×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Google Will Give a Search Edge To Websites That Use Encryption

timothy posted about 4 months ago | from the bit-of-an-incentive dept.

Encryption 148

As TechCrunch reports, Google will begin using website encryption, or HTTPS, as a ranking signal – a move which should prompt website developers who have dragged their heels on increased security measures, or who debated whether their website was “important” enough to require encryption, to make a change. Initially, HTTPS will only be a lightweight signal, affecting fewer than 1% of global queries, says Google. ... Over time, however, encryption’s effect on search ranking [may] strengthen, as the company places more importance on website security. ... While HTTPS and site encryption have been a best practice in the security community for years, the revelation that the NSA has been tapping the cables, so to speak, to mine user information directly has prompted many technology companies to consider increasing their own security measures, too. Yahoo, for example, also announced in November its plans to encrypt its data center traffic.

Sorry! There are no comments related to the filter you selected.

Great step! (5, Interesting)

satuon (1822492) | about 4 months ago | (#47623339)

That's a really great step from Google, I had never thought that it can be done in such a neat way. What's next? Can they also do it for IPv6?

Re:Great step! (1)

thieh (3654731) | about 4 months ago | (#47623357)

IPv6 would be a bit problematic because not every ISP has IPv6 and it can mount to being discriminatory based on who you choose as ISP or simply where you live.

Re: Great step! (0)

Anonymous Coward | about 4 months ago | (#47623405)

Wouldn't be monetary descrimination for those of us who cannot afford valid certificates? Will they further separate it by how much your cert costs (more $ = better ranking)? Google ca services incoming.

Re: Great step! (1)

Anonymous Coward | about 4 months ago | (#47623431)

StartSSL still give out free certificates to individuals right?

Re: Great step! (1)

grim4593 (947789) | about 4 months ago | (#47623545)

Yes. I use StartSSL for my personal server and it works great. You would need to pay for a Class 2 cert to register it for an organization.
https://www.startssl.com/?app=25#2 [startssl.com]
https://www.startssl.com/?app=25#90 [startssl.com]

Re: Great step! (1)

Rich0 (548339) | about 4 months ago | (#47624071)

What did you do about Heartbleed. Did you pony up the $25 to change your key? I understand that they won't let you give them a new CSR without revoking the old one, and they won't revoke it for free.

Re: Great step! (4, Informative)

petermgreen (876956) | about 4 months ago | (#47623933)

They do BUT

1: their rules on who can get the free certs seem to be varied and arbitary. I've seen reports of an opensource developer being given a free cert initially but then come renewal time told that merely having a donation button makes their site count as "ecommerce" and therefore ineligable
2: they make the expiry artifically short (the CA industry as a whole does this but startSSLs free certs are epecially bad),
3: they refuse to renew certs until just before they expire and refuse to reissue certs without revoking the old one.
4: each free cert only covers a domain and one hostname under that domain (e.g. bar.com and foo.bar.com). This effectively means you end up needing one IP per hostname you want SSL on (until IE on XP becomes insignificant anyway).

It's nice that there is a free (as in beer) option for some people but it's also clearly got a number of artificial restrictions on it to push people towards their paid options.

Re: Great step! (3, Informative)

heypete (60671) | about 4 months ago | (#47625537)

2: they make the expiry artifically short (the CA industry as a whole does this but startSSLs free certs are epecially bad),

A validity time of one year is pretty standard for SSL certs (paid certs often charge per year). Could they issue them for 20 years? Sure, but a one year validity is not unusual. Class 2 certs are good for two years.

3: they refuse to renew certs until just before they expire and refuse to reissue certs without revoking the old one.

I get renewal notices two weeks prior to expiration. That's pretty reasonable. If I recall correctly, I can generate a new cert for my site any time in that two-week period, so I don't need to wait for the cert to expire before replacing it.

While I wish they allowed free reissuance of certs at any time, I don't really see why requiring revocation is a showstopper.

4: each free cert only covers a domain and one hostname under that domain (e.g. bar.com and foo.bar.com). This effectively means you end up needing one IP per hostname you want SSL on (until IE on XP becomes insignificant anyway).

That's also the case for pretty much any of the inexpensive paid certs too. You can always get a wildcard cert but most CAs charge at least $100/year for a single wildcard cert. StartSSL charges $60 for Class 2 validation, and you can issue unlimited certs (wildcard or not). Organizations can get Class 2 certified for $120 ($60 for identity verification, $60 for organization verification) and can issue unlimited certs. For a company needing more than one cert, StartSSL is still cheaper.

It's nice that there is a free (as in beer) option for some people but it's also clearly got a number of artificial restrictions on it to push people towards their paid options.

Considering their paid certs are often cheaper than comparable offerings from other CAs, it doesn't really seem unreasonable to me. Doubly so because they're run by competent people who respond promptly to inquiries, even from free users. I've been a StartSSL customer for years (and also used other CAs like GoDaddy, Comodo, Thawte, etc.) and the customer service from StartSSL has always been excellent.

If you don't want to get a StartSSL cert or they don't meet your needs, that's fine. NameCheap and others sell single-domain Comodo certs for $9/year. RapidSSL certs are a buck or two more per year. That costs less than a single beer at the local bar. Hardly a massive expense.

