Google Chrome 56 trigger warnings?

Will https save your site? I doubt it

For the past several years, Google has been on this crusade to have all web traffic (every visit to every web page) go through https://, rather than plain old http://. The difference is that traffic over https:// is encrypted before being sent; http:// traffic is not.

They argue that, given all the personal, sensitive information people send via their web browser these days, making it all secure by default is a no-brainer. But they’re not going to get the entire internet to shift to https:// any time soon.

And so they’ve decided, in the face of significant resistance, to ramp it up by getting Chrome, their browser, to declare any website that still asks for usernames and passwords, or for financial information, via http:// to be insecure, with all the attendant scary warning dialog boxes etc.
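Which of a site’s pages would actually get the label can be checked offline. The following is an added example, not code from the original post or from Google: it scans a page’s HTML for the fields Chrome 56 looks at (password inputs and credit-card inputs) and reports them only when the page is served over plain http://. The credit-card check via autocomplete="cc-*" is an assumption standing in for Chrome’s own form heuristics, and example.com is a placeholder.

```python
# Added example (not from the original post): find pages that Chrome 56
# would mark "Not secure", i.e. plain http:// pages containing a password
# or credit-card field. Credit-card detection via autocomplete="cc-*" is
# an assumption standing in for Chrome's own form heuristics.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that ask for a password or card data."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.append(("password", a.get("name", "")))
        elif a.get("autocomplete", "").startswith("cc-"):
            self.fields.append(("credit-card", a.get("name", "")))


def chrome56_warning(url, html):
    """Return the fields that make Chrome 56 label `url` 'Not secure'.
    An empty list means no warning: either there are no sensitive
    fields, or the page is served over https:// rather than http://."""
    if urlsplit(url).scheme.lower() != "http":
        return []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.fields


# Constructed sample pages; example.com is a placeholder, not a real site.
LOGIN_PAGE = ('<form action="/login" method="post"><input name="user">'
              '<input type="PASSWORD" name="pw"></form>')
CHECKOUT_PAGE = '<form><input autocomplete="cc-number" name="card"></form>'
NEWS_PAGE = "<p>No forms here.</p>"

if __name__ == "__main__":
    for url, page in [("http://example.com/login", LOGIN_PAGE),
                      ("https://example.com/login", LOGIN_PAGE),
                      ("http://example.com/checkout", CHECKOUT_PAGE),
                      ("http://example.com/news", NEWS_PAGE)]:
        hits = chrome56_warning(url, page)
        print(url, "Not secure" if hits else "ok", hits)
```

The same login form is reported over http:// and passes over https://, which is exactly the distinction Chrome 56 draws.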

So isn’t security good? Why all the resistance? Well.

Setting up a secure website (ie one that serves everything over https://) is a non-trivial task, both in terms of time and money.

You have to acquire and pay for a security certificate. It costs more per year than what a lot of people pay for hosting their entire website. And many companies will also want more per month to host sites that use https://. So on top of paying for the certificate, you have to pay more for hosting as well.

https will not keep your site or your users safe

And you have to re-jig your site so that all the old URLs that people have bookmarked, that are indexed in search engines, etc. still work. That’s still more money.

So if you’re going to invest, you have to want to know what you’ll actually be getting. And the answer is, not much, or to continue with the above case, not enough to justify doubling your hosting costs.

I think most web security experts would say that, despite the ubiquity of unencrypted website traffic all these years, most cases of unauthorized access to websites or data theft happen because of social engineering, brute-force password-guessing attacks, or exploits of poorly coded web applications.

And https:// won’t prevent any of these.

Packet sniffing — the sort of espionage/cyber attack that https:// does prevent — is already very resource-intensive. Too much so for your garden-variety hacker.

I expect people whose sites require logins won’t have a choice — they’ll have to buy the certificates and pay for the hosting. Anything else will be too disruptive, and they probably won’t want to lose the trust of their Chrome-using audience.

But it’s a regrettable move on the part of a company whose growth in size and influence appears to be rapidly outstripping its smarts.