Google: Websites using HTTPS will get better search rankings

Discussion in 'other security issues & news' started by Minimalist, Aug 7, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
  2. guest

    guest Guest

    Might be useful to prevent malicious MitM/eavesdropping. But what about governments and ad trackers?

    @Google Inc.
    You're an antagonist. Quit trying to look like a protagonist. You don't fit well with it and it will fail. I've tried.
     
    Last edited by a moderator: Aug 8, 2014
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    It is not a bad idea in itself, but it will mean some additional costs for site owners that care about search rankings (a certificate and a dedicated IP address).
     
  5. guest

    guest Guest

    Throwing everything into HTTPS is overkill anyway. Secure connection should only be used when there's sensitive information involved. I don't see a point to use secure connection when reading random blog articles.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Nonsense, communications should always be secured, it doesn't matter what you're doing. Hence why discussions to create standards around an encrypted only internet make sense.

    When you visit a website with encryption you are making a one-to-one transaction of data. If there's no encryption, it's a one-to-many transaction.

    It's the difference between talking to someone and yelling at someone. You don't go up to a shop owner and yell at them "CAN I HAVE THIS NEWSPAPER PLEASE" so why do it when you read news online?

    Another thing you could argue is data integrity. You wouldn't be too pleased if your magazine came through the post and the wrapping was broken/removed by someone. Encryption ensures that data is getting to you "wrapped" and untouched by intermediaries.
     
  7. guest

    guest Guest

    Sense.
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Only one problem I can see with a massive shift over to HTTPS ... many a-v and a-m scanners (like my avast) which monitor web traffic are unable to handle encryption, so ignore it. Admittedly, if it's a file you're downloading, protection will kick back in once it's unencrypted for use.

    One would assume that a preponderance of HTTPS on the web would generate considerable incentive for a-m and a-v operations to figure out how to add protection for the encrypted traffic.
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    There is no way to offer protection to the encrypted traffic other than perform a man-in-the-middle "attack" on your traffic in order to decrypt it. And that is not something I'm looking forward to...
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    There are a number of ways to approach the "inspect/block encrypted traffic" problem, such as:

    1) MITM the SSL/TLS connections via CA cert. Which, notably, moves destination site cert verification out of the application (browser) and into a proxy that may or may not perform verification as well as the application would.
    2) Application extension which can directly or indirectly perform antimalware checks on the cleartext
    3) Explicit invocation, where an application uses an API to initiate antimalware checks on cleartext
    4) Implicit invocation, where an application writes cleartext to disk and then reads it back before final processing in order to allow for antimalware checks.

    I suspect that most of us have run into these at one point or another.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Let's Encrypt better work!...
     
  15. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    It will work when Microsoft or Google will adopt it. Nobody will move a finger for Mozilla.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I hope this will never happen. HTTPS is pointless for a big part of web sites.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    If getting certificates would become cheaper, I don't see a reason why everything shouldn't be encrytped.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Extra overhead for basically info that should be public in the first place. Also, the implementation is far from perfect atm.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I can see some reasons:
    1. Cheaper is not free. Why would I pay for a certificate if I want the information I provide on my site to be public?
    2. Why would I give detailed personal information to a certificate authority in order to get a certificate I don't need?
    3. HTTPS makes traffic scanning harder (both manually with a tool like Wireshark/Fiddler or with specialized software like an AV), because it will require a MITM "attack" to decrypt it. In doing so, you lose the information provided by the original certificate, thus lowering your security.
    4. If you need to use a filtering proxy on HTTP, you also need the proxy to decrypt the traffic first, with the same consequences as (3).
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    @Nebulus
    That are some good reasons. I don't know though why public information shouldn't be encryted in transit? By enabling encryption you can protect your users from different kind of MITM attacks. Is it worth? I don't know, in my opinion it is.
     
    Last edited: May 5, 2015
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Agreed. Also, if they do succeed in making this a standard, I expect certificates will get more expensive, not cheaper.
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    That's not how the market works. I assume you're trying to imply that an increased demand will mean an increase in price. Certificates are not physical goods, there's not going to be a shortage of them. The increased demand will increase the amount of companies trying to sell them which will drop prices to record lows.
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I understand that. However, and hoping not to get too far off topic, when the law started requiring me to buy car insurance, my rates quadrupled. When it required me to buy healthcare insurance, my rates tripled. Those are not physical goods either. When you are stuck in a situation where you have little to no choice but to buy something, people take advantage.
     
Loading...