Re: Great step! (1)

FatLittleMonkey (1341387) | about 4 months ago | (#47626045)

1: their rules on who can get the free certs seem to be varied and arbitary. I've seen reports of an opensource developer being given a free cert initially but then come renewal time told that merely having a donation button makes their site count as "ecommerce" and therefore ineligable

OTOH, at $60/yr for an unlimited C2, if you're running a project with public donations, you should be paying. Even if you're still not-for-profit, you're no longer an "individual". Surely that's a little different than my personal email server?

Re: Great step! (4, Informative)

Rich0 (548339) | about 4 months ago | (#47623993)

StartSSL still give out free certificates to individuals right?

Yes, as long as you don't change your certificate after the key is lost as a result of HeartBleed. [startssl.com] If you want your users to be secure, then you need to pony up $25. How that isn't a violation of the Mozilla policies is beyond me. I can give StartSSL clear proof that a private key has been disclosed, and they won't revoke it unless somebody pays them to do it.

Re: Great step! (0)

Anonymous Coward | about 4 months ago | (#47624159)

On the bright side... if your site isn't actually important and you only want improved ranking or stop most attempts at snooping in on the traffic then it really doesn't matter if the key MAY be compromised by some individuals. You're still getting some security benefit by increasing the barrier of sniffing the traffic.

And if it is important you should probably pay for a cert anyway, or at least pay the 25$ for a revocation..

Matt

Re: Great step! (3, Informative)

Nexus Unplugged (2495076) | about 4 months ago | (#47623483)

CloudFlare has also announced [cloudflare.com] that they're planning to roll out free SSL to customers in the coming months.

Re: Great step! (4, Insightful)

Darinbob (1142669) | about 4 months ago | (#47624795)

It's already monetary discrimination, since well design sights with interesting products will show up higher in the rankings than the local mom&pop web site where they could only afford to hire a high schooler to do the design.

The whole point of ranking is not to make sure everybody is perfectly equal, but to help the customer find the most relevant results. If I'm searching for a bank then I most certainly want a bank with security to be ranked higher than one without. However, I can see the issue that it's only Google who gets to decide what's relevant. Perhaps there should be some user specified criteria, such as letting me decide to show only IPv6 capable sites.

Re:Great step! (2)

satuon (1822492) | about 4 months ago | (#47623419)

It could create an incentive to switch to a different ISP that supports it (where possible), which could in turn create an incentive for ISPs themselves to switch to IPv6.

Re:Great step! (1)

Nexus Unplugged (2495076) | about 4 months ago | (#47623515)

ISP like to cite the fact that so few sites support IPv6 as a reason to not bother rolling it out themselves [citation needed]. If Google can encourage sites to support IPv6, ISPs have one less reason to not give it to their customers.

Re:Great step! (1)

petermgreen (876956) | about 4 months ago | (#47623823)

We are talking about websites here not end user connections. Unlike with "broadband" ISPs there is plenty of competition in hosting providers.

An incentive to website operators to tell their hosting providers "either you give me IPv6 or I go elsewhere" sounds find to me.

Re:Great step! (1)

FatdogHaiku (978357) | about 4 months ago | (#47624969)

Down in the boondocks
Down in the boondocks
People put me down 'cause that's the side of town I was born in

I love games, love to stream HD.
But I crap for an ISP!
Lord have mercy on a boy from down in the boondocks

Every night I will watch the light from the house upon the hill
They got 40megs a second in the whole damn place and it gives me such a thrill
But I don't dare knock on their door,
'cause I hacked their Master Card last year
So I'll just have to be content
To leach whenever I get near
...
Apologies to Joe South.

Re:Great step! (1)

FatdogHaiku (978357) | about 4 months ago | (#47625455)

EDIT:
But I've GOT crap for an ISP!

Re:Great step! (2)

defaria (741527) | about 4 months ago | (#47623683)

Add to this that sometimes the reputable companies still don't do the right thing. As a large financial institution you'd think that Wells Fargo of all companies would at least be sporting an extended validation certificate! But they don't. And that's not their only fumbling in security (http://defaria.com/WF). I have my reasons for still dealing with them but I watch them like a hawk!

Re:Great step! (1)

WaffleMonster (969671) | about 4 months ago | (#47624367)

That's a really great step from Google, I had never thought that it can be done in such a neat way. What's next? Can they also do it for IPv6?

I have previously publically advocated for Google to do exactly this as a way to promote the adoption of IPv6 however I was wrong to go there.

The bottom line is Google a defacto monopoly is using force to effect change in ways mostly unrelated to the mission (Linkage between quality and SSL is both domain dependent and strenuous at best).

Just because I happen to think IPv6 adoption will benefit everyone or that wholesale spying on wires should yield as little fruit as possible does not mean the ends should justify the means.

So now Google establishes Internet standards (4, Insightful)

neilo_1701D (2765337) | about 4 months ago | (#47623371)

I'm not convinced that this is a good precedent. Sure, they're encouraging sites to use HTTPS today... but what about tomorrow?

Speculation: Websites that block competing search engines from indexing their content may rank higher in Google searches? Websites that process payments using Google rank higher in Google search?

I'm not saying that HTTPS is a bad thing... but once they open the door once to arbitrary ranking changes done on a whim, that door can be opened again.

Re:So now Google establishes Internet standards (3, Insightful)

Anonymous Coward | about 4 months ago | (#47623437)

As opposed to the currently non-arbitrary ranking algorithm? What the hell are you talking about.

