jr conlin's ink stained banana

:: Several Other Facts

Don't get me wrong. i like the EFF, in fact, i've contributed and gotten the full set of stickers and lovely note, but there are times that i kinda wonder if they're thinking clearly.

Take, for instance, a note they published yesterday, "Several Facts about Google". They note that they're very happy with the fact that Google is testing out HTTPS connections for gmail, since that means that the connection between you and Google is secure. That's very nice. Granted, SMTP, the method of delivery of your mail, is generally unencrypted, but that's probably beside the point. Kind of like how it's great to have a locking mailbox, but your mailman can still get mugged or just bury your mail in his backyard.

The other part that really had me scratching my head was that they were pushing to have Google use HTTPS for searches.

Again, i really like EFF, but i really wish they'd consider what they're asking for.

HTTPS means a secure connection. That means that so long as you're holding a connection open, you've got a mutual, trusted handshake between you and the box you're talking to. That's important to think about so make sure you remember that.

When you make an HTTP request to Google, the first thing that happens is that your request goes to a DNS balancer. This machine tries to figure out the closest server to you and hands you off to that machine. That machine is probably a VIP or "Load balancer" whose job it is to hand you off to a machine that can actually service your request. How you walk that path is kind of dependent on a lot of things like how busy a given server is. All of these hand-offs are done in nanoseconds because none of these needs to keep the "line" open. In fact, with some things, you may not even get to Google because you wanted something that exactly matched what someone else just asked for (like "Ed McMahon Memorial" or something). That's called Caching and it means even faster delivery of data to you.

When you switch to HTTPS, however, you introduce a good deal of security and a lot of extra steps. Your machine will only exchange information with a machine that identifies itself correctly. It also means that every request and response has to be encrypted and signed and then checked and decrypted.

Think of it this way: let's say you wanted to get a quart of milk. Currently you go to a local grocery store, and grab a jug. (We'll pretend that milk is free and unlimited, so you don't have to worry about checking out.) That's pretty much how HTTP works.

HTTPS means driving to an approved Milk Distributor, showing your ID at the door, calling the FDA to ensure that the person you've shown your ID to is who he says he is, handing him a cryptogram that contains your request for a jug of milk, he walks into the store, and sometime later returns with a locked safe which he hands you. You depart, drive home, enter the combination to unlock the safe and pull out your jug of milk. That, of course, presumes that nobody else wanted milk, eggs, meat, or laundry detergent that day and you had to wait in line to talk to the clerk.

Why would you have to wait in line to talk to the clerk? Well, because he costs a lot more than the fridge (even though he's basically walking up to said fridge to grab the milk), and even if you're the most successful grocery store on the planet, you can only realistically afford so many highly trained, FDA approved clerks. Plus, you have to pay for new training for them every year.

i'm sorry, EFF, but that's just a really dumb idea. Particularly since your fridge, err, computer could still be seized and the store's receipts, err, search engine's logs can also be subpoenaed.

There are lots of existing ways that you can cover your tracks should you need to. Just ask anyone in China or Iran how to do it. But for the bulk of us, i think we can live our lives with our milk in a normal, non-reinforced carton.
