Google To Enforce HTTPS Connections For 45 TLDs

Status
Not open for further replies.
Well, that's just plain dumb (wanting EVERY website to use HTTPS). While certainly there are websites out there which should require encryption of data, like any site that routinely stores account information of any type*, wanting it for EVERY site is unnecessary.

My personal website? Not needed. My business website (which exists for basic information only)? Not needed. Why would I want to go through the extra expense to pay for security certificates which I don't need! Yes, I could self-sign, but then almost every browser would throw up flags.

If the browsers would scale that back and allow for a more relaxed handling of security certs, then I'd consider self-signing and going https. Until then? Nope.
 


The bad guys can leverage the fact that you use HTTP to make browsers use HTTP when it should be using HTTPS. The fact that HTTP exists means downgrade attacks exist. Get rid of HTTP and get rid of downgrade attacks.

There is no safe way to automatically detect when HTTPS should be used.
 
I don't know why browsers don't use https by default in the first place, and then downgrade if there's no response and try again on http?
 
Remember before Web 2.0 when many pages were just static collections of data. If there was some sort of read-only interface to a website that didn't need to be encrypted, that could be implemented alongside https. Remember RSS? Of course, RSS was just an additional data file retrieved via HTTP, not itself an actual protocol.

HTTP stands for "hyper text transport protocol". Somehow, this got turned into the default protocol for everything on the internet. So instead of visiting an HTTP site to retrieve static content, now you go to an HTTP site and it might ask you for your credit card information. Someone said "this is insecure" and added secure-socket-layer (SSL) to the protocol and gave us HTTPS. In retrospect, perhaps a different protocol for truly secure bi-directional communication should have been created? HTTPS should NEVER have been allowed to fall back to HTTP, but because it was an addition to HTTP, not a different protocol, it was insecure from the start. Now we have an entire internet barely able to handle security.

And before LetsEncrypt, the process to even set up HTTPS was expensive and complex. Luckily that's been eliminated, but the HTTP:HTTPS cross-dependencies will basically mean a lot of insecurity until HTTP goes away or a viable successor just replaces the whole thing.
 


Waiting for the response takes upwards of 30 seconds. Most people don't want to wait 30 seconds. What if a "bad guy" is blocking port 443 between you and the site you're trying to connect to? Then you can't connect, you downgrade, and now you're connecting to your bank over HTTP and they have access to your account.

HTTP needs to die.
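The last two posts describe exactly the decision a browser has to make: try HTTPS first, and then either fall back to HTTP when port 443 does not answer (which is what an attacker who blocks the port is counting on) or fail closed because the browser already knows the host is HTTPS-only. The toy model below is an added example written for this page, not code from any poster or from Google; it assumes that the "HTTPS-only" knowledge comes from HSTS (a stored Strict-Transport-Security header or a preload entry, the mechanism behind enforcing HTTPS for whole TLDs, which the thread itself does not name). The network, the hosts `bank.example` and `blog.example`, and the 30-second timeout are constructed for the demo; nothing connects anywhere.

```python
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    """One remembered Strict-Transport-Security policy (RFC 6797)."""
    host: str
    max_age: int
    expires_at: float
    include_subdomains: bool


def parse_hsts(host, header, now):
    """Parse an STS header value such as 'max-age=31536000; includeSubDomains'.

    Returns an HstsEntry, or None when the header is invalid (max-age is required).
    A max-age of 0 is valid and tells the caller to forget the policy.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. preload) are ignored by a user agent
    if max_age is None:
        return None
    return HstsEntry(host, max_age, now + max_age, include_sub)


class Browser:
    # Seconds a failed HTTPS connection attempt costs before anything else happens
    # (the "upwards of 30 seconds" from the thread). Constructed value.
    CONNECT_TIMEOUT = 30.0

    def __init__(self, preload=()):
        self.preload = set(preload)  # hosts shipped as HTTPS-only, like a preload list
        self.hsts = {}               # host -> HstsEntry learned from earlier responses

    def remember_header(self, host, header, now):
        """Store (or, for max-age=0, drop) a policy from an HTTPS response."""
        entry = parse_hsts(host, header, now)
        if entry is None:
            return
        if entry.max_age == 0:
            self.hsts.pop(host, None)
        else:
            self.hsts[host] = entry

    def hsts_applies(self, host, now):
        """True if host, or a parent with includeSubDomains, is known HTTPS-only."""
        if host in self.preload:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry.expires_at > now and (i == 0 or entry.include_subdomains):
                return True
        return False

    def navigate(self, host, network, now):
        """Return (scheme_used, seconds_waited); scheme_used is None when we refused."""
        reachable = network.get(host, set())  # schemes that currently answer
        if "https" in reachable:
            return ("https", 0.0)
        # HTTPS did not answer: either the site has none, or someone blocked port 443.
        waited = self.CONNECT_TIMEOUT
        if self.hsts_applies(host, now):
            return (None, waited)  # fail closed: never send this host's traffic over HTTP
        if "http" in reachable:
            return ("http", waited)  # silent downgrade, the scenario the thread warns about
        return (None, waited)


def demo():
    now = time.time()
    open_net = {"bank.example": {"https", "http"}}      # constructed: both ports answer
    blocked_net = {"bank.example": {"http"}}            # constructed: 443 blocked on the path
    naive = Browser()
    learned = Browser()
    learned.remember_header("bank.example", "max-age=31536000; includeSubDomains", now)
    preloaded = Browser(preload={"bank.example"})
    return {
        "naive/open": naive.navigate("bank.example", open_net, now),
        "naive/blocked": naive.navigate("bank.example", blocked_net, now),
        "learned/blocked": learned.navigate("bank.example", blocked_net, now),
        "learned/subdomain": learned.navigate("online.bank.example",
                                              {"online.bank.example": {"http"}}, now),
        "preloaded/blocked": preloaded.navigate("bank.example", blocked_net, now),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20} -> scheme={result[0]!r:8} waited={result[1]}s")
```

The two failure modes the posters argue about both show up: the naive browser pays the full timeout and then connects to the bank over plain HTTP, while a browser holding an HSTS policy (learned or preloaded) pays the same timeout but refuses the downgrade. Preloading matters because the learned policy only exists after one successful HTTPS visit, which is the gap a first-visit downgrade exploits.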
 