path: root/published/https.txt
blob: d9956ec648ef51246b66f3ecbdc9d2331a20da18 (plain)
There's a major change coming to the web in the next couple of years. Quick, check your URL bar right now. See that http up there (assuming your web browser still thinks you're smart enough to understand it)? That's going to be getting an extra "s". Or at least it will if Mozilla and Google get their way.

Mozilla recently became the latest in the long line of companies big and small trying to <a href="https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/">push the web</a> from HTTP to the more secure HTTPS protocol. 

In the post-Snowden world, where everyone from the NSA and GCHQ to your ISP is inspecting and sometimes altering content, HTTPS (which makes such things nearly impossible) makes sense. 

Let's make that doubly clear: moving to HTTPS is a good thing. 

However, the timing and way in which Mozilla, and to a lesser degree Google, would like to rush the web into HTTPS is all wrong. 

Like Google before it, Mozilla wants to encourage developers to deploy new sites using HTTPS. Unlike Google, which has thus far used only carrot-like methods to entice developers, Mozilla is going to bring out the stick and start beating the web into HTTPS.

Mozilla plans to deprecate HTTP by first making "new features... available only to secure websites." Then, at some point, it will begin "gradually phasing out access to browser features for non-secure websites."

That means that without an HTTPS website you won't be able to take advantage of any new features in HTML that might come along. Eventually you won't even be able to use the ones you're using today. 

In some cases this makes sense. For instance, the geolocation API should have been HTTPS-only from the beginning. Some existing HTML APIs, like Service Workers, are already HTTPS-only. All of which is to say, again, HTTPS is a good thing, but making it the only thing, as Mozilla proposes to do, is fraught with problems.

The first problem is that it means the web is no longer free as in beer. Obtaining an SSL certificate is not free. In a follow-up <a href="https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf">FAQ statement</a> (bizarrely, a PDF file) Mozilla does some handwaving about the question of HTTPS costs and contends that StartSSL offers free certificates.

That is technically true: you can obtain a certificate from StartSSL for zero dollars up front. But StartSSL charges to revoke certificates, even when those certificates turn out to be vulnerable to security threats like Heartbleed. 

In other words, practically speaking, StartSSL is not free. If you can't revoke a certificate for free, it isn't free. StartSSL is free in the same way that the first shot of heroin is always free. You'll be back, and when you are you'll be paying for everything you do. StartSSL and others using the same pricing model know this; that's why they offer "free" certificates.

Full disclosure: I run a number of HTTPS domains using certificates issued by StartSSL because there is no upfront cost. I do not, however, consider the service to be free. It also happens to be the most challenging thing I've ever tried to set up on a web server in twenty years of running servers. More on that in a minute.

There are some efforts underway to create a service that's both trusted by browsers -- so visitors don't get the scary message about "self-signed" certificates -- and free. The most notable is <a href="https://letsencrypt.org/">Let's Encrypt</a>, which Mozilla is a part of, but so far, while it sounds nice, Let's Encrypt is just vaporware.

The move to pure HTTPS has costs, which thus far Mozilla has not credibly shown can be overcome. The HTTPS-only web Mozilla is envisioning is one in which only the rich are welcome.

The costs are only part of the problem though. 

The real problem with deploying HTTPS is that it's a difficult process that even very knowledgeable developers frequently get wrong. Expecting the average site owner with a WordPress blog to set up an SSL certificate chain, with the process as it is right now, is unrealistic at best.

As developer and open, independent web advocate Jeremy Keith <a href="https://adactio.com/journal/8932">puts it</a>, "this is for everyone... not just those smart enough to figure out how to add HTTPS to their site." He goes on to say that Mozilla's plan "looks like something drafted by underwear gnomes."

To be clear, Keith is not suggesting that the move to HTTPS is bad, just that the timing is ill-conceived. "Let's make HTTPS easy first," he writes, "then we can start to talk about ways of encouraging adoption. Hopefully we can figure out a way that doesn't require Mozilla or Google as gatekeepers."

There's another major problem with the move to HTTPS: it fundamentally breaks the web as it is. 

All those HTTP URLs you visit and have linked to over the years will cease to exist if the site they're a part of moves to HTTPS. Everything needs to be redirected. Again, provided you have developers who know how to do it, this is easy to do. Unfortunately, the history of the web has already shown that few sites will bother to create redirects. The more likely outcome is that millions of URLs will die along the way. 
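The two things the preceding paragraphs say people get wrong, the certificate chain and the redirects, fit in one server configuration. The nginx fragment below is an added example and is not part of the article or any deployment it describes; the hostname example.org and all file paths are placeholders to be substituted for a real site.

```nginx
# Added example (not from the article): nginx configuration that moves a site
# to HTTPS without killing its existing HTTP URLs. Hostname and file paths are
# placeholders.

# Port 80 keeps answering every old HTTP URL and sends a permanent redirect to
# the identical path on HTTPS. $request_uri preserves the full path and query
# string, so http://example.org/posts/1?p=2 becomes https://example.org/posts/1?p=2.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;

    # The wrong way is "return 301 https://example.org/;", which sends every
    # old deep link to the homepage: the link rot described above, self-inflicted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org www.example.org;

    # The most common chain mistake is pointing ssl_certificate at the leaf
    # certificate alone. Browsers that have not cached the intermediate then
    # show a trust error. The file must hold the server certificate first,
    # followed by the intermediate certificate(s), in that order:
    #   cat server.crt intermediate.crt > fullchain.pem
    ssl_certificate     /etc/ssl/example.org/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example.org/privkey.pem;     # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;

    # Add HSTS only after confirming that every HTTP URL redirects correctly
    # and the chain validates in a fresh browser profile: once a browser has
    # seen this header it refuses plain HTTP for the site for max-age seconds,
    # so a broken redirect or chain can no longer be papered over.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/example.org;   # placeholder path
}
```

A quick check after deploying is to request a handful of old deep links (with query strings) over plain HTTP and confirm each answers 301 with a Location header pointing at the same path on https://, and to open the site in a browser profile that has never visited the certificate authority's other customers, since a cached intermediate hides a missing one.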

This is the problem that led web-creator Tim Berners-Lee to plead with developers earlier this year, "don't break the web". To quote Berners-Lee, "the HTTPS Everywhere campaign taken at face value completely breaks the web in a way it is arguably a greater threat to the integrity for the web than anything else in its history." 

Berners-Lee's solution is to make TLS -- the actual encryption and authentication layer in HTTPS -- part of HTTP. In his plan, the HTTP protocol would be by default upgraded to use TLS without having to use a different URL prefix. In other words, the burden to make it happen is transferred off the shoulders of developers and onto the shoulders of protocol designers, standards bodies and browser makers. Reception of Berners-Lee's proposal from those groups has been lukewarm thus far.

Whether or not Berners-Lee's solution is the best option for the web is certainly debatable. What's not debatable is that Mozilla, Google and others pushing HTTPS are ignoring the reality of HTTPS today: it's expensive, difficult to set up and very likely to lead to the biggest batch of broken URLs in the history of the web. 

Before HTTPS becomes commonplace, the process of obtaining and setting up a secure server needs to get much simpler. At the very least, the web needs the WordPress of security certificates. Perhaps Let's Encrypt will be just that and solve two of the three problems with the transition to a secure web. But deprecating HTTP now, before very real, very fundamental problems are solved, is putting the cart before the horse.

Worse, Mozilla's plan would create a divide between those who have the money and ability to purchase a certificate and those who do not. The move to HTTPS as Mozilla envisions it is counter to the entire notion of an open web.