
TLS/SSL and the ‘Unsafe’ Web

Google's Site SSL Icon

It’s been about four years since I wrote an article about the state of encryption on the web. With news that Google is about to step up its efforts to warn users of “insecure” pages, I thought I’d revisit this topic that never ends.

Encryption on the web is good. It’s good for everyone. I support it, this site includes it, as do millions of websites. Of course, the bad guys also use TLS encryption. So, in a sense, you’ll get your virus from the bad guys in the same secure manner you might get this very text. Encryption from client to the server in a browser is bad for those attacking communications in the middle, but otherwise it is just one tool that makes up the secure web.

My main concern is the inverse. The other side, if you will. This branding of “Not Secure” will continue to imply to the unwashed masses that the site is bad, problematic, or even worse, malicious. This nomenclature is one of exclusion, just because Google is stupid. Okay Google, indicate the connection is not encrypted, but leave it at that. Soon, if you go to a non-TLS site you’re going to get a ton of “Not Secure” visuals, and shortly Google’s new nag screen will pop up in Chrome:

Need I remind you that the unencrypted web is also good and important:

Look at http://scripting.com – It’s a developer’s blog. His site is generally static text. It doesn’t specifically need to be point to point encrypted, and, well Dave has decided he doesn’t want to, and that’s enough. Heck, not being encrypted might even make the site ever so slightly faster.

Look at directory indexes. One such WebDAV server is http://live.sysinternals.com/ – yes, they have a TLS-enabled version you can hit, but maybe for compatibility or to avoid challenges with wget or an older operating system, you want to get a file from there on good old port 80. It’s not an encrypted connection, yes, but implying worse is not good. Unencrypted open directories are all over the Internet and have a ton of different content and uses. They don’t all have to be TLS encrypted.

In fact, to get a certificate, Let’s Encrypt needs to be able to verify your site first. How? One way is with an unencrypted port 80 connection. If encryption is good, then the means of getting your site encrypted should also be good, right?

Also, for better or worse, many of the manuals I encounter for small offshore companies are hosted on sites that are not TLS encrypted. Hey, that’s ok too.

In some cases, getting a site up is a challenge, but with your provider, getting a TLS certificate is a serious pain in the ass. Don’t let that discourage you. Test that stuff and make it work. If you’re just starting your learning journey in tech, you might think you screwed something up seeing all these “Not Secure” messages.

We should never have an Internet constructed by monopolies that decide for us what is good and what is bad. The spirit of the open web must live on, encrypted or not.
