> find it really hard to really trust if that's your contact information
Because Google implemented a warning in their web browser, and you comply without understanding their reasons?
SSL is most useful for credit card processing.
SSL makes some sense for e-mails and chat messages, also for authentication.
SSL is useless for static content.
I think Google did that for money, just sold the security story really well. They’re smart people, they can’t possibly be unaware of certificates being useless for the majority of the web. Here are the reasons.
Increases entry barrier, centralizing internet even more. For-profit internet companies have zero issues paying for certificates, it’s part of their business. It raises barrier for ordinary people. Also creates more incentive for placing ads on their web sites to reduce costs. Guess who earns most profits from internet ads?
Also, SSL breaks caching proxies by design. This opens a market for the technically inferior Google AMP. Technically inferior, because proxies are closer to users; 20 years ago most office buildings had a caching proxy like Squid or MS ISA Server.
Also, there’s an unintended consequence: users learning to ignore SSL errors and proceed anyway. People processing credit cards usually know what they do and take security seriously, and an SSL error there often means what it’s supposed to mean: it warns about potential hacks. People implementing SSL just to shut up the Google browser don’t need security; they care much less and screw up much more often.
This is just... false. Without SSL, static content can be MITM'd just like anything else. Don't believe me? Connect to the WiFi in any Starbucks and visit http://example.com. That redirect to the Starbucks WiFi login page certainly isn't being served from example.com...
Please stop spreading misinformation about SSL.
Let's Encrypt is one obvious thing to mention here; besides removing the cost barrier to entry, it really is quite simple to set up.
Lots of commenters have raised good points and pointed you to instructive resources on the subject, and you've quite selectively ignored the best ones. Please take a moment and withhold the assumption that we've all been brainwashed by Google, and consider that other people might know something you don't.
No it ain't. The cert is at least some assurance that the static content was not altered in transit between the original server and some MITM. Non-HTTPS sites absolutely suck to browse on less-scrupulous public wi-fi hotspots that try to inject their own ads into your browsing sessions (cough cough Greyhound cough cough).
> It raises barrier for ordinary people
Let's Encrypt has existed for multiple years now. There's certainly an effort-related barrier to entry, but not a financial one.
> 20 years ago most office buildings had a caching proxy like Squid or MS ISA Server.
And they can still have that by setting up their own internal CA and installing their own root cert on company-owned machines. Hell, running an internal CA is pretty standard practice for large enterprises (and even some medium ones) specifically so that Intranet applications can use TLS without browsers whining about self-signed certs.
One of the advantages of holding on to this idea for so long is that it's given me time to save a bit of a runway.
Hopefully the fabled Product/Market fit materialises before this runs out :)