Say NO to HTTPS

Say NO to HTTPS, unless there is a very specific requirement like logging in to secure sites.

Most of the World Wide Web is open public information accessible to everyone… Just like you can drive wherever you want on any roads, except some restricted or controlled ones. Trying to make every website secure is like trying to put tollbooths or entry/exit restrictions on every road, and centrally controlling them. Unnecessary overheads become bottlenecks to efficiency, transparency and openness. Somebody somewhere wants to grind an axe. Kinda sorta like this rent-extracting economy masquerading as a free market.

Below I quote parts of some blogposts. You can read them in their entirety by clicking on their respective referred links at the end of this post.

Privacy vs confidentiality in protocols[1]

TLS does not provide privacy. What it does is disable anonymous access to ensure authority. It changes access patterns away from decentralized caching to more centralized authority control. That is the opposite of privacy.

TLS is desirable for access to account-based services wherein anonymity is not a concern (and usually not even allowed). TLS is not desirable for access to public information, except in that it provides an ephemeral form of message integrity that is a weak replacement for content integrity.

TLS everywhere is great for large companies with a financial stake in Internet centralization.

Do we want this open World Wide Web to become centrally controlled? Eventually that might lead to every single transaction being taxed to recoup the high costs of monitoring and controlling every aspect of the web. Somebody has to pay for all that. And my guess is as good as yours! Who else?

KISS

The best solution is the simplest! Twisting things to make them more complicated is a classic sign of the incompetent or the downright corrupt. They are trying to manipulate something towards nefarious ends. Beware of FUD!

Google and HTTP[2]

I've been writing about Google's efforts to deprecate HTTP, the protocol of the web. This is a summary of why I am opposed to it.

Their pitch

Advocates of deprecating HTTP make three main points:
1. Something bad could happen to my pages in transit from a server to the user's web browser.

2. It's not hard to convert to HTTPS and it doesn't cost a lot.

3. Google is going to warn people about my site being "not secure." So if I don't want people to be scared away, I should just do what they want me to do.

Why this is bad

Google has spent a lot of effort to convince you that HTTP is not good. Let me have the floor for a moment to tell you why HTTP is the best thing ever.

Its simplicity is what made the web work. It created an explosion of new applications… The explosion happened because the web is simple.

Google is doing what the programming priesthood always does, building the barrier to entry higher, making things more complicated, giving themselves an exclusive. In worlds created by corporate programmers, it's often impossible to find your way around, by design.

The web is a social agreement not to break things. It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best.

The web is like the Grand Canyon. It's a big natural thing, a resource, an inspiration, and like the canyon it deserves our protection. It's a place of experimentation and learning. It's also useful for big corporate websites like Google. All views of the web are important, especially ones that big companies don't understand or respect. It's how progress happens.

They believe they have the power
Google makes a popular browser and is a tech industry leader. They can, they believe, encircle the web.

It's dishonest
Many of the sites they will label as "not secure" don't ask the user for any information. Of course users won't understand that. Many will take the warning seriously… having no idea why they're doing it. Of course Google knows this. It's the kind of nasty political tactic we expect from corrupt political leaders, not leading tech companies.

Sleight of hand
They tell us to worry about man-in-the-middle attacks that might modify content, but fail to mention that they can do it in the browser, even if you use a "secure" protocol. They are the one entity you must trust above all. No way around it.

They cite the wrong stats

It will destroy the web's history
It will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is.
It's like a massive book burning, at a much bigger scale than ever done before.

If HTTPS is such a great idea…
Why force people to do it? This suggests that the main benefit is for Google.
If it were such a pressing problem we'd do it because we want to, not because we're being forced to.

The web isn't safe
Lots of things aren't safe. Crossing the street. Bike riding in Manhattan. Falling in love. We do them anyway. You can't be safe all the time. Life itself isn't safe.
PS: Of course we want parts of the web to be safe. Banking websites, for example.

The Cathedral or the Bazaar?

There will always be some who want to own/rule the world. This could be for various dubious and not so dubious reasons. But whatever their reasons… Should we let some control everyone else?


[1] Privacy vs confidentiality in protocols
[2] Google and HTTP
