[cromwellian]

Seems they're between a rock and a hard place. When Google proposed HTTPS everywhere, a number of people took exception because not all content has sensitive data needing protection.

I guess the real question is whether an HTTP call to load an ad copy is sensitive content. I think you can make an argument that it is sensitive content, because if I were monitoring your connection, and everything was encrypted, but I suddenly saw lots of ads for Ashley Madison and cheating sites, I might conclude that you had been researching those in the past even if I couldn't see your other traffic.

A better way would just to let the ad networks fix it. You can bet that after iOS9 ships, if they see a massive drop in ad traffic, they'll be burning the midnight oil to fix it ASAP.

I mean, iOS9 betas have been out for a long time, so it's not like they haven't had time to prepare.

[uxp]

We've moved passed the idea that only sensitive content needs to be transported over SSL/TLS.

https://www.amnesty.org/en/latest/campaigns/2015/04/7-reason...

https://www.aclu.org/blog/you-may-have-nothing-hide-you-stil...

http://www.ted.com/talks/glenn_greenwald_why_privacy_matters

http://falkvinge.net/2012/07/19/debunking-the-dangerous-noth...

https://en.wikipedia.org/wiki/Nothing_to_hide_argument

[mtgx]

It's also a security issue (in all cases), regardless of the privacy implications:

https://citizenlab.org/2014/08/cat-video-and-the-death-of-cl...

[imglorp]

Yes, we, the geeks and privacy advocates have moved past. We care about ubiquitous encryption for non-sensitive content.

The public at large doesn't care or understand unless they're banking or porning, and I'm not sure about the banking.

Telecoms, shareholders, advertisers, governments, and criminals are actively opposed.

We have a ways to go.

[hamedh]

Ad networks haven't supported HTTPS fully on the web either, not just iOS. In fact, Google says you will earn less with just HTTP

"If you do decide to convert your HTTP site to HTTPS, please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages." [0]

I wouldn't be surprised if many app developers put in this exception because at the end of the day, they will hurt too if ads stop showing up.

[0] https://support.google.com/adsense/answer/10528?hl=en

[gress]

Who is "between a rock and a hard place"? Google, or the ad networks?

[cromwellian]

When Google started pushing HTTPS everywhere, a number of threads on HN criticized them for it. Some of the points made:

1. Imposes cost on people serving content even if they think the content doesn't need it in terms of machine resources.

2. Imposes an extra cost on people serving content, in the form of SSL certs. ("Why do I need to pay for this when I'm just hosting a plain vanilla homepage!?!?")

3. The PHK rant.

My point is, not everyone believes that every request should be encrypted (I do), and Google has face criticism on both sides of the fence from purists who believe HTTPS somehow takes away some of the original freedom and centralizes the Web a bit more by requiring cert-authorities.

[gress]

Surely this matters only if Google's priority is to avoid criticism. If you guys believe in keeping end-users safe, it's a straightforward decision.

[Karunamon]

I'm guessing Google, but they have enough power in the market that they could probably say "start serving HTTPS if you want your ads seen" and the networks would jump.

[joshstrange]

This short story comes to mind http://www.crimeflare.com/doctorow.html (re: looking at ads displayed to you to know what you are looking at)