So I came across this article today through Twitter, about how “the Internet is going the wrong direction”. In general, I don’t disagree with what he’s saying; in fact, I’m broadly aligned with the spirit of it. There was one part, though, that I thought was worth clarifying. Specifically, the part that says:
> Google is forcing websites to change to support HTTPS. Sounds innocuous until you realize how many millions of historic domains won’t make the switch. It’s as if a library decided to burn all books written before 2000, say. The web has been used as an archival medium, it isn’t up to a company to decide to change that, after the fact.
So I have a bit of a beef with that. Specifically, with the claim that a website is “forced” to change to TLS because “Google says so.” I can see why someone would say that, but is it really the truth? Here’s what we know to be true right now:
- It’s no secret that Google would like to have HTTPS everywhere. They’ve as much as said so, and things like the .app domain prove it (the .app TLD is on the HSTS preload list, so browsers will only load it over HTTPS)
- As of Chrome 56, HTTP pages that had form entries were marked as “not secure”
- As of Chrome 68, they expanded that “not secure” marking to all HTTP websites
- They also explicitly downrank HTTP and prioritize HTTPS in search results
There’s a lot that I could say about these measures, but the short version of my reaction is that I don’t agree that this is the same thing as making TLS mandatory for web traffic. It’s certainly not the same as “…burning books written before 2000…”, especially given that enabling TLS is about as close to free as it gets nowadays. A webmaster of an active site could evaluate it and decide (for whatever reason) that they don’t care about these things. For example, if I were the current webmaster of Hamster Dance, I might decide not to do this (nor, in fact, have they as of this writing). If a site is unmaintained (the scenario outlined earlier in reference to historic domains), nothing about it will change and it will still be there… just with a tag that says “not secure.” Nothing’s going away here.
Now, all that said, it is true that if I want my site to rank competitively against others, if I want to conduct commerce over it, or if I want to collect information from users, these measures put me at a disadvantage for staying on plain HTTP. Which is, of course, exactly the point.
This is actually a great thing that is being done here. Think about it this way: if you knew that someone could make the “not secure” flag go away with a 10-minute investment of their time, but they chose not to put in the effort, would you trust them with information about yourself or with payment information? I wouldn’t.