1. 11
  1.  

  2. 6

    The word secure is somewhat meaningless without enough context. Also, HTTPS doesn’t immediately translate to secure and adding “not secure” to the url bar doesn’t achieve much either. AFAIR chrome still mistreats the “target = _blank” property…

    1. 15

      This is a common argument that I never understood the utility of. HTTPS is table stakes of online security, as there’s no security to be had if anyone on the network path can modify the origin contents.

      There’s plenty of actual research and roadmaps on indicators like Not Secure, and the eventual goal is indeed to mark the insecure option Not Secure instead of marking HTTPS as Secure. The web is a complex slow moving beast, but this is exactly a step in that direction!

      Anyway, if there’s one thing experience showed us is that trying to convey “context” on the security status of a TLS connection to users is a losing proposition.

      1. 4

        There’s plenty of actual research and roadmaps on indicators like Not Secure, and the eventual goal is indeed to mark the insecure option Not Secure instead of marking HTTPS as Secure. The web is a complex slow moving beast, but this is exactly a step in that direction!

        Not that I don’t believe you, but mind pointing me at this research?

        Anyway, if there’s one thing experience showed us is that trying to convey “context” on the security status of a TLS connection to users is a losing proposition.

        This is exactly my concern, it seems that sprinkling “security” hints to non-technical users usually leads to them making the wrong assumptions.

        1. 1

          I am focusing on a specific point in your post

          there’s no security to be had if anyone on the network path can modify the origin contents.

          This can be addressed by adding signatures rather than encrypting the whole page. There are useful applications such as page caching especially in low bandwidth situations which are defeated by encryption everywhere.

      2. 3

        Interesting to see some backlash over this, Dave Winer’s objections have caught my eye in particular.

        On the one hand I’m not sure google should be punishing sites for being http only.

        On the other hand, what is the open web if your ISP can inject ads into a page where there are none?

        1. 2

          I didn’t see a link to Winer’s objection in the linked article. Do you have a reference?

            1. 4

              He sounds a bit, well

              HTTPS is going to burn huge portions of the open web

              His entire shtick seems to be that he thinks HTTPS is a conspiracy by Google to control the web, somehow.

              1. 3

                He seems to be confounding Google’s motives, which in fairness are probably not altruistic, with the technology itself which is obviously pretty sound.

                1. 2

                  I’ve literally never seen so much FUD in my life. He must have some fundamental misconception about how HTTPS works. I just don’t see how he could be arguing these points otherwise.

                  I mean, I would be mad if Google really was doing what he thinks they’re doing. But they’re not. He’s also totally missing (ignoring?) the fact that Mozilla is also taking steps matching Google’s.

                  1. 4

                    I hate to say it because I have a lot of respect for his work, but I think basically he’s got a lot of domains and can’t be bothered converting them. I totally get the objections against the way Google are approaching this, but going after https itself is dumb.

                    Why would you think it’s a bad thing that you can guarantee that the site you are viewing has not been tampered with?

                    I’ve seen him call out Mozilla too in fairness.

                    1. 1

                      Meh. Honestly I have no issues with the way Google is approaching this. They (and Mozilla) give plenty of time before making even the tiniest changes, and in the end really all they’re doing is changing the UI to reflect reality.

                      And without them doing that, people exactly like Winer just wouldn’t care.

                    2. 3

                      I’m skimming through, trying to understand it, and he never really states an objection anywhere that I can see. I am familiar with several reasonable objections to the concentration of power created by the CA system and to the burden it imposes on content creators; I just don’t see Winer actually expressing any of them.

                2. 1

                  On the other hand, what is the open web if your ISP can inject ads into a page where there are none?

                  May be this is better served by adding signatures to the basic HTTP rather than forcing HTTPS everywhere?

                  1. 2

                    Wouldn’t that involve the same trust infrastructure but without actually encrypting the traffic?

                    1. 4

                      Not completely. The benefit is that intermediaries can cache it if required, and clients can verify the signature only when needed. With the forcing of HTTPS everywhere, a lot of caching infrastructure that existed previously has become useless without any alternatives. These are especially important in low bandwidth countries or communities relying on low bandwidth gateways.