SSL/TLS Pushers Strike Back
In an earlier blog I spoke of my disapproval for the way Google will be flagging websites that are not on SSL/TLS connections. In summary, any website that uses “http” instead of “https” will be flagged and marked with a notice that states the websites
connection is not secure. Well that post got some attention on Twitter. Before I get into all of the good stuff.. Let me make some things clear. I am not an expert in information security. I am not an expert in web security. I know a little more than the basics, but I am by no means an expert. I specialize in branding and design. I did make some statements in my previous blog that are not 100% accurate, and after this post, I will correct them. However the purpose of my blog was not to educate, it was to voice an opinion. That opinion has not changed. I do believe the way Google is pushing this https issue is misleading. Now here is what went down…
It started with WordPress Medic, (give him a follow, he’s a pretty smart guy) retweeting my twitter post about all of this ssl https stuff and tagged Troy Hunt, an Australian web security expert, with connections to Microsoft, he is well known in the information security industry with over 107,000 twitter followers.. I have to mention Scott Helme, he was an integral part of my flash education. There was a few others, I definitely can’t name them all… But back to Mr. Medic, he posted another link to my twitter post suggesting I check it out. The link made many claims about https, that I believed to be untrue. Apparently I was wrong(we’ll get to that). Mr. Medic and I go back and forth a few times, and then comes the explosion of notifications…
I was hit from the left, I was hit from the right, notification after notification, what the hell is happening. I had my website chat open for customers and it starts going crazy with people visiting my site. I start to panic initially and think, do I need to protect my site? Are these people about to teach me a lesson? Well They did teach me a lesson, but thankfully they didn’t hack my site, however i would not doubt their ability to do so. These guys were all smart, and I am super stubborn, not a great combination. I was hit with fact after fact, opinion after opinion, i picked and prodded through the notifications, trying to address the ones with valid arguments. I wanted to refute them but I had questions as well. What have I done.
To be honest, I think I held my ground pretty well, but I did cave on a few issues as I went back and forth with several of them. Number 1 I did install a TLS in the middle of all of this chaos. Not just out of fear from Google but out of fear from that these hackers would attack me with something other than their knowledge. I don’t deny they knew what they were talking about, but they couldn’t grasp the reality of my complaint. They speak another language and claim that everyone can understand it. They think that just because they are subscribed to all of the hottest security news, that everyone else must be too. This is where they are mistaken and where they lose their grasp on reality. These guys did teach me a few things I won’t deny that at all. I actually appreciate their bombardment and the fast dose of knowledge it brought to me. But for as much knowledge as they had they could not understand a down to earth average point of view. They couldn’t understand that these flags on websites could potentially harm businesses, they denied it in fact. They didn’t understand that not everyone is savvy with the latest security measures, and worse they didn’t seem to care. All they cared about is that https would be forced on all. Yes Https is a good thing. But there are far better ways to initiate a secure web than to force it on businesses with guns pointed at their websites.
Before I go on further about my opinion and what didn’t change about it, here are some things that did change. I now know and understand that an SSL/TLS connection can add a layer of protection for all websites, even those with just pictures and text. I now realize that SSL/TLS can prevent MITM (man in the middle) injections. I believe we should all switch to https as soon as possible. (that’s not really new, but i feel it a little more important than previously).
Now back to my opinion and what I still believe. What I believe is absolutely true, is Google will be marking website that do not have https urls, as “not secure”. And this is true. However it has always been that way, it is nothing new. What many of you may not realize, and this is why I have voiced my opinion, is that they are not speaking specifically about the website, the website could be perfectly fine, they are speaking about the connection the website is using. The website may or may not be safe, its the connection they are flagging as insecure. What this means is, any information passed on that connection, whether it is form data, images, text, it is all subject to attacks from someone attempting to intercept that data and change it for evil doing. But again, it has always been a possibility. Http has never, ever been secure in that sense.
Now this is where I see this as misleading… When average Bob comes to Joes landscaping website, and sees it has been flagged with an insecure connection notice. What is Bob going to think? Bob is going to think something is wrong with that website, and he is going to take his business elsewhere. Poor Joe the landscaper loses business because a browser told his potential customer that his website connection was insecure. Here’s the thing. Bob could have went on Joe’s website like he has any other website and been perfectly fine. Nothing may have happened at all. Sure, something might, but you might be hit by a bus tomorrow too. Even though Joes website is clean and not infected, even though it is more likely that his connection will NOT be intercepted by the evil hackers, Joe’s website is avoided because a trusted browser pointed out that the “connection”, that all websites have been using for decades, is not secure. As it has been for always.
This is my problem. Google is misleading, with the truth. Yes I know that sounds ridiculous, but its true. Its semantics. They are telling the truth with language you may not understand or will interpret differently. You would have to understand some specific IT terminology in order to really understand what google is saying. If you see a warning that a connection is insecure, what will you think that means? Will you trust that site? Well here is what it means. First off, it has nothing whatsoever to do with an actual website at all. It only has to do with the connection the website uses and the route it goes through. An HTTP connection is not secure. It never has been, ever. But suddenly you see a warning, and you will think something is wrong. Technically something is wrong, but it has always been wrong. Here’s the thing.. Knowing that the site itself may be perfectly safe, and the only risk at all, is that there is a very very slight possibility that the website may be intercepted along the way, would you still be afraid to view it? Its is the same connection the internet has used since day 1, it has always been insecure, nothing new has really changed, is there any reason you should not visit that site? The answer is no, not really. Sure it could get hijacked along the way, just like the earth could be hit by a meteor tomorrow. The site is just as safe as it ever was. Yes something could happen, something could have happened 20 years ago. Its the same. Sadly I know even if most people know this, they will STILL avoid that website because Google has flagged it, and we all know Google knows best. And that’s the problem. The website is as fine today as it was 20 years ago, but now that Google has flagged it, people will avoid it. Knowing all of what I just told you.. if the warning was gone, and there was no flag telling you the connection was not secure, you probably would visit the site without worries. The only thing that would stop you, is the flag from Google.
Now I get it. We want a secure web and that’s what this is all about. Or is it? Because here is another problem with googles flags. Google will mark a website connection with https as “secured”. It will literally have a green “secure” with a green padlock. The problem is… that site could very well be full of malicious content. It could be a phishing website setup to steal your information. And Google will give it a big green pass and call it “secure”. But again we are not talking about the website, says all of the security gurus, we are talking about the connection. So I ask anyone reading this. Do you trust google when it tells you something is secure? When you see the green padlock and the secure text at the top, what do you think about that website? Secure and trustworthy, right? Well wrong! They are only talking about the https connection, that site could do more harm than any http connected website ever did.
Misleading! Confusing at best! Https WILL make the web safer. Install ASAP. But with over half of the websites still running on http, many businesses will suffer from this approach.
That is all I have to say about all of this. I have learned a lot over the last 24 hours, and I think all of you for your input. It is still my opinion that this is a horrible way to execute such a great idea. Wise man once said, Good ideas, Don’t require Force. Https is a great idea, there is no need to force it.
Have an amazing day!