Wednesday, July 25, 2018 [Tweets] [Favorites]

Google’s HTTP “Not Secure” Warning

Dave Winer:

Apparently tomorrow is the day Google will start flagging sites that use HTTP, the standard web protocol, as “not secure.” Curious to see how people react. BTW, this link has auto-playing video. It may be “secure” but it’s also obnoxious. This blog and all my other sites use HTTP. I don’t see that changing. I expect this will make writing for the web more of a chore. That’s life I guess. I don’t want Google to be able to mold the web to its needs. I never signed on to being a Google developer, and never would. Basic rule: Google is a guest on the web, as we all are, and guests don’t make the rules.

Brent Simmons:

I am not looking forward to all the work I have to do make my blog http://inessential.com use https.

I’ve got 19 years of posts to go through. I don’t know how much this is going to suck yet.

Troy Hunt (via Peter N Lewis):

In one of many robust internet debates (as is prone to happen on Twitter), the discussion turned to the value proposition of HTTPS on a static website. Is it needed? Does it do any good? What’s it actually protecting? I’d been looking for an opportunity to put together some material on precisely this topic so when a discussion eventually led to just such an offer, it seemed like the perfect time to write this post[…]

[…]

So that’s precisely what I’ve done - intercepted my own traffic passed over an insecure connection and put together a string of demos in a 24-minute video explaining why HTTPS is necessary on a static website. Here’s the video and there’s references and code samples for all the demos used immediately after that[…]

Why No HTTPS? (via Hacker News):

Following is a list of the world’s top 100 websites by Alexa rank not automatically redirecting insecure requests to secure ones.

Previously: Google and HTTP.

Update (2018-08-01): Troy Hunt:

In the launch blog post, I wrote about the nuances of assessing whether a site redirects insecure requests appropriately. The tl;dr of it was that there’s a bunch of factors that can lead to pretty inconsistent behaviour. Just read the comments there and you’ll see a heap of them along the lines of “Hey Troy, site X is redirecting to HTTPS and shouldn’t be on there”, followed by me saying “No they’re not, here’s the evidence”.

[…]

I want to touch on a question that came up quite a few times and indeed I showed this behaviour earlier on with Roblox. What happens if a website doesn’t respond with a redirect in the HTTP response header? Is an HTTP 200 and a meta refresh tag or some funky JS sufficient?

3 Comments

Another thing that worries me about all this is how can a browser that refuses to connect over HTTP access a web server on an IoT/Mac/Windows device that can only create self-signed (and therefore untrusted) certificates. I get that HTTPS is better, but how can it handle this situation? How does it handle the lighting control system that wants to run its own little web server without having to go via a remote server in the cloud with all the inherent insecurity that brings? How does an app like Keyboard Maestro support local control between Macs? Maybe you just stop doing this and have to write client apps, but then you are stuck writing a client app for each platform, and so what happens to the platform that isn't popular enough (Mac for example)? I haven't seen any solution to this issue, but I'd definitely like to hear one.

Thankfully, I do not use chrome except when I encounter a website that refuses to work with firefox.

Adrian Petrescu

Why would the number of posts on your blog have anything at all to do with the amount of work necessary to HTTPS-ify it? Surely Brent Simmons doesn't think he needs to go through each post manually changing http:// links to https://?

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment