Google: Websites using HTTPS will get better search rankings

http://www.net-security.org/secworld.php?id=17220

 

Might be useful to prevent malicious MitM/eavesdropping. But what about governments and ad trackers?

@Google Inc.
You're an antagonist. Quit trying to look like a protagonist. You don't fit well with it and it will fail. I've tried.

 

But Google does read all of your Gmail content ?

http://www.theverge.com/2014/8/7/5979609/google-is-nudging-us-towards-a-more-encrypted-web

 

It is not a bad idea in itself, but it will mean some additional costs for site owners that care about search rankings (a certificate and a dedicated IP address).

 

Throwing everything into HTTPS is overkill anyway. Secure connection should only be used when there's sensitive information involved. I don't see a point to use secure connection when reading random blog articles.

 

Nonsense, communications should always be secured, it doesn't matter what you're doing. Hence why discussions to create standards around an encrypted only internet make sense.

When you visit a website with encryption you are making a one-to-one transaction of data. If there's no encryption, it's a one-to-many transaction.

It's the difference between talking to someone and yelling at someone. You don't go up to a shop owner and yell at them "CAN I HAVE THIS NEWSPAPER PLEASE" so why do it when you read news online?

Another thing you could argue is data integrity. You wouldn't be too pleased if your magazine came through the post and the wrapping was broken/removed by someone. Encryption ensures that data is getting to you "wrapped" and untouched by intermediaries.

 

Sense.

 

Only one problem I can see with a massive shift over to HTTPS ... many a-v and a-m scanners (like my avast) which monitor web traffic are unable to handle encryption, so ignore it. Admittedly, if it's a file you're downloading, protection will kick back in once it's unencrypted for use.

One would assume that a preponderance of HTTPS on the web would generate considerable incentive for a-m and a-v operations to figure out how to add protection for the encrypted traffic.

 

There is no way to offer protection to the encrypted traffic other than perform a man-in-the-middle "attack" on your traffic in order to decrypt it. And that is not something I'm looking forward to...

 

There are a number of ways to approach the "inspect/block encrypted traffic" problem, such as:

1) MITM the SSL/TLS connections via CA cert. Which, notably, moves destination site cert verification out of the application (browser) and into a proxy that may or may not perform verification as well as the application would.
2) Application extension which can directly or indirectly perform antimalware checks on the cleartext
3) Explicit invocation, where an application uses an API to initiate antimalware checks on cleartext
4) Implicit invocation, where an application writes cleartext to disk and then reads it back before final processing in order to allow for antimalware checks.

I suspect that most of us have run into these at one point or another.

 

Bing: no plans to offer search boost for encrypted websites

http://www.welivesecurity.com/2014/10/06/bing-plans-offer-search-boost-encrypted-websites/

 

Mozilla wants to deprecate HTTP sites to force move to secure web

http://www.zdnet.com/article/mozilla-wants-to-deprecate-http-sites-to-force-move-to-secure-web/

 

Let's Encrypt better work!...

 

It will work when Microsoft or Google will adopt it. Nobody will move a finger for Mozilla.

 

I hope this will never happen. HTTPS is pointless for a big part of web sites.

 

If getting certificates would become cheaper, I don't see a reason why everything shouldn't be encrytped.

 

Extra overhead for basically info that should be public in the first place. Also, the implementation is far from perfect atm.

 

According to EFF overhead is minimal: https://www.eff.org/https-everywher...te-to-support-HTTPS-compared-to-regular-HTTP?
Info that is public remains public even if delivered through https.

 

I can see some reasons:
1. Cheaper is not free. Why would I pay for a certificate if I want the information I provide on my site to be public?
2. Why would I give detailed personal information to a certificate authority in order to get a certificate I don't need?
3. HTTPS makes traffic scanning harder (both manually with a tool like Wireshark/Fiddler or with specialized software like an AV), because it will require a MITM "attack" to decrypt it. In doing so, you lose the information provided by the original certificate, thus lowering your security.
4. If you need to use a filtering proxy on HTTP, you also need the proxy to decrypt the traffic first, with the same consequences as (3).

 

@Nebulus
That are some good reasons. I don't know though why public information shouldn't be encryted in transit? By enabling encryption you can protect your users from different kind of MITM attacks. Is it worth? I don't know, in my opinion it is.

 

Increased encryption a double-edged sword

http://www.cio.com/article/2917586/encryption/increased-encryption-a-double-edged-sword.html

 

Agreed. Also, if they do succeed in making this a standard, I expect certificates will get more expensive, not cheaper.

 

That's not how the market works. I assume you're trying to imply that an increased demand will mean an increase in price. Certificates are not physical goods, there's not going to be a shortage of them. The increased demand will increase the amount of companies trying to sell them which will drop prices to record lows.

 

I understand that. However, and hoping not to get too far off topic, when the law started requiring me to buy car insurance, my rates quadrupled. When it required me to buy healthcare insurance, my rates tripled. Those are not physical goods either. When you are stuck in a situation where you have little to no choice but to buy something, people take advantage.