
On the other hand, cleartext-based attacks are also easier to detect since the traffic is plainly visible. The maliciousness doesn't always have to be outside, despite all the focus on surveillance recently; and when it isn't, a "secure" connection makes it even harder to detect until it's too late.

Here's a recent demonstration of this principle - "smart TVs" phoning home via an unencrypted connection: http://arstechnica.com/security/2013/11/smart-tv-from-lg-pho...

If that was over HTTPS, would such data collection have been as obvious or even discoverable? It would be completely indistinguishable from any other "phoning home" - e.g. to legitimately check for software updates. The same encryption technologies that purport to protect us from mass surveillance... can be used to do it even more stealthily, and this is the main concern I have with making encryption ubiquitous.



Interesting, though I don't know how this is really relevant to the debate about whether it's appropriate to tell a user that HTTP is insecure but HTTPS is secure (the comment I was replying to questioned that exact point).

That's because the technology clearly exists to hide the type of phoning-home you are talking about. Any move toward more HTTPS for end users doesn't seem to increase that risk to me.



