On HTTPS, and Google’s “Not Secure” Markings
Recent news about Google marking web pages that are not HTTPS as “Not Secure” had me returning to a subject that has held my interest for some time. I have commented on the idea (I’m pro HTTPS), and have even switched my site to support it. Given that, you clearly know where I stand, but I also feel my view on this could be changed given a reasonable argument.
If those reasonable counter arguments would come from anywhere, they’d probably be from Dave Winer. I respect what he does immensely. While reading Winer’s blog post about this subject, you might think he’s suffering from a “Get off my lawn” grumpy phase. And yes, he is being grumpy, but he brings up many good points about why not to switch. His three perceived “challenges” as far as switching are:
1. Google is going to warn people about my site being “not secure.”
2. Something bad could happen to my pages in transit from a HTTP server to the user’s web browser.
3. It’s not hard to convert and it doesn’t cost a lot.
And, let’s face it, these are mostly weak. In the case of (1), who gives a shit what Google says? I’ll get into that more later. (2) Something bad can always happen. It is perhaps worthwhile to encrypt if you can, but if you don’t, OK; and (3) It is hard. Let’s face it, in technology, not much is easy. It is getting easier, but Dave seems to have a high number of domains. That makes it hard enough for him.
Some other reasonable points might be a bump in SEO rankings, a perception from others that you’re playing nice, or even a sense that you’ve tamed something nebulous. None of these are really legitimate reasons for him to change to TLS. Dave then starts into his theories about bad Google.
While I think Dave tends to focus on the wrong things, there are some good reasons for him to switch. First, Google doesn’t make encryption, they’re just a search engine. Encryption may perhaps be seen as an evolution of the web, thus worthwhile. Clearly Google thinks that’s true, but encryption is why you change, not Google. Technology is all about change and thinking of this one as such is what we’ve all been doing for years in this industry. To think you can just stay the same and “Keep on truckin’” is bonkers. Also, encryption encrypts stuff, and that’s good for everyone. That is useful in some cases, perhaps less useful in others, and in select situations (such as logins), essential. Your mileage may vary.
A little about the “Not Secure” marking of an HTTP site by Google. You can be guaranteed this will either be rolled back, changed or removed altogether sometime in the near future. Google really does love to put out crap and change it later because it’s wrong, and this one is up there. Marking a site’s security status based on whether traffic is encrypted is perhaps like saying an auto shop with a debit card machine (that securely communicates with the bank) is safe and won’t rip you off. They can still just charge your card five times. The encrypted connection does nothing but ensure the transaction is secure, so the wording is far too general. Malicious sites that use encryption can, and will, be VERY insecure even though the site traffic is encrypted. Stupid Google. Maybe they’ll just walk it back to saying “Encrypted”.
The web is changing so rapidly and there are fights to be had. Just look at how Facebook and others are creating “walled gardens” of data we can’t easily get to. The fight over encrypting the web seems just like a waste of energy since it’s pretty clear that it’s good. Who cares what Google says?