>‘That isn’t enough. The padlock on the https page gives users a false sense of security.’
>‘We don’t agree with that. Where’s your data?’
Where is your source that this is Google's position? Considering they have some of the best security employees in the business, I find that hard to believe.
Allowing sites to intercept browser actions that should make a user leave the site, and inject other operations is obviously and plainly a security issue.
I reported this to Google several years ago, and it was never addressed.
Can't you do the same thing without JavaScript, by having the web page go through a brief redirect so the back button takes you to the redirect?
And if so, how do you solve this? Ban server-side redirects? Make the Google SERP iframe all sites it takes you to? I agree this is a problem but I have no idea how to solve it in a way that's not worse.
>Allowing sites to intercept browser actions that should make a user leave the site, and inject other operations is obviously and plainly a security issue.
Sure, I agree. But what does it have to do with the parent comment's claim?
I've read much of the discussions involving the early push for HTTPS, and the developers involved were very fastidious.
The point is that Google should be penalizing sites that do that in search results, or at least in Chrome with some kind of browser recognition - as the OP states in the article.