Re:So now Google establishes Internet standards (2, Insightful)

Anonymous Coward | about 4 months ago | (#47623455)

Don't like it, use Bing!

Re:So now Google establishes Internet standards (0)

Anonymous Coward | about 4 months ago | (#47623511)

If their search results start sucking because of them changing their ranking algorithm, people will use a different search engine.

Re:So now Google establishes Internet standards (5, Funny)

Agent ME (1411269) | about 4 months ago | (#47623533)

They've already been using their ranking system to encourage HTTP and HTML. Think of all the poor BBSs and gopher servers they've been discriminating against!

Re:So now Google establishes Internet standards (2)

satuon (1822492) | about 4 months ago | (#47623609)

I wish they would index real FTP servers, not just those with an HTTP interface.

FTP authentication (1)

tepples (727027) | about 4 months ago | (#47623663)

Googlebot doesn't know the username and password to your real FTP server. What e-mail address should it be using for anonymous FTP?

Re:FTP authentication (1)

satuon (1822492) | about 4 months ago | (#47623819)

I meant those FTP servers that allow anonymous login, of course.

Re:FTP authentication (0)

tepples (727027) | about 4 months ago | (#47624003)

What e-mail address should it be using for anonymous FTP?

I meant those FTP servers that allow anonymous login, of course.

Again, what's the password that Googlebot should be using for user "anonymous"? And since when was the format of the output of the LIST verb standardized?

Re:FTP authentication (1)

Richy_T (111409) | about 4 months ago | (#47624275)

The standard is your email address but I typically just use ftp@

Re:FTP authentication (2)

satuon (1822492) | about 4 months ago | (#47625473)

Anonymous login accepts any password, just put a random string. As for the LIST command, if FileZilla can read it, so can Google, they're not morons. You just handle all the possible variations of all the popular FTP servers. Yes, you actually have to write some code, but last I heard Google has programmers on staff.

Re:FTP authentication (1)

SuricouRaven (1897204) | about 4 months ago | (#47624217)

asdf@ghj.com, of course. Just like everyone else.

Re:FTP authentication (1)

nblender (741424) | about 4 months ago | (#47626301)

root@ like everyone else?

Re:So now Google establishes Internet standards (1)

Zeromous (668365) | about 4 months ago | (#47625249)

Speak for yourself! I do most of my human interaction over FIDO. It's quite a bit slower (I only receive replies after a few weeks to months), but the fidelity is better than this Slashdot fad.

It's not a "standard" (0)

Anonymous Coward | about 4 months ago | (#47623571)

No, Google is saying, "If You want Our help, do ABC." Not an unreasonable request, given the nature of said "ABC". Right now, no prominent organization is setting a standard for when to use HTTPS. Google is merely taking the lead to encourage it.

Re:It's not a "standard" (1)

Richy_T (111409) | about 4 months ago | (#47624287)

I want my search engine to return the most relevant results, not engage in activism.

Re:It's not a "standard" (0)

Anonymous Coward | about 4 months ago | (#47626085)

"Your" search engine?

Re:So now Google establishes Internet standards (3, Interesting)

bill_mcgonigle (4333) | about 4 months ago | (#47623581)

Google has been using dozens of quality metrics for years to adjust its rankings. This isn't a new concept.

It's not clear to me which HTTPS configurations it's favoring, though. Is Strict Transport Security a requirement? People with high-longevity system needs are going to need to upgrade to EL7 to make good HTTPS feasible, so there will be a transition period.

As far as standards - look, W3C, IETF, et. al. have completely failed to keep up. From 1993 to 1997 we went from HTTP 0.9 to to HTTP 1.1, which is where we are today. HTTP 2.0 will have been languishing for two decades by time there's a standard and any significant adoption. That's not Internet-time.

Google has made some mistakes with SPDY and QIC but at least they're actually trying to move the ball down the field instead of just arguing on the sidelines. It used to be that lots of players would do the same thing and fairly quickly a concensus would emerge. We have a serious breakage problem in the current community process. Google is doing it right - it's everybody else that's not.

Re:So now Google establishes Internet standards (3, Insightful)

Anonymous Brave Guy (457657) | about 4 months ago | (#47623837)

While your points about the snail's pace of web "standards" development are fair, it's also important not to go too far the other way. Not so long ago, another browser became dominant in market share through pushing new but not widely supported features its own way, and people started making web sites that were written specifically to work with that browser rather than any common standard.

That browser was Internet Explorer in the late 1990s, and the result was IE6.

Re:So now Google establishes Internet standards (0)

Anonymous Coward | about 4 months ago | (#47626025)

Google is the developer of its own web server and its own browser, they have published new standards (like SPDY), they are a massive and rich company – why punish the little guy?

For example - this will promote big sites like Amazon and discriminate against small sellers who don’t have a certificate but use a bureau service or PayPal to take payment.

If the problem we are trying to solve is that all communications are in the clear and therefore wide-open then let’s obfuscate them. AES256 with snake-oil certificates sounds good to me but I bet ROT13 looks pretty similar at first glance – and if you are trying to spy on everything then first glance is the only one you are going to get.

When using HTTP (not HTTPS) my browser still manages to optimise connections – connection:keep-alive. If it sees “connection: close” it doesn’t display a red alert and tell me to “Run Away!” So why can’t my browser quietly and unobtrusively try and obfuscate my data if both ends of the connection support it?

