Are we starting to see the end of unencrypted HTTP?
A little less than a year ago, Mozilla announced that they will be deprecating “non-secure” HTTP. The response was unending flattery and congratulations for pioneering online security and privacy, hailing the coming of a completely encrypted web.
No, I know. Of course it wasn’t. It was a still-burning shitstorm of insults, death threats and endless repetitions of the word “boycott”. The security team behind Chromium, and by extension Google Chrome, received a similar treatment, albeit lessened somewhat by the fact that Google is already evil, so who is surprised?
(Note: the author of this article considers neither Mozilla nor Google to be evil but rather reserves that label for people who send death threats over the internet.)
Nevertheless, with arguably the majority of browser developers on the same side, the intention is clear; the people in charge want internet-wide encryption. And this is how they’re going to do it.
How do you deprecate HTTP?
In essence, you can’t. It’s a protocol; anyone can use it in perpetuity. What Google and Mozilla can do, however, is hold visitors hostage if a website is unencrypted.
Chrome and Firefox make up the lion’s share of all traffic. If they agree to withhold new features from unencrypted websites or literally mark them as unsafe — i.e. displaying a warning to the user — there’s nothing the owners of said unencrypted website can do. It could be working completely fine, despite the lack of encryption, but users will steer clear because their browser is telling them to do so.
So, to be entirely accurate, no one is really deprecating anything — Google and Mozilla will effectively be forcing people to stop using something. It’s not very obvious right now, but the signs are already there.
[Screenshot: the connection indicators shown by Firefox and Chrome for an unencrypted site, as of today, 22/3/2016]
Chrome on the right is quite understated. Perhaps the word is honest. Firefox, on the other hand, uses red text to tell the user that the site they’re on is not secure. For the moment, neither of these warnings is immediately visible to the average user. You have to click the icon next to the omnibar.
But imagine if that little icon became red on unencrypted sites. Imagine if the entire screen turned red and the user had to click that “I know the risks, let me through”-button in order to visit the site. Nothing will have changed — HTTP isn’t any more or less secure than it was yesterday — but now its shortcomings are thrust into the faces of everyone.
At that point, the promise to not outright disable unencrypted HTTP becomes pretty pointless. And the average person neither cares about nor needs to know the exact specifics of internet security.
HTTPS everywhere because we say so
People find it difficult enough as it is to break even on a website. How many could afford to stick with unencrypted HTTP if one of the major browsers started actively telling users not to visit it? According to some sources, Chrome makes up over 50% of browser traffic. Google could snap their fingers and take away up to half of an unencrypted website’s traffic.
And I imagine that once one of the big browser developers is brave enough to take the step, the others will soon follow. Because I have a feeling that the security warning will start to be relied upon, and why would you choose to use a browser which doesn’t warn you of dangers when you can use one that does?
It doesn’t matter that HTTP hasn’t changed, that it’s not any more insecure than it’s been for years or that HTTPS is no guarantee of safety. The fact remains — the browser developers are in control of how the web evolves. And they’ve decided that HTTPS is it.
For the greater good(?)
Even if we were to view this forced evolution in the worst and most malicious way possible, I would still not advise anyone to stick with HTTP. Since the start of 2016, we at Avidmode have been in the process of transitioning all our hosted websites to HTTPS-only. Some will use commercial certificates, others will use Let’s Encrypt.
The reason for this is that the web needs encryption. Every year, more information is stored digitally and more transactions happen digitally. Without peer verification and transport security — server certificates plus encryption — this would be one giant house of cards just waiting to come tumbling down.
And everyone who’s been on this ride for a while knows how resistant the web is to change. Just look at the absurdity of how some people responded to Mozilla’s announcement. Amongst the vitriol and bullshit, I didn’t see so much as a shred of alternative solutions.
We would never come to a consensus on this.
And that leaves us with the best available option, and it’s up to the people with power to force it upon the others, which is both necessary and just as bad as it sounds.
All the best,
Dan