I'm very glad I don't touch web dev anymore. This piecemeal removal of features from one transport mode is exactly the sort of thing that causes clients (of the human, paying sort) to flip out when they misunderstand what is going on.
Don't get me wrong - I think this is a good thing. And I don't know that the answer is a big, publicized drop of all these changes at once, although that would have certain advantages. But a trickle of dropped features that non-technical folks will never see announced is going to be a lot of fun for web developers.
I don't really think the backlash is happening as you describe. There's quite a lot of public awareness about ongoing communications and privacy issues, and implementing SSL is extremely cheap in most cases. "We need to upgrade your security to keep things working, it will take a day" is a fairly straightforward sell in most cases.
Does this move really solve ANY privacy problem? Getting geolocation already prompts the user for approval. Any sinister party wouldn't bat an eye at setting up https. Odd.
The concern is that if the site is insecure you might send Geolocation which might be sensible information through unsecure channels allowing someone to snoop on the connection and read that data.
In other words, they are trying to hide the geolocation data from proxies, carriers, ISPs, and possibly MitM attacks.
Speaking of which, whatever happened to the COWL system? I know Google & Mozilla were involved in researching the tech. Will it ever come to Chrome and other browsers?
So now if someone who hosts/rents a small server for side projects/hosting small services like community forums or a simple game wants to make something experimenting with geolocation they'll have to buy an HTTPS cert, make an app (which requires paying for the ability to put apps on major app stores unless you want to only support Android, where the OS discourages users from installing 3rd party apps with messages about how they might harm your phone, or jailbroken iPhones), or only support non-Chrome browsers (as long as other browsers don't follow in this). Is it really a good thing to restrict web functionality even more from small players? How does it matter if someone sniffs your GPS location from an HTTP connection? Are there situations where that's feasible and your precise geographic location isn't something the attacker already knows? The only major situation I'm aware of is wifi hotspots where the location is already known.
Edit: Apparently there are free certificate suppliers, but will those be sustainable if HTTP is eventually fully phased out? Browsers display errors with self-signed certificates, so it still seems problematic in the long run to have to depend on the good graces of other parties if you want to serve web content.
I have a side-project server. It took me about fifteen minutes to get an SSL cert with letsencrypt, and it was free. I even get to use it on my mumble, smtp and imap servers.
Perhaps they are interested in defending against sniffing further along the line (ISP, backbone) or are just making the change as part of the general strategy to encourage HTTPS use? While I see your concern about inconveniencing smaller players, LetsEncrypt exists now, and there are definitely mid- and large-sized players that I would like to see pushed in the direction of HTTPS exclusivity.
This comment seems to imply that you're using a transport layer security mechanism < TLS 1.0, i.e. SSLv2 or SSLv3. I strongly encourage you to upgrade to TLS 1.1 or newer.
> So ad-supported sites have to choose between greatly reduced ad revenue or a broken app. Thanks Google.
Geolocation API is pretty powerful. It's one thing for a random website to know approximate location, but to be able to track location within 10m is something else.
To the people replying to this comment, he's not talking about the ads not being able to use the users' location. Most don't. But plenty of ad networks don't work properly or the CPM is much lower for HTTPS enabled websites. I'm guessing r1ch is using users' locations for his site, and it's ad supported. Hope everyone who is against ads is willing to pay for their content from now on!
Just embed an iframe for a secure subdomain and use window.postMessage to communicate with it.
Edit: never mind, that is apparently also "insecure", leading me to think they are doing this because they get a kickback from the SSL cert vampires somehow.
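Added example (editor's illustration, not code from any commenter in this thread): the rule Chrome applies here is the W3C Secure Contexts test for a "potentially trustworthy origin", which is what decides whether a page may call the Geolocation API at all. The function below implements that test as the spec states it (https/wss, file:, and loopback hosts such as localhost and 127.0.0.0/8 pass; plain http on any other host fails), which also answers the question raised later in the thread about local servers. A second function shows the origin check that the "secure-subdomain iframe plus window.postMessage" workaround needs on the receiving side if it is used: only messages from the exact embedded origin are accepted, never a wildcard. Origin strings and the `{type, lat, lon}` message shape are constructed for the example.

```javascript
// Returns true when `hostname` (as produced by the WHATWG URL parser) is a
// loopback host under the Secure Contexts rules: "localhost", any
// "*.localhost" name, IPv4 127.0.0.0/8, or the IPv6 loopback [::1].
function isLoopbackHost(hostname) {
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (hostname === "[::1]") return true; // URL keeps IPv6 literals in brackets
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && Number(m[1]) === 127;
}

// Secure Contexts "potentially trustworthy origin" check for a page URL.
// This is the gate browsers put in front of powerful features like
// Geolocation; an http:// page on a non-loopback host gets `false`.
function isPotentiallyTrustworthyOrigin(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);          // global WHATWG URL (Node >= 10, browsers)
  } catch (_) {
    return false;                  // unparseable URL: treat as untrusted
  }
  const scheme = u.protocol.replace(/:$/, "");
  if (scheme === "https" || scheme === "wss") return true; // TLS-protected
  if (scheme === "file") return true;                      // local file
  if ((scheme === "http" || scheme === "ws") && isLoopbackHost(u.hostname)) {
    return true;                   // loopback traffic never leaves the host
  }
  return false;                    // anything else a proxy/ISP could read
}

// Builds a `message` event handler for the iframe workaround: data is only
// accepted when it comes from the one origin we embedded (hypothetical
// origin supplied by the caller), and only when it has the expected shape.
// Returns true if a position was delivered to `onPosition`, false otherwise.
function makeGeoMessageHandler(trustedOrigin, onPosition) {
  return function handle(event) {
    if (event.origin !== trustedOrigin) return false; // drop other senders
    const d = event.data;
    if (!d || d.type !== "geo" ||
        typeof d.lat !== "number" || typeof d.lon !== "number") {
      return false;                // malformed payload
    }
    onPosition({ lat: d.lat, lon: d.lon });
    return true;
  };
}

// Sample usage with constructed values.
const samples = [
  "https://example.com/map",
  "http://example.com/map",
  "http://localhost:8080/map",
  "http://127.0.0.1/map",
  "http://192.168.1.10/map",
];
for (const s of samples) {
  console.log(s, "->", isPotentiallyTrustworthyOrigin(s) ? "geolocation allowed" : "blocked");
}
```

On the receiving page the handler would be wired up with `window.addEventListener("message", makeGeoMessageHandler("https://secure.example.com", showOnMap))`; checking `event.origin` is what keeps any other frame on the page from injecting a fake position.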
http://cowl.ws/
https://www.ucl.ac.uk/news/news-articles/1014/061014_COWL
Glad this was included. Is https even meaningful when on a local server?
Chrome version: