[giergirey]

Are you sure that the Google authentication token(s) sent over HTTP can actually be used to perform sensitive actions (e.g. reading/sending mail, changing settings)?

That is, perhaps Google require an HTTPS-only token for sensitive actions and the authentication token sent over HTTP is only used for basic personalization (like showing your username) and some unimportant actions?

Though I guess we know that someone who has stolen your HTTP authentication token could ask embarrassing baraza questions on your behalf ...

[selectnull]

No, I'm not sure and your questions are valid. But wouldn't you be happier if they used https and the questions wouldn't have to be asked in the first place?

This practice of having a website respond to both http and https simply has to die. Google is not the only offender here, but I expected more from them, because they are very security sensitive.

Google, next time you accuse Chinese of hacking you, reconsider your practices.

[giergirey]

I agree, it would be good to see Google setting the trend here by going HTTPS everywhere. Personally I think the next website I create will be all-HTTPS.

The main reasons I encounter for not going HTTPS everywhere are:

1) Possible negative effect on search engine ranking during transition period.

2) 3rd party content from analytics tools and advert networks not supporting HTTPS.

3) Slower initial page load over mobile due to SSL handshake.

4) No-one else is doing it.

Hopefully these reasons will become less valid over time!

[bad_user]

Nr. 3 is very problematic for satellite connections, which have extremely high latency, making HTTPS websites unusable. I guess that is why Google went with plain HTTP in Africa.

[ensignavenger]

This isn't only a consideration for Africa- I am in rural Missouri, USA, and I am stuck with a satellite connection. HTTPS sites are several times slower than their HTTP siblings. The problem, as I understand it, is that my service provider can't compress the pages before sending them over the satellite link.

[smoyer]

There's actually no excuse ... SSL is cheap today and by terminating it at a load balancer or proxy, you don't even have to think about its impact on web-server performance. I imagine that Google has racks of equipment dedicated to SSL termination already!