[quote=“doctorow, post:33, topic:94159, full:true”]
The point here, though, isn’t that Hitler also did it, but that there is strong evidence that taking up the Weimar road-building project was a shrewd political move that strengthened his popular support at a key juncture, leading to a victory in an otherwise close-run referendum on whether to expand his powers.[/quote]
People can use roads, though. They don’t really get much out of a wall they will never see, that they’re going to end up paying for, and that won’t actually do anything to stop illicit border crossings.
I’m sure they’ll be told Mexico paid for it and it stopped illegal immigration 100% and anyone who says anything else is a dissident. That’s when the Hitler part kicks in.
Surrounding it with unencrypted data doesn’t make it any less secure. Encrypted data is already sufficiently obscured that hiding it with other encrypted data doesn’t really buy you anything.
True from a technical standpoint, but it’s like seeing the one guy who locks his doors and going ‘what do you have to hide?’ vs. everyone locking their doors.
If Google is going to dictate what I have to do with my business and affect my page-ranking, it better be for a technical reason, and not a perceptual one.
The problem is it’s not for you, or me, or the owner of some random blog to decide when privacy is or isn’t needed. It’s up to the person whose privacy is actually impacted to make that decision. And at least for the moment I’m in the position that I can bad mouth my president without needing to worry, but there are plenty of countries that still have laws against insulting the monarchy, or clergy, etc.
If the cost of protecting those who are truly in danger from oppressive laws is a little concern about encryption, then it’s a fair price to pay.
Metadata can be as telling as the actual data transferred. In a network where 90% of traffic is not encrypted, a single user sending a large amount of encrypted traffic is suspicious, even when the content is innocuous. In a network where 50% of traffic is encrypted, a single user sending a large amount of encrypted traffic is normal.
Google has frequently changed their ranking algorithm in far more drastic ways that had far deeper impacts to business models than asking that websites set up a free TLS cert.
I’d be curious to know what business you do that Google’s rank for your pages is a big enough concern to complain about their ranking changes, but not important enough to take the time to configure TLS for your site. I’ll freely admit my perspective on this is probably skewed by the fact that I work in the payment card industry and I constantly encounter people in the industry that feel that all this security stuff is a waste of time.
You’ve got an encrypted connection to boingboing. Do you really need it? I don’t think I do. Anyone can read what is posted, and there are no barriers for entry, so why the secrecy?
Encryption isn’t always about “suspicious” traffic. When you’re transferring money or identity information, there’s nothing suspicious about encrypting the connection in order to protect your privacy. But once you’re signed in, there are no secrets being shared when you connect up with boingboing and read about the next great Frauenfelder kitchen gadget.
Shortly after Snowden’s revelations, Google decided that they thought all web traffic was worthy of encryption, even the mundane traffic. So they decided to penalize everyone who didn’t configure TLS on their webservers. Until very recently, there was a financial burden in getting a secure certificate. I put up informational websites for small companies to communicate with the public. There’s very little secure information being transferred, but in order for them to compete on an even footing on SEO, they need to provide a secure connection to their website because of a decision that a third party has forced upon them. I don’t think it’s particularly fair, and yet, here we are. Beholden to the whims of a capricious internet behemoth with the power of a virtual monopoly.
Quoting out of order to address similar issues at once.
Knowing that I read boingboing and knowing which posts to boingboing are mine are two different things. (Meaning connecting the physical me to the virtual me.) Very few countries punish you for what you read, but many will punish you for what you write. boingboing may not be a traditional hotbed of political dissent (although by recent content it seems like it could become one), but why should it not be a forum where political activists could organize?
For any site that accepts a login to be at all secure, it MUST present all login forms over HTTPS, it MUST accept all login credentials ONLY over HTTPS, and any cookies it sets MUST have the Secure flag set, allowing them to only travel back to the server over HTTPS.
Any less is the equivalent of having not used encryption at all. (I may be a bit hyperbolic on this statement; after all, stealing a cookie and being able to post as another person on their Facebook account could only completely ruin them, it’s not like you’d also know their password…)
I’d prefer that any site that asked me for a password also used HSTS, but that is probably overkill for most sites.
That does suck. Many years ago I built public facing web sites and Google’s tendency to change how they rank sites without warning, sometimes even contradicting their prior advice, gets old fast.
Google’s decision, according to them, was at least partially based on the fact that there are now multiple groups offering or working towards offering free and near zero setup required certificates.
I think you may have underestimated just how much security using TLS can provide, and why Google, after repeated major exploits have targeted major sites that would have been safe had they used TLS, may want to move to a safer internet.
Attacks trickle down; the groundbreaking attacks targeting Facebook and Twitter yesterday will be the dragnet and drive-by attacks on millions of tiny sites tomorrow.
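
The login requirements listed in the post above (forms served and submitted only over HTTPS, every cookie carrying the Secure flag, plus the stated preference for HSTS) can be checked mechanically against a response. The following is an added example, not code from anyone in the thread; the function name, the wording of the findings and the `forum.example` responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, headers, html):
    """Return a list of findings; headers is a list of (name, value) pairs."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login form served over plain HTTP")
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        target = urljoin(page_url, action)  # empty/relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts credentials to {target}")
    hsts = False
    for name, value in headers:
        lname = name.lower()
        attrs = [p.strip().lower() for p in value.split(";")]
        if lname == "set-cookie" and "secure" not in attrs[1:]:
            findings.append(f"cookie {value.split('=', 1)[0].strip()} lacks Secure")
        elif lname == "strict-transport-security":
            ages = [a.split("=", 1)[1].strip('"') for a in attrs if a.startswith("max-age=")]
            hsts = any(a.isdigit() and int(a) > 0 for a in ages)
    if not hsts:
        findings.append("no HSTS policy (Strict-Transport-Security with max-age > 0)")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK = ("https://forum.example/login",
        [("Set-Cookie", "session=abc123; Path=/; HttpOnly")],
        '<form action="http://forum.example/session" method="post"></form>')
GOOD = ("https://forum.example/login",
        [("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
         ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
        '<form action="/session" method="post"></form>')

if __name__ == "__main__":
    for sample in (WEAK, GOOD):
        print(sample[0], audit_login_page(*sample) or "ok")
```

The weak sample shows the case the post warns about: the page itself arrives over HTTPS, yet the form target and the session cookie can still travel in the clear.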