It seems to me that the man-in-the-middle thing is probably an advantage as corporate proxies and CloudFlare will still work. I mean none of us are against targeted surveillance against real baddies are we? Installing a tap on a deep ocean cable is one thing but I bet that running a proxy-to-everything in the middle of the Atlantic would be quite another thing.

I won't believe that Google are trying until I see Chrome and Google-Web-Server both do something like this...

User requests "http://example.com/home"
Client requests "http://example.com/_obfusticated-content"
Possible results are YES, NO, NOT-NOW (reason)

For NO and NOT-NOW the browser requests "/home" in-the-clear
For NO the browser remembers the results and doesn’t try “/_obfusticated-content” again
For YES the client and server do a key exchange and the conversation disappears down a deep, dark hole.

Re:So now Google establishes Internet standards (2)

WaffleMonster (969671) | about 4 months ago | (#47624107)

As far as standards - look, W3C, IETF, et. al. have completely failed to keep up. From 1993 to 1997 we went from HTTP 0.9 to to HTTP 1.1, which is where we are today.

Most HTTP 1.1 features are useless. If it disappeared tomorrow nobody would care or even be able to tell it has gone missing.

HTTP 2.0 will have been languishing for two decades by time there's a standard and any significant adoption. That's not Internet-time.

The pace of standards development is driven by commercial need rather than abstract notions of staleness, "the future", "progress"..etc.

The only reason for delay is nobody cares. The incremental benefit is so trivial as to not be worth the effort unless you happen to be Google. When people care shit gets done even if it means draft implementations making their way into production.

Google has made some mistakes with SPDY and QIC but at least they're actually trying to move the ball down the field instead of just arguing on the sidelines.

My personal opinion we are much better off working TCP and TLS extensions to reduce round trip delays. You can for example in best case get a secure HTTPS request to server without completing a single round trip leveraging TCP and SSL features (fast open, session tickets) neither of which requires maintaining server state, as would keeping TCP sessions open longer than absolutely necessary or
having to suffer HOL penalties or get weighed down by pointless politics and scope creep (opportunistic encryption)

Finally working transport and security layers has added benefit of being instantly useful to all protocols not just TCP.

We have a serious breakage problem in the current community process. Google is doing it right - it's everybody else that's not.

The "community" is like the UN. It is simply a forum for those with power (e.g. commercial interest) to negotiate... nothing more nothing less.

Re:So now Google establishes Internet standards (1)

ShanghaiBill (739463) | about 4 months ago | (#47624049)

Speculation: Websites that block competing search engines from indexing their content may rank higher in Google searches? Websites that process payments using Google rank higher in Google search?

Either of these actions would likely be illegal under federal anti-trust laws.

Re:So now Google establishes Internet standards (4, Insightful)

just_another_sean (919159) | about 4 months ago | (#47624143)

but once they open the door once to arbitrary ranking changes done on a whim, that door can be opened again.

Was that door ever closed? They're ranking algorithm has been arbitrary since the beginning and has changed very frequently over the years in an effort to reduce gaming the system and to generally improve results. If anything I'd say it's nice that they're at least telling people about this change vs. just quietly adjusting things and leaving site owners to wonder what happened to their page rank.

Re:So now Google establishes Internet standards (1)

mlts (1038732) | about 4 months ago | (#47624875)

The EU would pound Google into component quarks if Google paired search weight to what sites used their services.

Bumping search weights on HTTPS is a good thing for everyone. It locks out Phorm-like ad sites, lessens the damage that bogus Wi-Fi access points can do, and ensures that an attack on DNS doesn't take a site completely out... although DNS + a bogus CA can do the job.

on advice of counsel.... (2)

turkeydance (1266624) | about 4 months ago | (#47623379)

i, Google, (corporations are legal individuals in USA) refuse to rank my response due to it's incriminating nature.

Lo! (0)

Anonymous Coward | about 4 months ago | (#47623415)

Men have become the tool of their tools.

HTTPS equals a cheap cookie replacement ? (0)

Anonymous Coward | about 4 months ago | (#47623433)

Isn't part of a HTTPS handshake a "are you who I think you are ?" exchange ? In other words: doesn't it uniquely identify a computer, in an even better way than a cookie could/would do ?

No, I don't think Google cares a single bit (sic) about encryption. Just follow the money.

Client certificates (1)

tepples (727027) | about 4 months ago | (#47623539)

HTTPS supports client certificates [wikipedia.org] , but very few sites require them because popular browsers still make them more difficult for a less-trained user to manage than passwords.

Re:HTTPS equals a cheap cookie replacement ? (1)

Agent ME (1411269) | about 4 months ago | (#47623549)

You're thinking of client certificates. You're able to remove them just like you can remove cookies, though getting a client certificate requires agreeing and clicking through a dialog, so they're strictly worse than cookies for tracking people who don't want to be tracked.

Re:HTTPS equals a cheap cookie replacement ? (-1)

Anonymous Coward | about 4 months ago | (#47624517)

You're thinking of client certificates.

Yes, I did think of something like that, and assumed some kind of identification was always given.

But when no such "Are you who you say you are" handshake is done than a HTTPS connection is actually worse than one without the "S": we get a "connection is secure" lock-icon on our screen while it would still be trivial to do a man-in-the-middle attack ...

