The word secure is somewhat meaningless without enough context. Also, HTTPS doesn’t immediately translate to secure and adding “not secure” to the url bar doesn’t achieve much either. AFAIR chrome still mistreats the “target = _blank” property…
This is a common argument that I never understood the utility of. HTTPS is table stakes of online security, as there’s no security to be had if anyone on the network path can modify the origin contents.
There’s plenty of actual research and roadmaps on indicators like Not Secure, and the eventual goal is indeed to mark the insecure option Not Secure instead of marking HTTPS as Secure. The web is a complex slow moving beast, but this is exactly a step in that direction!
Anyway, if there’s one thing experience showed us is that trying to convey “context” on the security status of a TLS connection to users is a losing proposition.
There’s plenty of actual research and roadmaps on indicators like Not Secure, and the eventual goal is indeed to mark the insecure option Not Secure instead of marking HTTPS as Secure. The web is a complex slow moving beast, but this is exactly a step in that direction!
Not that I don’t believe you, but mind pointing me at this research?
Anyway, if there’s one thing experience showed us is that trying to convey “context” on the security status of a TLS connection to users is a losing proposition.
This is exactly my concern, it seems that sprinkling “security” hints to non-technical users usually leads to them making the wrong assumptions.
there’s no security to be had if anyone on the network path can modify the origin contents.
This can be addressed by adding signatures rather than encrypting the whole page.
There are useful applications such as page caching especially in low bandwidth situations which are defeated by encryption everywhere.
He seems to be confounding Google’s motives, which in fairness are probably not altruistic, with the technology itself which is obviously pretty sound.
I’ve literally never seen so much FUD in my life. He must have some fundamental misconception about how HTTPS works. I just don’t see how he could be arguing these points otherwise.
I mean, I would be mad if Google really was doing what he thinks they’re doing. But they’re not. He’s also totally missing (ignoring?) the fact that Mozilla is also taking steps matching Google’s.
I hate to say it because I have a lot of respect for his work, but I think basically he’s got a lot of domains and can’t be bothered converting them. I totally get the objections against the way Google are approaching this, but going after https itself is dumb.
Why would you think it’s a bad thing that you can guarantee that the site you are viewing has not been tampered with?
Meh. Honestly I have no issues with the way Google is approaching this. They (and Mozilla) give plenty of time before making even the tiniest changes, and in the end really all they’re doing is changing the UI to reflect reality.
And without them doing that, people exactly like Winer just wouldn’t care.
I’m skimming through, trying to understand it, and he never really states an objection anywhere that I can see. I am familiar with several reasonable objections to the concentration of power created by the CA system and to the burden it imposes on content creators; I just don’t see Winer actually expressing any of them.
Not completely. The benefit is that intermediaries can cache it if required, and clients can verify the signature only when needed. With the forcing of HTTPS everywhere, a lot of caching infrastructure that existed previously has become useless without any alternatives. These are especially important in low bandwidth countries or communities relying on low bandwidth gateways.
The word secure is somewhat meaningless without enough context. Also, HTTPS doesn’t immediately translate to secure and adding “not secure” to the url bar doesn’t achieve much either. AFAIR chrome still mistreats the “target = _blank” property…
This is a common argument that I never understood the utility of. HTTPS is table stakes of online security, as there’s no security to be had if anyone on the network path can modify the origin contents.
There’s plenty of actual research and roadmaps on indicators like Not Secure, and the eventual goal is indeed to mark the insecure option Not Secure instead of marking HTTPS as Secure. The web is a complex slow moving beast, but this is exactly a step in that direction!
Anyway, if there’s one thing experience showed us is that trying to convey “context” on the security status of a TLS connection to users is a losing proposition.
Not that I don’t believe you, but mind pointing me at this research?
This is exactly my concern, it seems that sprinkling “security” hints to non-technical users usually leads to them making the wrong assumptions.
I am focusing on a specific point in your post
This can be addressed by adding signatures rather than encrypting the whole page. There are useful applications such as page caching especially in low bandwidth situations which are defeated by encryption everywhere.
Interesting to see some backlash over this, Dave Winer’s objections have caught my eye in particular.
On the one hand I’m not sure google should be punishing sites for being http only.
On the other hand, what is the open web if your ISP can inject ads into a page where there are none?
I didn’t see a link to Winer’s objection in the linked article. Do you have a reference?
It’s all over his Twitter https://twitter.com/davewiner
This is quite recent http://scripting.com/2018/02/08.html
Somewhat older http://scripting.com/liveblog/users/davewiner/2015/12/18/0667.html
EDIT speak of the devil: http://scripting.com/2018/02/09/131842.html
He sounds a bit, well…
His entire shtick seems to be that he thinks HTTPS is a conspiracy by Google to control the web, somehow.
He seems to be confounding Google’s motives, which in fairness are probably not altruistic, with the technology itself which is obviously pretty sound.
I’ve literally never seen so much FUD in my life. He must have some fundamental misconception about how HTTPS works. I just don’t see how he could be arguing these points otherwise.
I mean, I would be mad if Google really was doing what he thinks they’re doing. But they’re not. He’s also totally missing (ignoring?) the fact that Mozilla is also taking steps matching Google’s.
I hate to say it because I have a lot of respect for his work, but I think basically he’s got a lot of domains and can’t be bothered converting them. I totally get the objections against the way Google are approaching this, but going after https itself is dumb.
Why would you think it’s a bad thing that you can guarantee that the site you are viewing has not been tampered with?
I’ve seen him call out Mozilla too in fairness.
Meh. Honestly I have no issues with the way Google is approaching this. They (and Mozilla) give plenty of time before making even the tiniest changes, and in the end really all they’re doing is changing the UI to reflect reality.
And without them doing that, people exactly like Winer just wouldn’t care.
I’m skimming through, trying to understand it, and he never really states an objection anywhere that I can see. I am familiar with several reasonable objections to the concentration of power created by the CA system and to the burden it imposes on content creators; I just don’t see Winer actually expressing any of them.
Huge pile o’ permalinks for those who find this story in the future, in rough reverse chronological order:
https://twitter.com/davewiner/status/961789184737456128
https://twitter.com/brettglass/status/961822736317235201
https://twitter.com/davewiner/status/961822405915164678
https://twitter.com/satxsam/status/961803767531364352
https://twitter.com/davewiner/status/961799576809345024
https://twitter.com/davewiner/status/961616717309992961
https://twitter.com/clintsharp/status/961677748031795201
https://twitter.com/davewiner/status/961599619074547717
https://twitter.com/davewiner/status/961546591852253184
https://twitter.com/davewiner/status/961943163672940545
Tweets not from @davewiner were retweeted by him.
May be this is better served by adding signatures to the basic HTTP rather than forcing HTTPS everywhere?
Wouldn’t that involve the same trust infrastructure but without actually encrypting the traffic?
Not completely. The benefit is that intermediaries can cache it if required, and clients can verify the signature only when needed. With the forcing of HTTPS everywhere, a lot of caching infrastructure that existed previously has become useless without any alternatives. These are especially important in low bandwidth countries or communities relying on low bandwidth gateways.