
The Troubling Trend Toward Secure HTTP

In a recent blog post, Mozilla (makers of the popular Firefox browser) said it plans to set a date by which non-encrypted [1] websites would see access to browser features gradually removed. The details aren’t yet clear as to the timeframe, or exactly what features will be limited, but it’s a definite message that powerful players are pushing encryption on everyone. This trend of “encrypt everything” is becoming very troubling.

This is not to say encryption is bad. It’s essential in today’s web climate. The average person is likely being spied on by multiple government bodies, and the tools that keep people’s information private need to be stronger and more reliable. Stronger and easier-to-use encryption is to everyone’s benefit.

But, there is also a limit. There are some sites that may never need to be encrypted. Consider a simple blog, for example. You open the page, it renders inside of your browser as you read it, and you’re one of many hundreds (or thousands) who might be reading the page. The vast majority of sites these days (beyond cookies) are a one-way reading scenario. Encrypting the data transmission of these sites would be a waste of electrical energy, time, and computer resources.

And, security is not only achieved by having a site run on SSL. Users can encrypt data streams with VPN tools. Browsers such as Onion Project’s Tor allow users to encrypt information while browsing. Tools like TrueCrypt allow users to use strong encryption on files. And, even PGP encryption tools are out there to help secure messages. But, again, some of these tools are way overboard. That really cool “Sad Keanu” meme you just created probably doesn’t need to be encrypted.

I would also speak of the effort that webmasters are going to need to expend on sites that should probably never have to be encrypted. But, I understand this is part of running a site. Let’s face it, this is the webmaster’s job. The other side of this, though, is that if Google begins to penalize sites for not being encrypted (if they aren’t already), then those webmasters will not only see the extra effort, but a possible big hit to search advertising revenue. Should that happen to sites that probably don’t need to be encrypted?

Certificates are hard too. They’re not exactly easy to implement on the server-side. The different types of encryption standards that need to be enabled (and disabled) are mind-numbingly extensive. Certificate features are not all supported by all versions of server software. And, when a site is not completely secured, the user sees warnings (meaning all older embedded content needs to be audited). Imagine having to go over a site of 5,000 blog posts to fix them. Also, certificates expire – a real pain in the ass if you sold commodities that can’t be later updated (and certificates don’t signal impending expiry, they just expire and break things).
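The embedded-content audit mentioned above can be scripted rather than done by hand. The following is an added example, not code from the original post: it scans a post's HTML for subresources still loaded over `http://`, and the sample post and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that load subresources: tag -> (URL attribute, kind). Active content
# (scripts, frames, plugins) is typically blocked on an HTTPS page; passive
# content (images, media) typically triggers the warning. Plain <a href>
# links are navigation, not embedded content, so they are not listed.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    """Collects http:// subresources that would load insecurely over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only rel=stylesheet is fetched and applied; rel=canonical is not.
            if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                return
            attr, kind = "href", "active"
        elif tag in SUBRESOURCES:
            attr, kind = SUBRESOURCES[tag]
        else:
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):  # protocol-relative URLs are fine
            self.findings.append((self.getpos()[0], tag, kind, url))

def audit_post(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample post (not from the original page).
SAMPLE_POST = """<p>Old post body</p>
<img src="http://cdn.example.com/sad-keanu.jpg">
<script src="http://widgets.example.com/share.js"></script>
<a href="http://example.org/article">outbound link</a>
<link rel="canonical" href="http://blog.example.com/post-1">
<link rel="stylesheet" href="HTTP://static.example.com/theme.css">
<img src="//cdn.example.com/protocol-relative.png">
"""

if __name__ == "__main__":
    for line, tag, kind, url in audit_post(SAMPLE_POST):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Run over an export of every post, the findings list gives the exact lines to fix before the switch to HTTPS.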

Oh yes, and the entire Uniform Resource Identifier (URI) has to change when implementing secure HTTP. This means that all links to the site are immediately broken once encrypted. The port the webserver runs on has to change to 443 (from 80). And, in most cases, there’s the matter of forcing users who go to the old HTTP site into the new HTTPS site so they stay encrypted. This could be messy in very large implementations.

Even worse, certificates are controlled by large companies and most are not free. If you were an administrator and needed to understand how to simply implement a Google-compatible SSL on your company’s blog, good luck wading through that mess. Adding insult to injury, many registrars and hosting companies prey on customers’ lack of knowledge about technology-related issues – and thus probably offer very limited SSL support, or probably support that only promotes their services in the long run. To many, the Certification Authority system on the web is completely broken.

Are companies like Google and Mozilla helping us when they employ such strong tactics to motivate? I tend to err on the positive side and say yes, but with announcements like Mozilla’s, I’m starting to think twice. It’s never a good thing to force people into compliance.

There is hope. I think more people are going to need to add reason to this conversation. More people with influence will speak out [2]. Certificates are not yet free (but for StartSSL and WoSign), but the Let’s Encrypt initiative looks like a real winner if it goes live on time and fulfills its promise. There’s a great deal of work to do with so many issues – security, accessibility, layout, interesting prose, and kowtowing to Google’s latest algorithm change – that the poor schleps that bring you the web deserve a break too.

1. You know the site is encrypted when seeing https:// in front of the site’s url.
2. Yes, the guy who invented the web is a voice of reason on this subject too.