Oh no, someone's going to MITM my shitty blog posts. "Secure" is a word that only makes sense with context, and without that context it only serves to cause irrational panic. I wonder why Google's really doing this.
You don't have to wonder all that hard given how publicly Google has discussed their stance on this. They have been using their leverage to try to force SSL usage for some time, including adversely affecting search rankings for sites that don't use it. They have clearly articulated many times they think SSL everywhere is important for the web, and they have the leverage in search/browser marketshare to try to make this a reality.
For what its worth, most metrics show a significant jump in SSL usage in 2016/17 following the announcement that it could adversely affect search rankings, although who knows if the two are related.
Boxing out ISPs is probably a large part of why they're doing it. Google believes traffic should be able to go directly from your computer to the server in question and then load up Adsense without any interference from your ISP injecting ads. They can do things for more than one reason, it's a good thing, but it also nullifies one of the few channels they don't have access to.
You'd be amazed at the amount of web sites which are not secured. E-commerce sites, corporate sites, classified sites, you name it. How unlikely would be to visit a news site through some "free" vpn service only to have most of the ads replaced with shady ones. I mean let's get realistic here, https while inconvenient will make the web a better place. And even if your site isn't secure most users won't even notice because they rarely ever watch the address bar. If they did there wouldn't be a bazillion of phising attacks out there.
It's not irrational. Remember the Great Cannon of China attack in 2015? That attack tool works by modifying the responses to insert code to attack the victim. If your shitty blog posts aren't over https, then they can be used to attack other people.
In a way, it's a little like a public health argument. You might not be worried about measles but you should still be vaccinated for the sake of the herd.
giobox|7 years ago
You don't have to wonder all that hard given how publicly Google has discussed their stance on this. They have been using their leverage to try to force SSL usage for some time, including adversely affecting search rankings for sites that don't use it. They have clearly articulated many times they think SSL everywhere is important for the web, and they have the leverage in search/browser marketshare to try to make this a reality.
> https://security.googleblog.com/2014/08/https-as-ranking-sig...
The Google IO talk for Google's desire for "HTTPS everywhere"
> https://www.youtube.com/watch?v=cBhZ6S0PFCY&utm_source=wmx_b...
For what its worth, most metrics show a significant jump in SSL usage in 2016/17 following the announcement that it could adversely affect search rankings, although who knows if the two are related.
UncleMeat|7 years ago
patmcguire|7 years ago
LeoPanthera|7 years ago
This is not a theoretical vulnerability. Comcast routinely adds stuff to unencrypted web pages.
elorant|7 years ago
criddell|7 years ago
In a way, it's a little like a public health argument. You might not be worried about measles but you should still be vaccinated for the sake of the herd.