With this in mind and assuming that ID-ing isn't the reason, why than is Google nudging the world to use it ? Not for our security, that much might be clear.

Re:HTTPS equals a cheap cookie replacement ? (0)

Anonymous Coward | about 4 months ago | (#47623573)

Isn't part of a HTTPS handshake a "are you who I think you are ?" exchange ? In other words: doesn't it uniquely identify a computer, in an even better way than a cookie could/would do ?

No. Client certificates are mostly used on corporate intranets. I've never seen one used on an Internet site intended for the general public.

Re:HTTPS equals a cheap cookie replacement ? (1)

tepples (727027) | about 4 months ago | (#47623597)

StartSSL uses client certificates to identify subscribers.

Re:HTTPS equals a cheap cookie replacement ? (1)

SuricouRaven (1897204) | about 4 months ago | (#47624237)

And is the one and only time I've ever needed to use a client certificate in the browser.

It's about time! (4, Interesting)

mcrbids (148650) | about 4 months ago | (#47623453)

Expensive advertising campaigns engender trust because it shows that the advertiser has the resources to carry out the campaign. It's why online ads are so commonly ignored - people want to do business with "reputable" companies and expensive advertising is a way of establishing repute.

Similarly, putting out the modicum of effort to perform basic security like SSL is a signal that the website is reputable. I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

SSL should be a basic signal of trustworthiness.

Android Browser 2.x and IE/XP lack SNI (4, Informative)

tepples (727027) | about 4 months ago | (#47623579)

I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

It's not only the cost of a certificate, which StartSSL provides without charge to individuals. It's also a dedicated IPv4 address if you want to reach people still using Android 2 or Windows XP. A lot of entry-level hosting packages use name-based virtual hosting, and doing this over name-based virtual hosting requires the TLS stack to support Server Name Indication (SNI). Android Browser didn't gain support for SNI until Honeycomb (3.x) on tablets and ICS (4.0) on phones, and Internet Explorer didn't gain support for SNI until Windows Vista.

Re:Android Browser 2.x and IE/XP lack SNI (0)

Anonymous Coward | about 4 months ago | (#47624535)

Honestly, you always come up with the darndest problems. It's funny :-)

Re:Android Browser 2.x and IE/XP lack SNI (1)

tepples (727027) | about 4 months ago | (#47626015)

Honestly, you always come up with the darndest problems.

Thank you. The tendency comes from my philosophy of quality assurance. It's better to fix the edge cases in a design early than to let them become defects in the shipping product.

Re:Android Browser 2.x and IE/XP lack SNI (1)

CronoCloud (590650) | about 4 months ago | (#47626063)

Tepples is seriously hyper-focused on edge cases, because essentially he is one.

Re:It's about time! (1)

Anonymous Coward | about 4 months ago | (#47623697)

I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

I have no trouble saying that commercial sites should use SSL, and treat it as a cost of doing business. I wouldn't use SSL as a measure of trust for non-commercial sites. Unless and until Google can tell the difference, I don't think SSL should affect search rankings.

Re:It's about time! (3, Interesting)

WaffleMonster (969671) | about 4 months ago | (#47624553)

Similarly, putting out the modicum of effort to perform basic security like SSL is a signal that the website is reputable. I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

LOL and here I thought all this time the Internet was supposed to reduce costs and barriers to competition... yet here we go "the higher the fewer".

When your making the big bucks off Google by operating industrial scale link farms $50/year is a small price to pay for success.

Someone please remind me again why we are even contemplating enriching the clusterfuck that is the CA industry which sees no problem with use of completely automated systems and non-existent documentation requirements prior to issuing certificates?

Re:It's about time! (1)

ThatsMyNick (2004126) | about 4 months ago | (#47624629)

Similarly, putting out the modicum of effort to perform basic security like SSL is a signal that the website is reputable. I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

If you are relying on an SSL certificate to determine the trustworthiness of a site, you are doing it wrong. SSL certificates are cheap, and provide no additional trust worthiness to the site (unless they are an ecommerce site, which is a small part of the web). I would prefer sites that accept a username and password to use SSL, but I am okay with them not having it too. I would be a little bit worried about my password leaking when I am a public wifi. So those sites get a random password and a throw away email. I dont gauge the site's trustworthiness by this though (slashdot is a good example of this).

Re:It's about time! (1)

Ichijo (607641) | about 4 months ago | (#47624919)

Or if you can't be bothered to write compliant HTML. Oops, Google fails [w3.org] .

Sites with accessibility issues such as content that can only be accessed with JavaScript enabled, should also be deprioritized.

Thanks to Google and the NSA ! (2, Interesting)

Anonymous Coward | about 4 months ago | (#47623471)

Thanks to Google for making the web a little bit more secure by promoting secure websites!
Thanks to the NSA for tapping the web so blindly and boldly than we should react!

If the NSA was not so bold and had tapped only these who were under suspicion of bad behavior, the status-quo would have been kept. Now the privacy of everyone is a little bit more secure and the NSA will have a little bit harder times managing MITM attacks on every netizens.

An EU Citizen who like its privacy.

Cat blog (3, Insightful)

ZipK (1051658) | about 4 months ago | (#47623501)

So my cat picture blog will rank lower than a competitor's SSL encrypted cat picture blog, even though neither of us require you to log in or even prove you are a cat?

