Google and HTTP
43 points by michaelpinto 7 years ago | 58 comments
- helthanatos 7 years ago
Let me tell you why this is very dishonest:
1. The internet was built without trust in mind because it was a simple connection between universities and government. There wasn't much need for security. Now that the internet exists, there is a great need for security.
2. Https is better than http. It's an evolution. It's not impossible to get a certificate. To verify who you are and to protect your users.
3. If you don't care about your users' privacy, perhaps you shouldn't be hosting sites.
To be completely honest, Google is a bit slow with this. I know the difficulty it poses, but it's worth it. We need to stop passing unencrypted data. We need the internet to finally care about security and privacy. The internet has evolved, ipv4 has been used up (in terms of devices). It's time.
- twtw 7 years ago
None of these statements convince me that http sites should be default flagged as insecure. Take this site, for instance: http://wilsonminesco.com/6502primer/65tutor_intro.html. It is a great resource, but is not available over https. Yeah, it's possible that someone could MITM it to provide me with incorrect info on the 6502, but I don't see the disregard for my privacy. I'm never going to put in any of my own information, even if someone uses MITM to ask for my credit card or something.
Could you explain why browsers should flag sites like this? It's possible that I'm too naive to realize the issue, and I would appreciate some education on it.
EDIT: changed "blocked" to "flagged"
- chias 7 years ago
It's not just about modifying the data, but also about anyone on your network or between you and the end-host being able to determine that you visited that site, and what pages you visited, and when.
The common refrain is to think about repressive governments and what they can (and do) do with this information, but even here in the States think about your ISPs selling your browsing history to advertisers. Or think about ISPs being required to report to the US Government whenever you visit some informative but http-only page about terrorism / chemistry that happens to also be used in explosives / infosec topics / etc. Consider being put on a watchlist simply for having viewed StackOverflow questions relating to XSS or SQLi vulnerabilities.
If you determine the word "insecure" to mean that security or privacy expectations held by the average user are being violated, then all HTTP-only pages are insecure -- not because you may be viewing modified information or because you may be submitting sensitive information, but because the fact that you visited that page while alone is something that the average user likely suspects is secret and/or private, but isn't. To put it bluntly: would you browse an HTTP-only porn site? I wouldn't.
- libeclipse 7 years ago
Blocking HTTP sites is a bit too far, but an insecure warning is perfectly reasonable as, let's be honest, it is not secure.
- Brian_K_White 7 years ago
Saying a site like that is not secure is like the famous old advertising campaign where one of two competing food products claimed, perfectly truthfully, that their bread or milk or whatever it was, didn't contain any bleach. It's a technically true, yet grossly disingenuous statement. No one's milk had any bleach in it, and that site has no obligation to be secure.
- twtw 7 years ago
I edited my post before your response to change it to "flagged," but failed to call out the change initially. Sorry, it's fixed now.
For a lot of people, a big scary warning page that says that a page is insecure is essentially a block. Yeah, you can still access it, but a lot fewer people will.
> let's be honest, it is not secure.
My original post is asking for an explanation of how it isn't secure. I would totally understand a browser warning if a user tries to submit a form over http, but for a page like the one I linked I don't see how it can adversely affect the user.
- cocktailpeanuts 7 years ago
There really is no absolute right or wrong to this issue.
HTTPS is indeed more secure for users, but it does have some cost, and I think OP has a sensible argument.
If you really think HTTPS is the best thing ever and is absolutely better than HTTP in every sense, you're just looking at it superficially.
When you start looking into how the entire Internet works and what role each party plays in the ecosystem, and how much "real" power each party has, you'll find that HTTPS is THE biggest centralization force of the web. If you think centralization and oligopoly by big tech companies is awesome, fine.
But there are people who don't like that direction for a good reason.
- tylerhou 7 years ago
How is HTTPS a centralization force? Just because large, centralized tech companies like Google are pushing for HTTPS doesn't make HTTPS itself inherently centralized -- apart from certificate authorities, but that's because DNS and the domain name system itself are already inherently centralized. And Let's Encrypt does exist, an organization which has published an open protocol for certificate negotiation (ACME) as well as an open implementation whose root certificate is accepted by all major browser vendors.
Saying HTTPS is centralized is like saying PGP is centralized. If it is, it's only because the underlying technologies (HTTP itself and DNS) are centralized, not an encryption and document-signing protocol layered on top of it.
Even if you can argue that HTTPS is a centralization force, it's almost certainly hyperbole to argue that it's the biggest centralization force on the web today. Surely network effects (Facebook, Amazon), huge amounts of capital, and control over a huge amount of information (Google) are far bigger factors?
- anfilt 7 years ago
I can agree that CAs are a point of centralization. A web of trust in my opinion is better such as used in PGP.
However, the whole dns system is centralized. Any alternative dns root is kinda ignored as well. It's kinda sad.
Also there are only a handful of browsers. Even fewer browser engines. This is also sad, and partly to blame is how complicated the standards are these days.
- userbinator 7 years ago
> you'll find that HTTPS is THE biggest centralization force of the web
This, very much this. Plaintext doesn't require what is essentially authorisation from a central authority in order to communicate.
- Spivak 7 years ago
I think you'll find that even without the CA system that you need the blessing of at least a few people to get your content on the internet.
- Your address needs to be given to you by your ISP or ARIN.
- Major ISPs need route to your address and/or accept your BGP announcements.
- You probably need a name which is bought from a few large DNS management companies or their resellers.
- You're required to have an email address to field abuse complaints which means you most likely will be paying an email provider.
- If you're not running your own hardware you will have to pay a hosting company.
- If your site is large you'll probably need a CDN to handle the traffic of which there are only a few major players.
- Although it's a blacklist you effectively need Google's blessing to not appear on the SafeBrowsing list.
Is the CA system really that much more of a hurdle? No question it's a little scummy at times but it's cheap and relatively low maintenance.
- tyler_larson 7 years ago
You misunderstand what CAs are. Or, indeed, what their certificates imply.
CAs don't provide permission, they vouch for an identity.
Saying that CAs give you permission to communicate is like saying notaries give you permission to sign a contract. You can assert your identity without verification as long as the other party in the relationship is fine with the increased risk of fraud.
Similarly, you can use HTTPS without a signed certificate (precisely as you can use HTTP without HTTPS) as long as you and the other party are happy with the risk that Verizon could be "sanitizing" your speech or injecting your real-world identity into all your HTTP requests without your knowledge.
But both the site operator and visitor stand to lose from someone tampering with your traffic. And increasingly, it's the users that are getting burned in this relationship.
- ejcx 7 years ago
Just weird and a bad blog post. The author also wrote this: http://scripting.com/2018/02/23.html
The owner is a domain parker and is upset that he has to update hundreds of sites in order to be marked as insecure, is what I can gather
In the last few weeks he's also written:
- http://scripting.com/2018/02/21.html
- tylerhou 7 years ago
His arguments are also legitimately absurd. He says "if Google succeeds, it will make a lot of the web's history inaccessible", which is patently false given the fact you can always still access HTTP websites, not to mention that services like archive.org and Google's own cache exist.
He then makes the argument that HTTPS will make it such that only "super nerds" will be able to create websites. But right now I can host my own blog on services like Netlify and get an HTTPS certificate for multiple domains with one click. If I want my own server it literally takes two seconds for me to set up certbot and get certificates for free. Then he makes an odd and somewhat rambling comparison to the Grand Canyon.
He then argues that Google labeling HTTP as not secure is the first step down a path which leads to "blocking the pages outright", which is a prime example of the slippery slope fallacy.
In another blog post he argues that by applying Occam's razor, it's clear that Google just wants to protect their ad revenue (because HTTPS would allow ISPs to replace Google's ads with their own). Which honestly sounds insane.
I'm really surprised that this person is a software developer. I'm even more surprised that he still believes this stuff after working for 24 years.
- userbinator 7 years ago
> I'm really surprised that this person is a software developer. I'm even more surprised that he still believes this stuff after working for 24 years.
I'm really surprised that you think everyone has/should have(?) the same beliefs about such things.
> He then argues that Google labeling HTTP as not secure is the first step down a path which leads to "blocking the pages outright", which is a prime example of the slippery slope fallacy.
20 years ago people thought buying computers on which you can't install software some central authority didn't approve of was preposterous, and yet here we are today with walled gardens and the like. This is a rise of authoritarianism, all in the name of "security". The frog boils slowly.
- tylerhou 7 years ago
> 20 years ago people thought buying computers on which you can't install software some central authority didn't approve of was preposterous, and yet here we are today with walled gardens and the like.
I can install whatever operating system and software I like on almost every single consumer-available computer today. The only prominent "walled garden" is the iPhone, which has < 15% market share. And frankly, I don't mind Apple's iOS. I certainly don't mind the fact that I know that any kernel space software that runs on my phone is cryptographically signed by a trusted party in a chain from the bootloader.
- somesayso 7 years ago
> His arguments are also legitimately absurd...
I think your arguments are absurd. Maybe give it some thought before lashing out? And what does "legitimately absurd" mean anyway?
> But right now I can host my own blog on services like Netlify...
Again, if you have given it some thought, you might have noticed that the author is talking about old, infrequently maintained content that was created decades before, and the authors have moved on...
So again, next time, give it some thought before crying "LEGITIMATELY ABSURD!!!"
- cocktailpeanuts 7 years ago
The owner is the guy who invented RSS. I think he knows a thing or two about what he's talking about.
If you think it's weird and very bad, explain why you think so. I for one can sympathize with his point of view.
- namesbc 7 years ago
Did he really dismiss the huge benefit of https that my browser is guaranteed to receive the exact content that the site owner sent me, with an idiotic argument that while it prevents Starbucks or Comcast from pwning me, it doesn't prevent the browser. Really?
- twtw 7 years ago
No. What he said is that Google says that https prevents MITM, but never mentions that they will still be able to do it. I don't see a dismissal, just a criticism of Google.
- armitron 7 years ago
How many fiascos with CAs do you need, not to mention protocol issues, to stop believing in HTTPS guarantees?
- Aaron1011 7 years ago
> Also, if Google succeeds, it will make a lot of the web's history inaccessible.
> It's like a massive book burning, at a much bigger scale than ever done before.
How on earth did the author reach these conclusions?
- cocktailpeanuts 7 years ago
A lot of the web properties are HTTP based and they probably won't bother to switch either because the owner doesn't care enough to go through all the hassle, or because they hosted their site/pages on a server whose owner doesn't care enough to go through all the hassle.
Just because these owners don't care about their site, doesn't mean they are not valuable.
- Aaron1011 7 years ago
I was referring specifically to the author's claim that deprecating HTTP and displaying a warning to users is the equivalent of "rendering large parts of the web inaccessible" and "massive book burning".
- Spivak 7 years ago
If you mark something as 'Not Secure' you're effectively telling users not to access it. It doesn't matter in practice if the content is still accessible when the browser tells people that accessing it is dangerous.
A lot of content that exists on the unmaintained web is going to effectively be lost, and maybe that's okay because the benefits are worth it, but that's the argument that needs to be made.
- cocktailpeanuts 7 years ago
That's what I was referring to. I don't understand what you don't understand about the reference.
- gpsx 7 years ago
Maybe everyone should use HTTPS, or maybe it's a bad idea. But Google shouldn't unilaterally decide what is good for the rest of us. I'm with the author on that.
This also applies to AMP. It's bad enough they have so much control of the web based on how they rank pages in search results, but there is not much we can do about that.
- braderhart 7 years ago
> "It may be hard to believe that there was a time when Amazon, Netflix, Facebook, Gmail, Twitter etc didn't exist."
Not really.. I dream all the time of a land where decentralized exchanges exist for these services, and that a clunky web browser is not required for accessing information online.
- matte_black 7 years ago
How else would the information be accessed? A separate dedicated app for each of those things? Those exist already.
- braderhart 7 years ago
Through a different markup format and set of tools that follows the unix philosophy.
- g5095 7 years ago
Why is there no proliferation of letsencrypt authorities? If we're all about making https easy and not about central authority, why not have 100+ letsencrypt authorities run by different groups?
The truth is the new decentralised web does not suit the old https signing-AUTHORITY model. It's time for a decentralised system with no authority other than key-holding. The same goes for DNS.
- emmelaich 7 years ago
https is http (over ssl) so I was expecting something else.
For those who do not know, the author Dave Winer is pretty famous especially in the early web.
https://en.wikipedia.org/wiki/Dave_Winer
But he does love a rant.
- g5095 7 years ago
https is only as secure as who's holding your root signing keys (govt agencies). If you want security layer it on top of https with pub/priv key crypto. https is just the new hoop, jump through it and move on, but let's not pretend https stops anyone important.
- feelin_googley 7 years ago
Why is this flagged?
The author is Dave Winer. Known for many things, among them RSS. HN users seem to like RSS and dislike what happened to Google Reader.
There is nothing unreasonable about supporting both HTTP and HTTPS.
There are decisions that should be left to users. Denying them meaningful options is something that should raise a red flag and spur some commentary.
For example, if users want to use RSS, then we should be wary of any company that effectively tries to dissuade them from using RSS.
Similarly, if users want to use HTTP for some content (and perhaps HTTPS for other content), then we should be wary of any company that effectively tries to dissuade them from ever using HTTP for any content.
Not all content needs to be encrypted. Moreover HTTPS via SSL/TLS is not the only way to distribute encrypted content. We should not pretend there is only one way to do it, let alone coerce people to do it only one way.
As a user, I would be just as satisfied with a page of HTML that is PGP-signed, encrypted and sent over HTTP as I would with HTML sent over a so-called "secure channel" via SSL/TLS, what with the third party reliances the commercial domain name and commercial x509 certificate schemes routinely entail.
Besides the issues of requisite third party involvement in encryption, TLS as implemented so far has some serious weaknesses and shortcomings, and is not the only solution to "secure content". If a company is going to issue warnings to users, then that should be among them. Promoting a false sense of "security" should be avoided.
When a company running the largest search engine on the www penalizes websites for not implementing some feature, whether it is AMP or HTTPS or something else, this should raise red flags. Expect some commentary.
- IshKebab 7 years ago
Probably just because it's full of nonsense.
- originalsimba 7 years ago
This is the worst thing I have read in weeks. The author lacks any understanding of the technology and appears to live in a "Google Bubble". tl;dr, don't waste your time.
He's probably trolling.
- JeanMarcS 7 years ago
He’s at the origin of RSS, put the base of podcasting, host one of the first blogging platforms...
But yeah, what does he know...
- originalsimba 7 years ago
Assuming all of that were true, all that does is raise questions how he could be so completely wrong in this article.
- myf01d 7 years ago
goddammit HN, you always fall for the most obvious baits
- ohiovr 7 years ago
What's the deal with letsencrypt? If anyone can get a certificate for the domains I own, it can't stop man in the middle attacks. How is this any better than a self signed cert which throws a hissy fit when you visit? That's a browser issue to me not an inherent technical advantage. Anyone can get a cert from it including criminals. Google sometimes makes the news when they revoke a cert authority because of criminal activity (I think). How often do people check under those locks to see what it is? Google.com at a wifi hotspot could be something completely different and you'd not know. I'm sure I'll look like a fool when someone explains it to me.
- lasdfas 7 years ago
Let's Encrypt just like every other certificate authority validates that you own the domain before giving you a cert. They do that by sending a request to the domain from their servers (via looking up the nameservers via domain registries) and validating the response matches a unique message generated.
You could impersonate google.com on wifi, but you couldn't get a valid cert for google.com because you don't own the nameservers or any of the servers that google.com points to.
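The domain-validation check described in the comment above, as an added example that is not part of the original thread: a sketch of the ACME HTTP-01 key authorization (RFC 8555 sections 8.1 and 8.3, RFC 7638 thumbprint) with the CA's outbound request simulated in-process. `SimulatedInternet`, `ca_validate`, the host `example.test` and the JWK values are constructed for illustration and are not Let's Encrypt's code.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the key's required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the CA's random token bound to the requesting account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


class SimulatedInternet:
    """Hypothetical stand-in for DNS + HTTP as seen from the CA's own servers."""

    def __init__(self):
        self.sites = {}  # hostname -> {path: body}

    def publish(self, host, path, body):
        self.sites.setdefault(host, {})[path] = body

    def get(self, host, path):
        return self.sites.get(host, {}).get(path)


def ca_validate(net, host, token, account_jwk) -> bool:
    """The CA fetches the challenge file itself and compares it to what it expects."""
    body = net.get(host, challenge_path(token))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip().encode(), expected.encode())


def demo():
    net = SimulatedInternet()
    # Constructed JWK values for illustration; not real key material.
    owner_key = {"kty": "EC", "crv": "P-256", "x": "b3duZXIteA", "y": "b3duZXIteQ"}
    other_key = {"kty": "EC", "crv": "P-256", "x": "b3RoZXIteA", "y": "b3RoZXIteQ"}

    # 1. The operator of example.test serves the file from the real server.
    token = secrets.token_urlsafe(32)
    net.publish("example.test", challenge_path(token), key_authorization(token, owner_key))
    owner_ok = ca_validate(net, "example.test", token, owner_key)

    # 2. Someone on a hotspot can answer local clients, but the CA's request
    #    resolves through the real nameservers, so their file is never seen.
    hotspot_token = secrets.token_urlsafe(32)
    hotspot_ok = ca_validate(net, "example.test", hotspot_token, other_key)

    # 3. A file already on the real server does not help another account:
    #    the thumbprint binds it to the owner's account key.
    replay_ok = ca_validate(net, "example.test", token, other_key)
    return owner_ok, hotspot_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```
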
- ohiovr 7 years ago
Thank you! So I'm using a cable modem with a dynamic IP. All someone needs are access to the updater program and credentials to impersonate my domain. So certs are fine and all, as long as those little numbers at the name server never change. I'm just a hobbyist. Just asking questions, don't mean to offend anyone...
- petraeus 7 years ago
That's your problem
- thristian 7 years ago
> If anyone can get a certificate for the domains I own, it can't stop man in the middle attacks.
You're right, if that were the case, it would be terrible!
Luckily, it's not: to get a certificate for your domain, I need to either control your domain, or control the computer that the domain points at. In either case, you have much bigger problems than certificate issuance.
- anfilt 7 years ago
Let's Encrypt only verifies that the entity requesting the cert basically has control of the domain.
I would agree that the biggest issue with TLS is the certificate authorities. All the trust lies in them. If they issue a bad certificate for google, microsoft, usbank etc... It can cause problems. This is part of the reason HTTP key pinning exists. Further, CAs have issued bad certs. It's happened and will happen again.
However, there are a lot of websites that in theory do not need TLS. However, the browsers are preventing HTTP only sites from using newer features. For instance HTTP 2.0 does not require TLS, but none of the browsers support plain text HTTP 2.0. (So the browsers are ignoring the standard)
So why do the browsers push so hard for TLS? As this article mentions MITM. Considering how complicated the web standards for CSS, JS, and HTML are these days. There is a potential attack vector. So in theory an attacker could insert content on the page you're viewing that uses a zero day exploit. However, I think people are forgetting it's probably easier to get people to just visit a website with the exploit via some click baity title.
The next reason is that it prevents people from snooping on other people. However, a website that displays the time for instance is not really that big of an issue. However, there is content people view that they would not like someone else knowing. Although, the DNS system can give that away if the website is topical in nature. However, I would not call this insecure as the browsers do. Really it should be noted that the content you're viewing may be observed. However, that is not a security issue unless the site is serving private information. At that point the server operator is screwing up.
Really, if the user can't verify (does not know how) and does not verify the certificate it's not secure. It's more likely to be secure. Even if the user verifies the certificate if the server or user's computer is compromised the encryption is as good as non-existent. If you're worried about the user loading any scripts with any possible exploits JavaScript probably should be removed from the web standards. As I mentioned it's not hard to get users to view a site with some payload taking advantage of an exploit.
Part of the problem is that we have everyday people using the web more and more these days. They don't necessarily know when they should be worried about security. However, what is annoying me more for instance with HTTP 2.0. I can't go into Firefox's about:config and enable plain text HTTP 2.0. I can agree with sane defaults, but really I should be able to change those.
- tyler_larson 7 years ago
> For instance HTTP 2.0 does not require TLS, but none of the browsers support plain text HTTP 2.0. (So the browsers are ignoring the standard)
H2 requires TLS for practical reasons; without it, poorly-written transparent proxies mangle this protocol that they don't understand. Requiring SSL was the solution to this otherwise intractable problem during the initial SPDY work, and became a hard requirement for SPDY. But due to pressure from certain groups during the IETF standardization process (who didn't want the web to "go dark"), this requirement from SPDY was dropped in the official HTTP2 spec.
But dropping the requirement from the spec doesn't solve the problem that put it there in the first place. You still can't reliably use any protocol newer than HTTP/1.1 unencrypted with many ISPs. It's been demonstrated to fail in ways that are difficult to debug and which would otherwise make HTTP2 seem unreliable. So no consumer-facing implementation will let you try.
- dijit 7 years ago
Technically any CA can sign certificates from bad actors, letsencrypt is notable because they verify you own the domain automatically, and they do so for free.. I know of no issues in the ACME protocol.
That said, any CA can sign anything and your browser will trust it in most* cases.
* - Not under certificate pinning or CA pinning though.
- foo101 7 years ago
Consider the scenario where I own a domain example.com for a year. Just a day before its expiry or just a day before I sell the domain to someone else, I obtain a certificate for it from letsencrypt via ACME protocol.
A week or month from now, the new owner of the domain sets up an HTTPS website. With the old certificate I have, I can now launch an MITM attack on the new owner for about 2-3 months!