
I'm sorry, but this simply isn't something a search engine should be dictating. Turning enabling SSL into some arms race that panics small businesses into buying millions of new, pointless certificates just isn't very fair.

This kind of policy needs to be discussed openly in a suitable forum, e.g. the IETF, not handed down to us by a single company who think they have a right to dictate how the Internet works - and have provably done a horrible job of it in the past (websocket over SPDY, anyone? Yeah, I'm not even sure which version combination of SPDY and websocket I'm talking about either - pick one of the hundred)

There are strong arguments for not enabling privacy by default - not least since it prevents any kind of decentralization or caching of content. At a time when OpenSSL just suffered one of its worst bugs in history, forcing small sites to assume the risk of running code like this, which they inevitably will get wrong, materially worsens security for all, it doesn't improve it.




> This kind of policy needs to be discussed openly in a suitable forum, e.g. the IETF, not handed down to us by a single company who think they have a right to dictate how the Internet works

I don't see how this is any different from any other signal that Google uses to prioritize sites. Forcing small businesses to buy certificates doesn't seem any different than forcing them to have faster websites, for example.

There's an argument for more diversity in search engines, but I don't see how that is specific to this signal.

> There are strong arguments for not enabling privacy by default - not least since it prevents any kind of decentralization or caching of content.

How does it prevent decentralization?

> At a time when OpenSSL just suffered one of its worst bugs in history, forcing small sites to assume the risk of running code like this, which they inevitably will get wrong, materially worsens security for all, it doesn't improve it.

How many people could exploit Heartbleed before it was publicly announced, compared to how many could sniff traffic on open networks, as countless tutorials explain how to do?

Heartbleed was bad, and OpenSSL is a mess, but let's pretend that unencrypted logins are somehow less bad.


>any other signal that Google uses to prioritize sites

They don't just own the signals and sites... they own access to data about your digital life, and their algorithms process it as another signal in mining your life.

Google said "don't be evil":

http://www.reuters.com/article/2014/04/25/us-apple-google-la...


> I don't see how is this any different from any other signal that Google uses to prioritize sites.

«Oh, they're screwing up before, too? Then I guess it's alright»

> How does it prevent decentralization?

Because only a handful of companies can issue certificates.


> «Oh, they're screwing up before, too? Then I guess it's alright»

How is it screwing up? How are they supposed to run a search engine without prioritizing? "Here's 30000 results, we've randomly sorted them for you"?

> Because only a handful of companies can issue certificates.

Fair enough.


Apologies, I haven't made myself clear with that idiotic snarky remark :) What I meant is that their actions in the past shouldn't be an excuse for their actions today.

The principles behind PageRank are based on unbiased reputation, and provide for a good ranking system (spammers aside). Whatever's thrown on top needs to be carefully considered not to enforce biases towards any group in particular.


> How are they supposed to run a search engine without prioritizing?

Maybe quality of content? If the best info gets buried because they can't afford a cert or don't have a need for one then this hurts the Internet.


Heartbleed was much, much worse than unencrypted logins.


I agree that the worst case scenario is much worse; I don't see how it was much worse for the average website of a small business.


Maybe because it can lead to security theatre? People feeling safe when they're not really safe?

I think that's what hnha meant.


Heartbleed let you get random memory out of the webserver!


> I'm sorry, but this simply isn't something a search engine should be dictating.

Damned if you do, damned if you don't. If the announcement from Google had been that they wouldn't want to use their considerable clout to promote SSL, they'd have been criticized for putting their profits over improving the general long-term health of the internet.

> have provably done a horrible job of it in the past

That's a single example of a new technology that didn't work out well. How about pioneering certificate pinning as a counter-example? Nobody's perfect; if you never break anything, it means you never try anything new. Also, websockets and SPDY aren't even close to "dictating" anything; it's a new technology that you can use or not use as you want to.


Google is free to use any metric to score their ranking. The difference is this one they are telling us about.

HTTPS is also used to upgrade connections to stuff like HTTP/2 and SPDY, which give a substantial improvement in speed, which in turn improves satisfaction. So it makes sense to prioritise https sites.


I think your description of the situation is rather overblown. Having HTTPS support will only get you a very minor boost in rankings.

Additionally, discussing things in a forum usually doesn't get things moving. It's coming out with actual advancements like the original Chrome beta with V8 that drives innovation.

I think that the solution to harmful dictatorship should be good alternatives, not more laws to shackle progress to humongous councils.


"Having HTTPS support will only get you a very minor boost in rankings."

If your livelihood depends on getting traffic from Google - and a lot of sites do - then even a minor boost may equal a lot of money. Plus the fact that you can never know quite how much, so to be safe you must assume it's worthwhile.

The problem I have with this move is that to me it appears as Google are furthering their own political agenda. They want the web to be https, so they penalise sites that are not. It would be different if the argument was that sites on https tend to hold more quality content than non-https sites, but that doesn't seem to be the reasoning.


Why is "quality content" an objective measure and "user security and privacy" a political agenda?

I agree that it's dangerous for one entity to have so much power over the web, but I don't see how this particular signal is any different from any other they already use, including those which define the quality of the content.


Well, if your livelihood depends on Google, you do what they say; what's the problem? They did not force you to depend on them, did they?


Depends on your definition of force. They have a monopoly.


> At a time when OpenSSL just suffered one of its worst bugs in history, forcing small sites to assume the risk of running code like this, which they inevitably will get wrong, materially worsens security for all, it doesn't improve it.

OpenSSL is not the only SSL stack, you know. I run one of my websites on Tomcat so I can benefit from the pure-Java TLS stack it uses (the default one, actually). Something like Heartbleed is impossible for such a stack.
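To make concrete what the two comments above are pointing at ("Heartbleed let you get random memory out of the webserver" and the claim that a memory-safe stack rules that bug class out), here is an added example that is not from any commenter and not OpenSSL's code. It is a simplified handler for the TLS heartbeat message from RFC 6520 (type byte, 16-bit big-endian payload length, payload, at least 16 bytes of padding). The defect behind Heartbleed was trusting the peer's claimed payload length when copying bytes into the response; the `build_heartbeat_response` function below performs the bounds check that was missing, and the two `demo_` functions feed it constructed records, one well-formed and one claiming 65535 payload bytes. The record layout is from the RFC; the function names and sample bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat message layout (inside one TLS record):
   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define HB_HEADER_LEN  3

/* Build a heartbeat response for the request in rec[0..rec_len).
   Returns the number of bytes written to out, or -1 if the record is
   malformed. The comparison of the claimed payload length against the
   actual record length is the check the vulnerable code lacked: without
   it, the memcpy reads past the received data into whatever the process
   has adjacent in memory and echoes it to the peer. A memory-safe
   language would instead raise a bounds error on that read. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The claimed payload plus mandatory padding must fit in the record
       actually received; otherwise the peer is lying about the length. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);   /* echo payload */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);     /* padding is arbitrary; zero it */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request with the 4-byte payload "ping".
   Returns the response length (23) if the payload was echoed intact,
   -2 if the echo is wrong, or -1 if the record was rejected. */
int demo_valid_request(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] =
        { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    int n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    if (n < 0) return n;
    if (out[0] != HB_RESPONSE || memcmp(out + HB_HEADER_LEN, "ping", 4) != 0) return -2;
    return n;
}

/* Constructed sample: the same 4-byte payload, but the length field
   claims 0xFFFF bytes. The output buffer is deliberately large so that
   only the length check, not the capacity check, can reject it. */
int demo_oversized_claim(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] =
        { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    static uint8_t out[70000];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("well-formed request  -> %d\n", demo_valid_request());
    printf("oversized claim      -> %d\n", demo_oversized_claim());
    return 0;
}
```

The point of the second demo is that the rejection happens before any copy: a stack that validates lengths against what was actually received never touches memory beyond the record, which is the property the Java stack gets for free from its runtime.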


This is _exactly_ the kind of thing that only a player as heavy as Google can kickstart.

We need to "reset the net", encrypt everything possible, and Google's help is more than welcome.


[deleted]


The OP was referring to the webmasters, not the search engine end users, as the ones being 'dictated'* to by Google.

Unlike end users, webmasters themselves switching to Bing or DDG in their personal capacity would have little influence on their visitors' (end users') behavior.

* 'firmly encouraged' is perhaps more appropriate ;)



