In recent years, Google has embarked on a project to strengthen security on the web by promoting the adoption of the HTTPS protocol by websites. To that end, the company announced that it would mark as unsecured any website that uses the HTTP protocol and collects passwords or banking information. However, since switching to HTTPS is not equally easy for all sites, the Mountain View firm established an action plan in which it began by flagging insecure web pages with a neutral indicator.
As for the drawbacks of HTTP, Google argues that when users request pages, the traffic can be intercepted and modified before the pages of the site are displayed on the client side. Thus, if a user sends confidential data such as credit card information through these insecure pages, that information can easily be stolen by a malicious actor, in contrast to data that passes over the HTTPS protocol.

In addition, beyond the fact that the HTTPS protocol protects user data on websites, Google also explains that this protocol is a requirement for many modern browsers and especially for those running progressive web applications. To facilitate the adoption of secure protocols, the certificate authority Let's Encrypt has granted free certificates since 2015 for the implementation of TLS on websites.
After drawing users' attention to insecure pages with a neutral flag, Google announced that it would mark HTTP pages opened in Incognito mode as unsafe in the address bar. Moreover, since July 1st of this year, Google has decided to mark HTTP pages as insecure. Eventually, the company plans to change the security indicator by displaying a red triangle with the word "unsecure".
However, such changes rarely go unchallenged. Dave Winer, a well-known developer and owner of the scripting.com site, disapproves of Google's initiative to promote massive adoption of HTTPS over HTTP and makes several arguments to defend his position.

Dave Winer presents the benefits of sites using the HTTP protocol

For Winer, the adoption of HTTPS may make archives that have been available on the web for several years inaccessible. He explains that in most cases, these archives remain on the web to the delight of some users, but are no longer maintained. This implies that no one will be able to migrate these web pages from their current protocol to a secure one. Thus, marking this type of site as unsafe would cause users to flee from it. For the developer, the reason there is so much diversity is that the web is an open thing that has never belonged to anyone. In his view, it would therefore be appropriate for Google not to force websites to adopt HTTPS by reporting them as unsafe.
As another argument, Winer argues that "Google has gone to great lengths to convince you that HTTP is not good," but for him, "HTTP is the best thing." According to him, it is "its simplicity that made the web work" and favored its explosion, where the previous protocols were difficult to build on. In defending the adoption of HTTP, Winer wants "that people can use their own web servers more easily." For him, "Google is doing what the priesthood of programming always does, by building the barrier higher up the entrance, making things more complicated, giving themselves exclusivity." "That means only super nerds will be able to set up sites."

As a result, Winer points out that "we are going to lose a lot of sites that were quickly posted on a whim, over the 25 years of the web, by people who did not quite understand what they were doing. It's also the glory of the web." He goes on to argue that "all views on the web are important, especially those that big companies do not understand or respect. That's how progress is made in technology." Finally, he writes, "the web is a social agreement not to break things. It has served us for 25 years. I do not want to give up because a group of nerds at Google think they know the best."

Dave Winer defeats Google's arguments for HTTPS

In addition to presenting the benefits of HTTP, Winer also takes on Google and the benefits of HTTPS put forward by the firm. He argues that "most sites they call 'insecure' do not require any information from the user," yet are marked as unsecured. As a result, says Winer, an ordinary user who has no idea why this alert is displayed may press the back button even though the site does not contain any threat. For Winer, "this is the kind of unpleasant political tactics we expect of corrupt political leaders, not leading technology companies."

He also argues that Google's argument that HTTP easily lends itself to man-in-the-middle attacks does not hold water because, even if you use a secure protocol, these same attacks can still be carried out by malicious third parties. Finally, Winer insists that although Google argues that many websites have now switched to HTTPS, the company neglects the fact that many sites that are still on HTTP abound in valuable information that needs to be kept.

After setting out his views on Google's push to have everyone adopt HTTPS, Winer, owner of the scripting.com site, says he has received an email from Google asking him to "migrate to HTTPS to avoid triggering the new warning on [his] site and to help protect users' data."
