Let me tell you why this is very dishonest:
1. The internet was built without trust in mind because it was a simple connection between universities and government. There wasn't much need for security. Now that the internet exists, there is a great need for security.
2. Https is better than http. It's an evolution. It's not impossible to get a certificate. To verify who you are and to protect your users.
3. If you don't care about your users' privacy, perhaps you shouldn't be hosting sites. To be completely honest, Google is a bit slow with this. I know the difficulty it poses, but it's worth it.
We need to stop passing unencrypted data. We need the internet to finally care about security and privacy.
The internet has evolved, ipv4 has been used up (in terms of devices). It's time.
There really is no absolute right or wrong to this issue.

HTTPS is indeed more secure for users, but it does have some cost, and I think OP has a sensible argument.

If you really think HTTPS is the best thing ever and is absolutely better than HTTP in every sense, you're just looking at it superficially.

When you start looking into how the entire Internet works and what role each party plays in the ecosystem, and how much "real" power each party has, you'll find that HTTPS is THE biggest centralization force of the web. If you think centralization and oligopoly by big tech companies is awesome, fine.

But there are people who don't like that direction for a good reason.
Just weird and a bad blog post. The author also wrote this:
http://scripting.com/2018/02/23.html

The owner is a domain parker and is upset that he has to update hundreds of sites in order to be marked as insecure, is what I can gather.

In the last few weeks he's also written:

- http://scripting.com/2018/02/21.html
- http://this.how/googleAndHttp/
- http://scripting.com/2018/02/08.html
Did he really dismiss the huge benefit of https that my browser is guaranteed to receive the exact content that the site owner sent me, with an idiotic argument that while it prevents Starbucks or Comcast from pwning me, it doesn't prevent the browser? Really?
> Also, if Google succeeds, it will make a lot of the web's history inaccessible.

> It's like a massive book burning, at a much bigger scale than ever done before.

How on earth did the author reach these conclusions?
Maybe everyone should use HTTPS, or maybe it's a bad idea. But Google shouldn't unilaterally decide what is good for the rest of us. I'm with the author on that.

This also applies to AMP. It's bad enough they have so much control of the web based on how they rank pages in search results, but there is not much we can do about that.
"It may be hard to believe that there was a time when Amazon, Netflix, Facebook, Gmail, Twitter etc didn't exist."

Not really... I dream all the time of a land where decentralized exchanges exist for these services, and that a clunky web browser is not required for accessing information online.
Why is there no proliferation of letsencrypt authorities? If we're all about making https easy and not about central authority, why not have 100+ letsencrypt authorities run by different groups?

The truth is the new decentralised web does not suit the old https signing-AUTHORITY model. It's time for a decentralised system with no authority other than key-holding. The same goes for DNS.
https *is* http (over ssl) so I was expecting something else.

For those who do not know, the author Dave Winer is pretty famous especially in the early web.

https://en.wikipedia.org/wiki/Dave_Winer

But he does love a rant.
https is only as secure as who's holding your root signing keys (govt agencies). If you want security, layer it on top of https with pub/priv key crypto. https is just the new hoop, jump through it and move on, but let's not pretend https stops anyone important.
Why is this flagged?

The author is Dave Winer. Known for many things, among them RSS. HN users seem to like RSS and dislike what happened to Google Reader.

There is nothing unreasonable about supporting *both* HTTP and HTTPS.

There are decisions that should be left to users. Denying them meaningful options is something that should raise a red flag and spur some commentary.

For example, if users want to use RSS, then we should be wary of any company that effectively tries to dissuade them from using RSS.

Similarly, if users want to use HTTP for some content (and perhaps HTTPS for other content), then we should be wary of any company that effectively tries to dissuade them from ever using HTTP for any content.

Not all content needs to be encrypted. Moreover HTTPS via SSL/TLS is not the only way to distribute encrypted content. We should not pretend there is only one way to do it, let alone coerce people to do it only one way.

As a user, I would be just as satisfied with a page of HTML that is PGP-signed, encrypted and sent over HTTP as I would with HTML sent over a so-called "secure channel" via SSL/TLS, what with the third party reliances the commercial domain name and commercial x509 certificate schemes routinely entail.

Besides the issues of requisite third party involvement in encryption, TLS as implemented so far has some serious weaknesses and shortcomings, and is not the only solution to "secure content". If a company is going to issue warnings to users, then that should be among them. Promoting a false sense of "security" should be avoided.

When a company running the largest search engine on the www penalizes websites for not implementing some feature, whether it is AMP or HTTPS or something else, this should raise red flags. Expect some commentary.
This is the worst thing I have read in weeks. The author lacks any understanding of the technology and appears to live in a "Google Bubble". tl;dr, don't waste your time.

He's probably trolling.
What's the deal with letsencrypt? If anyone can get a certificate for the domains I own, it can't stop man in the middle attacks. How is this any better than a self-signed cert which throws a hissy fit when you visit? That's a browser issue to me, not an inherent technical advantage. Anyone can get a cert from it including criminals. Google sometimes makes the news when they revoke a cert authority because of criminal activity (I think). How often do people check under those locks to see what it is? Google.com at a wifi hotspot could be something completely different and you'd not know. I'm sure I'll look like a fool when someone explains it to me.