top | item 46959661

(no title)

ralferoo | 19 days ago

Google didn't drag anyone anywhere without LE though.

Sure, they supported the nascent HTTPS very early on, but most of the web thought that certificates were "too expensive for the likes of us", and so only really banks and the like actually adopted HTTPS. Most of the internet was still HTTP only for years after HTTPS was available.

Only when LE came along and started offering free certificates and facilitated a massive uptake in HTTPS websites were Google ever in a position to default to marking HTTP as "insecure and dangerous".

I've got no figures, but I suspect that if LE were to kick their heels in, that Google wouldn't dare risk half the internet not working using their browser. I'm sure that would be some people who didn't want to be collateral damage if there was a standoff and would switch to a CA that complied with Google's will, but I suspect most people would be happy to see Google challenged on this. And end users would hopefully discover that every other browser still worked, just Chrome had broken, and Chrome would quite rapidly fall out of favour.

discuss

bawolff|19 days ago

While google did do a lot of work on making https by default be a thing, that is only a small part of what im refering to. Google did huge amount of work to make https high quality, so that sites using it were actually secure. They increased standards for CAs significantly, took a much tougher line on CAs who violated the rules, pushed certificate transparency hard (which is probably one of the most important developments for security of TLS ecosystem). Chrome was the first browser to support HSTS which is very important for https to work in practise. Google maintains the hsts preload list.

Google didn't just make TLS popular, they made it secure.