Wouldn't Let's Encrypt offset any significant benefit of this change? Is it somehow difficult or counterproductive for these sites to add a certificate?
Getting more sites to use Let's Encrypt, or Cloudflare, or to buy a certificate is the intended benefit of the change. Google is gradually restricting these APIs to encrypted origins in order to encourage sites to use encryption, not because they don't want the APIs used.
Cloudflare's "flexible SSL" option encrypts the connection between their datacenter and the user, but not the one between the datacenter and the actual web server.
I guess it's better than nothing if your host doesn't support SSL, but the false sense of security could be harmful.
Coincidentally, I'm working on a travel app and had to spend some time automating Let's Encrypt on our servers because of the update. In the end, I came out as a huge fan of LE.
It is counterproductive, as many ad networks are not fully HTTPS-compliant yet. So you'll literally lose money by switching to HTTPS. It's why many big media sites still haven't done it yet.
It's a chicken-and-egg problem, but it's starting to improve.
Honestly, if Google really wanted to push this, they would do something to penalize HTTP-only ads. That would really pressure advertisers to upgrade or lose.
Why don't ad networks care about HTTPS? It would increase the number of potential sites that can show their ads, make it more difficult for ISPs to block their ads, and allow browsers to load their ads over HTTP/2.
If slow ads were a problem, why are ad networks so damn slow? I frequently see ads taking 10–20 seconds to load on major news sites. Serving fast ads would mean more viewing time, yet that doesn't seem to be a priority for anyone.
"On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that."
I'm very glad I don't touch web dev anymore. This piecemeal removal of features from one transport mode is exactly the sort of thing that causes clients (of the human, paying sort) to flip out when they misunderstand what is going on.
Don't get me wrong - I think this is a good thing. And I don't know that the answer is a big, publicized drop of all these changes at once, although that would have certain advantages. But a trickle of dropped features that non-technical folks will never see announced is going to be a lot of fun for web developers.
I don't really think the backlash is happening as you describe. There's quite a lot of public awareness about ongoing communications and privacy issues, and implementing SSL is extremely cheap in most cases. "We need to upgrade your security to keep things working, it will take a day" is a fairly straightforward sell in most cases.
Does this move really solve ANY privacy problem? Getting geolocation already prompts the user for approval. Any sinister party wouldn't bat an eye at setting up https. Odd.
The concern is that if the site is insecure, you might send geolocation, which might be sensitive information, through unsecure channels, allowing someone to snoop on the connection and read that data.
In other words, they are trying to hide the geolocation data from proxies, carriers, ISPs, and possibly MitM attackers.
Speaking of which, whatever happened to the COWL system? I know Google & Mozilla were involved in researching the tech. Will it ever come to Chrome and other browsers?
So now if someone who hosts/rents a small server for side projects/hosting small services like community forums or a simple game wants to make something experimenting with geolocation they'll have to buy an HTTPS cert, make an app (which requires paying for the ability to put apps on major app stores unless you want to only support Android, where the OS discourages users from installing 3rd party apps with messages about how they might harm your phone, or jailbroken iPhones), or only support non-Chrome browsers (as long as other browsers don't follow in this). Is it really a good thing to restrict web functionality even more from small players? How does it matter if someone sniffs your GPS location from an HTTP connection? Are there situations where that's feasible and your precise geographic location isn't something the attacker doesn't already know? The only major situation I'm aware of is wifi hotspots where the location is already known.
Edit: Apparently there are free certificate suppliers, but will those be sustainable if HTTP is eventually fully phased out? Browsers display errors with self-signed certificates, so it still seems problematic in the long run to have to depend on the good graces of other parties if you want to serve web content.
I have a side-project server. It took me about fifteen minutes to get an SSL cert with Let's Encrypt, and it was free. I even get to use it on my Mumble, SMTP and IMAP servers.
Perhaps they are interested in defending against sniffing further along the line (ISP, backbone) or are just making the change as part of the general strategy to encourage HTTPS use? While I see your concern about inconveniencing smaller players, Let's Encrypt exists now, and there are definitely mid- and large-sized players that I would like to see pushed in the direction of HTTPS exclusivity.
This comment seems to imply that you're using a transport layer security mechanism < TLS 1.0, i.e. SSLv2 or SSLv3. I strongly encourage you to upgrade to TLS 1.1 or newer.
Advertising could find a use for my DNA profile but that doesn't mean they should have access to it.
Obviously this is all a sliding scale and has nuance, but I'd say ads should not be using anything that is behind a permission prompt, like geolocation. Tremendously hostile to both the user and the site hosting their ad.
We have clients that are asking us to target down to street level, which IP doesn't even come close to offering. With IP you're stuck in the arms of whatever database you're using.
If you have clients pressing you to use code that requires a permission prompt in an ad then you need to have a very straightforward conversation with them about the effect such prompts have on conversion rates.
So tell them no. I don't want your clients knowing my street address.
I mean, for all you know, I'm in a domestic abuse shelter. Are you going to take responsibility for my well-being if your clients' database gets leaked? And are you confident that your clients know how to competently secure a database if they can't even use HTTPS?
Any data about the user - even simple timestamps - that is leaked is an increasingly-serious problem. Just because you don't have interesting data doesn't mean other people cannot correlate your data with other aggregated personally identifiable data.
edit: Sorry, partial post due to accidentally hitting enter.
I hate to play Devil's Advocate but accuracy can be important. Geoip means they can serve me offers for businesses in the same city, but I'd [almost] love it if I were served offers for a taqueria down the street from my browsing location.
More than likely they'll just correlate browsing habits with location and sell that information to third parties, though. High quality advertising is just not in this reality.
> So ad-supported sites have to choose between greatly reduced ad revenue or a broken app. Thanks Google.
Geolocation API is pretty powerful. It's one thing for a random website to know approximate location, but to be able to track location within 10m is something else.
Yeah, it's just the breaking changes thing - I like what Google are doing, and it's been alerted in the console for ages, but they're strong-arming it slightly.
I'm weird, but it always grates slightly when companies throw their weight around - even if the endgame is a positive outcome.
Plus the cynic in me assumes they have an advertising product in the works and this is facilitating it.
To the people replying to this comment, he's not talking about the ads not being able to use the user's location. Most don't. But plenty of ad networks don't work properly or the CPM is much lower for HTTPS-enabled websites. I'm guessing r1ch is using users' locations for his site, and it's ad supported. Hope everyone who is against ads is willing to pay for their content from now on!
> he's not talking about the ads not being able to use the user's location
The reason for wanting the user's location doesn't matter. It's incredibly irresponsible to send the user's location (or any other user data) over the network unencrypted.
Yes, this was meant to be my point - I didn't even consider ads using geolocation (which explains the downvotes I guess :))).
While we do use geolocation and ads on one of our sites, it's only a single page so this doesn't really affect us that much. I can see it causing big problems with ad-supported sites / services that use geolocation as a primary feature though as I've experienced first-hand the revenue drop that HTTPS causes.
Just embed an iframe for a secure subdomain and use window.postMessage to communicate with it.
Edit: never mind, that is apparently also "insecure", leading me to think they are doing this because they get a kickback from the SSL cert vampires somehow.
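Added example, not part of the comments above: a simplified model of the secure-context rule behind the iframe behaviour described in the preceding comment, where a frame counts as secure only if every ancestor is also served from a trustworthy origin. The origins are constructed samples, `requestLocation` is a hypothetical helper name, and the trust check is reduced to HTTPS/WSS and loopback hosts.

```javascript
// Simplified "potentially trustworthy origin" test: encrypted schemes or loopback.
function isPotentiallyTrustworthy(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // unparsable origins are never trusted
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  return /^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]';
}

// frameChain lists origins from the top-level page down to the frame
// that wants the API. One plain-HTTP ancestor taints everything below it.
function isSecureContext(frameChain) {
  return frameChain.length > 0 && frameChain.every(isPotentiallyTrustworthy);
}

// Returns the first origin that breaks the chain, or null if none does.
function firstInsecureAncestor(frameChain) {
  return frameChain.find((o) => !isPotentiallyTrustworthy(o)) || null;
}

// Page-side guard (hypothetical helper): check window.isSecureContext
// before calling the Geolocation API, and report why it was skipped.
function requestLocation(win, onPosition, onUnavailable) {
  if (!win.isSecureContext) {
    onUnavailable('insecure-context');
    return false;
  }
  if (!win.navigator || !win.navigator.geolocation) {
    onUnavailable('unsupported');
    return false;
  }
  win.navigator.geolocation.getCurrentPosition(
    onPosition,
    (err) => onUnavailable(err.message)
  );
  return true;
}

// Constructed sample: HTTPS iframe embedded in a plain-HTTP page.
const embedded = ['http://news.example', 'https://geo.news.example'];
console.log(isSecureContext(embedded), firstInsecureAncestor(embedded));
```

Serving the top-level page over HTTPS is what makes the whole chain pass; the HTTPS subdomain alone does not.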
There has been a massive loss of confidence in web security since Snowden (and rightly so). Major players now have to look like they're not "helping the NSA", so to speak -- this goes double for Googlers, who try very hard to hide their relationships with the establishment.
In a way, it's good -- privacy on the web improved more in the last 3 years than in the previous 15 -- but it's also a massive charade.