The push to HTTPS

Last year, Google started giving websites that have an SSL cert a ranking boost. As part of that announcement they said it was done to push the web to be more secure, and that they wanted to go even further and push for “HTTPS everywhere”.

This week it was announced that this measure is going to be taken a step further with a new feature in Chrome that will show a big red “X” on unsecured sites. Firefox also has plans for this.

The EFF and security researchers are applauding the move. One example of the benefit: it prevents governments from blocking specific pages. They instead have to block the whole domain, which is much more noticeable. You can read about Russia’s Wikipedia ban for more context.

Dave Winer is one opponent of this, and in a recent post he said:

I wonder if they’ve even tried to quantify the outages they’ll cause. So many sites are simply residing on a hard disk somewhere, served by an ancient version of some unknown and not maintained server software, chugging along as someone keeps paying the electric bill, and replaces a broken hardware component when needed. The people who created the site might not have understood HTTPS or how to deploy it, and many are long gone. Some of course are dead. We are certainly not all sitting around doing nothing waiting for a handful of programmers on a mail list to make us perform a ridiculous act of security theater for our blog posts written in 2002. 

Most of these sites do not need HTTPS. It isn’t an issue for my ancient blog posts. Or yours.

I personally think the current proposal with a red “X” is not the right solution. Yes, users will notice it at first, but give it two weeks and that icon will be totally ignored. I like the proposal in the Firefox report where someone suggested the browser just alert when submitting a form on an insecure site, but I think it’ll be ignored after a while as well.
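To make the form-warning proposal concrete, here is an added example (not code from the original post or from any browser) of the check such a warning would have to make: it resolves a form’s action against the page URL the way a browser does and reports whether the submitted fields would travel over plaintext HTTP. The page and form URLs are constructed sample values; a static blog post with no forms would never trigger it, which is part of why the warning is less intrusive than a red “X”.

```javascript
// Added example, not from the original post. Decides whether submitting a
// form would send its fields over plaintext HTTP, which is the condition a
// browser warning like the one proposed above would fire on.
// Assumption: pageUrl and formAction are strings as the browser sees them.

const PLAINTEXT_SCHEMES = new Set(["http:"]);

function resolveFormAction(pageUrl, formAction) {
  // An empty or missing action submits back to the page itself.
  if (!formAction || formAction.trim() === "") return new URL(pageUrl);
  // Relative and protocol-relative actions resolve against the page URL,
  // so on an http: page "//cdn.example/login" becomes an http: target.
  return new URL(formAction, pageUrl);
}

function formSubmitsInsecurely(pageUrl, formAction) {
  const target = resolveFormAction(pageUrl, formAction);
  return PLAINTEXT_SCHEMES.has(target.protocol);
}

function describeFormSubmission(pageUrl, formAction) {
  const target = resolveFormAction(pageUrl, formAction);
  if (formSubmitsInsecurely(pageUrl, formAction)) {
    return `warn: form on ${pageUrl} posts in plaintext to ${target.href}`;
  }
  return `ok: form posts to ${target.href}`;
}

// Constructed sample pages and form actions, with the expected verdict.
const samples = [
  ["http://blog.example/post/2002", ""],                         // warn
  ["http://blog.example/post/2002", "/comment"],                 // warn
  ["https://blog.example/post/2002", "/comment"],                // ok
  ["https://blog.example/post/2002", "http://legacy.example/c"], // warn: https page, http form
  ["https://blog.example/post/2002", "//legacy.example/c"],      // ok: inherits https
];
for (const [page, action] of samples) {
  console.log(describeFormSubmission(page, action));
}
```

The fourth sample is the case a page-level indicator misses entirely: the page itself is HTTPS, but the form posts to an HTTP endpoint.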

Free SSL certs

Let’s Encrypt and AWS are two services now offering free SSL certs. As the market shifts toward free services, I’m sure implementation will get easier and easier until all web hosts just support it by default.

Of course, this would be a lot of work and a lot of companies would need to make big architecture changes.

5 thoughts on “The push to HTTPS”

  1. Bless you for posting about Let’s Encrypt & AWS. I had no idea there were places to get SSL certs.

    Also, I must say this feels like super overkill on Google’s part. I agree that it will become ignored if it’s the default because the vast majority of sites won’t be encrypted and it’ll be years until they are, if ever (barring some change in tech that makes securing any site a one-click solution).

  2. I knew about Let’s Encrypt but I didn’t realize Amazon had a free one as well. Well, kind of free. According to the article you linked, it only works with load balancers and CloudFront. So in my case where I only have a t2 micro EC2 instance and no load balancer, I’d have to create and pay for a load balancer server. I was hoping I can request it from Amazon and just install it on my existing server. I’ve heard the Let’s Encrypt option is improving so I may take another look at it. I already have SSL on my main domains (single) but would love to try Let’s Encrypt on my sub domains.

    1. I’ve set up Let’s Encrypt via Laravel Forge a few times and it’s a simple process because it basically handles everything for you. Here is another article by a friend that may help you get it installed and going:
      https://sysops.forlaravel.com/letsencrypt

      I think the big thing with Let’s Encrypt is the cert has a short expiration. Like six months. So you have to set up a cron job to pull a new cert so it’s automated. Also, they do not support wildcards. At least not yet.

    2. I was wrong with my assumption. I checked my AWS stuff today and found I can get the certificate for free even for my S3 hosted static sites. This is great news. Thanks for the heads up. I may even use it on my EC2 stuff when the certificates I currently have expire.