Hacker News new | past | comments | ask | show | jobs | submit login

If Chrome operated that way, we would still have broken locks on mixed-content SSL pages and no warning at all on non-SSL pages. The fact is, an attempt at security is better than no attempt at all, and visibly marking the insecure option as less secure is better than pretending security doesn’t exist unless it’s implemented 100% as expected (lock icon appears, etc.)



The world has far better uptake of HTTPS than of DKIM. If DKIM was as widely used as HTTPS, then Google likely would indicate when a message was not signed.


This page (about halfway down the page) lists the percentage of pages loaded over HTTPS in Chrome by platform since 2015 when Google started collecting these statistics: https://transparencyreport.google.com/https/overview?hl=en

In 2013, Google published a blog post on DKIM adoption and in 2016, they updated it: https://security.googleblog.com/2013/12/internet-wide-effort...

> 86.8% of the emails we received are signed according to the (DKIM) standard (up from 76.9% in 2013). Over two million domains (weekly active) have adopted this standard (up from 0.5 millions 2013).

> 95.3% of incoming emails we receive come from SMTP servers that are authenticated using the SPF standard (up from 89.1% in 2013). Over 7.8 million domains (weekly active) have adopted the SPF standard (up from 3.5 million domains in 2013).

> 85% of incoming emails we receive are protected by both the DKIM and SPF standards (up from 74.7% in 2013).

> Over 162,000 domains have deployed ___domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard (up from 80,000 in 2013).

In conclusion, the evidence -- from Google itself -- shows that only as of 2017-18 has HTTPS adoption even remotely compared to that of DMARC adoption's statistics from 2013!

Gmail is terribly behind Chrome in this regard. Google Search began down-ranking sites not SSL protected in 2015, Chrome warned about submitting passwords on insecure forms in 2016, and by 2017 was rolling out or planning to roll out a series of changes to visibly mark insecure pages as insecure, one address bar change at a time.

In that same time, Google launched Inbox in 2015 ... and shuttered it by 2018, redesigning Gmail. They had plenty of opportunities to highlight insecure email transmission, they chose not to.


I agree with you in theory, but in practice they are very different situations. For websites, the website owner loses traffic if they don't offer a secure experience -- they are in complete control of their destiny.

For email, the user loses deliverability and may not even be aware of it. Also it's often not within their control to fix. Marking non-signed emails as such would put a huge burden on email users and they might not even be aware of it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: