Google search may favor SSL sites

[Moonchild]

Comodo was kind enough to alert me about the following:

https://blogs.comodo.com/e-commerce/google-search-may-favor-ssl/

Of course, it was touted as a reason to buy an SSL certificate from them (probably the real incentive behind that entire post), but for me it's just yet another reason to keep using DuckDuckGo as my search provider of choice (and the default in Pale Moon). Basically, Google would be punishing website owners for not buying SSL or an SSL-enabled hosting service, even if SSL is not needed for those sites - and for most sites/pages, SSL is not needed, because it is all public information.

[access2godzilla]

SSL is not needed, because it is all public information.

Just because the published information is public does not mean that encryption is not required -- connections can be still eavesdropped on (and I need not elaborate on why the current trend of unrestrained surveillance is harmful for people and society in general, unless you've been living in a cave).

BTW that post is very suspiciously written, Googling for 'matt cutts ssl' tells me that this is probably only a proposal.

[Supernova]

On public information, SSL is not needed, but since it protects again : -someone else having the ability to know exactly what you read (what you post is not a great problem since public, but still it gives easier access) without much effort ; which with ISP keeping all records is not a moot point (knowing what you read on an info website reveals a TON of thing about you for example)
-the probably rare case for a random individual, but still notable, of modifying content by a man-in-the-middle attack in what you receive (with the possibility of serving a fake site, which leads to very serious problem : if you was searching a download link for example ?) or emitt. And yes this problem is mainly on public wifi but surely not restricted to it and one cannot dismiss these issues.
So SSL remains very useful even for "public" things.

That said, comodo blog post is very probably oriented by commercial interest, yes, and as such contains probably some inaccuracies.

[Moonchild]

Please let's not get into the whole "but they record your visits" discussions again - they will record your visits just as much when you use SSL to visit a website.
There is no specific advantage for using SSL to access public information. Keeping a record of which articles are accessed is still possible over SSL, and the practical side of the matter is that you don't even have to eavesdrop on the connection to get that information, since webservers always keep logs.

And MitM, don't make me laugh XD - a hot term applied willy-nilly whenever the term SSL is dropped in conversation. First go have a look what it would involve to pull off a MitM attack, even on regular unencrypted traffic; it's not trivial.
Apart from wanting to censor requested information (which is more easily done in other ways) or intercepting download links to inject malware (easily avoided by the user, and once again, also more easily done in other ways) there is no use for any attack on data streams of public information to end users.

Aside from that point, yes, it's a proposal, it's not in place yet if we go by the state in the article, by the looks of it, but also as stated it's an internal debate with the Pro-people in high positions. We don't know exactly if it will be implemented, if it already has, or if it is planned, in any case, because Google's algos are such tightly guarded secrets.

[access2godzilla]

There is no specific advantage for using SSL to access public information. Keeping a record of which articles are accessed is still possible over SSL, and the practical side of the matter is that you don't even have to eavesdrop on the connection to get that information, since webservers always keep logs.

Any eavesdropper can note the destination of the requests but not the contents. A malicious Wi-fi hotspot (such as those in shopping malls) may use it for analytics, if not anything else. As far as governments are concerned ... well, it can be got hold of via legal means, but any company should be able to challenge/disclose that. Also, consider the legal niceties if the website is located in a country that has no extradition treaties with the country from which such a request is being sent.

it's not trivial

Not very difficult either. There are many companies selling such products at (comparatively) cheap prices, and sometimes, even built into firewalls. Not to say that governments could buy them easily, regardless of the price.

intercepting download links to inject malware (easily avoided by the user, and once again, also more easily done in other ways)

Easily avoided by the user? How? An antivirus (Not to say that they're useless, but they're entirely useless in this case.)
E-mails are preferred for these things, but consider the fact that a security-aware user won't open attachments/links, but it's difficult to tell if a binary was modified/replaced with a malicious one when you're downloading from a reputed source.

[Moonchild]

OK, I'm sorry I started this thread without being clearer about what I wanted to discuss. It immediately derailed into more of the same headbutting about https vs http, which, all things considered, isn't even relevant to the original post.

Off-topic:
You're also confusing insecure open wifi hotspots (were anyone with some sense would use VPN or similar to get out of the insecure zone anyway) with normal web traffic.

To prevent this thread from becoming a mashup for 5 different topics altogether, please split out the topics if you want to discuss them further:

• Any discussion about Google favoring search results from https servers should go in this thread
  This includes financial edges, inherent favoring of larger companies and punishing small-time publishers.
• Discussions about insecure open (local) networks (like hotel/airport/shopping mall wifi) should be split off
• Discussions about http vs https should be split off
  This includes user security for "rewriting" data streams in transit over http
• Discussions about MitM attacks should be split off
• Discussions about government surveillance should be split off

[Supernova]

Well, if I'm sure there would be financial reasons if google changed its algorithm in that way (because cash #1), the advantages of https over http are very relevant to them wanting (or not) to promote it.