In the wake of the Mozilla Foundation’s announcement that it intends to “phase out non-secure HTTP,” reactions have run the gamut from full-throated praise to contempt. One article in particular caught my interest. Ben Klemens, writing on Medium, focuses on the human impact of the phasing out of HTTP. Klemens’ argument revolves around the assertion that, because HTTPS is difficult to implement, phasing out HTTP means the end of a culture in which anyone can easily own their own space on the web. And, because implementing HTTPS necessarily involves paying a certificate authority for verification, the end of HTTP implies the end of the anonymous web.
Klemens focuses on how the change will affect introverts, but his basic point is more general: Insisting on HTTPS will be harmful to a culture that has existed on the Internet since its inception. A culture to which anyone can contribute, including, as Klemens quotes from the Debian free software test, someone sitting on a desert island with access to only a solar-powered laptop or a dissident in a totalitarian state who must be able to contribute anonymously.
This conceptual conflation of software development and online publishing is where my difficulty with his line of thought begins. It is, in theory, possible for a developer on a desert island to modify and use open source code to her heart’s content without ever having to rely on anything more than her solar-powered laptop. We can, within that limited scenario, think of development as a solitary task that an “introvert” can tackle alone.
There is nothing solitary about the Internet. The act of publishing is inherently communal. It’s an act of communication, and it often relies on dozens of entities to transmit packets from server to browser. Most of those entities are good, but many of them have motivations that do not line up with those of Internet users. Those users need protection. The Internet is a collective, and online security is in the interest of everyone, including web hosts and website owners.
Users, eCommerce retailers, bloggers, and online service providers need protection from man-in-the-middle attackers who would steal their data or falsify their identity. As Klemens points out, even something as seemingly innocuous as checking the weather online reveals a host of details about the user to a snooper, including location.
I’m not asserting that every Internet connection must be encrypted or the sky will fall. I am saying that encryption should be more widely adopted than at present. Warning users when their connection is not encrypted seems to me a move in the right direction.
It is difficult to implement HTTPS, but those difficulties are likely to be overcome. Let’s Encrypt, of which Mozilla is a major sponsor, aims to make HTTPS trivially easy. The difficulty is a technical one and there are solutions under development.
The anonymity issue is slightly trickier, but anyone who needs their own CA-signed SSL certificate is likely to have registered a domain, which also requires the handing over of identifiable data. There exist a multitude of anonymous platforms that implement HTTPS (one of which is Medium). It’s only necessary that data is encrypted and the identity of the server validated, not that each publishing individual be identified.
A move towards ubiquitous HTTPS is likely to bring greater security to the web, and that can’t be a bad thing.