Please Google, Don't shame HTTP (yet)
When the World Wide Web was invented, there was no security. There was no need for security. Times have changed, of course, and now almost every critical function in life can be accomplished via the web. For all those sites, encryption, or TLS (formerly SSL), has become de rigueur. Important data = Encryption. Seems easy enough. So why does the Average Joe want TLS (HTTPS) on everything, including this very blog? Because people have gotten really good at hijacking browser connections.
What do you do when your alarm goes off in the morning and you don’t want to get up? You mute it. What do you do when your cell phone keeps beeping about something? You mute it. What do you do when something keeps beeping and annoying you? You start to ignore it. It’s a very simple concept known as “Alarm Fatigue”. Humans are really good at learning to ignore things that happen all the time, like false alarms that constantly happen. What do you think will happen when one day 50% of the websites your average user visits show a red lock icon in Chrome? They’ll freak at first and then learn that it’s a “false alarm” and stop caring. Now that the users don’t care, malicious attackers can go ahead and start to attack your browsing of properly encrypted websites (Read: Your Bank) all they want. You don’t mind sharing your bank information with the hackers, right?
“Should Hospitals Be More Like Airplanes?”. The author goes on to explain the different levels of alarms and notifications that happen in a commercial airliner’s cockpit. For example, the color red is not used ANYWHERE unless something terribly wrong is happening. More importantly, there are only a small handful of things that can trigger the highest level of warnings, and those are issues that are an immediate danger to the aircraft. Keep in mind, this list of warnings does NOT include the engine catching fire. Yes, that’s right, it’s not a red alert to lose an engine (because there are two).
So please, let’s find a way to convince the world to get on board with an encrypted web that does not require us to teach 99% of the world to stop giving a damn about encryption.