It slows down doing anything that involves it. I end up landing on some jank AMP page, and have to then navigate to the top, and pop up the original link, click it, then wait for the real site to load. Total UX fail.
If you want to MITM yourself, nobody takes it away from you. Create your own CA, add it to the trusted list, set up your proxy with the keys, and MITM all you want.
You do get the benefit of HTTPS even on static sites though. Do you want every network you join to be able to inject any JS they want into pages you're viewing? HTTPS solves that.
I disagree. There's no reason to leak things to everyone on the planet, even if what's leaked isn't the most-damaging-to-leak-thing possible. As an example, it annoys me that the Texas Instruments site isn't encrypted, leaking my interest in parts to anybody listening.
Even if Texas Instruments implemented SSL the fact that you went there would not be a secret to anyone who can see your packets due to SNI[0]. HTTPS is really only useful when you want to hide the contents of a message, not the recipient.
I don't understand this point of view. You are either using a VPN or Tor if you don't want the planet to leak your info to the world or you are leaking already.
If you are not, then sure, browsing in an internet cafe or an unsafe network will allow rogue entities to see your interest in parts.
Your browser is fingerprinting you on Chrome with an ID. You are being fingerprinted with your unique fonts on other browsers. If you have JavaScript on, that opens the floodgates. Logged into Facebook still? Browser extension gone rogue? Android OS?
I don't think they meant leaking info to TI, they meant leaking more info to ISPs than necessary. HTTP connections are like a post card, anyone en route can read it. At least with HTTPS they have to jump thru more hoops.
This gets trotted out a lot, but who is "everyone"? At worst it's a bunch of random people in the cafe whose WiFi you're using - but these people don't have the resources to track your activity once you leave the cafe. Otherwise it's just the same rogues' gallery of large corporations interested in adtech/surveillance money: ISPs, device makers, other online service providers. The thing is, none of them have the reach, data collection, and analytics capability of Google. And Google almost certainly gets all this information too, whether you use HTTPS or not (see reCAPTCHA, Google Analytics).
To me, this rationale looks an awful lot like a moat to stifle Google's competition. If collecting "the urls you're browsing" is wrong, why is it ok for Google to do it? And if it's not wrong, why is it somehow better that only Google gets to do it?
> At worst it's a bunch of random people in the cafe whose WiFi you're using - but these people don't have the resources to track your activity once you leave the cafe.
Depending on what you're doing, one-time collection may be enough.
Also, many captive portals are provided to businesses by companies whose own business interest is in tracking people, and they'll absolutely correlate the data.
Rather than having to worry about whether the service you're getting internet access from will track you, make it impossible for them to do so.
Isn't this just imparting a false sense of security? The one party who I'm most worried about getting my data, Google, will still get it.
I think you've still failed to answer my basic point - how is this not just a competitive moat that benefits Google? If we care about privacy and data collection, legislation is required because Google and Facebook have no reservations about sucking up everything they can. If it's ok for them to do it, why not $RANDOM_CANADIAN_ISP?
Especially when you can just sit behind Cloudflare and get it for free with very little work on your part.
Granted, you then have to trust Cloudflare; but it seems like they have been good actors so far considering their privileged position delivering tons of content across the web.