Re:Cat blog (1)

tepples (727027) | about 4 months ago | (#47623615)

You need to log in to your cat picture blog to prove to the blog software that you have privileges to update your cat picture blog.

Re:Cat blog (1)

satuon (1822492) | about 4 months ago | (#47623647)

Yes, for news and such it doesn't make that much sense. Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.

Re:Cat blog (4, Informative)

Cyberdyne (104305) | about 4 months ago | (#47623877)

Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.

That's part of it - a valuable enough part in itself, IMO; at least one UK ISP, TalkTalk, has started duplicating HTTP requests made by their customers [fluidinfo.com] : so, if you request http://example.com/stuff [example.com] on one of their lines, 30 seconds later they'll go and request the same URL themselves for monitoring purposes. Obviously, enabling SSL prevents this kind of gratuitous stupidity - and the previous incarnation of such snooping, Phorm [wikipedia.org] . If enough websites enable SSL, ISPs will no longer have the ability to monitor customer behavior that closely, all they will see are SSL flows to and from IP addresses, and whatever DNS queries you make to their servers, if any. (Use encrypted connections to OpenDNS or similar, and your ISP will only ever see IP addresses and traffic volume - exactly as it should be IMO!)

Re:Cat blog (5, Informative)

IamTheRealMike (537420) | about 4 months ago | (#47624851)

Yes, for news and such it doesn't make that much sense. Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.

It's actually a lot more than that. HTTPS isn't just about protecting passwords anymore, not post Snowden.

Let us recall one of the more interesting things we learned about SSL via the NSA leaks: the Five Eyes countries apparently have not broken SSL yet despite that the internet is still not capable of stopping them. The reason is a system they've built called QUANTUM [wired.com] .

QUANTUM is a series of systems that work together. Imagine it like being a giant set of guard towers on the internet backbone. QUANTUM is called that because it's based on deep packet inspection and insertion. The first part is a massive set of DPI devices that trawl unencrypted internet traffic passing through intercept points. These DPI devices can be configured by NSA/GCHQ analysts to look for selectors - personal identifiers like email addresses, IP addresses, cookies and so on. QUANTUM does not run on every internet link and cannot see through encrypted traffic, but that doesn't matter: it's like a searchlight crawling the grounds of a prison at night. It doesn't matter that it can't light up everywhere simultaneously - once tasked it will keep searching until it finds you. Given enough time and good selectors, it will always find you, simply because the average internet user makes many different unencrypted connections to many different websites.

Once QUANTUM locates an un-SSLd traffic stream that matches your selectors, the next step begins, this is called QUANTUM INSERT. You see these DPI devices are not only capable of reading traffic but also injecting packets directly onto the backbone as well. This allows them to race legitimate answers from the real servers, and redirect the victim to an entirely different server (this is probably based on racing DNS lookups although I think the leaked docs were fuzzy on this aspect). These races are called "shots" and interestingly, they don't always succeed - sometimes the NSA is slower than the real server. But QUANTUM keeps trying and eventually you end up connected to this new FOXACID server, which then proceeds to act as an HTTP proxy for the real request and injects an exploit kit. That then pwns your system such that the NSA can now see all your encrypted traffic, along with turning on your microphone and so on.

An observant reader will notice something very important about the above description. The longer you can stay in the SSLd web, the longer it will take for QUANTUM to hack you. That means you directly benefit from a website being SSLd even if all it contains is cat pictures and you don't even log in. Once QUANTUM has figured out your IP address, any non-SSLd HTTP connection is a useful foothold.

Re:Cat blog (1)

RobinH (124750) | about 4 months ago | (#47625351)

HTTPS isn't about logging in, it's about encrypting the data between the server and the client with a one-time key. So it isn't about proving you're a cat, it's about preventing an eavesdropper from knowing which cat pictures you looked at (they still know you went to a cat picture blog).

OK fine but give us a free CA (5, Insightful)

Cthefuture (665326) | about 4 months ago | (#47623569)

I have no technical problem switching every website/server I have to SSL but the actual problem is the price of all those SSL certs. Most of my sites are just hobby type sites that I run for my own enjoyment and to benefit others (quite a few "others" I should mention; some of my sites are very popular). However, I don't make any money off these, in fact it already costs me money to run them.

Now you want me to add SSL so that people can still find my relevant and useful information? Well, OK but how the hell am I suppose to pay for it? SSL server certs are expensive. The whole thing is a scam to make the few "official" CA's rich. How about some sort of official public service that can hand out server certs of every registered domain? Every domain should come with an unlimited supply of SSL certs or at least a wildcard cert and a renewal service, free of charge.

StartSSL or DANE (2, Informative)

tepples (727027) | about 4 months ago | (#47623631)

How about some sort of official public service that can hand out server certs of every registered domain?

You mean like StartSSL? Or what about DANE [wikipedia.org] , which stores TLS certificates in DNSSEC?

Re:StartSSL or DANE (1)

Cthefuture (665326) | about 4 months ago | (#47623903)

Yeah, none of those work in any popular browser out of the box.

StartSSL+SNI test case (1)

tepples (727027) | about 4 months ago | (#47623969)

StartSSL and SNI work out of the box for the majority. Or if this site [pineight.com] gives you certificate errors, which browser are you using?

