Google Chrome now marking non-SSL sites as insecure

Another Google Unnecessity?

Previously Google’s Chrome was just marking sensitive sites where you would input things like credit card details as insecure (and rightfully so) but what’s happened in July of 2018 here is a different ball game.  They are now marking any sites that are not using SSL (including mine) as being insecure- a blog site that does nothing more than provide information…

Another strange thing is that Google is claiming that there are “performance benefits” to switch to SSL.  I am not aware of any performance benefits as the SSL handshake and encryption overhead itself only decreases performance.  Now I am not saying it is always significant and noticeable but it definitely silly to claim a negative performance feature as something that increases performance.  It’s like saying “we’ve added way more stairs to your daily walk” but “this results in improved stair climbing time”.

The one thing I and many others take issue with is that Google wields enormous power and has been known to abuse it for their benefit and the benefit of other large businesses, to the detriment of small business.  Google is perhaps the most powerful on the internet overall since they control Search, Youtube and they are a non-regulated for-profit business that is essentially going to be cutting off access and traffic to non-SSL sites.

While it is good for everything to use some sort of encryption it’s important to remember that not every site on the internet has the resources to setup their own SSL certificate. I am not talking only financially (although it is not very expensive to do) but on a technical level I can imagine a lot of people and organizations will not have the ability to do so.  In addition there are other technical steps required in some hosting environments such as often requiring a separate IP which requires a DNS update or migration (which is no simple feat for the non-technical).

I’ve always kept what I’ve thought of as “public domain” sites where I am publicly sharing the information on purpose as not needing SSL.  I am neither concerned for example with this site and articles who is reading or who can see what is being read.

I think part of the motivation here may be an SEO benefit or to weed out a lot of websites and owners which will happen to be smaller and less sophisticated.  This means that the average or smaller guy or company will be at a huge disadvantage on the web in Google Chrome where their users are scared off that viewing this article here without SSL is dangerous.

I think encouraging more sites to use SSL is a good idea but I also think it is a form of penalizing and reducing the views, traffic and audience of smaller organizations and businesses.

I’d also like to point out that the average key size is very small on average from 128bit to 256bit and I believe this is well within the ability of large supercomputing facilities to crack.  SSL and TLS has suffered from security flaws in recent years and if anything I think it is time to switch to something GPG based if we are serious about security.  I believe the current SSL implementations give us a false sense of security.

There are a lot of cheap solutions to do this but it all depends on how and where you are hosted and your level of expertise.

It’s also important to keep in mind that Google may give more weight to SSL sites in the search results than before if they are implementing this in Chrome (yes I am aware that supposedly SSL sites have ranked higher for awhile but I think the algorithm will be tweaked shortly if it hasn’t already to give much less weight to non-SSL sites).