Comment by modeless

1 day ago

> remarkably, nearly all the end-user consumer Internet browsing and app traffic we observed used TLS or QUIC

There was a surprising amount of resistance to the push to enable TLS everywhere on the public Internet. I'm glad it was ultimately successful.

It was only successful because Google said you'd rank higher if you did it.

  • It was only successful because of Let's Encrypt removing any excuse for not having HTTPS on your website, HSTS becoming a thing, and Chrome moving from gentle inducements (that cute green padlock) to nasty-looking warnings if you didn't use encryption.

    • No, that was after, and it made it easy, but before Google many people said there was no point "because their site wasn't sensitive". Those people didn't care about Let's Encrypt or how easy it was, they just didn't find a reason to do it. Google gave them a monetary reason to do it.

  • Which in turn was driven by the Snowden revelations of what the NSA was doing in terms of mass surveillance.

    • I have a more cynical view of the reason.

      It is to protect commercial interests, I don't think that Google cares about the NSA looking at your personal data.

      Google cares a lot about protecting the personal data they get from you, so that they and no one else can get it, at least not for free.

      Because let's get real, 99% of the time, why do you need encryption? The reason is commercial activity. It is really important to protect your credit card number, otherwise no one would trust e-commerce. For a paid service to work, you need to authenticate, and it means encryption; no paywall means no authentication and much less need for encryption. And even with "free" services, you need encryption to protect the account that shouldn't even be required in the first place. As for general communication, my guess is that hackers and governments alike are more interested in financial data than in casual conversation.

      So by pushing TLS everywhere, Google is actually pushing for a more commercial, less open web. That it helps with general privacy (except against Google itself) is just a happy accident.

> I'm glad it was ultimately successful.

What are you talking about? It was an absolute failure.

As soon as we got widespread TLS adoption, Cloudflare magically came along and wooed all the nerds into handing over all the plaintext traffic to a single company.

It has improved security, but it has made it less durable. Hosts now need constant maintenance to keep up with changes to TLS policies, certificate renewal protocols and so on.