Re:StartSSL+SNI test case (0)

Anonymous Coward | about 4 months ago | (#47625075)

Both FF and Chrome will load it up, but they both issue a warning that the site is not precisely secure.

Re:StartSSL+SNI test case (0)

Anonymous Coward | about 4 months ago | (#47625395)

That's actually because he linked to http content. The browser notifies you of this because you'd expect the whole site to be secure even though the requests made over http would not be. This is easily fixed in some cases... but not all.

Ex, My site uses a tsviewer plugin to display teamspeak stats. Tsviewer does not support https and thus I cannot link to https encrypted content. The rest of my site's traffic will be encrypted but your browser request to tsviewer will not be.

Matt

Re:StartSSL or DANE (1)

heypete (60671) | about 4 months ago | (#47625383)

Quite the contrary: StartSSL is accepted by every major browser and SSL/TLS library, and has been for years.

Well-known sites, like EFF.org [eff.org] , LibreOffice [libreoffice.org] , and others use StartSSL-issued certs and don't have any issues. Sure, they're not Google-sized sites, but they're fairly major.

Re:StartSSL or DANE (2)

petermgreen (876956) | about 4 months ago | (#47624139)

You mean like StartSSL?

Hardly an official service, just a commerical CA that hands out freebies to some but not all sites that ask for them and puts technical restritions on those freebies which push people to either buy the commercial products or spend more on hosting (do I pay for n extra n IPv4 addresses or do I pay for a wildcard cert).

Or what about DANE [wikipedia.org], which stores TLS certificates in DNSSEC?

Sadly not implemented anywhere near widely enough to be useful.

Re:OK fine but give us a free CA (1)

IamTheRealMike (537420) | about 4 months ago | (#47625193)

SSL DNS certs are not expensive. You can get them for free (as pointed out) or for perhaps $20 per year. Your hosting costs are almost certainly higher than that.

Re:OK fine but give us a free CA (3, Insightful)

RobinH (124750) | about 4 months ago | (#47625363)

Agreed, if Google wants to do this, maybe they should also become a free Certificate Authority. Wouldn't that tick off the Verisigns of the world...

Re:OK fine but give us a free CA (0)

Anonymous Coward | about 4 months ago | (#47625471)

I recently came across this site (https://www.startssl.com/?app=1) which provides an unlimited number (as far as I can tell) of free class 1 SSL certificates. I have come across a few places (mainly wget) that don't have the CA certificate, but for works for most web browsers. You do need a mail server though to prove you own the domain.

Ironic (1)

Charliemopps (1157495) | about 4 months ago | (#47623589)

It's ironic that I'm hearing about this story on Slashdot, a site that has so far refused any sort of security. Good luck on your page ranks Slashdot.

HTTP-only ad networks (3, Informative)

tepples (727027) | about 4 months ago | (#47623691)

Slashdot makes HTTPS available only to subscribers because historically, web ad networks haven't supported HTTPS. Only in September 2013 did Google AdSense roll out HTTPS support [blogspot.com] .

reasons I disagree with this. (0)

Anonymous Coward | about 4 months ago | (#47623713)

I'm not a big fan of this. SSL requires a dedicated IP and an extra charge - this sort of tilts the playing field away from small business and gives more voice to those with more resources.

Not to mention, there aren't enough IPs right now for every site to go with SSL since we haven't fully adopted IPv6 yet. Even then, good luck getting your data center to sell you all those extra IPs.

Is there really a privacy concern if my visit to a weather site, a dictionary, or other factual content site is not encrypted?

Then there's the bandwidth issue. Sites that go SSlL will use more bandwidth, further increasing their costs, and this is horrible for smart phone users who will not use more data on every website they visit and creep even closer to their already small monthly limits.

My hope is that Google applies this 'ranking boost' relative to the corpus of results for that query. E.G. - if it's a transactional query, a banking query, medial query, or other potential PII query, this should be a factor. If it's not more factual like a weather, zip code, spelling, etc then I'd hope it would be a less important factor.

Server Name Indication (2)

tepples (727027) | about 4 months ago | (#47623799)

SSL requires a dedicated IP

Only if your clients include Android 2.x or Internet Explorer on Windows XP. Every other browser that matters supports Server Name Indication (SNI) [wikipedia.org] , which allows name-based virtual hosting to work through TLS. As of today, if you can see my site [pineight.com] without certificate errors, your browser supports SNI.

and an extra charge

StartSSL issues certificates to individuals without charge.

Is there really a privacy concern if my visit to a weather site, a dictionary, or other factual content site is not encrypted?

Yes. Someone could copy and replay the session ID linked to your user account on the site and gain your privileges.

Then there's the bandwidth issue. Sites that go SSlL will use more bandwidth

What in TLS introduces this substantial extra overhead? And how much overhead is it, really? I do know of a common misconception that HTTPS isn't cacheable. In fact, a document delivered through HTTPS is cached on the client the same way anything else is cached on the client. It just isn't cached on an intermediate transparent proxy, which hurts if your ISP is using such a proxy to cut down on its own upstream.

