Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Security

Is Google's Promotion of HTTPS Misguided? (this.how) 435

Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes: A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....

If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.

"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
  • The web is an open platform, not a corporate platform.
  • It is defined by its stability. 25-plus years and it's still going strong.
  • Google is a guest on the web, as we all are. Guests don't make the rules.

"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."


This discussion has been archived. No new comments can be posted.

Is Google's Promotion of HTTPS Misguided?

Comments Filter:
  • Pointless worry (Score:5, Insightful)

    by Gavagai80 ( 1275204 ) on Saturday June 30, 2018 @08:41PM (#56872810) Homepage

    Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.

    • Re:Pointless worry (Score:5, Insightful)

      by Anonymous Coward on Saturday June 30, 2018 @09:08PM (#56872902)

      And you missed the point. It's not that chrome won't load HTTP sites-- it's that you won't be able to find them on google search. Instead you'll get redirected to 30 different versions of the same site promising a weird trick to fix your problem, all behind paywalls.

      It's a nice way to divide the internet into "have" and "have nots". If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).

      • Re:Pointless worry (Score:5, Insightful)

        by jrumney ( 197329 ) on Saturday June 30, 2018 @09:35PM (#56872984)

        If you can't afford a real, signed certificate, you can't get your message out

        Real signed certificates are affordable to anyone with $0 in their pocket. It isn't really a hurdle at all.

      • by Nkwe ( 604125 )

        If you can't afford a real, signed certificate, you can't get your message out-- because no one will ever find it (Yes, letsencrypt exists, but it requires a certain level of expertise the average blogger just doesn't have).

        If you can't handle managing a web server with a free let's encrypt certificate, you probably can't really handle hosting your own content period (with or without a certificate.) For these folks (there are a lot and it's no shame), there are hosting companies and services that host stuff for you. Search engines will index blog hosting services just fine. The message will get out.

      • by rtb61 ( 674572 )

        Close but you missed. Why does Google want https to dominate over http, simply because it get's in first. It knows what is at the https site and it knows you and it knows you have accessed that site and it can track subsequent interactions. So https disadvantages many of it's competitors, cuts them off from that information , so not about digging further into your privacy they have already dug as deeply as they can and we are filling that hole back up again as quickly as we can taking into account high leve

        • Why does Google want https to dominate over http,Why does Google want https to dominate over http,

          Because it's much more difficult to set up a proxy to "manage" interaction with https sites. They don't want people using proxies to block ads.

    • Re: (Score:2, Interesting)

      by methano ( 519830 )
      For me, this is about GoDaddy calling up every 6 months and trying to get me to double my hosting budget by buying some kind of goofy certificate. "If you don't buy the $120 dollar certificate from us, Google will tell everybody you're a bad person".

      Screw'em!
  • Not a risk? (Score:3, Insightful)

    by yarbo ( 626329 ) on Saturday June 30, 2018 @08:45PM (#56872820)
    Downloading executable files, downloading risky file extensions (doc, pdf), and downloading any document where integrity matters means that http is a risk. If someone downloads some old games from an HTTP archive, malware could be added. If someone downloads some PDFs with an outdated reader, there could be malware. If someone downloads some forms they're going to fill out later, changing the location they're supposed to be emailed/faxed/whatever means someone could give out PII or financial information. If someone is reading old news stories, changing the content of those stories to suit an attackers narrative could be very valuable. Just because the author can't imagine the security implications, doesn't mean organized crime, bored hackers, or nation state actors aren't thinking about it.
    • Re:Not a risk? (Score:5, Insightful)

      by Anonymous Coward on Saturday June 30, 2018 @08:50PM (#56872852)

      ... HTTPS does not prevent malware.

      It securly transmits the malware.

    • How would moving the transport of altered files over to https address any of the issues you list?

      • Re:Not a risk? (Score:4, Insightful)

        by Nemyst ( 1383049 ) on Saturday June 30, 2018 @09:18PM (#56872924) Homepage
        HTTP allows those changes to occur through MITM-type attacks, whereas HTTPS requires the client or server to be compromised. Considering the number of governments with the means and interests to perform MITM attacks, I'd say it's an absolutely valid concern.
        • by 31eq ( 29480 )

          HTTP allows a MITM to run a virus scan and block malicious content. Arguments against HTTP assume ISPs are less trustworthy than random website owners. Which may be true in general, but that doesn't mean it needs to be fixed at the protocol level.

          If we're talking protocols, though, secure content that's visible to a MITM but authenticated client-side (signed but not encrypted) is certainly possible. It would allow ISPs to run virus checkers (so viruses can't hide behind a Google certificate, by coming fr

    • by AHuxley ( 892839 )
      Man-in-the-middle is now the trusted HTTPS site. That HTTPS archive is the middle. Between malware creation and the trusting user.
    • MITM actors ordered by probability/posibility 1. Your employer 2. ISPs 2. Your cell phone administrators Google, Apple, etc 4. The state 5. Big business 6. Hax0rs for fun and profit
  • by misnohmer ( 1636461 ) on Saturday June 30, 2018 @08:47PM (#56872834)

    It's meant to secure the web. Two reasons:
    1. Privacy, so that ISP's and other companies don't get to record which old files you access and when
    2. So that a guy who sits next to you in a coffee shop with an infected laptop doesn't get to do a man-in-the middle attack when you go to access your old favorite version of minesweeper, and infect you

    What would Google have to gain from pushing the web to https?

