As you can see in "Blogger in HTTP only? What happened to HTTPS?", this is not news to me.
Although there seems to be a recent improvement (i.e. HTTPS actually works if used directly), the question is: why doesn't Google do it?
Why doesn't Google provide a 100% SSL experience?
I'm speculating, but it has to be a mix of:
- Not enough compromises/attacks (if an attack happened but there is no public record of it, did it really happen?)
- Not enough public and high-profile compromises/attacks (more realistic)
- The hardware costs of making that change (which is weird, since I would assume that Google is able to provide SSL in a cost-effective way)
- The software/application costs of making that change (this sounds more realistic, since some apps are hard to move to SSL due to their dependencies and side effects)
- Not being sued on this topic (because if they were, the maths/business case/ROI would be simple)
The last point is an interesting one, since:
- There is clearly a case that Google is not taking due care with their customers' data
- Google has publicly stated the importance of HTTPS (see "HTTPS security for web applications")
- In 2012 there is no 'real' or 'defensible' technical excuse for not using SSL all the time
I guess that, with the teams of clever lawyers and developers at Google, their conclusion was that (as of Oct 2012) there is a 'real' or 'defensible' business excuse for them to act this way.
Another fine example of why security is so hard to do from a business point of view.
Here is a nice service, used by millions of customers with no (reported/public) problems, and then here comes the Security TAX, forcing code and infrastructure changes!!! (with no visible customer benefit)
Tip: Just in case, I used a great little feature from the Blogger admin panel, 'Export Blog' (this gives you an XML file with your entire blog contents). Now if only I could get Blogger to sync it with a GitHub repository.