15 years ago I used to work for the Electronic Frontier Foundation. I’m still a fan and supporter, but sometimes they take really weird positions that is more like a politically correct weird religion cult – and HTTPS Everywhere is an example of that. And they are influencing the web to go along and discriminate against unencrypted web sites, like this one. Google sent me this notification.

Chrome will show security warnings on http://www.dvorak.org

To owner of http://www.dvorak.org,

Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The following URLs on your site include text input fields (such as < input type=”text” > or < input type=”email” >) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data.

I have about 50+ web sites to deal with and I’m just not going to do it. This is a really bad idea and I wouldn’t have a problem with it if it weren’t a tremendous hassle and totally useless.

 



  1. Hmeyers says:

    There are some advantages and some disadvantages to https.

    The certificates expire all fricking time and seem to be pain in the arse to manage.

    There are some advantages even for sites like this one, but it is mostly things like preventing Verizon or other stupid ISPs from inserting ads and a small measure of security for swiss-cheese like sites (hello WordPress!)

    But I think the “real deal” is that Google has infrastructure to seamlessly deliver ads on a site using https and most of their competitors do not (which is why it is even possible for things like AdBlock plug-ins to exist).

    So https is a major weapon to use against other advertisers.

    Follow the money!

    • bobbo, we think with words and flower with Ideas says:

      Good post. I was going to suggest a calm polite letter showing the common sense allowance for opting out………… but that ain’t gonna work against money.

      Why does “Don’t Be Evil” come to mind?

    • Marc Perkel says:

      So why do I care about that on my sites?

      • Hmeyers says:

        You don’t.

        But Google has a bigger bankroll than you, wants to dominate advertising and controls Chrome and pumps money to promoting https so they can clobber the advertisers that can’t do https.

        So — You lose.

        You don’t have to https, https is pointless for sites that aren’t selling something …

        But eventually Chrome will pop-up

        “Warning: Dvorak Blog is an untrusted web site and communications are at risk of being intercepted by a third party attack. Do you wish to continue?”

        Why? Because “Do no evil”. That’s why! Haha 🙂

      • ZTW brushless ESC

      • Jeff says:

        Got it, you don’t care if your users are exposed to add injection, tracking injection, dns poisoning, and malware.

    • Jeff says:

      So much wrong here.

      Which major ad networks can’t serve over https?

      AdBlock-style browser plugins are not bothered by https sites, they run client side code, they can see and block requests urls (even if https), and are not restricted from interacting with https sites to alter the dom.

      An adblocking proxy would be messed up by https, but those are very rare for users.

  2. NewFormatSux says:

    How about going into a little more detail than ‘that sucks’.

  3. David Jung says:

    Pretty useless, right up there with cookie warnings that the EU requires. What great security is there needed for your name and email address getting filled out on a form? I’ve got a B2B site collecting valuable leads I need to scramble to get https’d because of this crap.

  4. eca says:

    well..
    they have passed that HTML 5 can have DRM.. so whats new??
    NO ONE is listening..

  5. Truly futile, up there with treat notices that the EU requires. What incredible security is there required for your name and email address getting rounded out on a shape? I have a B2B site gathering profitable leads I have to scramble to get https’d in view of this poo.

  6. Tursiops says:

    I don’t agree, it’s just good practice to use https even if you don’t have a lot of things to protect.
    Now with free certificate and auto renew it’s really easy to do it.
    I use it on my own website and I’m not a web developer so if I can anyone can.

  7. Jeff says:

    It isn’t like chrome is going to have a big red intercept or block users from visiting.
    What part of their description that the pages are not secure is inaccurate or misleading? It is hardly discrimination, though maybe you mean that in terms of making users more discriminating in the sites they visit?

    Seems like you are just whining that you are inconvenienced. You can always set up let’s encrypt to manage the certificates and guarantees to your users that pages nor dns traffic has been tampered.

  8. Jeff says:

    This site is more and more become the unhinged whining of Marc Pekel. I thought he had his own blog?

  9. tom says:

    Sorry, I don’t agree. I believe that HTTPS Everywhere (and HTTPS in general) serves a worthwhile and valuable purpose and I use it with all my browsers… I have a few simple websites and it was trivial to add it to all them.

  10. Rex says:

    A while back I made my personal website HTTPS knowing that this was coming. Fortunately you can get free certificates from LetsEncrypt. It was a pain in the ass getting it working (nginx) but now I only need to run a script to get it to renew every few months. I’d rather not deal with this because nothing on my site involves personal information.

  11. F U says:

    NOT “useless”!

    You’re just a LAZY CODER who could give a fuck about anyone else that doesn’t speak Java, C++, HTML, bla, bla, bla. Never mind anything about being SECURE! Guess you side with the NSA and are now “anti-encryption” (cause it’s a pain in your ass to support),

    YOU (lazy) MORON!

  12. Semantics says:

    Marc Perkel takes the Equifax approach to security. The admin password = admin.

    • Hmeyers says:

      Is that true or are repeating something someone else told you to think?

      ESPN is not https
      CNN is not https
      FoxNews is not https
      Disney is not https

      You probably like https because someone on the television told you to like it.

      Not because you undersstand what it is.

      • NewFormatSux says:

        https is useful for this blog- when posting links they will still work even with www.

    • Marc Perkel says:

      You do realize Equifax used https?

  13. Mr Anderson says:

    What do you have that’s not worth hiding?

  14. airman says:

    Is Dvorak still alive?

  15. Matt says:

    I’m confused I don’t know what to do call me stupid call me dumb I don’t care what you say I don’t know what to do I need better instructions please !

  16. Dubravko says:

    Have you tried recently to activate free wifi in hotels or airports (usually using http redirect to provider agreement page first) because with https you will only get stupid and not understandable errors.

    Having not one http url in your browser history.
    Thinking what web site is still using http to save your free wifi day…..

  17. jpfitz says:

    https://youtu.be/F5bAa6gFvLs?t=2m33s

    No More Secrets, keep in your memory what you need to hide. Writing down information is just sa vulnerable as the info grabbing WWW.

  18. Grupa Zero says:

    Hi,

    HTTPS is required due to migration to HTTP2, you simply need that encryption. As for certificate expiration, I recommend Let’s Encrypt – it’s free and you can forget about your certificate expiration.

  19. I don’t completely agree. It’s just good practice to use https even if you don’t have a lot of things to protect.

  20. Orwell says:

    Google wants to help the reptilians get rid of those pesky anonymous websites. Vast areas of the Internet will disappear and need not be indexed. Google has already eliminated old content from the search results.

    HTTPS everywhere means old Android devices will not be able to browse to any current website. Planned obsolescence.


0


Bad Behavior has blocked 24974 access attempts in the last 7 days.