On Sat, Apr 15, 2023 at 11:09 AM <pa...@quillandmouse.com> wrote:
> On Sat, 15 Apr 2023 14:01:27 +0100
> Alain D D Williams <a...@phcomp.co.uk> wrote:
>
> > On Sat, Apr 15, 2023 at 08:52:06AM -0400, Greg Wooledge wrote:
> >
> > While we are talking about this, is there any reason why all the
> > http: should not be https: ?
> >
> > I have done this on my own machine without ill effect.
>
> Okay. Let's open this can of worms. The ONLY reason https is used on
> most sites is because Google *mandated* it years ago. ("Mandate" means
> we'll downgrade your search ranking if you don't use https.) There is
> otherwise no earthly reason to have an encrypted connection to a web
> server unless there is some exchange of private information between you
> and the server.
>
> Reading through all of Google's explanations, I've never seen a
> satisfactory explanation for this change. With that in mind, I believe
> the Debian gods did the right thing in leaving their web connections
> "insecure". Though, in truth, the integrity of Debian server contents
> wouldn't be changed in the slightest whether the connection was
> encrypted or not.
The change came after Snowden released his cache of documents and the world learned how pervasive snooping is by the US government. There's nothing special about the US government, and we know other governments were doing it, too. I think Snowden accelerated HTTPS adoption or pushed it over the top.

The browsers were interested in encrypting communications for years because of the "free ISPs". The ones like NetZero that provided no-cost dialup or broadband, but monitored connections and injected JavaScript into web pages. Not only did it happen with HTTPS, it also happened in mail protocols. Google stopped accepting plain text SMTP connections, too.

I think the browsers did a pretty good job of forcing folks to use encrypted channels. I think it helped secure content for most users. One size did not fit all. I watched some browser engineers bully folks on the Web Crypto mailing list pushing the "HTTPS Everywhere" agenda. One fellow bullied was Mark Watson who tried to argue Netflix only needed encrypted comms part of the time (like login and streaming content). The Google engineers' treatment of folks with non-conforming viewpoints was awful.

Jeff