* Certificates are expensive (to buy _and_ to manage)
* Crypto is hard and there will be a lot of screw-ups with inadequate certs in the wild for a long time. Just having a certificate does not mean much if it is weak or broken.
* Can't help the feeling it's an indirect push for cloud business hence possibly eating the margin of freelancers / ISV
* Security Theatre: a lot of critical information for business still transits by email. Will Google force encrypted emails for the greater good? I don't think so.
Google is not "enforcing" anything; people react as if you are not going to show up in the results at all, or Chrome won't work via HTTP. HTTPS is a signal, just like having a link from a well ranked website like HN is a signal, and probably dozens of others.
The points you mention are in fact indicators that someone has put care and resources into making their site work more securely, which says a good thing about the site, which Google rewards with some points in their algorithm. Makes perfect sense to me that this will somewhat improve the quality of their results. Would you also complain about Google using fast response times as a signal because that "forces" people to pay for better servers?
About your security point, Google cannot do that without losing 50% of its customers. I really don't understand what that has to do with rewarding HTTPS being good or bad. Looks like a red herring.
Right, you will not disappear from the results. The reaction (granted maybe overreaction) is about Google pushing HTTPS hard for security (which could be good but not automatically so) and not caring in areas where it is as important if not more.
You are just proving my point. Google rewards the richest, those who have the resources as you say. As for care, I would be glad if people were not going to do it for the wrong incentives. Will Google just check if HTTPS is available and reward, or will it also check for broken ciphers and penalize?
I am not against HTTPS. Just saying that rewarding HTTPS is not enough. It's worse, actually: some will set it up quickly and badly just for the extra ranking points and not the actual security it should be providing.
To me the red herring here is pretending to do it for security. What is the point of HTTPS if I receive my password by mail? To me email is more important to secure first. Google could perfectly well incentivize security practices in Gmail without losing a single customer. I would even settle for just signing instead of encrypting mails.
As for enforcing, HTTP2 (that is SPDY) IS enforcing HTTPS.
IMO, good HTTPS where it matters is more important than crappy HTTPS everywhere, which just is ridiculous and could even be dangerous thanks to a false sense of security.
> Google rewards the richest, those who have the resources as you say.
Google doesn't care who it is rewarding; Google cares about the users that search, they've said that multiple times. And yes, people with better resources build on average better things than people without them.
> I am not against HTTPS. Just saying that rewarding HTTPS is not enough. It's worse, actually: some will set it up quickly and badly just for the extra ranking points and not the actual security it should be providing.
Even then, still 10 times better than plain text HTTP so my whole office can see what I'm browsing with a simple console command.
> What is the point of HTTPS if I receive my password by mail ?
Your email inbox should be accessed via TLS; that's something that is up to you. And while you don't control the origin (nobody can without breaking compatibility), intercepting a message in transit like that is not exactly something most people I know can do. While getting that password over HTTP is almost trivial for anyone sitting around me.
> As for enforcing, HTTP2 (that is SPDY) IS enforcing HTTPS.
The day you can only see a website via SPDY, then I would call that enforcing it. Yes, if you want the carrot (performance) you have to pass through the hoop (security), but nobody forces you to eat the carrot.
> IMO, good HTTPS where it matters is more important than crappy HTTPS everywhere, which just is ridiculous and could even be dangerous thanks to a false sense of security.
I really cannot get which scenario you are picturing here. Setting it up is not rocket science.
> Google doesn't care who it is rewarding; Google cares about the users that search, they've said that multiple times.
Hum, well, I've grown wary of what Google says. Like putting commercial mail in a separate inbox is to help the user.
It also happens to indirectly help AdSense.
> And yes, people with better resources build on average better things than people without them.
Does that mean content created by an association without a dime, for instance, is on average inferior?
I happen to like cooking. I often find websites with great content by word of mouth. They are generally badly ranked because they look like they were done in FrontPage and from the GeoCities ages. Yet the content is very good and even sometimes quite unique. They rank badly because they are not speedy and in beautiful HTML5. That's elitism. Maybe they should buy AdWords.
> Even then, still 10 times better than plain text HTTP so my whole office can see what I'm browsing with a simple console command.
That is one of the few good arguments for HTTPS everywhere: privacy.
> And while you don't control the origin (nobody can without breaking compatibility)
You can encrypt or even just sign emails without breaking compatibility. Putting commercial email in a separate inbox is OK, but putting unencrypted and/or unsigned email in a separate inbox is not?
> While getting that password over HTTP is almost trivial for anyone sitting around me.
> I really cannot get which scenario you are picturing here. Setting it up is not rocket science.
Is it better to have open WiFi or WiFi with WEP? It's the same, because WEP is nowadays easily broken by script kiddies with simple tools.
That's the scenario I'm picturing here. A web full of weak/broken certs to comply for ranking, people feeling safe (it's encrypted, right?) and script kiddies with trivial tools to break the WEP equivalent of weak/broken HTTPS certs.
Granted, maybe I'm over-pessimistic here, but the trend annoys me. I don't take Google at face value anymore. You know they excel at the long play.
On the bright side, maybe people will use their certs for more than HTTPS... say, a mail server for instance :)
Oh come on... if multiplying your ranking by 0.01 (now) means that much to you, then probably you're making enough money that you can afford a cert, or you probably have one in place.