

Google to prioritise secure websites - gbuckingham89
http://www.bbc.co.uk/news/technology-28687513

======
diafygi
Good. Also, I recently poked the bear on the chromium and mozilla dev security
mailing lists, and they started discussing ways to push https in the browser
UI. Hopefully this momentum continues!

[https://groups.google.com/a/chromium.org/forum/m/#!topic/sec...](https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/rGM2oiKZqZU)

~~~
dhimes
I disagree. It's not that I don't think that secure websites are preferable,
but instead I see Google's growing influence being able to shape the web the
way Google wants it to be, and them being perfectly willing to use that
influence. You can argue that the things they are doing now are making the web
better. But are we assured that this will always be the case?

What happens if this influence turns completely and more directly
self-serving? Such as, Google adwords customers are given higher organic
ranking, weighted by how much they spend?

At first glance it might appear that such a scheme would work _against_
adwords, but it really wouldn't because the ad-click advertising just doesn't
work for a lot of us, but organic search does.

Absolute power corrupts absolutely, and all that.

~~~
diafygi
I would think in this instance that this is not just a Google opinion. It is
now becoming a Best Practice[1].

[1] - [http://tools.ietf.org/html/rfc7258](http://tools.ietf.org/html/rfc7258)

~~~
dhimes
But shouldn't page rank be about content?

------
jbb555
"The decision could encourage more sites to turn on encryption, which makes
them less vulnerable to hacking".

What? This is entirely wrong. It makes them more vulnerable to hacking. There
is a whole lot more complex software and configuration to get right, and we
know SSL doesn't have a great recent history of that....

Of course it helps secure the communications which presumably is what they
meant but it's 100% wrong with the statement the article actually says.

~~~
shawabawa3
If you consider stuff like sniffing cookies to steal sessions as hacking,
which most people do, then it's true.

In terms of compromising the server you're right.

~~~
claudius
As somebody else pointed out recently in another thread, being able to steal
session cookies can even help you attack the server directly, as authenticated
users usually have more/different write access to databases and the like,
making (e.g.) SQL injections easier. In this regard, even if you don’t
consider it “hacking a website” if someone steals session cookies, HTTPS makes
it more difficult to “hack websites” in the sense of “getting root access to
the server”.

How that compares to the increased attack surface of the HTTPS implementation
is of course up for debate.

------
borplk
Great. SEO people will now rush in for their fancy certificates.

~~~
thejosh
If CloudFlare start offering free SSL certificates we'll start seeing so many
with HTTPS if it actually gives a SERP boost.

------
fiatjaf
> "For now it's only a very lightweight signal - affecting fewer than 1% of
> global queries, and carrying less weight than other signals such as
> high-quality content - while we give webmasters time to switch to HTTPS,"
> Google's Zineb Ait Bahajji and Gary Illyes said in the blog post.

Later, high-quality content will be carrying less weight than HTTPS.

Who knows what comes next.

------
jgrahamc
Related:
[https://news.ycombinator.com/item?id=8146660](https://news.ycombinator.com/item?id=8146660)

~~~
robert_tweed
It's good to see CloudFlare are going to make this free. In planning the
launch of my own new site/blog/thing (hopefully launching soon), the one thing
that's really stopping me considering SSL isn't the cost of certificates
(which can be had for peanuts anyway if you don't care too much which CA you
use); it's the ongoing costs and increased server load.

Right now, launching without CloudFlare would almost certainly result in the
unfortunate death of my VPS. SSL would only expedite that. OTOH, the minimum
paid CloudFlare package would quadruple my hosting costs - I'm not running
enterprise scale infrastructure for my personal site!

If CloudFlare do make it part of their free package, I will definitely use SSL
by default.

~~~
jgrahamc
Yes, we are going to make SSL certificates available to customers on our free
plan for free.

~~~
diafygi
Nice! Which CA are you using?

~~~
jgrahamc
I can't reveal that at the moment. That will be part of the announcement in
mid-October. I can say that this will _not_ require anyone to install new root
certs in browsers etc.

------
okasaki
Uh. What if a site doesn't need https? Like if it has just static pages with
public content?

~~~
augustl
Indeed. My static blog hosted on Linode behind Apache has survived a HN
frontpage entry three times now. If I have to use HTTPS, does that mean I need
a beefy server with lots of entropy?

~~~
stephen_g
Nope!

Google, from 2010: "On our production frontend machines, SSL/TLS accounts for
less than 1% of the CPU load, less than 10KB of memory per connection and less
than 2% of network overhead."

[https://www.imperialviolet.org/2010/06/25/overclocking-ssl.h...](https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html)

Entropy is a different matter, but I believe pretty much all virtualisation
platforms have ways to ensure the VMs have enough entropy sources - so it
should be fine.

------
rahimnathwani
Previous discussion:
[https://news.ycombinator.com/item?id=8146433](https://news.ycombinator.com/item?id=8146433)

------
rabino
But they also prioritise speed, right? So if you have the same site served both
in HTTP and HTTPS, which one will win?

~~~
higherpurpose
Probably the HTTPS one, since the difference in speed isn't that big between
the two.

