Comment Re:was bit by this (Score 1) 299
Ahhh exactly the example of a perfectionist. The same person who's probably willing to pay via credit card at a supermarket. Typical paranoia. Either everything or nothing. When it's snowing outside I'll put on whatever clothes I have, even though they are not designed exactly for the weather. Yes I might be a little cold after a while, but oh well. You on the other hand will either not go outside at all or run around naked, because if you dont have everything designed for exactly the right conditions, you might as well not put on any clothing at all.
Look, there are two thing, encryption and authentication. Don't conflate the two. Encrypted connection is for protecting against different things than authenticated connection. Saying that you can't have one without the other is stupid. There's no reason to ever send anything cleartext. Yes, it might be better to authenticate, but it is not all that difficult to obtain a certificate for a domain if you can control the domain for a bit, which is exactly what you need to impersonate a site that google would be connecting to. The thing is as long as you have any certificate given for that domain, then you're Bob.
Authentication and Encryption are TWO DIFFERENT THINGS.
Also this is google we are talking about. They FOR YEARS could not cobble a two factor or one time password authentication together. So I won't take any lecturing about how concerned they are about security.
BTW, google has been using quite a bit of software I wrote, for free, even android apparently used a bit of my software as my website pops up in their license files. I don't feel at all bad for them giving something to me for free. Plus it's not free. They are not doing it out of the goodness of their hearts (you did notice those ads in gmail did you not?). They are making quite a bit of money. Enough to not pay taxes on lot of it and make lots of people angry.