Why do I support HTTPS Everywhere?
One of the things I'm passionately in support of is HTTPS everywhere. That is, every single website using HTTPS. It doesn't matter if it's a simple text site or if it's a full blown corporate webpage, it should be using HTTPS.
I also promote going beyond HTTPS on websites which is why I support and recommend the use of the additional functions that HTTPS provides like Content Security Policies and HSTS.
The reason for this is fairly simple, the web is an amazing resource and everyone who uses it should be able to do so safely. There are too many horror stories of insecure content being hijacked and misused. A secure web helps avoid those issues.
There are some people who don't agree with HTTPS and there have been several arguments put forward as to why HTTPS is a bad thing. I'd like to take a bit of time and give my responses to the arguments put forward by Dave Winer at http://this.how/googleAndHttp/
They don't have standing. The web is an open platform, not a corporate platform. It is defined by its stability. Also, if Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time.
This is Dave talking about how Google Chrome will mark pages and logon boxes as "NOT SECURE" when over HTTP.
The web isn't an open platform, nor is a corporate platform. HTTP is actually defined by the IETF and there are a series of RFC's that dictate how HTTP (and HTTPS along with everything else) works. I'm not sure what he means by "defined by it's stability", pages go down all the time and they change ALL THE TIME. By writing this article, this site will change.
That's why it's important that no one has the power to change what the web is.
Google is doing what the programming priesthood always does, building the barrier to entry higher, making things more complicated, giving themselves an exclusive.
Just because browsers will list sites as non-secure doesn't stop people from putting up web pages. They'll just be correctly flagged and it'll make people more aware of the security of sites they visit. It won't be just Google who can put up web pages. Certainly, some people will be confused by certs and will need some hand-holding. That's fine, certs are getting many times easier thanks to automation and lets encrypt.
Many of the sites they will label as "not secure" don't ask the user for any information. Of course users won't understand that.
It doesn't matter, the page will still be "not secure", if they have ads on the page then there is plenty of room for code-injection and malicious behaviour. If site is important (i.e. if it's more than just "this is my website") then it really should be over HTTPS. This just highlights that.
They tell us to worry about man-in-the-middle attacks that might modify content, but fail to mention that they can do it in the browser, even if you use a "secure" protocol.
Content can be changed in browser but it's only changed on that one machine. By changing the content in flight, it's delivered to every requestor of that page and, more importantly, they won't know it's been changed.
It will destroy the web's history.
It's like a massive book burning, at a much bigger scale than ever done before.
This is bizarre. The webs history is still there (if it's been recorded), just served over HTTPS. The way back machine (as an example) uses HTTPS. This blog started out using HTTP via blogger.com 12 years ago. It's all still there, just over HTTPS now.
I wonder if there is some confusion between HTTP and HTTPS, they are the SAME protocol, it's just that one uses encryption and the other doesn't. That is it.
If HTTPS is such a great idea...
Why force people to do it? This suggests that the main benefit is for Google, not for people who own the content.
For a start, it's not being forced. If you want to use HTTP then you can, your site will just be marked as not secure, which is right. It is not secure. I also feel this is a bit like the seatbelt laws, seatbelts were a good idea but it took a change in the law to make people use them. Google (and other browsers) pushing HTTPS are doing so in a much less direct way than Governments did when they made seat belts compulsory!
In short, HTTPS is a good thing. HTSTS, CSP's and all the other wonderful acronyms are good things. Yes, some change the way the web works. They take it from insecure where content can be injected and make it secure. That's a good thing.
None of this stops people spinning up their own website over HTTP, that protocol is still there. If they want a secure site and don't have the skills to do it then there are sites like wix.com that will host their content for free or they can have the traffic go through Cloudflare. There are still good, simple options for people who are not technical experts.
Finally, Dave Winer has closed comments on his blog which is a shame as I feel that the HTTP versus HTTPS debate needs to be fully explored as I know that there are people who aren't happy with this "brave new world" and those concerns need to be addressed. My comments are open and I'd love to hear feedback, good or bad around this article.
Subscribe to Ramblings of a Sysadmin
Get the latest posts delivered right to your inbox