  • Legacy shouldn't hold us back. That's a sure way to make sure you stop progressing. Old sites not working anymore because they're not really maintained is not a good reason to try and stop progress.

    We should instead just make sure we move forward in a way that makes sense from a technological and convenience point of view.

    • by DutchUncle ( 826473 ) on Saturday June 30, 2018 @08:56PM (#56872860)
      You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
      • by nmb3000 ( 741169 ) on Saturday June 30, 2018 @10:22PM (#56873082) Journal

        You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.

        Just think of the lost opportunities!!

        Why, with just 2 months and $200,000 we could start modernizing these "books" so that they use a proper 1px razor-thin font, a 20% contrast ratio, and nice 30% transparent pages. Another 4 months and $400k and we can upgrade them to require batteries and use AI to replace all those long paragraphs with summaries. And lastly, in just 1 year and a million dollars, we can add encryption, fingerprint readers, dynamic advertising, and pay-per-chapter so that only people with an active subscription or make use of the freemium model can read them!

        Books-as-a-Service with nice modern UX, targeted advertising based on book genre, and microtransactions. Let's get started! Now, who will fund us?

      • You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.

        That's fine, but not against what I was saying. Those books can exist without us holding back in our technology. And I'd argue they're still maintained, considering they're being kept in a building that's there for that very purpose. The building is surely not abandoned or kept clean on its own, to name a few things. The same goes for websites actually.

        But you're missing the point, I'm not saying those things are bad. I'm saying we shouldn't hold progress back due to them. Books haven't stopped us fro

      • by fuzzyf ( 1129635 )
        Yes. But the book doesn't run code on your end. It's actually just text.
        A browser will run whatever code it gets from the website.Or any code picket up on the way from the server to your browser if it's not encrypted.

        If you access unencrypted wikipedia from your local Starbucks or library, pretty much anyone can play man-in-the-middle and inject javascript into your site. Good frameworks exists (ex. BeeF) that makes it really easy to do phishing (facebook login, work login, etc) and many other creative a
  • But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.

    These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.

    The age where you could just set up a box in the closet, use it to serv

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      In order to save the village, we had to destroy it.

    • by Bing Tsher E ( 943915 ) on Saturday June 30, 2018 @09:10PM (#56872910) Journal

      Your criticism of insecurity has little to do with security in an httpd. It can be easily expanded to demanding that all machines connected to the net 'have their papers in order.' China loves advocates like you.

    • by tepples ( 727027 )

      If you don't have the time to go to letsencrypt.org, get a free cert, and tell Apache to use it, you shouldn't be running that server.

      As for public servers, I agree.

      As for servers accessible only within a home LAN, it's a bit more complicated. Let's Encrypt won't issue certificates for IP addresses within IP address blocks reserved for private internets (10/8, 172.16/12, or 192.168/16) or for DNS names within private TLDs (such as .local or .internal). Nor will any other CA that follows the CAB Forum's Baseline Requirements. A fully-qualified domain name is required, and a lot of householders with home networking appliances haven't alread

    • But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.

      These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.

      Actually using wordpress at all is irresponsible.

      The age where you could just set up a box in the closet, use it to serve a page about your cat, and then forget about it is sadly long over. These days if you're not paying attention, installing updates and keeping up with what's going on with it you'll end up serving trojans, sending spam, or being a member of a botnet, if not something worse.

      I bet if you serve static html pages and only allow http access from the net that box in the closet will never get hacked.

      What has changed for the worse is proliferation of complex systems designed by idiots for idiots. Wordpress is a great example of this. CVE databases littered with SQLi and XSS bug as far as the eye can see year after agonizing year since turn of the century. There are exactly zero excuses for the presence of these classes of vulnerabil

  • How's that been doing recently? Especially with the current US administration?
  • Your voice isnâ(TM)t worthy for Google to surface it in search results. Or if a corporation wonâ(TM)t advertize. With Google if it accepts selected dis-approved certificate Authorities then all we need is anyone with cash to buy a certicate Authority and Google will give them a veto power over Internet content? QED!

  • If you have a web site that has only public data and a very wide audience, then you want people downstream to be able to share downloading using proxy caches, which is good for everyone, the source servers and their networks, organizations where the data is popular save on bandwidth also. Labelling http as always bad is ... well villifying what in certain cases is the best option... well that sucks.

    It's fine to prefer https when available, but there should be a way to say: this site really is intentionally https, and not have it flagged as having cooties.

    • by tepples ( 727027 )

      If you have a web site that has only public data and a very wide audience, then you want people downstream to be able to share downloading using proxy caches

      How can users of these caches be certain that these caches are not tampering with the documents that they store and retrieve?

