

Is Google overreaching by forcing me to use TLS? - AndyBaker
http://security.stackexchange.com/questions/54120/is-google-overreaching-by-forcing-me-to-use-tls

======
finch_
I agree with the overall point of the responses that Google isn't in fact evil
to be doing this, but I want to disagree somewhat with one point - the idea
that Google doesn't have any obligation to respect users' wishes just because
it's a free service that no one is forcing you to use.

The problem with this is that Google's very existence makes it harder for
similar services to exist. There are a few reasons for this, including:

1. Google benefits from economies of scale

2. Google benefits from having massive amounts of data to crunch through (for
example, it's hard to build a spam filter as good as Gmail's without a training
dataset as big as Gmail's)

It's kind of like the argument for the minimum wage - conservatives would say
it's not needed because you can just choose not to work for a company that
isn't offering enough money, but sometimes you don't really have an
alternative.

~~~
dublinben
The argument has been made that Google's free products and services are
anticompetitive dumping which makes it harder for a competing service to
survive.

~~~
beached_whale
The same argument has been made against OSS. Google's products are free like
broadcast TV. They are selling access to you via their services to marketers.

------
sarreph
A comment on the answer perfectly encapsulates this post:

 _Did you just troll security.SE and then reasonably answer your own
question?_ – Stephen Touset

~~~
kapitalx
If you continue on reading you'll find the OP's comment below it:

"@StephenTouset -- indeed. That's actually a feature; see It's OK to Ask and
Answer Your Own Questions. As [it was] pointed out, the question was prompted
by the Computerworld article [1]."

[1] - http://blogs.computerworld.com/privacy/23698/google-customers-you-will-use-https

------
cromwellian
Best snarky answer from that thread: "Is Google overreaching by forcing you to
log in with a password?"

Vaccine analogy answer from Stack Exchange: it's not just about you, it's about
herd immunity. Having everyone have secure communications helps make others
secure as well.

------
skywhopper
I suppose it's nice to have the rationale written out somewhere, but does
anyone anywhere actually balk at being required to use HTTPS?

~~~
backwoodshacker
I realise I'm going to be in the 0.1% minority on this, but yep, I do. Three
reasons.

First, I've been enough places where Internet connectivity is so poor that
HTTPS effectively breaks the connection. I used to stay half the week
somewhere where the only connectivity was a dire, over-saturated 3G link. I
couldn't browse HTTPS sites unless I was very lucky.

Second, I'm uneasy with the implication that "HTTPS=secure", in that it
absolves the user of taking any responsibility for their own security. A site
can require a HTTPS connection and still store the password in cleartext, for
example; so unless you have a unique password, this "secure" site can still
screw you. Yeah, I know HN readers understand the difference, but IMX most
people dimly understand a binary distinction between "secure site" and "not
secure site" and that's it.

Third and related, the corollary of "HTTPS=secure" is that "sites that only
use HTTP = insecure". This is leading to a requirement that any guy who builds
a website with login functionality needs to implement HTTPS, and that saddens
me. The web becomes less democratic, less meritocratic, the more technical
hurdles we require.

But, like I say, I realise 99.9% of people disagree with me.

~~~
dragonwriter
> Third and related, the corollary of "HTTPS=secure" is that "sites that only
> use HTTP = insecure". This is leading to a requirement that any guy who
> builds a website with login functionality needs to implement HTTPS, and that
> saddens me.

HTTPS may not be secure, but HTTP (over the public internet, at least) is
definitely insecure. If you have login functionality that matters, rather than
serving as a very basic deterrent to _accidentally_ getting somewhere you
shouldn't be, yes, you need to use HTTPS.

------
ds9
Can anyone explain this line from commenter Darren Cook: "Once this
enforcement is in place, browsers will simply refuse to connect to Google over
an insecure or compromised connection. By shipping this setting in the browser
itself, circumvention will become effectively impossible."

Some browsers are open source, and it seems to me that developers can never
definitely rely on their behavior. Surely the enforcement depends ultimately
not on the browsers but rather on the server refusing non-TLS connection
attempts?

~~~
gcp
You can patch the browser to disable HSTS, but if you allow patching the
browser to break the security intentionally, then all bets are off I'd say?

 _Surely the enforcement depends ultimately not on the browsers but rather on
the server refusing non-TLS connection attempts?_

No, HSTS capable browsers (Firefox and Chrome) will flatly refuse to connect
if HSTS is in action. That's the whole idea and the defense against SSLstrip.
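
The mechanism gcp is describing is HTTP Strict Transport Security (RFC 6797). The block below is an added example, not code from this thread or from any browser: a small Python model of a browser's HSTS policy store. It shows how a policy cached from a `Strict-Transport-Security` header, or one shipped preloaded in the browser (which is what Darren Cook's "shipping this setting in the browser itself" refers to), rewrites an `http://` URL to `https://` before any plaintext request leaves the machine; why the very first visit is still unprotected unless the host is preloaded; why a policy that has expired stops applying; and why a header seen over plain HTTP must be ignored. All host names and header values are constructed for the demo.

```python
"""Toy model of a browser's HSTS (RFC 6797) policy store.

Added example; not code from the HN thread or any real browser.
Hosts and header values below are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self):
        # host -> (expiry as unix time, includeSubDomains flag)
        self._policies = {}

    def preload(self, host, include_subdomains=False):
        """Install a policy that never expires, as a browser preload list does."""
        self._policies[host.lower()] = (float("inf"), include_subdomains)

    def process_header(self, host, header_value, now, over_tls=True):
        """Parse a Strict-Transport-Security header and record the policy.

        Returns True if a policy was recorded or removed, False if ignored.
        RFC 6797 s8.1: the header is only honoured on a TLS-protected response.
        """
        if not over_tls:
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age":
                if not value.isdigit():
                    return False  # malformed max-age: ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is required
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                continue  # expired entry: treated as absent
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL for a known host, per RFC 6797 s8.3."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"  # explicit non-80 port is preserved
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the cases discussed in the thread; returns a dict of results."""
    store = HstsStore()
    now = 1_000_000
    one_year = 31536000
    results = {}
    # First visit, nothing cached: the browser would send plaintext.
    results["first_visit"] = store.rewrite("http://mail.example/", now)
    # Constructed header as the host would send it over TLS.
    store.process_header("mail.example", f"max-age={one_year}; includeSubDomains", now)
    results["upgraded"] = store.rewrite("http://mail.example/inbox", now + 10)
    results["subdomain"] = store.rewrite("http://imap.mail.example/", now + 10)
    results["other_host"] = store.rewrite("http://other.example/", now + 10)
    results["expired"] = store.rewrite("http://mail.example/", now + one_year + 1)
    # A header seen on plain HTTP creates no policy.
    store.process_header("victim.example", "max-age=100", now, over_tls=False)
    results["plain_http_ignored"] = store.rewrite("http://victim.example/", now + 1)
    # Preloaded host: protected even on the first visit.
    store.preload("accounts.example", include_subdomains=True)
    results["preloaded"] = store.rewrite("http://login.accounts.example/?x=1", now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The point the model makes concrete: once a policy is cached (or preloaded), the decision to use TLS is made inside the client before any network traffic, so a middlebox that strips HTTPS links from a page never sees a plaintext request it could intercept. The `first_visit` case is the gap that preload lists close, and the `plain_http_ignored` case is why a policy cannot be planted over an unauthenticated connection.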

------
malux85
Uh, did this guy answer his own post?

~~~
schrodinger
You're encouraged to do that. I wonder why it seems to upset so many people?
(I'm honestly curious, I'm not trying to be snarky)

~~~
ephemeralgomi
My main objection to it is that since the OP is almost certainly going to
accept their own answer before other people can post, there may be other,
better answers that arrive late and don't get as much attention.

~~~
noblethrasher
The moderation system largely mitigates that problem.

Also, the SO/SE people have long maintained that Google is their homepage, and
from this view it's easy to see why they would encourage people to answer
their own questions: so that SO gets the googlejuice instead of some blog.

On the other hand, to the degree that we believe that individual blogs are
good, we absolutely should worry about auto-answering.

~~~
dm2
"Google is their homepage"

That's an interesting concept that I'd never even considered. I then realized
that I couldn't even remember what the stackoverflow homepage looked like, yet
I utilize that website daily.

It doesn't seem to be harming the stackoverflow and associated sites, so I
guess it's not a bad thing.

------
afhsfsfdsss88
Google and others[Telecoms] are in positions to collect rents on your PI from
third parties and G.O.'s. When they[Google] recently learned that the NSA had
tapped their unencrypted fiber lines between data centers, they were pissed.

Not because they give a fraction of a shit about you, but because the NSA was
stealing their product.

Now they encrypt everything with [very strong] SSL to force everyone to
ask/pay for their info.

~~~
einhverfr
I don't think we know what the relationship between Google and the NSA
actually is. I will say that I operate under the assumption that Google gives
the NSA whatever they ask for up to and including access to raw streams of
information.

I agree with the decision to require TLS, but I don't know that it does a lot
with regard to the NSA, and moreover, I don't trust them anymore not to turn
over information in bulk.

