Beware the looming Google Chrome HTTPS certificate apocalypse!

Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months. Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the …

  1. Anonymous Coward

    Class Libel Suit anyone ?

    If such a thing exists ?

  2. Lee D Silver badge

    Re: Class Libel Suit anyone ?

    Given that the inclusion of a certain CA into a certain browser is almost entirely voluntary on the part of the browser itself, there's not much you can really do about it. They could decide not to include a CA "because they're a bit smelly" and there's little to no legal recourse. Stating an opinion on the security of a CA that issues mega-wildcard-certificates is something that anyone is quite able to do... and is ALWAYS going to be negative as they simply shouldn't be doing that if they want to be a respected and trusted CA.

    The industry is about trust, not legal agreements. You don't want to use a CA that just has "a special deal" with Chrome to be included in their browser by default, I assure you. Lose the trust and you lose business. Because I bet a ton of people now won't touch Symantec or subsidiaries for a long time to come for their certificates.

    If you don't like that, don't abuse the certificate processes. It's like a baker who's been snotting into the bread complaining that someone told on him and now nobody buys his bread.

  3. John Lilburne Silver badge

    Re: Class Libel Suit anyone ?

    Nah! They've just broken the internet.

    There will be so many warnings that people aren't going to take any notice and either move away from chrome or click straight through and add an exception. The same is going to happen with sites that don't have or need a SSL cert. Probably about 95% of all sites.

    Why should people install or pay for something they don't need? If Google want all sites to have SSL then Google should pay for it.

  4. Lee D Silver badge

    Re: Class Libel Suit anyone ?

    I've yet to see anyone even know how to add a certificate exception to Chrome... pretty much you can't do it as a limited user, and people don't know how. We have (finally) reached the point where people can't just click "Accept All" and then carry on spewing their details.

    Hell... try replacing Google's certificate with anything else, most browsers will throw a fit because of certificate pinning, HSTS, etc. So, no, a broken cert is a broken website nowadays and people won't be putting their cards into it because it'll come up with dire warnings in any vaguely modern browser.

    And nobody needs pay anything. LetsEncrypt lets you have free certificates accepted by any browser. But I'd be wary of a business that DIDN'T want to pay the pittance that SSL certificates cost in order to secure their customer data.

    It's not Google that enforces this... it's any browser.

  5. Nick Ryan Silver badge

    Re: Class Libel Suit anyone ?

    > But I'd be wary of a business that DIDN'T want to pay the pittance that SSL certificates cost in order to secure their customer data.

    But a certificate does not secure customer data. In web browser terms it generally does nothing more than encrypt the traffic between a user's web browser and the server itself. The server could, and often does, have an application written by abject morons who put in hard coded administrator accounts, don't perform even cursory data validation on user input and leave bypasses when they can't be bothered to type in passwords. So the data is no less or more secure than it was, the https website is no less or more trusted than an http website, just that the transport of data packets between the client and the server should be reasonably secure.

    However, there is some measure of reassurance that a website owner has put some thought into security if they do have a certificate, but in the end the presence of a certificate means nothing.

  6. John Lilburne Silver badge

    Re: Class Libel Suit anyone ?

    > But I'd be wary of a business that DIDN'T want to pay the pittance that SSL certificates cost in order to secure their customer data.

    Most websites aren't businesses, and don't store customer data. Fuck Google.

  7. Lee D Silver badge

    Re: Class Libel Suit anyone ?

    "Most websites aren't businesses, and don't store customer data. Fuck Google."

    What's that got to do with Chrome revoking Symantec certs?

    If you had a cert, you were securing something.

    If you didn't, you weren't.

    Nobody is (yet) outlawing plain HTTP websites.

    But with LetsEncrypt and things like auto-support in Apache, it'll only be a few years before HTTPS is the only accepted communication - which is no bad thing even for a personal website that most people have no idea of the hosting details of anyway. It means your website content can't be subverted by ISPs fiddling with your content/ads mid-transmission, as some have been caught doing.

    With HTTP, literally any idiot along the route can slip some nasty Javascript or tracking code in that your visitors will be exposed to without your knowledge. With HTTPS, it takes something actually on their computer to do the same.

  8. Jason Bloomberg Silver badge

    Re: Class Libel Suit anyone ?

    > there is some measure of reassurance that a website owner has put some thought into security if they do have a certificate

    Not necessarily. Many will only have a certificate because they were told they needed one; to look more legit, to stop browsers blocking their sites, to avoid users phoning up or complaining, or even because others have them.

    No thought about security there.

  9. J. Cook Bronze badge
    Go

    Re: Class Libel Suit anyone ?

    Certificates are typically used to secure the connection to the site, not the data the site stores.

    That's a different drum of bees entirely.

    And Certificate Authorities are entirely about trust, and reputation- I'll trust Let's Encrypt and Digicert (oddly enough) before I'd trust other companies like Comodo and the (soon to be dead) Symantec with trusting them to act responsibly.

    I lost faith in Verisign back when the internet was still young, because they made the (terrible) decision to sell their domain registrant lists to marketing companies. (This was before such services as domain registration privacy were even conceived!)

    Being a commercial CA means, to me at least, that your company behaves in a certain manner to the best of its ability and does not, for example, intentionally issue wildcard certificates for domains you don't have any control over or a traceable request from the domain's actual owner to anything connected anywhere *near* the public internet. That's what killed Symantec's CA trust- they issued a wildcard certificate for Google without Google's permission, which got out on the public internet and then claimed that it was for a 'test lab' when Google (quite rightfully) called them out on it.

  10. coolcity

    Re: Class Libel Suit anyone ?

    No, if you have a cert it is quite possibly because you were forced to have one by Google, not that you necessarily needed to be "securing something".

    We don't collect ANY customer data, there's nothing to order and no forms for anybody to fill in but we're now forced to have a certificate.

    I'm not against the idea in principle but it's ironic that it's Google who ultimately decide whether your site is trustworthy or not - from probably THE most untrustworthy data harvesting organisation on the planet.

    "The industry is about trust" - but it isn't. Here Google are telling you that you should not, or can't (I forget the exact wording of the warning) trust a site because they haven't obtained a certificate, NOT because they can't actually be trusted. A site might be entirely trustworthy but now they're suddenly not because Google say they're not.

    What does enforcing your rules on everybody have to do with trust?

  11. The Sprocket

    Re: Class Libel Suit anyone ?

    "Nah! They've just broken the internet.

    There will be so many warnings that people aren't going to take any notice and either move away from chrome or click straight through and add an exception. The same is going to happen with sites that don't have or need a SSL cert. Probably about 95% of all sites.

    Why should people install or pay for something they don't need? If Google want all sites to have SSL then Google should pay for it."

    * * * *

    My sentiments exactly. I'm tired of Google using their half-baked browser and market-force muscle to bully people around. I hope there is a 'citizen revolt' against these knobs.

  12. The Sprocket

    Re: Class Libel Suit anyone ?

    "there is some measure of reassurance that a website owner has put some thought into security if they do have a certificate

    Not necessarily. Many will only have a certificate because they were told they needed one; to look more legit, to stop browsers blocking their sites, to avoid users phoning up or complaining, or even because others have them.

    No thought about security there."

    * * * * * *

    Precisely. That's why to many others I speak with, this Google initiative looks like a form of extortion. It hasn't been properly thought out and presented with clarity. It just looks like a cash-grab based on fear-mongering. And now another deadline (April) is looming.

    Well, that's what I hear from some small business owner clients of mine.

  13. Michael Wojcik Silver badge

    Re: Class Libel Suit anyone ?

    > LetsEncrypt lets you have free certificates accepted by any browser

    Free DV certificates. Some organizations need EV certificates, due to regulatory regimes (e.g. PCI-DSS); or if not required to, ought to use them because they deal in sensitive data.

    Like a number of security professionals, I am far from convinced that EV certificates are worth the extra cost - there isn't much evidence to believe that CAs are providing value for money. But the point is a free DV certificate from the likes of LE is not a universal solution.

    And for all the folks complaining about Google: While I'm no fan of the Gevil Gempire, someone needs to punish misbehaving CAs. There is a long and very sorry history of CA misfeasance (Ivan Ristic's Bulletproof TLS book has a good survey), and consequences are rare. Unfortunately in this case the impact on Symantec is slight because they simply offloaded a business unit that was at best marginally profitable, and not looking to improve.

  14. Rabbit of Caerbannog

    Re: Class Libel Suit anyone ?

    The technology ensures the encryption. They (Symantec and its partners that it trusted to use its CA) had one job, to ensure that people were who they said they were. That was the value of their CA and they through lack of control destroyed that value, and then acted like it was not their problem. The only reason you include a CA is because you trust the owner to do that one thing and Symantec failed in that one thing.

    There may be a class action by cert owners but my guess is it will be against Symantec. Symantec are about the only party that can sue Google and I wish them good luck with that.

    As any competent organisation should have a process for changing certs, anything above the BAU expenses of the change is entirely self-inflicted. If your crappy Symantec cert cost you billions in lost sales, is that Symantec's fault or down to your company's failure to change the cert?

  15. Rabbit of Caerbannog

    Re: Class Libel Suit anyone ?

    "I lost faith in Verisign back when the internet was still young, because they made the (terrible) decision to sell their domain registrant lists to marketing companies. (This was before such services as domain registration privacy were even conceived!)"

    Ever think that may be WHY such services as domain registration privacy were even conceived.

    You don't always assume people will behave like feckless pillocks so when they do all you can do is plug the gaps

  16. Orv Silver badge

    Re: Class Libel Suit anyone ?

    > That's why to many others I speak with, this Google initiative looks like a form of extortion.

    Uh, except as far as I know Google doesn't sell SSL certificates. They don't stand to make a cent from this.

  17. Chronos Silver badge
    Coat

    Indeed.

    Symantec wasn't very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.

    And that was just a plug for one of its own products...

    Mine's the one with the decrapifier USB stick in the pocket.

  18. Anonymous Coward
    FAIL

    Well done Google....

    ...now people will simply ignore any alerts and just carry on.

    Almost as dumb as saying they will demote non-https sites, but of course that only affects the smaller businesses who don't give them money, so who gives a toss eh?

  19. Chronos Silver badge

    Re: Well done Google....

    How exactly does promoting TLS connections for web traffic benefit Google, especially now letsencrypt is a thing? They're not a CA.

    What we really need is a DNS extension which tells the browser which CA root it can expect hosts in its domain to use. A simple TXT record with the fingerprint of the root CA certificate would do, or even the OpenSSL style hash, e.g.:

    $ORIGIN @

    _tlsca IN TXT "4042bcee,6187b673"

  20. katrinab Silver badge

    Re: Well done Google....

    Such a thing does exist, it is called a CAA record, and it was introduced last year. Right now, most DNS services don't support it, but presumably it will get more popular.

  21. Anonymous Coward

    Re: Well done Google....

    How does it benefit?

    Most mom and pop shops will not have the money or expertise to install and maintain certs (and many hosts charge extra for hosting that "allows" this).

    These are also the ones that are less likely to pay Google any money for services. This is going to affect smaller sites and yet again, game the system towards the bigger players, those with money.

  22. 2+2=5 Silver badge

    Re: Well done Google....

    Thanks chronos and katrinab - learnt something new today

  23. Steve Graham

    Re: Well done Google....

    "Most mom and pop shops will not have the money or expertise to install and maintain certs"

    With the hosting company I use, it literally amounted to clicking a tick box.

  24. vagabondo

    Re: Well done Google....

    If a web-site is only publishing information and not collecting secrets from the viewer, then the whole HTTPS, certificates and encrypted traffic is superfluous and an unnecessary overhead. Not everyone is involved in data slurping or transmitting private information across a public network.

  25. Santa from Exeter

    Re: Well done Google....

    And of course *everyone* uses the same hosting company as you.

  26. Chronos Silver badge

    Re: Well done Google....

    @katrinab many thanks for that heads-up. Seems I have my good ideas just after everyone else :)

    Edit gawd, I'm getting old. I must have come across the docs in the wee small hours one day because it seems I already have CAA records set up on my main domain. The master DNS is right in front of me, so nobody else did it. Is that a sign of imminent Alzheimer's or is it just one more example of JIT learning not sticking?

  27. John Lilburne Silver badge

    Re: Well done Google....

    > With the hosting company I use, it literally amounted to clicking a tick box.

    Well good for you. But most people will have to pay, move their hosting site, or jump through hoops to get letsencrypt to work.

    For why? The majority of sites are informational blogs and such. Due to spammers (mostly from gmail), they don't have people signing up and posting comments, and they don't sell shite. So why the fuck do they need to pay for and install crap?

    How are people in developing countries going to afford this shit?

  28. Anonymous Coward

    @John Lilburne Re: Well done Google....

    It's not about selling things - secure comms has moved on a lot since then and you do not have to pay for a cert - they are free as others have pointed out.

    A secure channel stops anyone injecting code into your website that is served to your readers. Therefore your informational blog doesn't have a MITM putting adverts or malware in it. It also stops the pages on the websites being tracked so that it creates less of a profile for you and your political affiliations. If you go to a news website and mainly read stories that are pro-opposition then your government might be concerned that you are an antagonist. Your ISP can put their own adverts into each site you visit or a wifi hotspot could be set up that can intercept and change your traffic or load malware.

    Someone who can't work out how to install a free secure certificate probably isn't keeping their server security up to date either or running open relay servers etc. It is called nudge theory, nudging people in a direction for the good of everyone.

  29. CarpeNoctem

    Re: Well done Google....

    Google never does anything that doesn't directly benefit Google.

    The entire anti-democratic AMP debacle is testimony to that.

  30. Anonymous Coward

    Re: HTTPS an unnecessary overhead

    I agree until Google stops listing in search results to anything that uses just 'http://'.

    Google rules the world only most people don't know it.

  31. Maty

    Re: Well done Google....

    'Google never does anything that doesn't directly benefit Google.'

    well, yes. I assumed from the start that's what this whole 'https:' thing was about. A year or two back some phone companies announced that they were going to be stripping out ads - including Google's adwords programme - and inserting their own.

    e.g. https://www.cnet.com/news/newspapers-to-brave-browser-dont-mess-with-our-ads-or-else/

    Google is basically an advertising company that also does search and some other stuff. Threaten their revenue stream and big G will - literally - change the web to stop you.

  32. Agamemnon

    Re: Well done Google....

    Ah, no. I have a "boutique" hosting company:

    * Lots of CMS.

    * Customers are all remote and travel (some are quite famous, most aren't).

    * They log in from cafes and airports and hotels to add and manage content, scheduling, check their mail and calendars.

    * Some do that "advertising" stuff.

    * I am currently sitting in a cafe in Redmond (you all know what's in Redmond...wankers) running a packet sniffer for my own personal entertainment.

    Add that up and where do you find yourself?

    * In need of *Basic Credential Security*.

    * Mitigation of MITM to some degree (waves, while sipping on a mocha).

    * Privacy of some personal or business information.

    HTTPS is a Requirement for All of my customers, period, no questions, no crying/whining/bitching/pissing/moaning because The Reality is that:

    Mobility Requires Security.

    If you log in to your CMS without HTTPS from this coffee shop right now, I Own It (and I'll link to dodgy sites just to teach you a lesson).

    Let's Encrypt allows me to do this without sticker shock with the option to get Right Serious if my customer (I decide) Requires it for their use case, and we get a Heavy CA That is Trustworthy.

    I Almost partnered with Symantec and I assure you fellow Vultures, they were much more interested in sales of services and upselling their idiot "Green URL Bar" than they were about Security. They Broke the trust, they lose the *privilege* of playing.

    Also on that list should be: Comodo, every major bank in the world, Uber (read ElReg headlines), Equifax, some hospital networks, intelligence communities, law enforcement. But, folk continue to show they have no grasp of the situation of "Trust". It seems all one needs is a boilerplate "We're sorry, we won't do it again." How many iterations of this before Regular Folk™ say, "Right, you're done?". In my experience, infinite.

    Just read the headlines.

  33. eldakka Silver badge

    Re: Well done Google....

    > Most mom and pop shops will not have the money or expertise to install and maintain certs

    What's that got to do with this?

    If you use a HTTPS cert, and if that has a Symantec authority in its certificate chain, this will impact you.

    Only approximately 20% of HTTP sites in the entire world use HTTPS. Therefore this revocation will not affect 80% of the sites in the world - of which your "mom and pop" example most likely resides in.

    And of those 20% that are HTTPS, this will only affect a very small sub-set of those, as the cert-issuing market is quite large with much competition, and Symantec wasn't one of the bigger players in that market.

  34. eldakka Silver badge

    Re: Well done Google....

    > So why the fuck do they need to pay for and install crap?

    Who is enforcing anyone to pay and install crap?

    Google isn't requiring everyone to install HTTPS certificates.

    This article is about them revoking the certificates - a relatively small number - of the relatively small number of websites that actually use certificates.

  35. coolcity

    Re: Well done Google....

    Everybody has the option to look for a host that doesn't charge extra for a cert. We were lucky enough to already be with one.

    I would expect this to be something that they all offer as part of the hosting package in the near future though as it becomes all but compulsory to have your site address begin with https.

  36. coolcity

    Re: @John Lilburne Well done Google....

    The point you people understand is that some middle aged lady who writes a baking blog or some kid blogging about cats won't have a clue what you just wrote means.

    If this is what the industry (read Google) wants I can understand that but it's the way they are going about it that many of us object to. Why not insist that the hosts, those selling web space, include it as part of their product instead of forcing it on people who don't even have a clue what Google are asking them to do.

    It's the fact that Google have this much control over the web that I find disturbing, I mean it's not as if they're the most trustworthy organisation out there.

  37. John Lilburne Silver badge

    Re: Well done Google....

    > Who is enforcing anyone to pay and install crap?

    > Google isn't requiring everyone to install HTTPS certificates.

    Perhaps not with this latest crap, but they are whining about red marking all non https sites, or at least that's the message I'm getting from my web host. Now I know that they are just trying to sell me shite, and I can probably use let's encrypt, but that is just something else that needs installing, and maintaining.

  38. John Lilburne Silver badge

    Re: @John Lilburne Well done Google....

    > A secure channel stops anyone injecting code into your website that is served to your readers.

    I think the rest of us will take cognisance of that when Google stops distributing malware, viruses, trojans, and other nasties from its app store.

    http://www.theregister.co.uk/2016/02/29/worlds_worst_android_play_store_attack_sends_millions_to_p0rn_sites/

    https://www.cnet.com/news/google-removes-android-malware-downloaded-up-to-5-9m-times/

    http://www.zdnet.com/article/phony-android-security-apps-in-google-play-store-found-distributing-malware-and-tracking-users/

    and stops people using gmail as spam signup portals. When I banned signups from gmail on the company user forum, the spam postings dropped by 80%.

  39. Anonymous Coward

    Re: @coolcity Well done Google....

    "The point you people understand is that some middle aged lady who writes a baking blog or some kid blogging about cats won't have a clue what you just wrote means."

    Oh jesus, what are you talking about. Which middle aged lady has contacted a web host, ordered a virtual server (or dedicated/co-located), ordered a domain name and pointed it at their virtual server and is happily uploading regular baking blog posts, paying their yearly fee from their credit card? Even if they are and they can't get their provider to add a cert for them, are they really concerned that their website might show a warning saying "this site does not use security"? FFS

    If they just use a free blogging platform then the free blogging platform will arrange certs if they feel it is needed.

  40. John Lilburne Silver badge

    Re: @coolcity Well done Google....

    > Which middle aged lady has contacted a web host ...

    There are a large number of people in that boat. It may be because something like blogger, or wordpress doesn't quite do what they want.

    It could be a local plumber, tradesman, or photographer wanting to showcase their services. A simple page or two that is just giving some basic information and a contact page. Or it might be something more sophisticated.

    Whatever the reason, they don't need a SSL cert and it is arrogant fuckwittedness, for Google and a bunch of Geek hangers on dictating to them that they need to rewrite their system for some bullshit fetish reason. What hosting platform they must use, etc

  41. elkster88

    Re: Well done Google....

    "If a web-site is only publishing information..."

    So there's no harm done if wrong and potentially harmful information gets re-transmitted by a MITM attack, instead of what was intended?

    OK, then.

  42. mootpoint
    Joke

    Re: @John Lilburne Well done Google....

    > When I banned signups from gmail on the company user forum, the spam postings dropped by 80%.

    Did the total postings also drop by 80%?

  43. Test Man

    Re: @John Lilburne Well done Google....

    >>The point you people understand is that some middle aged lady who writes a baking blog or some kid blogging about cats won't have a clue what you just wrote means.

    That middle-aged lady you speak of is almost certainly not someone who has single-handedly set up their own site on a hosting service and so therefore doesn't need to worry beyond asking their third-party blogging platform company (Wordpress.com? Blogger?) whether they are checking their certs.

  44. Michael Wojcik Silver badge

    Re: Well done Google....

    > Such a thing does exist, it is called a CAA record, and it was introduced last year.

    Actually in 2013 (RFC 6844). The CA/Browser Forum made it mandatory (for any CA that follows the diktats of the CABF, which is at least the major ones) last year.

    And deployment is growing, if slowly. There have been hiccups;[1] most notably, Comodo was found to be not checking CAA records, which is a bit embarrassing since they invented the damn things.

    But CAA does prune some branches of the attack tree for the public X.509 PKI, and at very low cost, so that's good. Along with Certificate Transparency it may actually make the PKI slightly less dismally broken.

    [1] Hiccoughs, for non-Websterized readers.
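
Added example, not part of any comment in this thread and not any CA's own code: a sketch of the CAA check (RFC 6844) discussed in comments 20 and 44, as a CA would run it before issuing. CAA is evaluated by the issuing CA, not by the browser. The zone data, the `account` parameter and `other-ca.example` are constructed; tree climbing is simplified to walking parent labels, and a record set with no applicable issue property is treated as unrestricted.

```python
"""CAA issuance check over a constructed zone snapshot (added example)."""
import shlex
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class CAA(NamedTuple):
    flags: int  # 128 = issuer-critical bit
    tag: str    # issue, issuewild, iodef, ...
    value: str


KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128

# Constructed zone data in master-file syntax; all names are placeholders.
SAMPLE_ZONE = '''
example.com.         IN CAA 0 issue "letsencrypt.org"
example.com.         IN CAA 0 issuewild ";"
example.com.         IN CAA 0 iodef "mailto:security@example.com"
shop.example.com.    IN CAA 0 issue "digicert.com; account=12345"
locked.example.net.  IN CAA 0 issue ";"
future.example.org.  IN CAA 128 tbs "unknown-policy"
'''


def parse_zone(text: str) -> Dict[str, List[CAA]]:
    """Collect CAA records per owner name; other lines are skipped."""
    zone: Dict[str, List[CAA]] = defaultdict(list)
    for line in text.splitlines():
        fields = shlex.split(line)
        if len(fields) == 6 and fields[1:3] == ["IN", "CAA"]:
            owner = fields[0].rstrip(".").lower()
            zone[owner].append(CAA(int(fields[3]), fields[4].lower(), fields[5]))
    return dict(zone)


ZONE = parse_zone(SAMPLE_ZONE)


def relevant_rrset(name: str, zone: Dict[str, List[CAA]]) -> Tuple[str, List[CAA]]:
    """Walk from the name toward the root; the closest CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return "", []


def issuer_domain(value: str) -> str:
    """The issuer name is the part before the first ';' (parameters follow)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, domain: str, zone: Dict[str, List[CAA]] = ZONE) -> Tuple[bool, str]:
    """Return (allowed, reason) for CA identifier `ca` and the requested name."""
    wildcard = domain.startswith("*.")
    owner, rrset = relevant_rrset(domain[2:] if wildcard else domain, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    # A critical property the CA does not understand blocks issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"unrecognised critical tag '{rr.tag}' at {owner}"
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # issuewild applies only to wildcard requests and then replaces issue.
    policy = issuewild if (wildcard and issuewild) else issue
    if not policy:
        # Assumption of this example: no applicable property, no restriction.
        return True, f"CAA at {owner} does not restrict this request"
    allowed = {issuer_domain(rr.value) for rr in policy}
    allowed.discard("")  # an empty issuer name (";") authorises nobody
    if ca.lower() in allowed:
        return True, f"{ca} authorised by CAA at {owner}"
    return False, f"{ca} not authorised at {owner} (allowed: {sorted(allowed) or 'none'})"


if __name__ == "__main__":
    requests = [
        ("letsencrypt.org", "www.example.com"),
        ("other-ca.example", "www.example.com"),
        ("letsencrypt.org", "*.example.com"),
        ("digicert.com", "shop.example.com"),
        ("letsencrypt.org", "shop.example.com"),
        ("letsencrypt.org", "locked.example.net"),
        ("letsencrypt.org", "future.example.org"),
        ("other-ca.example", "unlisted.example.io"),
    ]
    for ca, name in requests:
        ok, why = may_issue(ca, name)
        print(f"{'ALLOW' if ok else 'DENY ':5}  {ca:18} {name:22} {why}")
```
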

  45. Michael Wojcik Silver badge

    Re: Well done Google....

    "If a web-site is only publishing information..."

    > So there's no harm done if wrong and potentially harmful information gets re-transmitted by a MITM attack, instead of what was intended?

    Or malicious Javascript is inserted in the response by a MITM, when the user is on some open WiFi coffeeshop network.

    I have in the past been critical of HTTPS Everywhere, but MITM script injection in an open, untrusted wireless LAN is simply too easy. HTTPS Everywhere is an unwanted overhead when I'm on my own secure network, and of course I'm running NoScript, so even when I'm out and about an attacker would have to poison and spoof some domain that's on my whitelist. But most users are not even that well protected. And while the potential damage from a hostile script is relatively low (browser process running with reduced privileges, security patches applied, etc), I don't want to waste cycles mining Monero for some random gang of assholes.

    So, unfortunately, I suspect I'll have to become a reluctant advocate for HTTPS Everywhere. The HTTP environment is simply too hostile.

  46. Anonymousse

    Re: @John Lilburne Well done Google....

    Lotta sexism here, you know there are middle-aged ladies who are programmers, ex-programmers or just have a brain in general, and would have no trouble setting up+coding a personal website on a host? Why is this the example? "luddite" would be more appropriate.

    Setting up a website really isn't rocket-science, and even beginner users can go further than Wordpress/Blogger.

  47. Rabbit of Caerbannog

    Re: Well done Google....

    Big organisations that break SSL/TLS by deploying interceptors on their networks and push a crappy CA to their hapless users will just need to tamper with internal DNS relays.

  48. Rob D. Bronze badge
    Stop

    Re: @coolcity Well done Google....

    > Whatever the reason, they don't need a SSL cert and it is arrogant fuckwittedness, for Google and a bunch of Geek hangers on dictating to them that they need to rewrite their system for some bullshit fetish reason.

    Similarly there is a lack of good wits from folk asserting in thoroughly histrionic language that Google, through this action, is forcing people who currently do not use SSL certificates to start using SSL certificates.

    Google and Mozilla withdraw trust for a range of certificates in their browsers because they state, with some cause, the certificates are compromised. Anyone who is not currently using a certificate to provide HTTPS access to their web site can continue to not use a certificate for their web site without losing or gaining anything. Anyone who does and has one of the compromised range needs another one. This isn't rocket science and it isn't a good platform for the 'Everything Google Does Is The Work of Satan' speech.

  49. Anonymous Coward

    Well done Google, NOT

    Now Google stops trusting Symantec, GeoTrust, RapidSSL and Thawte certificates!? WTF

    And also show now a new big "NOT SECURE" for all HTTP websites. WTF^2

    source: https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

    Screw the browser cartel (Goo, Moz, M$) for destroying the web.

    Mind you Amazon.com was HTTP-only (except for its login page) 1995-2017 and it was no problem at all. HTTP is completely fine for most websites. And if you are doing e-commerce, or banking, such sites have HTTPS support anyway. This is a war on HTTP for no good reason. The reason is with HTTPS your traffic is unique and you can be traced very easily. And of course Email is still sent in plain text, and there is no lobbying for S/MIME and GPG at all - because the browser cartel (who also is the email cartel) doesn't care about data privacy at all, it's all about spying the end user and tracking them. And HTTPS is a good vehicle to create a closed garden, and an ad-monopoly on top of it. Screw you. I want HTTP where ever I want. And don't forget about LAN and IoT where HTTP is irreplaceable, realistically. Getting users to install self-signed SSL certs on their LAN devices looks shady and simply doesn't work. People prefer HTTP. So stop this HTTPS-only bullshit Google!

  50. John Lilburne Silver badge

    Re: Well done Google....

    > So there's no harm done if wrong and potentially harmful information gets re-transmitted by a MITM attack,

    It doesn't need a MITM attack for that, wikipedia already serves that function on the web.

    https://www.google.co.uk/search?q=wikipedia+erroneous+facts
