Posted on Twitter this morning:
Tech journalists: Have you questioned the wisdom of Google/EFF/Mozilla push to shrink the web to only sites that support HTTPS?
I don't understand why Google et al are doing this, and I think we should all be involved in this decision, esp journalists. I expect the tech press to be leading here. But so far no one has been willing to look. I've been more or less alone in questioning the idea.
To think that people who set up blogging servers can jump through this hoop, no one can be so naive to think that won't hurt the open web. For what benefit? Please don't recite the standard talking points, I've heard them all before many times.
There's no doubt it will serve to crush the independent web, to the extent that it still exists. It will only serve to drive bloggers into the silos. Perhaps that's the real motive for Google et al.
Google did this before, with RSS, the loop is closed on that. So to assume their motives are good, or that they're competent to make these choices for us, is not true. They are a company. A very large one, and they behave like one.
A former exec at one of Google's competitors explained what is possibly their real motive. Google doesn't want its competitors to write bots that scrape their search engine.
So why not just encrypt all access to google.com? I asked.
Because bits of Google code are embedded in other people's pages. Google Analytics, YouTube, maps. I immediately understood. The way HTTPS works, if any component of a page is not secure then all other accesses are not.
I guess that means that google.com still has to be ready to handle unsecure requests, because some pages include references to it.
What about Let's Encrypt or the dozen extensions you can install to GPG-verify web pages?
A concern I have is of emergency handling: if your need is to host quick and dirty static pages for fast information sharing to anyone who may need them, like when a city gets flooded, SSL is a waste of data and may DDoS your server.
Does that make it just a perception issue, then? To the extent that they are forcing HTTPS, couldn't they say, "If you want to embed our components you need to be using HTTPS." No reason they shouldn't be able to set the rules for their own servers.
Only downside (for them) I can see is that people who don't understand what's going on will think, "Google is broken, this other tool is still working." But if they can make *everyone* go HTTPS then it doesn't look like just them that broke.
Sorry for the dupe, trying to figure out how to delete a comment.