On 2020-02-03 at 11:51, Marvin Renich wrote:

> As a specific example of unnecessary default security, take the
> "https everywhere" campaign. Having https available on most servers
> is definitely good. However, if you explicitly go to
> http://www.google.com/ you are redirected to the https version. Of
> all the (hundreds of?) billions of google searches done every day,
> how many of them would really cause any harm at all if the
> communications were unencrypted? Yet the entire computer-using
> segment of society pays the price for higher bandwidth and CPU
> usage.

I think part of the idea here is to promote a type of "herd immunity" against surveillance. (That analogy may be a bad one.)

The more people do not use HTTPS for Google searches which aren't sensitive enough to require security, the easier it is for surveillance actors to distinguish the searches which do require it, and thereby identify targets for subjecting to surveillance - or worse - by other methods.

I understand that benefit - of making it easier for those who do need the security to hide among the crowd - to be one of the major arguments for having HTTPS be used everywhere and in all cases, even places and cases which would not otherwise see any benefit from using it.

That argument does not necessarily generalize to other "higher security by default" discussions, however, and at a glance I don't think I see how it would apply to the one at hand in this thread.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw