SoylentNews is people

posted by cmn32480 on Sunday September 11 2016, @05:48PM
from the there's-gotta-be-a-downside-to-this dept.

According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.
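
As an added illustration (not part of the original submission, and not Chrome's detection code), here is a static audit a site owner could run over their own pages to see which ones would fall under the first-stage rule described above. It assumes "sensitive field" means `<input type="password">` or an `autocomplete` token starting with `cc-`; the function names and sample pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects password / credit-card inputs and the form action they sit under."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_action = None
        self.fields = []  # list of (kind, form action or None)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form, self.form_action = True, a.get("action", "")
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif any(t.startswith("cc-") for t in a.get("autocomplete", "").lower().split()):
                kind = "credit-card"  # assumed heuristic for card fields
            if kind:
                self.fields.append((kind, self.form_action if self.in_form else None))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form, self.form_action = False, None


def audit_page(page_url, html):
    """Return (field kind, reason) for each sensitive field exposed to plain HTTP."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    page_insecure = urlsplit(page_url).scheme != "https"
    findings = []
    for kind, action in finder.fields:
        target = urljoin(page_url, action) if action else page_url
        if page_insecure:
            # Even if the form posts to HTTPS, the form itself arrived unprotected.
            findings.append((kind, "page served over HTTP"))
        elif urlsplit(target).scheme != "https":
            findings.append((kind, "form posts to HTTP"))
    return findings


# Constructed sample pages (example.test is a placeholder domain).
LOGIN_ON_HTTP = ('<form action="https://shop.example.test/session" method="post">'
                 '<input name="user"><input type="password" name="pw"></form>')
CARD_POSTS_TO_HTTP = ('<form action="http://pay.example.test/charge">'
                      '<input autocomplete="cc-number" name="card"></form>')
ALL_HTTPS = '<form action="/session"><input type="password" name="pw"></form>'
# A static scan cannot see fields that script adds after load.
SCRIPT_ADDED = ("<body><script>var i=document.createElement('input');"
                "i.type='password';document.body.appendChild(i);</script></body>")

if __name__ == "__main__":
    for url, page in [("http://shop.example.test/login", LOGIN_ON_HTTP),
                      ("https://shop.example.test/pay", CARD_POSTS_TO_HTTP),
                      ("https://shop.example.test/login", ALL_HTTPS),
                      ("http://shop.example.test/app", SCRIPT_ADDED)]:
        print(url, audit_page(url, page))
```

The last sample returns no findings even though the rendered page would contain a password field, so a static pass like this is a lower bound; pages that build forms in script need a check against the rendered DOM.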



 
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Anonymous Coward on Sunday September 11 2016, @05:52PM

    by Anonymous Coward on Sunday September 11 2016, @05:52PM (#400334)

    Remember when google was the cool search engine that helped you find things? Instead of trying to hide things from you?

  • (Score: 1) by Francis on Sunday September 11 2016, @06:00PM

    by Francis (5544) on Sunday September 11 2016, @06:00PM (#400337)

    Hide things from you? Unless you are an employee of a spy organization, then how are they hiding things from you?

    These days the overhead for HTTPS is relatively easily provided as opposed to when the standard was first created. There are security problems that come from sites that use HTTPS for a couple things, but don't secure the whole visit. At bare minimum it can make it challenging for users to know if their login details are being handled securely or not. I know some sites I've been to hide the HTTPS by just using it for the login details and nothing else on the page.

    • (Score: 5, Insightful) by GungnirSniper on Sunday September 11 2016, @06:03PM

      by GungnirSniper (1671) on Sunday September 11 2016, @06:03PM (#400338) Journal

      Google is using its massive power to push and punish sites based not on the information relevant to the user's query but according to Google's concept of what's a good site or bad site. Mostly this has been good, but could easily lead to framing of information and events. They are the largest gatekeeper now, and with that comes scrutiny.

      • (Score: 3, Insightful) by Francis on Sunday September 11 2016, @06:07PM

        by Francis (5544) on Sunday September 11 2016, @06:07PM (#400341)

        If you're still using Google, then this isn't likely to be a problem. I stopped using their search engine years ago because the results are crap, they spy excessively on the users and they keep trying to force-feed things they think I want rather than what I ask for.

        • (Score: 5, Informative) by Immerman on Sunday September 11 2016, @06:36PM

          by Immerman (3985) on Sunday September 11 2016, @06:36PM (#400350)

          Their results are crap? What search engine are you using then? Everything else I've tried makes Google look positively psychic in comparison.

          • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @07:23PM

            by Anonymous Coward on Sunday September 11 2016, @07:23PM (#400360)

            I've discovered that if I know what I am looking for, but not where it is, Bing tends to do better than Google. When I don't know what I am looking for Google is better.

            For example, looking for docs for projects and libraries or HOWTOs vs. finding a library to do something.

          • (Score: 1) by Francis on Sunday September 11 2016, @08:26PM

            by Francis (5544) on Sunday September 11 2016, @08:26PM (#400380)

            I've found Bing to be similar to Google in terms of quality. But, I personally use duckduckgo most of the time. Results are generally better and they don't try to guess what I'm wanting to find, they give what I ask for.

            Google was never a good search engine; it was fast and had a larger index, but mainly because it didn't try to understand what it was looking for. To this day it's still a crude search engine that has problems with things like finding terms that are near each other, but not next to each other, and there's a ton of crap links for link farm sites on the first couple pages whenever I use it.

            • (Score: 4, Informative) by isostatic on Sunday September 11 2016, @11:31PM

              by isostatic (365) on Sunday September 11 2016, @11:31PM (#400417) Journal

              DuckDuckGo is terrible. I use it as a default, and I'd guess 40% of the time I end up going to google instead after ddg fails.

              • (Score: 1) by Francis on Monday September 12 2016, @12:25AM

                by Francis (5544) on Monday September 12 2016, @12:25AM (#400431)

                It depends what you're looking for. I find that even just typing in error messages into the major search engines tends to be rather inconsistent. And god help you if you're looking for something more complicated or where there's multiple ways of phrasing it.

                For all the efforts at making the search engines smarter, they're even dumber than they were 15 years ago.

              • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:26AM

                by Anonymous Coward on Monday September 12 2016, @07:26AM (#400554)

                For a proper judgement/comparison you should then switch to using Google by default and seeing what percentage it fails and switch to ddg if Google fails to see if ddg does better.

                • (Score: 2) by isostatic on Monday September 12 2016, @02:39PM

                  by isostatic (365) on Monday September 12 2016, @02:39PM (#400731) Journal

                  I used to use google, and never felt the need to go elsewhere

                  However in a vain attempt to reclaim some control over my online presence I moved to DDG. It works half the time, maybe even most of the time.

                  Here's a query I just used though

                  tuc conference 2016

                  As I wanted to know when it's finished.
                  https://www.tuc.org.uk/events/congress-2016 [tuc.org.uk]

                  Would be a page I expect to come up with - which is the page for the TUC conference 2016.

                  DDG comes up with
                  https://www.tuc.org.uk/equality-issues/gender-equality/tuc-womens-conference [tuc.org.uk]

                  Which is a conference from 2015. Second result was the TUC homepage, and it's not until about result 8 that the TUC 2016 conference is mentioned, and it's a copy of the program.

                  Google comes up with the right page as the first result.

                  lib dem conference 2016

                  comes up with the right result on DDG, so no need to go to google for that.

              • (Score: 2) by TheRaven on Monday September 12 2016, @09:20AM

                by TheRaven (270) on Monday September 12 2016, @09:20AM (#400599) Journal
                Whenever DDG doesn't find what I'm looking for, I send the query to Google and Bing (which DDG makes easy - just stick !bing or !google in the search box). I've recently done that quite a bit, as I've been searching for things that don't appear to exist on the web (anyone know how to get an Asus TF700T out of an infinite reboot loop with the stock firmware?). I see a fairly consistent result: if something isn't in DDG, I get no results from DDG. I then get pages and pages of irrelevant results from Google and Bing. A couple of months ago, Bing actually did find the result that I was looking for, when neither DDG nor Google did, but I still can't bring myself to consider using Bing as a default search engine.
                --
                sudo mod me up
                • (Score: 0) by Anonymous Coward on Monday September 12 2016, @11:46AM

                  by Anonymous Coward on Monday September 12 2016, @11:46AM (#400638)

                  "just stick !bing or !google in the search box"

                  !g works as a shorthand for !google.
                  I also often use !gm (Google Maps), !gscholar, !gtranslate, !w (Wikipedia)...

                  (Just checked, !b works as !bing.)

                  • (Score: 2) by TheRaven on Monday September 12 2016, @01:54PM

                    by TheRaven (270) on Monday September 12 2016, @01:54PM (#400702) Journal
                    Thanks! I use !wiki a lot, !w will save lots of typing.
                    --
                    sudo mod me up
            • (Score: 2) by Immerman on Sunday September 11 2016, @11:37PM

              by Immerman (3985) on Sunday September 11 2016, @11:37PM (#400419)

              Hmm, I haven't been terribly impressed with Bing - not as bad as most, but still seems to be 75% irrelevant results. Google seems to usually be the opposite, especially in response to a well-phrased natural language query.

              >Google was never a good search engine...
              Clearly you have forgotten Yahoo, Excite, etc. before Google came along - when you felt lucky to get a relevant search result on only the third page. I suppose on some absolute goodness scale it might not be great, but it completely blew the socks off everything else available.

              Even today Firefox continuously pisses me off by switching the default search engine back to Yahoo, where I still feel lucky to find more than one or two relevant results on the first page.

              • (Score: 1) by Francis on Monday September 12 2016, @12:20AM

                by Francis (5544) on Monday September 12 2016, @12:20AM (#400429)

                None of the engines were good, hence why Google was able to get a foothold. It was just as bad as the other search engines, but it was fast and had a larger database of sites that were cataloged more frequently. It used to be a bit of a rite of passage going from search engine to search engine and none of them were really any good.

                I've found Bing to be about as good as Google. Most of the time when I'm on Google I find the first couple pages to be full of things that are irrelevant, or are full of largely worthless resources there to capture clicks for ad revenue like how to and expert sex change and what have you.

                I find that unless I happen to know what I'm looking for and type in the exact correct phrase that I wind up spending a lot of time manually screening out shit matches. As often as not I find that unless I choose the exact correct set of synonyms for what I'm looking for that the site is expecting that I wind up going through a huge amount of irrelevant items. And God help you if you're searching for something and don't know consecutive words. Last time I checked Google didn't even have a keyword for near, which meant that if the words appeared anywhere in the page in any order, even if they were literally the first and last word in the document, it would still match.

                But really, none of the search engines are particularly good. I give DDG a lot of credit for the basic things like not distorting the results trying to give me what I think I want rather than what I want.

                Perhaps it's the stuff I'm looking for, but I've yet to find a search engine that really gets it right and I think that Google has been very bad for the search engine market as there's been very little forward progress in the last decade on search technology. Most of the improvements have been in dealing with SEO strategies that put garbage on the first place. And that wouldn't be a problem if there were more search engines available.

            • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:54AM

              by Anonymous Coward on Monday September 12 2016, @07:54AM (#400569)

              Google was never a good search engine it was fast and had a larger index

              You haven't used Google in the 1990s.

              Altavista had a large index. No matter what I searched for, it would give about a billion results. And the one I was looking for would be around result number 437,126,984.

              Google would return maybe a hundred results for the same search words, and the one I was looking for was often number one and nearly always on the first page of results.

        • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:49AM

          by Anonymous Coward on Monday September 12 2016, @07:49AM (#400564)

          I stopped using their search engine years ago because the results are crap

          Agreed on the results being crap[1]. The search quality has been going down for years. Which is why I don't understand how Microsoft manages to keep Bing even worse.

          Unfortunately, I haven't been able to find a better search engine.

          [1] It gets really "funny", when I get results with the text "words not found on the page:", followed by whatever I'm searching for. Hey Google, if you already know that what I'm searching for is not in the page, don't return that page.

      • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @06:10PM

        by Anonymous Coward on Sunday September 11 2016, @06:10PM (#400342)

        http://www.mirror.co.uk/tech/google-fighting-isis-changing-what-7331274 [mirror.co.uk]

        That is *exactly* what they are doing.

        Mark my words this will come back on them. Once the media companies figure it out. They are going to want major filtering of everything.

      • (Score: 2) by Immerman on Sunday September 11 2016, @11:41PM

        by Immerman (3985) on Sunday September 11 2016, @11:41PM (#400421)

        How is it punishing you to flag your website as insecure for allowing the government (and anyone else who cares to) to record exactly what I'm browsing?

        Now, if they use that as reason to push you down the search results, then yeah, I've got a problem. But I didn't notice any mention of that.

        • (Score: 3, Insightful) by GungnirSniper on Monday September 12 2016, @01:08AM

          by GungnirSniper (1671) on Monday September 12 2016, @01:08AM (#400443) Journal

          Mostly because my homepage is about as relevant to confidentiality as a newspaper article.

          • (Score: 1, Funny) by Anonymous Coward on Monday September 12 2016, @06:30AM

            by Anonymous Coward on Monday September 12 2016, @06:30AM (#400541)

            Your ISP’s script injection with a 0-day exploit on the other hand...

          • (Score: 3, Insightful) by TheRaven on Monday September 12 2016, @09:23AM

            by TheRaven (270) on Monday September 12 2016, @09:23AM (#400601) Journal
            Your homepage might not be, but the fact that someone reads it is personal information and you're making it easy for people to intercept that. Given how easy it is to set up HTTPS these days (I've been using StartSSL's free certs for a few years) and how little the CPU load is (Netflix manages to saturate multiple 40GigE links from a single box using FreeBSD on commodity hardware with SSL turned on), there's very little excuse for not encrypting.
            --
            sudo mod me up
            • (Score: 2) by Immerman on Monday September 12 2016, @02:53PM

              by Immerman (3985) on Monday September 12 2016, @02:53PM (#400735)

              Agreed. There's a reason librarians have stood strong against government attempts to gain access to the books people choose to read.

        • (Score: 2) by JNCF on Monday September 12 2016, @01:45AM

          by JNCF (4317) on Monday September 12 2016, @01:45AM (#400450) Journal

          Now, if they use that as reason to push you down the search results, then yeah, I've got a problem. But I didn't notice any mention of that.

          You're right that this is unrelated, but they've been using HTTPS as a factor in search rankings for a little over two years now. From The Eye of Sauron itself: [googleblog.com]

          For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

          • (Score: 0) by Anonymous Coward on Monday September 12 2016, @07:58AM

            by Anonymous Coward on Monday September 12 2016, @07:58AM (#400571)

            You're right that this is unrelated, but they've been using HTTPS as a factor in search rankings for a little over two years now.

            So, that's how they keep making search worse...

            Ranking irrelevant https sites above relevant howto and faq documents that only a moron would consider sensitive enough to encrypt.

    • (Score: 0) by Anonymous Coward on Sunday September 11 2016, @07:57PM

      by Anonymous Coward on Sunday September 11 2016, @07:57PM (#400377)

      I guess you've got too much Google-sauce on the brain that you couldn't understand the issue, but the issue is that they are hiding non-HTTPS sites. Tons of websites don't collect user data and have no conceivable reason to use HTTPS. If Google deprioritizes them in search results they are basically shoving unnecessary changes on literally everyone, and yes, hiding stuff.

    • (Score: 3, Informative) by mcgrew on Monday September 12 2016, @05:48PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Monday September 12 2016, @05:48PM (#400840) Homepage Journal

      I have two web sites. There is no login, no ads, no cookies, and the tiniest bit of javascript to send phones to a phone-friendly page. There is absolutely no need whatever for either site to have HTTPS, so why should I go to the trouble?

      That's just nuts. Yes, if you need a password to get into a site it should be HTTPS, but a static HTML page doesn't need HTTPS.

      --
      mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 5, Informative) by theluggage on Sunday September 11 2016, @06:37PM

    by theluggage (1797) on Sunday September 11 2016, @06:37PM (#400351)

    Remember when google was the cool search engine that helped you find things?

    Remember at the top of the summary where it says Google Chrome - i.e. the web browser, not the search engine?

    Also, I certainly remember the days when, by default, most browsers popped up a warning dialog when you submitted a form to a non-https page. It's deja-vu all over again.

    Flagging all http sites as "Not secure" (even if they're just static pages with no forms) seems a bit tinfoil hat, however, and even though it's "just a flag" it seems like a way to train people to ignore red triangles.

    • (Score: 2) by JNCF on Monday September 12 2016, @03:58AM

      by JNCF (4317) on Monday September 12 2016, @03:58AM (#400511) Journal

      it seems like a way to train people to ignore red triangles.

      This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:

      Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

      In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

      • (Score: 2) by theluggage on Monday September 12 2016, @12:11PM

        by theluggage (1797) on Monday September 12 2016, @12:11PM (#400648)

        This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:

        Does that mean they're actually going to take it into consideration (which would involve considering the possibility that flagging all HTTP pages would be a step too far), or is it the usual "taking into consideration" (we'll discuss it a bit in committee and then go ahead and do what we've already decided to do)?

        Passwords and credit cards? Fine - frankly I'd rather not put credit card info into a site that doesn't have extended verification, let alone an HTTP one. However - how reliably can you detect this if the page is using AJAX or Javascript? False security is worse than no security.

        Incognito mode? Fine: you've specifically asked the browser to get paranoid.

        Any old HTTP page? Sorry, no, that's just crying wolf - if you're that concerned about being monitored or spoofed, turn on Incognito mode.

        "Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently"

        Really? Quick, call the Journal of Urso-Sylvanian Scatology (incorporating Pontifical Denomination Studies)!

        • (Score: 2) by JNCF on Monday September 12 2016, @08:56PM

          by JNCF (4317) on Monday September 12 2016, @08:56PM (#400922) Journal

          Flagging all HTTP sites seems like a step too far right now. I don't think they've committed to a firm timetable. If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.

          • (Score: 2) by theluggage on Tuesday September 13 2016, @04:13PM

            by theluggage (1797) on Tuesday September 13 2016, @04:13PM (#401365)

            If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.

            That last 20% of http sites is gonna take a long time to shift - run by people in their copious free time, on zero budget, with hosting companies that aren't falling over themselves to add Let's Encrypt support to make it click & drool (no, that's not always essential, but it makes it much easier, especially with Let's Encrypt's short-lived certs).

  • (Score: 2) by SomeGuy on Sunday September 11 2016, @07:31PM

    by SomeGuy (5632) on Sunday September 11 2016, @07:31PM (#400363)

    Heh, I remember when altavista.digital.com was the cool search engine (well, any search engine at all was cool) that helped you find things. And that little Google startup had to work extra hard finding and indexing content.