53 Comments

  • Mary Helen Ferris

    http://www.scoop.it/t/freedomoftheinternet/p/4023831508/2014/06/30/google-i-o-2014-https-everywhere-youtube   #granniegram  broadcast with thX @Sigmund Joseph Solares

  • Andrea Shoemaker

    Isn't anyone concerned about that Qualys Lab Tool and how it displays the "worst scoring" websites publicly?  That sounds like a major security risk in itself.

  • Anders Wegge

    Actually, you can get unlimited wildcard certificates from StartSSL. All it takes is paying $49 for a personal validation, and, if commercial, paying $49 more for a company validation. Both keep for a year, and in that period, any number of wildcard certificates can be assigned for free.

  • Philip Mather

    And who are these Certificate Authorities that issue certificates? How much validation do they do of applicants, how secure are they? I have multiple personal domains, hosted locally and remotely, all with their own HTTPS certs and HSTS but it's nothing more than theatre and pretence. There is no trust model when the entities issuing certs are nameless companies staffed by people I don't know. Google should not be perpetuating the sham which is HTTPS, stop skimping on the fix and do it properly by backing the CA system with a proper PKI. People are trying, keybase.io etc…

  • Danny LIVEWIRE

    Thank-you for saying / doing so! … It's amazing how many "security experts" miss this one. Google taking the lead yet again!

  • Three Guys From Miami

    This might affect your Adsense Revenue. According to Adsense:

    The SSL-compatible ad code is designed for publishers who already have existing HTTPS-enabled sites. We don’t recommend that publishers with HTTP sites convert their sites to HTTPS unless they have a strong reason to do so. Unless you're a publisher who needs to protect important user information like credit card details, passwords, or medical records etc., you probably don't need to change your site to HTTPS.

    HTTPS-enabled sites require that all content on the page, including the ads, be SSL-compliant. As such, AdSense will remove all non-SSL compliant ads from competing in the auction on these pages. If you do decide to convert your HTTP site to HTTPS, please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages.

  • Michael DeMutis

    I do 301 redirects for anything without www at the server config level.  Do I still need to verify those in webmaster tools?  There should be no actual working links on those URLs.

  • Kirill Berezin

    @Ilya Grigorik 
    Could somebody answer me about authentication in HTTPS? I can't be sure I am reaching example.com, because I have several trusted root CAs in my system. If one of them is compromised (FBI/NSA) then I can't be sure: they are placing a MITM with a valid, but not original cert, and I have no warning in the browser. (Look at SSH host key change.)

    And if we lose one of the statements, then we lose all. I can't be sure that data is not changed (integrity), and not listened to (encryption). So HTTPS is useless. 2:20

    For example, cloudflare.com is legally "hijacking" the HTTPS connection even if I have my cert. Both have a valid path (and different CAs), and the same domain name. The user doesn't even know about my cert, he is viewing only Cloudflare's. And I tested, I could switch them live, and I had no notification about 'origin change'. The browser assumes that a cert change is OK. It's a vulnerability.

  • Supralobe

    Looking forward to the "Let's Encrypt" project. Totally agree with HTTPS everywhere – currently there are some problems with monetization with Google ads, my revenues dropped 30% after switching but should eventually recover. Also not sure how this changes your backlink profile and whether 100% of your page rank / link juice will transfer over if you 301 redirect http to https and keep the non-https links.

  • Supralobe

    A potential obstacle for those wishing to share the same IP for multiple domains/services may be the lack of SNI support for Android 2.3.7, IE running on XP, and Java6u45.

  • Nick Christensen

    Question for @John Mueller or @Pierre Far, I just migrated my site from HTTP to HTTPS and verified the new version within WMT. This video recommends adding all 4 versions (non-www of HTTP and HTTPS) to WMT but is that really best practice if those non-www versions never were created, therefore never indexed or internally linked? I can't upload the HTML verification file to the non-www version of my site unless I manually switch it over just to verify, then switch back. That seems counterintuitive. Can you confirm?

  • Richard Razo

    Any recommendations for a single domain SSL certification (DV) for a reasonable price? I found one for $5/year (https://www.ssls.com/comodo-ssl-certificates/positivessl.html). I see this has a 40% trusted ranking. I have a simple site showing off my web and graphic designs… is this good enough for me?

  • Seth VW

    Awesome idea, security is an issue. I like to think that one could prevent lots of hacking issues by funneling all data through, say, a cell phone with a thumb print scanner. Can't hack my bio-metrics. 10/10 work

  • John Bell

    Most websites have absolutely no necessity in being secured via SSL.. why are they being penalized? For example, a blog (most of the content on the web) never exchanges data other than maybe an email address for a mailing list.. penalizing them for not spending the extra money for an unnecessary level of security is practically extortion… makes me wonder when you are going to start selling certs, since there is an obvious motive here..

  • Глеб Ворончихин

    Okay Google. You say HTTPS Everywhere, BUT you can't do that when I click a YouTube link in Google, it throws me to HTTP. So when I try to post a comment the web page reloads. Is that convenient in your opinion????

  • ronald williams-EL

    My Blog has been taken off of google which describes the crimes that is happening in the world today my followers would be able to to "The truth for all eyes to see" now when I go to it it doesn't appear what do I do..

  • Davin Studer

    23:36 They recommend protocol relative URIs. According to Paul Irish this is actually not the best pattern anymore. Really the best pattern is to use HTTPS if the asset allows it … always. So, instead of src="//path/to/script.js" it should be src="https://path/to/script.js".
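
An added example, not part of the comment above or of the talk: a protocol-relative URL inherits the scheme of the page, so on an HTTP page the asset is still fetched unencrypted. This sketch audits markup for `//` and `http://` asset references and rewrites them to explicit `https://`, assuming each asset host actually serves HTTPS; the function names, sample markup and host names are constructed for illustration.

```javascript
// Matches src/href on tags that load subresources (not <a> navigation links).
const ASSET_ATTR =
  /<(script|img|link|iframe|source|video|audio)\b[^>]*?\s(src|href)\s*=\s*(["'])(.*?)\3/gi;

function classify(url) {
  if (/^https:\/\//i.test(url)) return "https";
  if (/^http:\/\//i.test(url)) return "http";          // mixed content on an HTTPS page
  if (/^\/\//.test(url)) return "protocol-relative";   // follows the page's own scheme
  return "other";                                      // relative path, data: URI, etc.
}

const toHttps = (url) => url.trim().replace(/^(http:)?\/\//i, "https://");
const needsFix = (url) => ["http", "protocol-relative"].includes(classify(url.trim()));

// Report every asset reference that is not pinned to https://.
function auditAssets(html) {
  const findings = [];
  for (const [, tag, attr, , url] of html.matchAll(ASSET_ATTR)) {
    if (needsFix(url)) {
      findings.push({ tag: tag.toLowerCase(), attr: attr.toLowerCase(),
                      kind: classify(url.trim()), url, suggested: toHttps(url) });
    }
  }
  return findings;
}

// Rewrite only the flagged attribute values; everything else is left untouched.
function rewriteToHttps(html) {
  return html.replace(ASSET_ATTR, (whole, tag, attr, quote, url) => {
    if (!needsFix(url)) return whole;
    // 'whole' ends with the URL plus its closing quote; swap just that tail.
    return whole.slice(0, whole.length - url.length - 1) + toHttps(url) + quote;
  });
}

// Constructed sample markup.
const SAMPLE = `
<script src="//cdn.example.com/lib.js"></script>
<img src="http://img.example.com/logo.png">
<link rel="stylesheet" href="https://static.example.com/site.css">
<script src="/js/app.js"></script>`;

for (const f of auditAssets(SAMPLE)) {
  console.log(`${f.kind}: <${f.tag} ${f.attr}="${f.url}"> -> ${f.suggested}`);
}
```

Check that each rewritten host answers over HTTPS before deploying the change, since an asset that does not will simply fail to load.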

  • Steph Pirrie & The Hoolie Band

    I bet if Google also offered free SSL certificates a lot more sites would switch. It would certainly make the "secure browsing" mission more sincere.

  • Giacr45

    I find it ironic that you gave a 45 minute talk about using HTTPS everywhere, and yet in the final slide the page about the talk starts with http:// !

  • myWEBpc

    Google, like America, imposes its own rules on the world. This will end badly, damn it, as usual.

  • Ian Macdonald

    The problem here is that HTTPS only works properly on sites which are single data sources.
    On sites that use third party data such as adverts, it:
    DOES NOT provide authentication, because the certificates of the advertisers appear nowhere in the browser.
    DOES NOT prevent data being modified. The recent cryptojacking scandal underlines that.
    DOES NOT prevent MITM eavesdropping, because an advertiser can inject a keylogger into the browser.

    -and if it does these things for SOME of the data, but not the rest, what the heck use is that?

    The risk of an advertiser or other third party being a malicious actor is statistically far greater than that of a data carrier being such. Thus when deployed on sites with third party content, HTTPS is not fit for the described purpose of protecting user data from infiltrators.

    The issue with the present situation, created to allow the use of HTTPS on general websites, is that if my bank's website has content injected from a potentially malicious third party, the browser WON'T warn me of this. THIS IS BAD.

    HTTPS should be reconfigured to display, "This site is NOT secure" unless ALL OF the data comes from the indicated source. Otherwise, it is lying to the user.

    https://iwrconsultancy.co.uk/blog/https

  • Samuel Lourenço

    This is a fascist move by Google. Why would I need to move my blog to https, since:
    1- It is a blogger blog with a custom address;
    2- It doesn't require authentication, but if you need to leave a comment, authenticated (you have the option to leave anonymous), you are redirected to Google authentication.

    My blog is only an example, but many other websites don't need https. For instance, a company's page that doesn't have a login option (most don't have). This is, perhaps, a move and a hype to make webmasters pay for an SSL certification (guess, by Google). They are promoting Lighthouse at the same time they do this.

  • Prod by TiG

    For a school project, our group made a tool where you can input a URL and check if the site has an SSL or not before visiting.
