Google to prioritise secure websites(bbc.co.uk) |
https://groups.google.com/a/chromium.org/forum/m/#!topic/sec...
Check out how FF renders a standard domain validated cert on a site versus one with extended green bar validation:
https://www.expeditedssl.com/assets/browser-ssl/thumbs/stand...
https://www.expeditedssl.com/assets/browser-ssl/thumbs/exten...
The gray icon might as well not be there as far as consumers are concerned and blue vs green crossing guard icons really fail to indicate anything of use to an end user.
If you want to see a big list of SSL UI screenshots, I have them up at:
https://www.expeditedssl.com/pages/visual-security-browser-s...
What happens if this influence turns completely and more directly self-serving? Such as, Google adwords customers are given higher organic ranking, weighted by how much they spend?
At first glance it might appear that such a scheme would work against adwords, but it really wouldn't because the ad-click advertising just doesn't work for a lot of us, but organic search does.
Absolute power corrupts absolutely, and all that.
What? This is entirely wrong. It makes them more vulnerable to hacking. There is a whole lot more complex software and configuration to get right, and we know SSL doesn't have a great recent history of that...
Of course it helps secure the communications, which presumably is what they meant, but the statement the article actually makes is 100% wrong.
In terms of compromising the server you're right.
How that compares to the increased attack surface of the HTTPS implementation is of course up for debate.
It makes YOU (the consumer) less vulnerable to "hacking" (MiTM), it actually doesn't make the website less vulnerable and as you quite correctly pointed out somewhat more (just due to increased attack surface).
That's a large part of the reason HTTPS/SSL isn't more common: It doesn't benefit the website as much as it benefits their customers and there are both real and perceived costs in deploying HTTPS.
So you have to put pressure on them (websites) to adopt secure defaults. Google are now helping hugely.
Later, high-quality content will be carrying less weight than HTTPS.
Who knows what comes next.
I wrote about this a few months ago: https://rythie.com/blog/blog/2014/03/05/should-all-sites-use...
It is technically encrypted in HTTPS traffic but it isn't treated with very much respect so if you actually have access to all of the HTTP and DNS traffic surrounding a request you can often recover pages viewed.
Additionally, in a lot of these countries computers come pre-installed with a government root CA which they can use to impersonate sites like Wikipedia (although the USG does this too!).
Right now, launching without CloudFlare would almost certainly result in the unfortunate death of my VPS. SSL would only expedite that. OTOH, the minimum paid CloudFlare package would quadruple my hosting costs - I'm not running enterprise scale infrastructure for my personal site!
If CloudFlare do make it part of their free package, I will definitely use SSL by default.
I can not think of any scenario in which HTTP runs fine but HTTPS will kill the server.
Wow, that's a lot of duplicate articles about this reaching the front page, one of which already contains a complaint about the mods changing the title. They could really do with merging these articles together.
I've previously suggested a feature to show title change histories under the title, before the comments, because certain comments make no sense after the title is changed.
I'd also like to suggest a similar feature for merges whereby when there are separate articles talking about the same thing, the canonical one gets used as the main link and others submissions are retained, again, under the title, before the comments.
To be secure, won't this require your customers to set up HTTPS between CloudFlare and their hosting providers, which will require additional manual setup with their hosting provider, assuming they even support HTTPS? It seems rather optimistic to assume that enough customers can/will do this to result in a doubling of sites supporting HTTPS on the Internet.
Wouldn't want the next big community to be fake-secure to save a few quid
Source: https://support.cloudflare.com/hc/en-us/articles/200170416-W...
Google, from 2010: "On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."
https://www.imperialviolet.org/2010/06/25/overclocking-ssl.h...
Entropy is a different matter, but I believe pretty much all virtualisation platforms have ways to ensure the VMs have enough entropy sources - so it should be fine.
As for entropy, your server only needs a small amount of entropy to seed a CSPRNG, and the CSPRNG takes it from there.
"A user agent MUST NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol." http://tools.ietf.org/html/rfc7231#section-5.5.2
and that's how browsers implement it too.
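To make the RFC 7231 rule above concrete, here is an added Python model of the decision a user agent has to make before emitting a Referer; it is not code from the thread or from any browser, and the URLs in it are constructed samples.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def referer_for(referring_url: str, target_url: str) -> Optional[str]:
    """Return the Referer value a user agent may send when navigating from
    referring_url to target_url, or None when RFC 7231 section 5.5.2 forbids
    sending one (secure referring page -> unsecured HTTP request)."""
    ref = urlsplit(referring_url)
    tgt = urlsplit(target_url)

    # Rule 1: a page received over a secure protocol must not leak its URL
    # into an unsecured request, so no Referer at all on an https -> http hop.
    if ref.scheme == "https" and tgt.scheme != "https":
        return None

    # Rule 2: the fragment and userinfo components are never included in the
    # Referer value, so rebuild the URL without them.
    host = ref.hostname or ""
    if ":" in host:          # bare IPv6 literal from urlsplit needs brackets back
        host = f"[{host}]"
    if ref.port is not None:
        host = f"{host}:{ref.port}"
    return urlunsplit((ref.scheme, host, ref.path, ref.query, ""))


if __name__ == "__main__":
    # Constructed sample navigations, not captured traffic.
    for src, dst in [
        ("https://a.example/account?id=42", "http://b.example/"),
        ("https://a.example/account?id=42", "https://b.example/"),
        ("https://user:pw@a.example:8443/p?q=1#frag", "https://b.example/"),
    ]:
        print(f"{src} -> {dst}: Referer={referer_for(src, dst)!r}")
```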
DNS doesn't give the page you were on. Whilst some systems might have a government root CA on it, it's still quite possible to remove that - it's practically impossible to remove ISP level monitoring.
To quote it: "Second, at CloudFlare we've cleared one of the last major technical hurdle before making SSL available for every one of our customers -- even free customers. We're on track to roll out SSL for all CloudFlare customers by mid-October."