Skip to content

On enforcing HTTPS

Noted by on his .


One thing this article misses is the fact that webpages are delivered over the Web to Web browsers.

The vast majority of browsers are application runtime environments. Serving pages to users’ browsers creates a software distribution platform. Serving pages in cleartext is a way to give permission to users’ ISPs, network administrators, and governments to serve their malware instead, under your name, whether or not your page includes any scripts of your own.

People can’t always choose their networks, service providers, or governments. They aren’t always equipped to deal with content injection and page alteration.

This isn’t a “fear-based tactic”. It’s an acknowledgement of our reality: networks are hostile. There are no robust measures to stop an intermediary from altering unencrypted traffic, yet there are strong incentives for all able parties to do so. That makes malware injection a perfectly reasonable concern. Moreover: multiple ISPs, including Comcast and Vodafone, have been caught injecting JavaScript apps into unencrypted pages. Governments are no stranger to content injection either.

If you want to serve in cleartext, pick a protocol that’s not part of an application delivery platform. Gopher is a popular option.


Web­mentions

This site supports Webmentions, a backlink-based alternative to traditional comment forms.

Publish a response on your own website and share the link here to send me a webmention! Include a link to this page's canonical location for it to be accepted.

Webmentions received for this post appear in the following list after I approve them. I sometimes send Webmentions to myself on behalf of linking sites that don't support them. I replace broken links with Wayback Machine snapshots, if they exist.

Toggle Webmentions
by

This comment may have major formatting errors that could impact screen reader comprehension.

Reply to Consider Disabling HTTPS Auto Redirects by @tdarb One thing this article misses is the fact that webpages are delivered over the Web to Web browsers.The vast majority of browsers are application runtime environments. Serving pages to users’ browsers creates a software distribution platform. Serving pages in cleartext is a way to give permission to users’ ISPs, network administrators, and governments to serve their malware instead, under your name, whether or not your page include…

by

My main point was not to _force_ redirects. Overall, having HTTPS is a good thing. The problem creeps up for anyone on older hardware wanting to visit sites. Let them take the risk if they are okay with it. I believe that is a better and more accessible option instead of shutting them out completely.

by

@tdarb But wouldn't it be more helpful to teach people to disable javascript by default, as that would also help against so much spying that goes on with perfectly good https certificates? And then teach people to know the difference between http and https? That would help meaningful privacy a lot better than forcing https on everyone. See also http://blog.tfiu.de/foced-https-redirects-considered-harmful.html

by

> If you want to serve in cleartext, pick a protocol that’s not part of an application delivery platform. Gopher is a popular option.Popular with whom? NearlyFreeSpeech.net doesn't provide Gopher. Neither does Dreamhost. If I want to provide gopher on my domain I'd have to rent a VPS from Vultr, Hetzner, etc. and move everything over. I can, but why should I?Instead, I'm going to keep serving my site over both HTTP and HTTPS. As @tdarb said in his reply, it's about options.

Feel free to contact me directly with feedback; here’s my contact info