{"id":747,"date":"2018-05-10T14:44:17","date_gmt":"2018-05-10T14:44:17","guid":{"rendered":"https:\/\/securitycurve.com\/?p=747"},"modified":"2018-05-10T14:44:17","modified_gmt":"2018-05-10T14:44:17","slug":"is-google-forcing-you-to-use-https","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=747","title":{"rendered":"Is Google &#8220;forcing&#8221; you to use HTTPS?"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignright size-large lazyload\" data-src=\"https:\/\/skylandgames.files.wordpress.com\/2017\/05\/731456769b61241d045b6d0193e2902e_large.jpg?w=595\" width=\"239\" height=\"179\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 239px; --smush-placeholder-aspect-ratio: 239\/179;\" \/>So I came across <a href=\"http:\/\/scripting.com\/2018\/05\/10\/133513.html\">this article<\/a> today through Twitter, about how &#8220;the Internet is going the wrong direction&#8221;.\u00a0 In general, I don&#8217;t disagree with what he&#8217;s saying&#8230; moreover, I&#8217;m in general alignment with the spirit of it.\u00a0\u00a0There was one part, though, that I felt was useful to clarify.\u00a0 Specifically the part that says:<\/p>\n<blockquote><p>Google is forcing websites to change to support HTTPS. Sounds innocuous until you realize how many millions of historic domains won&#8217;t make the switch. It&#8217;s as if a library decided to burn all books written before 2000, say. 
The web has been used as an archival medium, it isn&#8217;t up to a company to decide to change that, after the fact.<\/p><\/blockquote>\n<p>So I have a bit of a beef with that.\u00a0 Specifically, the question of whether a website is &#8220;forced&#8221; to change to TLS because &#8220;Google says so.&#8221;\u00a0 I can see why someone would say that, but is it really the truth?\u00a0 Here&#8217;s what we know to be true right now:<\/p>\n<ul>\n<li>It&#8217;s no secret that Google would like to have HTTPS everywhere.\u00a0 They&#8217;ve <a href=\"https:\/\/www.blog.google\/topics\/safety-security\/say-yes-https-chrome-secures-web-one-site-time\/\">as much as said so<\/a>, and stuff like the <a href=\"https:\/\/www.cso.com.au\/article\/640686\/app-arrives-google-alternative-com-apps-mandatory-https\/\">.app domain proves it<\/a><\/li>\n<li>As of Chrome 56, HTTP pages that had form entries were <a href=\"https:\/\/security.googleblog.com\/2016\/09\/moving-towards-more-secure-web.html\">marked as &#8220;not secure&#8221;<\/a><\/li>\n<li>As of Chrome 68, <a href=\"https:\/\/blog.chromium.org\/2018\/02\/a-secure-web-is-here-to-stay.html\">they expanded that<\/a> to all websites<\/li>\n<li>They also explicitly <a href=\"https:\/\/security.googleblog.com\/2015\/12\/indexing-https-pages-by-default.html\">downrank HTTP and prioritize HTTPS\u00a0<\/a><\/li>\n<\/ul>\n<p>There&#8217;s a lot that I could say about these measures, but the short version of my reaction is that I don&#8217;t agree that this is the same thing as making TLS mandatory for web traffic.\u00a0 It&#8217;s certainly not the same as &#8220;&#8230;burning books written before 2000&#8230;&#8221;\u00a0 Especially given that enabling TLS is effectively <a href=\"https:\/\/letsencrypt.org\/\">as close to being free nowadays as you can get<\/a>.\u00a0 A webmaster of an active site could evaluate it and decide (for whatever reason) that they don&#8217;t care about these things.\u00a0 For example, if I was the 
current webmaster of <a href=\"http:\/\/www.hampsterdance.com\/classics\/originaldance.htm\">Hamster Dance<\/a>, I might decide to not do this (nor, in fact, have they as of this writing.)\u00a0 If a site is unmaintained (the scenario outlined earlier in reference to historic domains), they won&#8217;t change a thing and they&#8217;ll still be there&#8230; just with a tag that says &#8220;not secure.&#8221;\u00a0 Nothing&#8217;s going away here.<\/p>\n<p>Now, all that said, it is true that if I want my site to rank competitively against others, if I want to conduct commerce over it, or I want to collect information from users, I am disincentivized from doing that over plain HTTP because of these measures.\u00a0 Which is, of course, exactly the point.<\/p>\n<p>This is actually a great thing that is being done here.\u00a0 Think about it this way: if you knew that someone could cause the &#8220;not secure&#8221; flag to go away with a 10-minute investment of their time, yet they chose not to put in the effort, would you trust them with information about yourself or with payment information?\u00a0 I wouldn&#8217;t.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I came across this article today through Twitter, about how &#8220;the Internet is going the wrong direction&#8221;.\u00a0 In general, I don&#8217;t disagree with what he&#8217;s saying&#8230; moreover, I&#8217;m in general alignment with the spirit of it.\u00a0\u00a0There was one part, though, that I felt was useful to clarify.\u00a0 Specifically the part that says: Google 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[25,60,67,119],"class_list":["post-747","post","type-post","status-publish","format-standard","hentry","category-security","tag-chrome","tag-google","tag-https","tag-tls"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=747"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/747\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}