Most system administrators, site owners, and hosting companies recognize the benefits of HTTPS. For many types of sites, TLS encryption (still widely called SSL) is necessary, particularly for eCommerce stores and sites that deal with sensitive data. For others, it is treated as optional; it might be nice if your favorite blog were encrypted, but it hardly seems vital.
Many of the most influential online consumer service providers, although not ISPs, take what would appear to be a less nuanced position. They want to see TLS everywhere, and they are using their influence to make it happen. Publishers will be familiar with Google's SEO incentive for secure sites, and now Apple has joined the other major browser developers with its recent announcement in a WWDC developer session that it will require encryption for HTTP/2. Every major browser developer is using technological advancement as a carrot to incentivize HTTPS adoption.
HTTP/2 does not change what HTTP means (the same methods, status codes and headers survive), but it replaces the text-based wire format with a binary, multiplexed framing layer, so one connection can carry many requests at once, and it compresses headers with HPACK. Those are significant performance enhancements, among other improvements. Except, unless your site is served over TLS, it won't get any of them. The specification allows cleartext HTTP/2 (h2c), but all of the major browser developers, including Google, Mozilla, Microsoft, Opera, and now Apple, only negotiate HTTP/2 inside a TLS handshake, using the ALPN extension, and will not use it on "non-secure" sites.
As Mark Nottingham, chair of the IETF HTTP Working Group puts it:
“the upshot is that HTTP/2 is (or will be soon) supported by all of the “major” browsers, and if you want them to use it with your Web site, you’ll need to have HTTPS URLs.”
When HTTP/2 was being drafted, there was strong support for mandatory encryption, but it was later decided, probably at the behest of ISPs and other bandwidth providers, that encryption would not be linked to HTTP/2 support, and the final specification defines both the TLS form (h2) and the cleartext form (h2c). Browser manufacturers appear to be slipping mandatory encryption in by the back door, having failed to get it included in the protocol itself: they simply do not implement h2c.
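Because browsers pick HTTP/2 through ALPN during the TLS handshake, the practical check for a site owner is whether the server answers "h2" there. The script below is an added example, not code from the original post or from any browser vendor; it assumes only the openssl command-line tool (1.0.2 or newer, when the -alpn option appeared) and, for the offline demonstration, the ability to bind a high port on localhost.

```shell
#!/bin/sh
# Added example, not code from the original post: probe what application
# protocol a TLS endpoint negotiates with ALPN. Browsers only use HTTP/2 over
# TLS and select it through ALPN, so a server that does not answer "h2" here
# gets HTTP/1.1 from every browser regardless of what it could do in cleartext.
# Assumes the openssl command-line tool, 1.0.2 or newer (when -alpn appeared).

# alpn_probe HOST PORT
# Prints the protocol the server selected ("h2", "http/1.1", ...) or "none"
# when the server did not negotiate ALPN at all.
alpn_probe() {
  _out=$(openssl s_client -connect "$1:$2" -servername "$1" \
           -alpn h2,http/1.1 </dev/null 2>/dev/null) || true
  _proto=$(printf '%s\n' "$_out" | sed -n 's/^ALPN protocol: //p')
  if [ -n "$_proto" ]; then printf '%s\n' "$_proto"; else printf 'none\n'; fi
}

# local_probe ALPN_LIST PORT
# Starts a throwaway TLS server on localhost with a self-signed certificate,
# advertising ALPN_LIST (an empty string means no ALPN support), probes it with
# alpn_probe and prints the result, then tears the server down again. This is
# only here so the different outcomes can be reproduced offline.
local_probe() {
  _dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$_dir/key.pem" -out "$_dir/cert.pem" >/dev/null 2>&1
  if [ -n "$1" ]; then
    openssl s_server -accept "$2" -cert "$_dir/cert.pem" -key "$_dir/key.pem" \
      -alpn "$1" -www >/dev/null 2>&1 &
  else
    openssl s_server -accept "$2" -cert "$_dir/cert.pem" -key "$_dir/key.pem" \
      -www >/dev/null 2>&1 &
  fi
  _pid=$!
  # Wait (up to about ten seconds) for the listener to accept a connection.
  _i=0
  while [ "$_i" -lt 10 ]; do
    if openssl s_client -connect "localhost:$2" </dev/null >/dev/null 2>&1; then
      break
    fi
    sleep 1
    _i=$((_i + 1))
  done
  alpn_probe localhost "$2"
  kill "$_pid" 2>/dev/null || true
  wait "$_pid" 2>/dev/null || true
  rm -rf "$_dir"
}

# demo: run the three cases side by side on ports derived from this shell's PID.
demo() {
  _base=$((20000 + $$ % 20000))
  printf 'server advertising h2,http/1.1 -> %s\n' "$(local_probe h2,http/1.1 "$_base")"
  printf 'server advertising http/1.1    -> %s\n' "$(local_probe http/1.1 "$((_base + 1))")"
  printf 'server without ALPN            -> %s\n' "$(local_probe "" "$((_base + 2))")"
}
```

Source the file and run `demo` to see the three outcomes, or point `alpn_probe` at a real host (`alpn_probe example.com 443`). One caveat: a server that answers "h2" can still be refused HTTP/2 by a browser, because RFC 7540 section 9.2 requires TLS 1.2 or later and excludes the cipher suites listed in its Appendix A; this probe reports only the ALPN result, not the cipher suite.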
There are two basic lines of argument against mandatory encryption. Both use the rhetoric of the open web, but the motivations and stakeholders are quite different.
Firstly, we have developers and activists who are strongly in favor of open access to the Internet by everyone. There should be a minimal barrier to entry for anyone who wants to publish on the Internet, and people should be able to publish anonymously. The complexity of setting up TLS is beyond the abilities of many users. But more importantly, requiring HTTPS means every site needs a certificate that browsers will accept, and a certificate authority will only issue one after verifying, at a minimum, control of the domain; involving a third party in that way makes it almost impossible to publish anonymously.
Secondly, we have organizations like the Open Web Alliance, which is essentially an industry lobbying group for ISPs and other companies that monetize non-secure connections.
I think we can probably set aside the objections of the OWA as non-serious and self-interested, but there's something to be said for the first set of problems. I'm not sure I like the idea of large companies pushing an agenda through their control of browsers and other essential technologies; it could cut both ways. But in this case the push for encryption largely benefits ordinary web users, even if it might inconvenience site owners and businesses: TLS stops anyone on the network path from reading what a user looks at, and stops them from injecting scripts or advertising into the pages they receive, which holds for a blog with nothing sensitive on it just as much as for a bank.
What's important then is that implementing TLS be as easy as possible, and there are a couple of interesting developments in that direction. Firstly, Let's Encrypt is scheduled to arrive in a couple of months with the aim of making HTTPS implementation a process almost anyone can handle. And secondly, as Mark Nottingham makes clear, although an HTTP/2 connection always means TLS in practice, it needn't always mean an HTTPS URL backed by a validated certificate:
“Note that I didn’t say that they’ll require HTTPS URLs, because there is an experimental way to support HTTP URLs over TLS that Firefox has implemented (currently disabled due to a bug, but I’m assured it’ll be back very soon). However, it appears that Firefox is alone in supporting “opportunistic security” — Chrome is firmly against it, and I haven’t seen any evidence of adoption by other browser vendors.”
Unfortunately, opportunistic security is unlikely to go anywhere, although it's not impossible that other ways of getting an encrypted connection without the full HTTPS-and-certificate requirement will gain traction over the next few years.
What do you think? Is mandatory encryption an excessive burden, or do the benefits outweigh the complexities?