Actually, iOS developers: DON'T!!!
We need to give them an incentive to pull their finger out! Use an alternate ad network or charge a fee if you have to.
Google has told iOS 9 app developers to disable Apple's enforcement of HTTPS-only connections – or their in-app Google ads won't show up on up-to-date iPhones and iPads. Apple has added what it calls App Transport Security (ATS) to iOS 9 and OS X 10.11, which ensures software only uses encrypted connections when talking to …
Dear developers: if you decide to degrade to HTTP, kindly mention this in the app description so I can avoid it.
Dear Apple: this is worth screening apps for. It would be EXTREMELY good if the App Store could flag apps that use this degradation of security as mandated by Google. While you're at it, I would appreciate a generic requirement for Apps to mention that they are ad-supported in the first place. I understand the desire for developers to create revenue that way, but as a user I should be able to see this "feature" before I download an app.
Now, I'm the first to admit that I'm no fan of ads on apps because they eat bandwidth and screen real estate, both precious resources on a handheld device (and I deem it offensive that I should pay for that), I tend to pay for apps instead. However, there are people who have no problem with that, but I think someone ought to be able to make that decision upfront.
As for Google: FY. Really, FY. This is another example where a company has no problem with degrading your rights because it suits them, and Google has been pretty much carrying that banner from the day it started doing more than the search engine.
The real 'sufferers' are the developers who rely on rubbish adverts for their bread and butter. Google have noticed the issue and brought a quick solution to the table; arguably it is not the best solution, though it should only affect those too tight to buy the games they play. It would be useful for those developers who rely on ads to put some pressure on the advert slingers to get their acts together and 'upgrade' to HTTPS in the interests of most parties.
I said most parties since ad supported apps do appeal to some though frankly if I cannot afford the app then I would rather suffer the silence.
Come to think of it I do. I have zero interest in apps and zero apps on my phone, ad supported or ad free.
Join the club. I have a grand total of two third-party apps on my 4S: Twitter, and an ad-supported free flashlight app which I rarely use except to read menus in dimly-lit restaurants. That's it -- no games, no bullshit. I do fine with the apps that came with the phone.
My wife's 4S, on the other hand -- don't get me started...
Nope, sorry.
It means that any man in the middle attack can change the resource you are sending to the browser. I can replace your ad with mine and you will still be the one to get the bill. I can redirect the URLs you embed to my dodgy phishing version of your site. I can inject some malicious JavaScript and you will be fingered and blacklisted very quickly by the major ad networks.
At least with https, unsavoury folk need to pwn your server to emulate you. Https everywhere. Google, stop being dicks. You understand the risks. Most app developers don't. I will happily criticise Apple on many things, but what they are doing here is completely right. (Although no doubt they enjoy the collateral damage to their competitor)
MITM is only really relevant if you control at least one of the end points. In the case of ads, the end user is not choosing which URL to visit - that's being determined by someone else paying money to yet another someone who controls the platform, possibly through a series of intermediaries. As an end user, I have no idea what site the advertising platform will make my device visit and the fact that TLS gives some third party the assurance that my device is fully in their control does not make a material difference to my security as far as I'm concerned...
I'm more than suspicious. Apple doesn't push ads so I would mostly trust their encryption. Google does and they also want your info for more ad pushing. I'd have to assume that they can break their encryption for whenever they want? For whatever reason they want? I smell a fox in the henhouse...
> Apple doesn't push ads
Of course they do. It's just not their main source of revenue, unlike Google.
Apple's new content blocking tech is a gun pointed directly at Google. Meanwhile, Google are busy shooting themselves in the foot by doing nothing to prevent malvertising pushed over their infrastructure.
"While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems," blogged Googler Tristan Emrich.
Sorry, Tristan, but you clearly don't know what "committed" means.
Here's a hint: it doesn't mean you'll do it only if it doesn't cost you money. It doesn't mean you'll take the easy way out. It doesn't mean you'll recommend that people compromise security so you can continue to make money.
Sorry, Tristan, but you clearly don't know what "committed" means. Here's a hint: it doesn't mean...
No, it means "locked away due to mental issues." My overall impression is that Google truly wish to encourage use of HTTPS. Perhaps they might put a bit of effort into developing tools to vet 3rd party ads for security issues (assuming they don't already). They are in a great position to do so and can think of it as securing their revenue stream. Right now, they seem to be in a position of advocating one thing and being dependent on its opposite.
My overall impression is that Google truly wish to encourage use of HTTPS
.. when it suits THEM. The main reason Google started with https was to make it difficult for 3rd parties to analyse just what sort of traffic was heading for Google, it had NOTHING to do with protecting you (although, of course, that was their spin on it). If you want to have an indication of just how much Google cares for your safety, just look at how easy it is to search for exploits, how long it took before Gmail logons became https only and today's discussion.
When I see a hasty clawback by a Google dude of a serious issue, I know publicity must have struck a nerve. Otherwise such news would get the same treatment as any lawmaker in the world gets when they warn Google that they're breaking the law: total silence, unless legal proceedings are started.
Funny how Google themselves removed Chrome's ability to handle mixed HTTP/HTTPS content as of version 44, thus breaking a bunch of websites that most other browsers still handle just fine, and yet they have the audacity of not getting their own act together for this.
Sadly that won't happen. What *will* happen is that advertisers (not programmers) will make the switch because advertisers will notice that they aren't reaching the audience that kept HTTPS on and so they'll upgrade their content delivery.
This isn't Google's problem. This is the advertisers problem, and the fix is easy.
As an iOS developer: It's not a trick. Apple has a documented feature that allows an app to allow http connections anywhere, or to allow http connections to certain servers, or to allow https connections with known vulnerable https versions to certain servers.
However, I strongly believe that this is done to allow developers to continue working to get their apps working on iOS 9 while someone is sorting out the http problems. When you submit an app to the app store, this will flash up on the reviewers screen, and then they will ask you why you need that exception. "I connect to this third party server, and I can't make them fix their server" is a reasonable excuse. "I turned off all protection because Google said so" isn't. I would bet that any such app will be rejected.
Google is an advertising company. Advertising is how they make their money. If they can't deliver safe advertisements, then they should close down and let someone else provide advertisements and make money.
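The poster above describes the three kinds of ATS relaxation Apple documents: a whole-app opt-out, a per-server plaintext exception, and a per-server exception for older TLS versions. The checker below is an added example, not code from the thread, from Apple or from Google: it reads an app's Info.plist with Python's standard plistlib and classifies how far the app has weakened ATS, which is the kind of screening an earlier comment wishes the App Store did. The keys it inspects (NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads, NSExceptionMinimumTLSVersion, NSIncludesSubdomains) are Apple's documented ATS keys; the three plist documents and the host names in them are constructed samples, not taken from any real app.

```python
"""Classify how an iOS app's Info.plist relaxes App Transport Security (ATS).

Added example: standard library only, sample plists are constructed.
"""
import plistlib

# Constructed sample 1: the blanket opt-out. A single key turns plaintext HTTP
# back on for every host the app ever talks to.
BLANKET_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.blanket</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample 2: scoped exceptions. One third-party host the developer
# cannot fix may use plaintext HTTP, another may negotiate TLS 1.0; ATS stays
# fully enforced for every other connection.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.scoped</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-ads.example.net</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
      <key>old-tls.example.net</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample 3: no ATS dictionary at all, so iOS 9 defaults apply
# (HTTPS with modern TLS for every connection).
STRICT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.strict</string>
</dict>
</plist>
"""

WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def ats_findings(plist_bytes):
    """Return a dict describing the ATS posture declared in an Info.plist.

    level is one of "blanket" (NSAllowsArbitraryLoads set), "scoped" (only
    per-host exceptions) or "strict" (no relaxation declared).
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = {
        "bundle": info.get("CFBundleIdentifier", "<unknown>"),
        "level": "strict",
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "insecure_domains": [],   # hosts allowed to use plaintext HTTP
        "weak_tls_domains": [],   # hosts allowed to negotiate TLS < 1.2
    }
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings["insecure_domains"].append(host)
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS_VERSIONS:
            findings["weak_tls_domains"].append(host)
    if findings["arbitrary_loads"]:
        findings["level"] = "blanket"
    elif findings["insecure_domains"] or findings["weak_tls_domains"]:
        findings["level"] = "scoped"
    return findings


def describe(findings):
    """One-line summary suitable for a review checklist."""
    if findings["level"] == "blanket":
        return "%s: ATS disabled for ALL hosts (NSAllowsArbitraryLoads)" % findings["bundle"]
    if findings["level"] == "scoped":
        parts = []
        if findings["insecure_domains"]:
            parts.append("plaintext HTTP to %s" % ", ".join(findings["insecure_domains"]))
        if findings["weak_tls_domains"]:
            parts.append("weak TLS to %s" % ", ".join(findings["weak_tls_domains"]))
        return "%s: scoped exceptions (%s)" % (findings["bundle"], "; ".join(parts))
    return "%s: ATS fully enforced" % findings["bundle"]


if __name__ == "__main__":
    for sample in (BLANKET_PLIST, SCOPED_PLIST, STRICT_PLIST):
        print(describe(ats_findings(sample)))
```

To run it against a real app, replace the embedded bytes with the contents of the app bundle's Info.plist (binary plists are accepted by plistlib.loads as well). The distinction the script draws is the one the poster draws: a per-host exception names the server that cannot be fixed, whereas NSAllowsArbitraryLoads removes the protection for every connection the app, and every ad SDK inside it, will ever make.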
so the old 'do no evil'
should become 'Do everything possible to maximise our income no matter how many people we piss off'.
so Google is no different from any other company then.
There is an article on /. about Google offering you a job based upon your search history.
http://developers.slashdot.org/story/15/08/27/2140221/google-may-try-to-recruit-you-for-a-job-based-on-your-search-queries
So there are three simple questions to ask
1) So how much do they really know about you?
2) And how much of that would embarrass you if they sold it to the wrong people?
3) Have you Google'd yourself recently?
That result set is only the tip of the iceberg of what they have on you.
Shits
... Google would want to downgrade my website for being http (no login, no controversial information, no justifiable reason to require encryption) ...
The benefit that SSL would bring in your case is not so much that the site would be encrypted, but that the encryption key certificate needed to establish an SSL connection would identify you as the site's owner, and this would enable users of your site to ensure that they were viewing the site they thought they were.
.... not that anyone ever checks ...
There's nothing "unsafe" about embedding HTTP content in an HTTPS page (at least compared to a pure HTTP page) but in another shining example of their stupidity, some browsers don't allow it. You hear that, Mozilla (and anyone else doing this crap)? Your silly decision is actually stopping websites from using encryption.
I don't agree at all about the "nothing unsafe".
The user likely expects the whole page to be encrypted (indeed, he may well expect the whole page to be same-origined). Leaving half of it in a bizarro eavesdropper state (from where JavaScript may be injected to render the rest of the page a festering mass of unsecurity) is NOT a good idea.