A year and a half ago, I read a great essay by Danny O’Brien (who now works at the EFF) illustrating the difference between public, private, and secret:
http://www.oblomovka.com/entries/2003/10/13#1066058820
Google has a history of disregarding the private-but-not-secret. The Google Toolbar causes pages that aren’t linked from anywhere to end up in the index anyway when they’re visited. Now, they’re dismantling this distinction even further.
Some things aren’t linked, or they’re protected with plaintext passwords. THIS DOESN’T MEAN THEY ARE PUBLIC. By putting up a password but not encrypting, or not linking to pages, you’re saying “I know this isn’t really secret, but go away anyway. There’s nothing valuable to you here, and don’t make me work too hard to keep you out.” This is roughly equivalent to putting up a “no-trespassing” sign.
The Web Accelerator ignores private-but-not-secret login functionality by returning pages generated with the cookies (i.e., logins) of other Web Accelerator users.
This is Google coming by and taking down all of the no-trespassing signs on the web, and forcing everybody to put up fences to keep the poachers out. I can’t even begin to see how this is okay.
Would Google be equally fine with the situation if some other company (Yahoo or Microsoft come to mind as the obvious candidates) were to release their own Web Accelerator that proxied Google pages and mangled all of the relationships between cookies and users?
Just because this stuff isn’t secret doesn’t mean it’s public either. There’s a distinction here that should be maintained, and isn’t. Google, not using https for all of its own pages, should realize and recognize this.