Re:Server Name Indication (0)

Anonymous Coward | about 4 months ago | (#47623989)

[blocked] The page at 'https://pineight.com/' was loaded over HTTPS, but ran insecure content from 'http://pagead2.googlesyndication.com/pagead/show_ads.js': this content should also be loaded over HTTPS.
  pineight.com/:1

The page at 'https://pineight.com/' was loaded over HTTPS, but displayed insecure content from 'http://theoatmeal.com/img/quizzes/generated/8_100_a.jpg': this content should also be loaded over HTTPS.
  pineight.com/:1

Re:Server Name Indication (1)

tepples (727027) | about 4 months ago | (#47624131)

Thank you for these error reports. The "insecure content" warnings refer to mixed content, which is a separate problem from the "dedicated IPv4 address" and "lack of HTTPS CA with a without charge tier" problems to which I was referring in #47623799. I plan to address the HTTPS issue this weekend, as AdSense recently* introduced HTTPS support. What would you recommend for a graphic syndicated from The Oatmeal, which doesn't support HTTPS at all?

* September of last year is "recent" compared to the ten years that AdSense operated prior to that with no HTTPS support at all.

Re:Server Name Indication (0)

Anonymous Coward | about 4 months ago | (#47625377)

Rehost instead of hotlinking? This isn't a hard problem to solve.

License to rehost (1)

tepples (727027) | about 4 months ago | (#47625979)

When I completed the survey, I was instructed to hotlink the image. My understanding of copyright and contract law is that permission to hotlink does not imply permission to rehost nor vice versa. And according to a page on the author's web site [theoatmeal.com] , there is no clear way to contact the author.

Re:Server Name Indication (1)

Coniptor (22220) | about 4 months ago | (#47625987)

Not positive this would resolve the issue but maybe a iframe with sandbox parameters as applicable. I think I've read you can do this. Not sure though.

Re:Server Name Indication (1)

Coniptor (22220) | about 4 months ago | (#47626293)

Not standardized from what I can see but work has been done to allow this:
https://encrypted.google.com/#... [google.com]

Will the NSA subvert certificate authorities now? (0)

Anonymous Coward | about 4 months ago | (#47624125)

I wonder which ones are already subverted. Google has only one way to know if a CA is trustworthy: running its own. Next thing I see is to limit this rank boost to sites using Google-issue certificates. Talk about a conflict of interest....

Re:Will the NSA subvert certificate authorities no (1)

IamTheRealMike (537420) | about 4 months ago | (#47625237)

I wonder which ones are already subverted.

None of the leaked documents from Snowden appear to mention compromised CA's, or at least no kind of compromise at scale. This is most likely because (1) CA's are not the weakest link, the browser security is and (2) they need to find their targets traffic streams before they can do the MITM attack, which would mean doing MITM on all SSL connections which would be detected almost immediately. A compromised CA would be useful only if they were unable to exploit the targets computer, and they needed to view SSLd traffic anyway, which does not appear to be a common situation for them circa 2013.

Google has only one way to know if a CA is trustworthy: running its own.

No. They can develop a system that involves every certificate produced by every CA being published in public audit logs, and then make Chrome verify that any given cert is in those public audit logs, thus allowing savvy site operators to find fake certs issued in their name (also useful for old fashioned phishing). And in fact that's exactly what they are doing [certificat...arency.org] .

And then only Google will know (1)

fasuin (532942) | about 4 months ago | (#47624215)

So now only Google/Facebook/twitter/... will know what you so on the Web... thanks to the omnipresent social buttons, to cookies, to google analytics, to google adwords, etc.etc. Smart move... clearly to protect MY privacy...

Unfair? (1)

jones_supa (887896) | about 4 months ago | (#47624303)

Isn't it unfair to rank content based on encryption rather than relevance? What do you say?

I myself would promote HTTPS sites with a golden lock symbol and a text "This site transmits your data confidentially".

HTTPS does not mean more relevant (0)

Anonymous Coward | about 4 months ago | (#47624353)

So it stands to reason promoting a site above another that is truly more relevant is stupid. Worse what if a malicious site near ranked uses HTTPS while what you were looking for doesn't?

SEO (1)

j127 (3658485) | about 4 months ago | (#47625369)

Page speed is also a ranking factor. Do Google mean that you get an actual ranking *boost* from your current state or just that the small drop that you would get from having a slower website speeds from HTTPS will be ignored if it's using HTTPS? The latter would make more sense, since from a user's perspective, HTTP or HTTPS isn't relevant to the content they are looking for. It's still a good direction, but it isn't clear whether HTTPS will necessarily rank better than the same site over HTTP.

Why? It's not always necessary (1)

bigsexyjoe (581721) | about 4 months ago | (#47625453)

If it 's just an info site or something and you don't submit any confidential information, why do you need https? If I own a pizza shop, my website is all get requests, and I'm not worried about third parties seeing what's on my menu, why should I have to buy an SSL certificate? This seems like overkill to me.

Re:Why? It's not always necessary (1)

smartr (1035324) | about 4 months ago | (#47626233)

hear hear! Sure, encryption is great and has its uses... But also comes at the cost of processing, configuration, maintenance, and low cost 3rd party providers. GoDaddy is about a to get a shitload of extra customers. When the products in the market are comprable, the well known low cost one is frequently the winner. Thanks Google.

They can start on youtube (1)

citizenr (871508) | about 4 months ago | (#47625465)

http://www.arthur-schiwon.de/w... [arthur-schiwon.de]

Google forces weakest shittiest broken RC4 crypto and calls it secure.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?