Re: They can only do that if...
Actually, the complete, accurate statement is "you really can't trust HTTPS".
Probably true. OTOH I personally don't much care except when money is involved. And I try to do as little as possible involving money on-line. I find that face to face, paper, and/or telephones work better and are less inconvenient than online with proper security and are less scary than online without proper security.
For me, most of the time, https mostly means I can't view a constantly changing array of sites in one browser or other (I have at least six installed) because their certificates have some subtle or not so subtle flaw this week.
My guess is that most users will have no idea what Google is about with this HTTPS thing. Depending on implementation details, they will either click through any annoying error messages or will whinge until someone shows them how to switch to a different search engine.
No, I don't know what to do about all this until folks are ready to accept that online security is a very tough problem, the toolkit we are approaching it with is entirely inadequate, and we may have to stop doing some things (e.g. Javascript) that are surely incompatible with secure computing.
Biting the hand that feeds IT
