from the server to your browser if it's not encrypted.
If you access unencrypted wikipedia from your local Starbucks or library, pretty much anyone can play man-in-the-middle and inject javascript into your site. Good frameworks exist (e.g. BeEF) that make it really easy to do phishing (facebook login, work login, etc) and many other creative a
Re: (Score:3)
I'm sympathetic (Score:2)
But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.
These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.
The age where you could just set up a box in the closet, use it to serv
Re: (Score:3, Insightful)
In order to save the village, we had to destroy it.
Re: I'm sympathetic (Score:4, Insightful)
Your criticism of insecurity has little to do with security in an httpd. It can be easily expanded to demanding that all machines connected to the net 'have their papers in order.' China loves advocates like you.
Re: (Score:3)
If you don't have the time to go to letsencrypt.org, get a free cert, and tell Apache to use it, you shouldn't be running that server.
As for public servers, I agree.
As for servers accessible only within a home LAN, it's a bit more complicated. Let's Encrypt won't issue certificates for IP addresses within IP address blocks reserved for private internets (10/8, 172.16/12, or 192.168/16) or for DNS names within private TLDs (such as .local or .internal). Nor will any other CA that follows the CAB Forum's Baseline Requirements. A fully-qualified domain name is required, and a lot of householders with home networking appliances haven't alread
Re: (Score:3)
But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.
These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.
Actually using wordpress at all is irresponsible.
The age where you could just set up a box in the closet, use it to serve a page about your cat, and then forget about it is sadly long over. These days if you're not paying attention, installing updates and keeping up with what's going on with it you'll end up serving trojans, sending spam, or being a member of a botnet, if not something worse.
I bet if you serve static html pages and only allow http access from the net that box in the closet will never get hacked.
What has changed for the worse is the proliferation of complex systems designed by idiots for idiots. Wordpress is a great example of this. CVE databases littered with SQLi and XSS bugs as far as the eye can see year after agonizing year since the turn of the century. There are exactly zero excuses for the presence of these classes of vulnerabil
"social agreement not to break things"? (Score:2)
If a government doesn't want you to have (Score:2)
Your voice isn't worthy for Google to surface it in search results. Or if a corporation won't advertise. With Google if it accepts selected dis-approved certificate Authorities then all we need is anyone with cash to buy a certificate Authority and Google will give them a veto power over Internet content? QED!
No, but promotion != scare mongering (Score:3)
It's fine to prefer https when available, but there should be a way to say: this site really is intentionally https, and not have it flagged as having cooties.
Re: (Score:2)
If you have a web site that has only public data and a very wide audience, then you want people downstream to be able to share downloading using proxy caches
How can users of these caches be certain that these caches are not tampering with the documents that they store and retrieve?
Re: (Score:2)
I've seen that implemented in one project.
Re: (Score:2)
What kind of information is worth being transported but not worth being tampered with and worth being mentioned on Google? The mere fact of being able to be found on a search engine essentially means that the data is at least to someone important enough to look it up, so it is certainly worth being manipulated.
Re: (Score:2)
It's about having the freedom to maintain your own cache.
The metered link will still get hit once for each user who exercises the freedom to maintain his or her own cache.
Why should I waste metered bandwidth to re-download the same content that I may have already previously downloaded last month, week, or 3 minutes ago?
You wouldn't, because a properly architected website would set an Expires: header in the far future when the URL is a permanent link (one including the document's revision ID). This causes the client not to make another HTTPS request for the same URL so long as the response is not evicted from the client's cache. And even if a website deliberately misuses HTTP/HTTPS cache control to force reload
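The freshness rule the reply above relies on, as an added illustration that is not part of the thread: a client reuses a cached response for a permanent link without contacting the server for as long as the response is fresh, and an explicit `Cache-Control: max-age` takes precedence over `Expires` (RFC 7234 section 4.2.1). The sample responses and timestamps are constructed for the example, and the function names are this example's own.

```python
"""Simplified RFC 7234 freshness check: may a cached response be reused without
a new request? max-age beats Expires; no-store/no-cache force revalidation."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=600, no-transform' into {'max-age': '600', 'no-transform': None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _http_date(value: str) -> Optional[datetime]:
    """Parse an HTTP-date; None if unparseable. Naive results are taken as UTC."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def freshness_lifetime(headers: Dict[str, str], response_time: datetime) -> int:
    """Seconds the response may be served from cache without revalidation.
    0 means 'always revalidate': no-store/no-cache, a stale or invalid Expires,
    or no explicit freshness information (heuristic freshness is ignored here)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if cc.get("max-age") is not None and cc["max-age"].isdigit():
        return int(cc["max-age"])  # explicit max-age wins over Expires
    if "expires" in h:
        expires = _http_date(h["expires"])
        if expires is None:
            return 0  # an unparseable Expires (e.g. "0") means already expired
        date = _http_date(h["date"]) if "date" in h else None
        return max(0, int((expires - (date or response_time)).total_seconds()))
    return 0


def is_fresh(headers: Dict[str, str], response_time: datetime, now: datetime) -> bool:
    """True if a cache holding this response would NOT issue a new request at 'now'."""
    h = {k.lower(): v for k, v in headers.items()}
    age = (now - response_time).total_seconds() + int(h.get("age", "0"))
    return age < freshness_lifetime(headers, response_time)


# Constructed sample responses (not from any real site).
T0 = datetime(2018, 7, 2, 12, 0, 0, tzinfo=timezone.utc)
PERMALINK = {  # URL embeds the revision id, content never changes: far-future Expires
    "Date": "Mon, 02 Jul 2018 12:00:00 GMT",
    "Expires": "Sun, 02 Jul 2028 12:00:00 GMT",
    "Content-Type": "text/html",
}
MUTABLE = {  # the 'latest revision' URL must always be revalidated
    "Date": "Mon, 02 Jul 2018 12:00:00 GMT",
    "Cache-Control": "no-cache",
}

if __name__ == "__main__":
    for days in (7, 30):
        print(days, "days later, permalink fresh:", is_fresh(PERMALINK, T0, T0 + timedelta(days=days)))
    print("mutable URL fresh after 3 minutes:", is_fresh(MUTABLE, T0, T0 + timedelta(minutes=3)))
```

Note that the lifetime is computed from the response's own `Date` header, not from the client clock, so a server with a skewed clock cannot accidentally extend or shorten it.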
Start a private CA for your proxy (Score:2)
Try this:
1. Create a private certificate authority (CA) for your caching proxy. (If you're technical enough to operate a substantial proxy, you're probably technical enough to learn to use OpenSSL.)
2. Distribute this CA's root certificate to the users of your proxy to add to the trusted certificate store in each browser on each operating system on each device that each user uses.
3. For each website that a user of your proxy visits, automatically issue a certificate signed by your proxy's CA, and use that to
Re: (Score:2)
Re: (Score:3)
Malware no, employers yes.
Re: (Score:2)
If I have a data archive, and I want people to share it, I also want people to share an unadulterated version of my data archive. How long do you think wikipedia would be considered a credible source if it suddenly started to spew bullshit, curiously the bullshit some people want to inject into teaching and curiously in the areas where such bullshit is being peddled as reality?
http and all the data it transports can easily be manipulated in transit without you having any chance of even detecting that you re
Anti-competitive (Score:5, Interesting)
It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.
Re: (Score:3)
It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.
I'm as suspicious of google as the next guy but this is a huge pile of bullshit, frankly, because you're setting up one of the craziest oppositions I've seen which is:
Google want to monitor everything therefore we should let the government, the phone company and any other random yahoo do it.
Forcing HTTPs everywhere doesn't do anything to
The web is already broken (Score:2)
Plenty of people the world over cannot access large parts of the web because their governments censor it. That's the status quo. Creating technology that is privacy focused is key to making a web that really is open. In addition to thwarting less capable actors, it puts state actors in the awkward place of either having to embrace the tech, or be left vulnerable and outdated as the free world moves ahead.
Re: The web is already broken (Score:4, Insightful)
What browsers should do (Score:2)
Is allow the http site content to be displayed but not allow any scripts to run.
HTTPS makes for better ads (Score:2)
No other party can go looking at other ads to that secure user.
Ensures only approved ads get seen as approved ads are protected by HTTPS.
Ads sent by HTTPS are accepted by that user as they have to have HTTPS to see the site, use the service.
HTTPS is a secure lock but in the way ads are now locked into a site, service.
Trust a site for HTTPS and trust their HTTPS ads.
Security services and police, mil are not unhappy about VPN, HTTPS crypto use so thats not a ch
Re: (Score:3)
Wait ... so ... nobody being able to intercept, alter and manipulate data between sender and recipient except sender and recipient (who can easily use ad filters instead of relying on his ISP to filter what the ISP doesn't get paid to let pass, for example) is a BAD thing now?
Web is an open platform! Google must maintain it! (Score:2)
It's not like anyone else can code a web browser or a search engine right? Maybe even a special search engine just for old [archive.org] HTTP sites? As time goes by, old search results are likely to be less accurate and not be rendered properly in modern browsers. Might as well use a correct tool for the job, like you would use DOSBox instead of Windows 10 command prompt to run old games.
Misguided? In the time of fake news? (Score:2)
Quite frankly, there is more dangers to insecure connections than whether your data can be intercepted. How about you being fed false data? You connect to http://www.reputablenewssite.c... [reputablenewssite.com] only to get fed bogus information from your ISP that gets paid to "adjust" the news by someone.
Can't happen? 5 years ago I would've agreed. Today? I don't anymore.
Seriously, today more than ever, being able to actually verify that what you see is actually what you wanted to see is more important than ever.
HTTPS still useful (Score:3)
Though the author is right in that the public information itself requires no hiding, the information about my accessing a particular piece of information may be important...
And then there is the integrity aspect — without something like HTTPS, how do I know the data has not been tampered with in-flight?
Think Of The Children! (Score:3)
Externalities (Score:3)
This is really an argument about externalities, costs shoved off to society, instead of being paid for up front. There are costs to HTTPS, and a great deal of technical debt would be incurred in forcing older sites to deploy it. HTTPS is a set of trade offs, one of which involves centralizing trust (and thus the ability to censor) in the top level certification sites. Using HTTPS also prohibits the development of other options, any of which may actually be far superior, in other words, premature optimization.
There's no really good reason to force old web sites to change everything for your latest version of security kool-aid, and again in 6 months, and again in 6 months, ad hoc, ad nauseam. It won't actually do much good, and as stated above, does much harm by potentially removing history.
Grow up, kids.... HTTPS is like beta software... it's not done yet. Get back to me when it hasn't undergone a revision in at least 5 years.
Re: (Score:2)
And why are they called rockets when they are guided?
What makes you think they should be called something else? A rocket is basically anything that is self-propelled using a rocket engine. Some sources claim that a missile is always guided. However, many other sources that state that missiles can be guided or unguided, and given the prevalence of the term "guided missile", I tend to agree with the latter. Note also that a missile does not necessarily have to be rocket-powered, and that there's plenty of examples of the payload launched from a catapult, trebuc
Re:Misguided Like A Japanese Rocket Launch (Score:5, Informative)
Except that the rules for HTTPS have changed at least 3 or 4 times, and recently. First keys weren't long enough. Then SSL wasn't good enough. Then TLS 1.0 is broken.
Managing ssl.conf across a few dozen servers has taken a fair amount of man hours at my organization in the last couple years-- and we have configuration management tools.
And all of this is to protect the transmission of unrestricted, publicly accessible information.
Do we really need https to display wikipedia? To see today's headlines on CNN? To read slashdot? Does the wayback machine of publicly viewable web pages need to be encrypted during transmission?
A large percentage of the web doesn't need to be encrypted during transmission.
Re: (Score:3, Interesting)
To answer your questions: yes. It needs to be default. Users, civilians, need to know when a web page is sending info across a network that's unencrypted, e.g. as plain text. They don't know the implications.
It would be a wonderful world if key management was simple, and it can be. CASB apps make it simple.
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of
LE isn't easy for devices on home LAN (Score:5, Insightful)
Let's Encrypt is an easy method to get a cert and use it.
Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?
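An added illustration (not the commenters' code) of the two constraints raised in this post and in the earlier "I'm sympathetic" reply: a publicly trusted CA cannot validate a home-LAN name or a private address, and a subdomain under a dynamic-DNS provider shares that provider's rate-limit bucket unless the provider's domain is on the Public Suffix List. The suffix list, host names and the `.localhost` entry are constructed for the example; `.local` and `.internal` and the three RFC 1918 blocks are the ones the thread names.

```python
"""Which names can a Baseline-Requirements CA validate, and which registered domain
does a name count against for per-domain rate limiting?"""
import ipaddress
from typing import Optional, Set

# RFC 1918 blocks named in the thread; ipaddress also knows loopback/link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Not publicly resolvable, so control of the name cannot be demonstrated to a CA.
# '.local' and '.internal' come from the thread; 'localhost' is this example's addition.
NON_PUBLIC_TLDS = {"local", "internal", "localhost"}


def why_not_issuable(name: str) -> Optional[str]:
    """Reason a publicly trusted CA would refuse this subject name, or None if the
    name is at least of a form for which domain validation could succeed."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return "empty name"
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in PRIVATE_NETS) or ip.is_private or ip.is_loopback or ip.is_link_local:
            return f"{ip} is in a reserved/private address range"
        return f"{ip} is an IP literal; this check only covers DNS-validated names"
    labels = name.split(".")
    if labels and labels[0] == "*":  # wildcard: validate the base name
        labels = labels[1:]
    if len(labels) < 2:
        return f"'{name}' is not a fully qualified domain name"
    if labels[-1] in NON_PUBLIC_TLDS:
        return f"'.{labels[-1]}' is not a public TLD, so control of the name cannot be validated"
    if labels[-1].isdigit():
        return "top-level label cannot be numeric"
    for lbl in labels:
        if not lbl or len(lbl) > 63 or lbl.strip("-") != lbl or not lbl.replace("-", "").isalnum():
            return f"'{name}' contains an invalid DNS label"
    return None


def registered_domain(name: str, public_suffixes: Set[str]) -> Optional[str]:
    """Registrable domain = longest matching public suffix plus one label.
    Rate limits keyed on this value are shared by every name under it."""
    labels = name.strip().rstrip(".").lower().split(".")
    best = 1  # with no PSL match, the bare TLD is the suffix
    for i in range(1, len(labels)):
        if ".".join(labels[-i:]) in public_suffixes:
            best = i
    if best >= len(labels):
        return None  # the name is itself a public suffix
    return ".".join(labels[-(best + 1):])


# Constructed suffix list: 'dynexample.net' plays a dynamic-DNS provider that has
# added itself to the PSL; 'ddns-example.org' plays one that has not.
SAMPLE_PSL = {"com", "net", "org", "uk", "co.uk", "dynexample.net"}

if __name__ == "__main__":
    for n in ("192.168.1.1", "printer.local", "router", "nas.example.com"):
        print(f"{n:20} -> {why_not_issuable(n) or 'validation possible'}")
    for n in ("home.dynexample.net", "home.ddns-example.org"):
        print(f"{n:24} counts against {registered_domain(n, SAMPLE_PSL)}")
```

The second loop is the rate-limit point: `home.dynexample.net` gets its own bucket because its provider is on the list, while `home.ddns-example.org` shares one bucket with every other customer of that provider.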
Re:LE isn't easy for devices on home LAN (Score:5, Informative)
This use case seems to be often ignored by the "HTTPS Everywhere" folks, yet we all constantly have to deal with it. While HTTPS probably is a good thing for all of these devices, someone needs to seriously take a step back, and actually give two shits about the certificate management problem presented here, before forging ahead and making our lives more difficult.
Re: LE isn't easy for devices on home LAN (Score:5, Informative)
That's what a trusted internal root certificate is for. Add your organization (home) certificate signer to your root CA store.
What graphical OpenSSL frontend? (Score:3)
Add your organization (home) certificate signer to your root CA store.
I was under the impression that smartphone and smartphone-derived tablet operating systems made it difficult and/or annoying to add a root CA. How would you get the CA's root certificate onto a device in the first place if it can't read a flash drive? In addition, which graphical frontend to OpenSSL would less-technical users be using to operate this root CA, such as to issue a certificate before uploading it to the router or printer?
Re: (Score:3)
Add your organization (home) certificate signer to your root CA store.
I was under the impression that smartphone and smartphone-derived tablet operating systems made it difficult and/or annoying to add a root CA. How would you get the CA's root certificate onto a device in the first place if it can't read a flash drive? In addition, which graphical frontend to OpenSSL would less-technical users be using to operate this root CA, such as to issue a certificate before uploading it to the router or printer?
This is exactly what I did, and no I would not expect a less technical user to be able to do the same.
And yes, it's a pain to make this work with smartphone-type devices. While I can actually load the certs, the OS tends to throw up "your connection may be monitored" warnings when I do. It's also a process sufficiently involved that it's not going to be done on every device, and I wouldn't expect a less technical user to figure out this part either.
Re: (Score:3)
This area is where I'm hoping Google's move helps fix these flaws. Using custom certificates shouldn't be so damn hard, in some cases borderline impossible. If the predominant browser starts forcing https, I am hoping hw mfgrs will make this easier (both server side such as routers and vendor-lockin software, as well as client side such as Android and iOS smartphones).
Re:What graphical OpenSSL frontend? (Score:5, Interesting)
Let me turn that around for you. You use somebody's public Wi-Fi, and it asks you to click on something that installs a new root cert. If it is easy, the average person will do it without hesitation, at which point HTTPS is completely broken.
Sometimes, there are good reasons to make unusual things hard.
No, the right answer is for somebody to come up with a sensible standard for .local certificates in which they are accepted with SSH-like behavior — ask once, and never ask again (with no expiration), but accepted only for that specific hostname, never allowed to be treated as any sort of root cert, etc.
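The SSH-like behaviour this comment proposes, as an added example (my own design, not anything from the thread): a pin is created once for a `.local`-style name after the user confirms the fingerprint, never expires, binds exactly one hostname to one certificate, and can never vouch for any other name, so a pin is not a root certificate in disguise. The certificate values are placeholder byte strings standing in for DER, and `.home.arpa` in the suffix list is an assumption alongside the `.local` the comment names.

```python
"""Trust-on-first-use pin store for home-LAN hostnames (SSH known_hosts style)."""
import hashlib
import json
from typing import Callable, Dict, Optional

# Names no public CA can validate; '.local' is from the thread, '.home.arpa' assumed.
LOCAL_SUFFIXES = (".local", ".home.arpa")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole certificate: the value the user is asked to confirm once."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


def is_local_name(hostname: str) -> bool:
    return hostname.endswith(LOCAL_SUFFIXES)


class LocalPinStore:
    def __init__(self, pins: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(pins or {})

    def check(self, hostname: str, cert_der: bytes, confirm: Callable[[str, str], bool]) -> str:
        """Outcome for one connection attempt:
          NOT_APPLICABLE  public name: the normal CA path applies, never this store
          PINNED          first sighting, user confirmed the fingerprint, pin recorded
          REJECTED        first sighting, user declined
          ACCEPTED        same certificate as pinned for exactly this hostname
          MISMATCH        different certificate for a pinned name: fail closed, and
                          do not consult 'confirm' (no one-click override)"""
        hostname = hostname.strip().rstrip(".").lower()
        if not is_local_name(hostname):
            return "NOT_APPLICABLE"
        fp = fingerprint(cert_der)
        pinned = self.pins.get(hostname)
        if pinned is None:
            if confirm(hostname, fp):
                self.pins[hostname] = fp  # no expiry: the pin lives until removed by hand
                return "PINNED"
            return "REJECTED"
        return "ACCEPTED" if pinned == fp else "MISMATCH"

    def to_json(self) -> str:
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "LocalPinStore":
        return cls(json.loads(text))


# Constructed placeholder "certificates" (real ones would be DER-encoded X.509).
ROUTER_CERT_V1 = b"placeholder: router.local certificate, generation 1"
ROUTER_CERT_V2 = b"placeholder: router.local certificate, generation 2"

if __name__ == "__main__":
    store = LocalPinStore()
    always_yes = lambda host, fp: True
    print(store.check("router.local", ROUTER_CERT_V1, always_yes))   # PINNED
    print(store.check("router.local", ROUTER_CERT_V1, always_yes))   # ACCEPTED
    print(store.check("router.local", ROUTER_CERT_V2, always_yes))   # MISMATCH
    print(store.check("printer.local", ROUTER_CERT_V1, lambda h, f: False))  # REJECTED
```

The `MISMATCH` branch is the one that matters for the public-Wi-Fi scenario in the parent comment: once a name is pinned, a different certificate is refused without any prompt the user could click through by habit.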
Re: (Score:3)
The work-provided smartphones already have our internal CA. I completely agree that this is a fail for smartphones in general - fortunately chrome isn't the only browser on those, for now. I am hoping though that as the web moves more and more towards https, smartphones will improve their ability to add custom CAs to the root store.
As for less technical users operating a root CA, this too is a problem. Router mfgrs shouldn't be so cavalier about providing shitty certs, though. You've spent x$ on the blas
Certificate expires with warranty (Score:3)
You've spent x$ on the blasted thing, surely them providing a "consumerrouter.netgear.com" domain name (or whatever) with valid cert that is served off the router itself should be included with the purchase price
Which conveniently has a not valid after date 12 months after purchase, once the warranty expires. And now that you're putting the onus on device manufacturers, what cert should someone who builds a NAS out of a Raspberry Pi use?
Re: (Score:3, Insightful)
You are a fucking fool.
Re:Misguided Like A Japanese Rocket Launch (Score:4, Insightful)
Have a look at the CAs accepted by your browser. Do you actually trust each and every one of those entities to never issue a cert in error? Have you even heard of most of them?
Re:Misguided Like A Japanese Rocket Launch (Score:4, Insightful)
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this week's, largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.
Then you are already fucked. Period. There is nothing stopping the attacker from doing the exact same thing, but easier on your computer, all while being able to read the information in the decrypted form. That means the attacker is already in your network and can chain exploits until they own everything.
Not to mention - why the FUCK would I need HTTPS to view a page that has been sitting around since 1998, is static HTML, likely has no ads plastered all over its face, and contains information on something obscure and random that newer pages don't have anymore? There's no reason for encryption for these older pages. Ever. There is no login information, user credentials, or even scripts being executed. It's fucking HTML, if the browser manages to fuck it up enough to be an exploit maybe, just maybe we should be looking at securing the browser instead of the transfer at that point.
Re: (Score:3, Insightful)
Re: Misguided Like A Japanese Rocket Launch (Score:2)
Certainly are free through places like letsencrypt. Though they're only good for 3 months. If it takes your engineers more than an hour every 3 months to maintain the certs on all those domains, perhaps you need to find better engineers
If your engineers are manually renewing your certificates every 3 months then you also need to find better engineers. The whole reason let's encrypt uses short expiration dates is so that people will automate it. They could easily do a year or longer but then people get lazy and just manually do it.
Re: (Score:3)
"HTTPS doesn't require much at all"
But it is not without cost. It takes more power if nothing else.
I think the issue is why punish sites that do not use HTTPS if they have no reason to use HTTPS?
Why do I need to use HTTPS on a website I create that is totally public, offers no login/forums, and takes no payments? Maybe a site dedicated to building Control Line airplanes?
Re:Misguided Like A Japanese Rocket Launch (Score:5, Informative)
Why do I need to use HTTPS on a website I create that is totally public, offers no login/forums, and takes no payments? Maybe a site dedicated to building Control Line airplanes?
Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org"), not the path ("/comments.pl?sid=12295934&cid=56872990").
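As an added illustration of the hostname-versus-path point (not code from the thread), here is what a passive observer on the path can read from the first client message of each kind: the full request line, path and query included, from plaintext HTTP, but only the hostname, carried in the ClientHello's SNI extension, from HTTPS. The ClientHello is constructed in the code (zeroed random, two cipher suites, one empty extension before SNI), not captured traffic; the host and path are the ones quoted in the comment above, and the helper names are this example's own.

```python
"""Parse the request target an on-path observer can see: HTTP request line vs TLS SNI."""
import struct
from typing import Dict, Optional

RECORD_HANDSHAKE, MSG_CLIENT_HELLO = 0x16, 0x01
EXT_SERVER_NAME, NAME_TYPE_HOST = 0x0000, 0x00


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    other_ext = struct.pack("!HH", 0x0017, 0)  # extended_master_secret, empty body
    extensions = other_ext + sni_ext
    body = (b"\x03\x03" + bytes(32)                       # version, random (zeros: sample)
            + b"\x00"                                     # empty session id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([MSG_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Hostname from a ClientHello's server_name extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != MSG_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # compression methods
    if len(body) < pos + 2:
        return None                               # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_end, q = 2 + struct.unpack("!H", data[:2])[0], 2
        while q + 3 <= min(list_end, len(data)):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            hostname = data[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == NAME_TYPE_HOST and len(hostname) == nlen:
                return hostname.decode("ascii", errors="replace")
    return None


def what_observer_sees(wire: bytes) -> Dict[str, Optional[str]]:
    """Transport plus the hostname and path recoverable from one client message."""
    sni = extract_sni(wire)
    if sni is not None:
        return {"transport": "tls", "hostname": sni, "path": None}
    unknown = {"transport": "unknown", "hostname": None, "path": None}
    try:
        lines = wire.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return unknown
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return unknown
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return {"transport": "http", "hostname": host, "path": parts[1]}


# Constructed samples using the host and path quoted in the comment above.
PLAINTEXT_REQUEST = (b"GET /comments.pl?sid=12295934&cid=56872990 HTTP/1.1\r\n"
                     b"Host: tech.slashdot.org\r\n\r\n")
TLS_REQUEST = build_client_hello("tech.slashdot.org")

if __name__ == "__main__":
    print(what_observer_sees(PLAINTEXT_REQUEST))
    print(what_observer_sees(TLS_REQUEST))
```

Every length field is bounds-checked before use, which is the part that matters when the same parser runs on a network tap rather than on a packet you built yourself.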
Re: Misguided Like A Japanese Rocket Launch (Score:2)
Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org"), not the path ("/comments.pl?sid=12295934&cid=56872990").
Those two reasons are really both part of the same real reason: So google can reduce competition. Google wants to hamper other companies' ability to build interest profiles and sell advertising.
Thanks, I was wondering why google cared so much (Score:5, Interesting)
Re: (Score:2)
Out of curiosity in case what you say is true, is it possible for the ISP to receive an HTTPS request and return it within one piece of a frame with such a notification sitting in another piece of the frame?
Re:Misguided Like A Japanese Rocket Launch (Score:4, Informative)
Otherwise Comcast will insert JS into your site (Score:3, Informative)
Without a cert, how can your subscribers be certain that their ISP isn't tampering with the connection? Comcast has been caught injecting advertisement display scripts [gizmodo.com].
Re: (Score:3)
affecting all legit websites which don't actually need HTTPS
All web sites need HTTPS. Not to make sure the data transmitted is secret, but to make sure that the data that the web site transmits is the data the browser receives. Without that integrity assurance, someone with control of any node in the path between server and browser can modify the data stream to inject malware.
Re: (Score:2)
HTTPS doesn't require much at all.
Try running it on a $10 microcontroller.
Re: (Score:2)
Not different from how exposed you are anyway.
The end points are still known unless you go via a proxy, but that increases the latency.
Re: (Score:2)
Re: (Score:2)
I sort of forget that Google exists at all.
Last I checked, Microsoft didn't operate a video hosting service comparable to Google's YouTube. So what video hosting might a Google-free family use?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If the web is an open platform, then anyone is free to make any rules they want. And you are free not to follow them.
Re: (Score:2)
So, If some country is hellbent on injecting adverts into every http website; What would stop them from injecting adverts into every https session?
HTTPS?
I was at first going to (try to) be sarcastic and just post the above all on its own, but maybe there are those out there that don't actually know that the function of the HTTPS protocol is to prevent exactly that. HTTPS ensures that the browser can have confidence that it is talking to the correct web server on the other end, and that nothing on the network between the browser and the web server can see or alter the information as it goes across the network. In cases where someone tries to a
Re: (Score:2)
Umm... the way https works, probably?
But I'm pretty sure you can explain to us how to inject ads into an encrypted data stream. Better yet, save it and present it at the next Black Hat, I'm pretty sure you get a free ticket and a prime time speaker slot for only mentioning that you might have found a way.
Re: (Score:2)
Come again when you've learned how https works. https verifies and authenticates the sender, not the recipient.