HTTP vs. HTTPS

@n3verm0re shared this link about HTTP vs HTTPS and I wanted to start a new thread for my dumb opinions rather than pollute the positive vibe in the other one:

I agree with the link that browsers/clients should support HTTP for the reasons stated. But I think it is responsible internet citizenship to encourage users to use HTTPS. And one of the best ways to do that, now that all non-reactionary clients support HTTPS, is for servers to go HTTPS only.

I don’t really find the “someone might have set up an HTTP server 20 years ago and forgotten about it” argument convincing. You can’t keep a server online for that long—and pay the associated bills—without being good enough at computers to set up SSL.


I think we’re in a pretty good place now with the HSTS preload list. Sites can opt-in. I don’t see a huge benefit from being much more strict about it.

I actually miss the capability to pin a site to a specific key. That made using dynamic DNS much safer, but I understand that’s an uncommon case few care about.

Yeah, HTTPS should definitely be enforced. I'd understand all the arguments if you had to pay for SSL/TLS, but you literally can do it for free! Unless your goal is to support really old hardware, there's no practical reason not to use SSL.

I can see both sides of the argument here, though one of the arguments in the article really gets my brain going.
“If HTTPS is such a great idea… Why force people to do it?”

If HTTPS is absolutely necessary, then I would have expected more grassroots efforts to make people switch over, but I’ve only ever seen Google do it, and Google aren’t exactly known for having the regular Joe’s safety and best interests in mind.

I remember when I used Chrome they had a feature turned on automatically that bypassed any VPN and let a site know your real location. This was on by default and you had to turn it off in advanced settings.
There is also their captcha service training AI, which is a very dangerous thing imo given the bad actors out there already using AI to scam people and manipulate them.

So it seems a tad suspicious that Google is very eager to force people to switch over. How does this benefit them? They don’t necessarily care for safety or privacy (except maybe their own), so perhaps there is another motive. What motive that is I don’t know.

I also agree with the argument that forcing HTTPS raises the bar a lot, and I can see this leading to the point only companies can host sites Google’s browser accepts. The web has become very centralised and commercialised in the last decade or two, and I’m sure companies like Google love that.

I’m also big on supporting old hardware. I like to browse the net with my Windows 98 PC and any old consoles I have, and as a homebrew developer, it only feels right to make websites that can be accessed by these same machines.

So I’m softly leaning on being against this change, but I’m open to having my mind changed.

EDIT: I just remembered Blu-Rays are a thing. It may not seem relevant, but I feel Blu-Rays are the HTTPS to physical movies. Anyone was (and still is) able to make VHS tapes or DVDs of whatever they want, and self-publish, but Blu-Rays added encryption and it really raised the barrier to entry where now only big companies can publish Blu-Rays of things, and they’re starting to phase those out…

One thing I will add here: For some reason, it seems like ICECAST streams only read metadata properly using HTTP, and not HTTPS.

Replace HTTPS with “car insurance”


Not a bad point. Though to be fair, I think driving a car is very different to hosting a website. For one, websites can’t kill people. :P

Right, of course. But the point is that there are good things like “beer” and good things like “vegetables” and they require different incentive management.

That pretty much happened when Firesheep was released in October 2010. HTTPS Everywhere was also released in 2010. NoScript had some HTTPS-forcing features a couple years before that ~2008. Later the two app stores for the two phones would start forcing apps to use HTTPS for communication with their backends.

There was a grassroots effort and nearly everybody switched over.


Firesheep was code as activism, and it was spectacularly effective.

Until someone looks at my code and dies from a heart attack :P
