{"id":22253,"date":"2018-07-25T16:29:03","date_gmt":"2018-07-25T20:29:03","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=22253"},"modified":"2018-08-01T15:52:31","modified_gmt":"2018-08-01T19:52:31","slug":"googles-http-not-secure-warning","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/07\/25\/googles-http-not-secure-warning\/","title":{"rendered":"Google’s HTTP “Not Secure” Warning"},"content":{"rendered":"

Dave Winer<\/a>:<\/p>\n

Apparently tomorrow is the day Google will start flagging sites that use HTTP, the standard web protocol<\/a>, as “not secure.” Curious to see how people react. BTW, this link<\/a> has auto-playing video. It may be “secure” but it’s also obnoxious. This blog and all my other sites use HTTP. I don’t see that changing. I expect this will make writing for the web more of a chore. That’s life I guess. I don’t want Google to be able to mold the web to its needs. I never signed on to being a Google developer<\/a>, and never would. Basic rule: Google is a guest on the web, as we all are, and guests don’t make the rules.<\/p><\/blockquote>\n\n

Brent Simmons<\/a>:<\/p>\n

\n

I am not<\/em> looking forward to all the work I have to do make my blog http:\/\/inessential.com use https.<\/p>\n

I’ve got 19 years of posts to go through. I don’t know how much this is going to suck yet.<\/p>\n<\/blockquote>\n\n

Troy Hunt<\/a> (via Peter N Lewis<\/a>):<\/p>\n

In one of many robust internet debates (as is prone to happen on Twitter), the discussion turned to the value proposition of HTTPS on a static website. Is it needed? Does it do any good? What’s it actually protecting? I’d been looking for an opportunity to put together some material on precisely this topic so when a discussion eventually led to just such an offer, it seemed like the perfect time to write this post[…]<\/p>

[…]<\/p>

So that’s precisely what I’ve done - intercepted my own traffic passed over an insecure connection and put together a string of demos in a 24-minute video explaining why HTTPS is necessary on a static website. Here’s the video and there’s references and code samples for all the demos used immediately after that[…]<\/p><\/blockquote>\n\n

Why No HTTPS?<\/a> (via Hacker News<\/a>):<\/p>\n

Following is a list of the world’s top 100 websites by Alexa rank<\/a> not automatically redirecting insecure requests to secure ones.<\/p><\/blockquote>\n\n

Previously: Google and HTTP<\/a>.<\/p>\n\n

Update (2018-08-01): Troy Hunt<\/a>:<\/p>\n

In the launch blog post<\/a>, I wrote about the nuances of assessing whether a site redirects insecure requests appropriately. The tl;dr of it was that there’s a bunch of factors that can lead to pretty inconsistent behaviour. Just read the comments there and you’ll see a heap of them along the lines of “Hey Troy, site X is redirecting to HTTPS and shouldn’t be on there”, followed by me saying “No they’re not, here’s the evidence”.<\/p>

[…]<\/p>

I want to touch on a question that came up quite a few times and indeed I showed this behaviour earlier on with Roblox. What happens if a website doesn’t respond with a redirect in the HTTP response header? Is an HTTP 200 and a meta refresh tag or some funky JS sufficient?<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"

Dave Winer: Apparently tomorrow is the day Google will start flagging sites that use HTTP, the standard web protocol, as “not secure.” Curious to see how people react. BTW, this link has auto-playing video. It may be “secure” but it’s also obnoxious. This blog and all my other sites use HTTP. I don’t see that […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-08-01T19:52:34Z","apple_news_api_id":"1de0ceeb-92f1-43e0-b9eb-45dad6a641bc","apple_news_api_modified_at":"2018-08-01T19:52:35Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/AHeDO65LxQ-C560Xa1qZBvA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[51,456,30,32,48,96],"class_list":["post-22253","post","type-post","status-publish","format-standard","hentry","tag-google","tag-googlechrome","tag-mac","tag-macapp","tag-security","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=22253"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22253\/revisions"}],"predecessor-version":[{"id":22331,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22253\/revisions\/22331"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=22253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=22253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=22253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}