      • I agree, they can't so don't use it for anything where such tampering is likely to be valuable. but satellite imagery, weather radar scans, public domain movies, if there is little value in tampering with it, and it is available from other sources anyways, then there is little harm. Also, you could have a secondary channel, which is SSL secured, and pass data checksums over that other channel, while keeping the data channel in the clear.

        I've seen that implemented in one project.

        • What kind of information is worth being transported but not worth being tampered with and worth being mentioned on Google? The mere fact of being able to be found on a search engine essentially means that the data is at least to someone important enough to look it up, so it is certainly worth being manipulated.

    • Try this:

      1. Create a private certificate authority (CA) for your caching proxy. (If you're technical enough to operate a substantial proxy, you're probably technical enough to learn to use OpenSSL.)
      2. Distribute this CA's root certificate to the users of your proxy to add to the trusted certificate store in each browser on each operating system on each device that each user uses.
      3. For each website that a user of your proxy visits, automatically issue a certificate signed by your proxy's CA, and use that to

    • If I have a data archive, and I want people to share it, I also want people to share an unadulterated version of my data archive. How long do you think wikipedia would be considered a credible source if it suddenly started to spew bullshit, curiously the bullshit some people want to inject into teaching and curiously in the areas where such bullshit is being peddled as reality?

      http and all the data it transports can easily be manipulated in transit without you having any chance of even detecting that you re

  • Anti-competive (Score:5, Interesting)

    by BradMajors ( 995624 ) on Saturday June 30, 2018 @10:27PM (#56873094)

    It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.

    • It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.

      I'm as suspicious of google as the next guy but this is a huge pile of bullshit, frankly, because you're setting up one of the craziest oppositions I've seen which is:

      Google want to monitor everything therefore we should let the government, the phone company and any other random yahoo do it.

      Forcing HTTPs everywhere doesn't do anything to

  • Plenty of people the world over cannot access large parts of the web because their governments censor it. That's the status quo. Creating technology that is privacy focused is key to making a web that really is open. In addition to thwarting less capable actors, it puts state actors in the awkward place of either having to embrace the tech, or be left vulnerable and outdated as the free world moves ahead.

  • Is allow the http site content to be displayed but not allow any scripts to run.

  • Keeps the ads safe down to your computer.
    No other party can go looking at other ads to that secure user.
    Ensures only approved ads get seen as approved ads are protected by HTTPS.
    Ads sent by HTTPS are accepted by that user as they have to have HTTPS to see the site, use the service.
    HTTPS is a secure lock but in the way ads are now locked into a site, service.
    Trust a site for HTTPS and trust their HTTPS ads.
    Security services and police, mil are not unhappy about VPN, HTTPS crypto use so thats not a ch
    • Wait ... so ... nobody being able to intercept, alter and manipulate data between sender and recipient except sender and recipient (who can easily use ad filters instead of relying on his ISP to filter what the ISP doesn't get paid to let pass, for example) is a BAD thing now?

  • It's not like anyone else can code a web browser or a search engine right? Maybe even a special search engine just for old [archive.org] HTTP sites? As time goes by, old search results are likely to be less accurate and not be rendered properly in modern browsers. Might as well use a correct tool for the job, like you would use DOSBox instead of Windows 10 command prompt to run old games.

  • Quite frankly, there is more dangers to insecure connections than whether your data can be intercepted. How about you being fed false data? You connect to http://www.reputablenewssite.c... [reputablenewssite.com] only to get fed bogus information from your ISP that gets paid to "adjust" the news by someone.

    Can't happen? 5 years ago I would've agreed. Today? I don't anymore.

    Seriously, today more than ever, being able to actually verify that what you see is actually what you wanted to see is more important than ever.

  • "so the 'risks' of not using HTTPS are irrelevant."

    Though the author is right in that the public information itself requires no hiding, the information about my am accessing a particular piece of information may be important...

    And then there is the integrity aspect — without something like HTTPS, how do I know,the data has not been tampered with in-flight?

  • by kackle ( 910159 ) on Sunday July 01, 2018 @11:33AM (#56875050)
    Think of the children's...energy prices. All that unnecessary encrypting costs electricity, times billions of pages per day.
  • by ka9dgx ( 72702 ) on Sunday July 01, 2018 @03:10PM (#56875834) Homepage Journal

    This is really an argument about externalities, costs shoved off to society, instead of being paid for up front. There are costs to HTTPS, and a great deal of technical debt would be incurred in forcing older sites to deploy it. HTTPS is a set of trade offs, one of which involves centralizing trust (and thus the ability to censor) in the top level certification sites. Using HTTPS also prohibits the development of other options, any of which may actually be far superior, in other words, premature optimization.

    There's no really good reason to force old web sites to change everything for your latest version of security kool-aid, and again in 6 months, and again in 6 months, ad hoc, ad nauseum. It won't actually do much good, and as stated above, does much harm by potentially removing history.

    Grow up, kids.... HTTPS is like beta software... it's not done yet. Get back to me in when it hasn't undergone a revision in at least 5 years.

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...