“Deprecating” Insecure HTTP, Part 2: Disrupt or Be Disrupted

May 2015  |  Status: First Draft

This post is the second part of a series where I analyze the HTTPS Only controversy, triggered by the U.S. federal government’s announcement that they will use HTTPS exclusively in the future, as well as Mozilla’s plan to “deprecate” HTTP.

In the first part, I tried to defuse the FUD (fear, uncertainty, and doubt) that both sides of the debate have been spreading, and explained what browser vendors should do to assure the rest of us that they will not throw us under the bus, even in the sacred name of security.

In this part, I turn to the critics of the HTTPS Only movement, who argue that it is “too soon”. I will argue that we should not evaluate the browser vendors’ proposal in isolation, but in the context of much-needed disruptions in the domain registration, certificate, and hosting markets that the proposals are likely — as well as intended — to trigger.

Too Soon?

Many of the critics of the HTTPS Only movement agree with Mozilla that the web needs better security, but argue that it is too soon to require everyone to use HTTPS. The primary reason, of course, is that TLS certificates — an absolute necessity for enabling HTTPS on a website — cost an arm and a leg. When a wildcard certificate easily costs $100 a year, the critics argue, it is unreasonable to require everyone to purchase one merely in order to have a presence on the web.

In the first part, I already pointed out that the “merely in order to have a presence on the web” part of this criticism is little more than FUD. Plain unencrypted HTTP ain’t going anywhere; your web presence is not under any threat unless you’re trying to do something dangerous like remotely manipulating the user’s webcam (in which case you would be required to purchase a certificate).

The “$100 wildcard certificate” argument also smells like FUD, at least partially if not entirely. A wildcard certificate is most definitely not needed in order for the little folks to have a voice on the web. For the vast majority of personal and community projects, a single-domain certificate is more than enough, and you can get one for less than five bucks from Comodo resellers already. The subdomain vs. subdirectory debate is ruefully outdated, and you should just pick whatever suits your preferences and budget. Just because you prefer a Ferrari that you can’t afford doesn’t mean that the automotive industry is preventing you from driving at all.

But all of the above assumes the status quo as of early 2015, and statuses quo tend not to remain quo for very long in tech circles. Silicon Valley thrives on disrupting the shit out of ugly old monopolies. Instead of just waiting for Verisign to repent and get baptized by Richard Stallman, what can we do to have our cake and eat it too?

Beyond the Status Quo

Major browser vendors like Google and Mozilla don’t change their policies in a vacuum while the rest of the world remains static. They are very much aware that any decision they make will have cascading effects on the rest of the web, and fully intend to take advantage of such effects, as the following excerpt from Mozilla’s announcement hints at:

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community.

As I noted in the first part, the fact that Mozilla is talking about whips and carrots means that they are not afraid to manipulate the rest of the world into making HTTPS easier and more affordable. They are doing their own part to disrupt the CA market, but even in the absence of a free CA, it would be unfair and intellectually dishonest for us to evaluate HTTPS Only as an isolated proposal without considering the market upheaval that Mozilla’s proposal is likely to trigger.

What would happen in a world where everyone wants HTTPS?

Currently, many shared hosts charge a hefty markup on TLS certificates and charge even more to enable them on a website hosted with them. HTTPS is seen as a luxury that only a few websites — mostly e-commerce websites — need, and the prevailing market rates reflect its perceived status.

This practice may no longer be sustainable as more and more people begin to demand HTTPS. “Free TLS certificate with every 1-year contract!” could well become a standard marketing slogan, just as “Free domain with every 1-year contract!” has been for the last 10 years or more. Reseller prices for some certificates are already low enough for web hosts to eat, so this is definitely a possibility. We might even see free wildcard certificates bundled with more expensive plans!

If that happens, hosts that don’t support HTTPS or overcharge for it will gain a reputation among customers as stingy outfits that can’t even get basic security right, and competitors will quickly seize the opportunity to steal security-sensitive customers from them. The shared hosting market has been rather stagnant for the last few years (as high-end customers moved on to virtual servers and cloud services), so a bit of disruption to the benefit of little folks would be very welcome.

Meanwhile, some domain registrars already offer free or low-cost TLS certificates with the purchase of every domain. This practice may become more widespread as registrars scramble to remain competitive. Unlike what some people seem to think, this may not even need to entail a significant increase in domain prices because, as noted above, reseller prices for some brands of TLS certificates are already very low and getting lower every year.

What about the CAs themselves? Will they be forced to lower their prices? I think so. Even without StartSSL and Let’s Encrypt handing out certificates for free, CAs may soon realize that competing on price is the only way to protect their bottom line when a horde of super-price-conscious consumers begin to flood their once-prestigious trading floors. It will only take one vendor to succumb to the allure of a low-margin, high-volume policy for the rest of the market to join the race to the bottom. Extended Validation and other specialty certificates may remain expensive; but most people have no need for them, and the ones who do need them can usually afford them.

Is it even possible for everyone to use HTTPS?

Only a few years ago, the answer would have been “No”. Without SNI, each HTTPS website needs its own IP address, or at the very least, a non-standard port. Since IPv4 addresses are all but exhausted, IPv6 adoption is lackluster at best, and non-standard ports often can’t get through corporate firewalls, a sudden explosion of HTTPS-enabled websites would have placed a serious strain on the world’s networking infrastructure and the cost of dedicated IPv4 addresses would have skyrocketed.

Now, the situation is much better. Virtually all popular operating systems and browsers support SNI, and the ones that don’t are quickly going the way of the dinosaurs. Android 2.x and Windows XP are the only significant holdouts, but both are quickly losing market share as old mobile devices reach the end of their useful lives (behold planned obsolescence unintentionally serving the greater good!) and Microsoft has been heavily discouraging the use of XP since its official EOL a year ago.

The much-hyped release of Windows 10 this summer will only help reduce XP’s market share even further. In any case, it is becoming more and more difficult for websites to provide any security to XP users as fewer of the protocols and ciphers supported by XP seem to remain safe every year. In a couple of years, I predict that most websites will be able to safely ignore clients that do not support SNI. Then it will become standard practice to host hundreds of HTTPS websites on a single IPv4 address, all on port 443, just like the world has been doing with HTTP websites.
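To make the SNI point concrete, here is an added example (mine, not part of the original post) of what a server in front of a shared IP address actually does: it reads the server_name extension out of the ClientHello and picks the certificate for that name, falling back to a single default certificate for clients that send no SNI. The ClientHello is constructed in the code, and the hostnames and certificate paths are placeholders.

```python
import struct

# Constructed sample: the certificate to serve for each name hosted on one shared
# IP address and port 443. Paths are placeholders, not real files.
CERT_FOR_NAME = {"blog.example": "/etc/tls/blog.example.pem",
                 "shop.example": "/etc/tls/shop.example.pem"}
DEFAULT_CERT = "/etc/tls/default.pem"  # what a client without SNI gets

def build_client_hello(hostname=None):
    """Minimal TLS ClientHello record (constructed); hostname=None omits SNI
    entirely, as a legacy client such as XP or Android 2.x would."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + (struct.pack("!H", len(exts)) + exts if exts else b""))
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
                return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def select_certificate(record):
    """Choose the certificate for this ClientHello: the SNI name's cert if we
    host it, otherwise the default, which is all a pre-SNI client can get."""
    return CERT_FOR_NAME.get(extract_sni(record), DEFAULT_CERT)
```

A client that sends no SNI gets the default certificate no matter which of the hosted names it wanted, which is exactly why one IP per HTTPS site used to be necessary.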

This website is hosted with NearlyFreeSpeech.net, where every customer gets HTTPS with SNI — on a subdomain of nfshost.com by default, and on personal domains with the purchase of a certificate (not necessarily from the host). So if you are reading this post on a secure connection, it means that your browser is compatible with SNI. The future arrived yesterday. Today is time to party.

(The redirect and HSTS are only enabled for visitors using modern browsers, so even the stubborn minority who still use IE6 can read my blog, albeit without the benefit of encryption. I don’t expect to have to maintain this dual setup for long; but even if I have to, it doesn’t cost me any extra.)

Waiting for the Sun to Rise in the West

Will the changes I described above come to pass in reality? No, I can’t guarantee that.

But there’s something I can guarantee, and it is the fact that those changes will not occur unless the rest of the world can exert a massive, organized, and persistent pressure on the lazy, greedy incumbents of the hosting, domain registration, and CA industry.

If you think it’s too soon to tell everyone to use HTTPS, and keep waiting for the right time to come, the right time will never come. Entrenched interests don’t dissolve by themselves. You have to break them apart, piece by piece, by hammering at them for months and years.

Let me repeat, because this is important: The world will only become ready for everyone to use HTTPS if everyone uses HTTPS. Does that sound like a Catch-22? You bet it is. But the situation is exactly the same with any technology that requires a critical mass of early adopters in order to grow further, and we’ve seen such technologies succeed from time to time. What is needed is for everyone to get off their asses and start demanding HTTPS whenever possible.

Mozilla is doing its part by trying to bring free, easy-to-install certificates to everyone. There’s no guarantee that they’ll succeed, but if they don’t, someone else will, sooner or later. Because they are making such an effort, Mozilla has the right to tell us that it is not too soon. If you are not making any such effort, at least by supporting someone who does if not by yourself, you have no right to complain that it is too soon — because you’re the one who is making it too soon.

By all means fuck the CAs, fuck the registrars, and fuck the web hosts that charge an arm and a leg to enable HTTPS. But leave the good guys at Google and Mozilla alone, because they’re trying much harder than anyone else to disrupt those industries to the best of their ability.

Let’s Go Racketeerin’!

I’m a philosopher by training, and every philosophy paper has a section at the end where the author preemptively responds to one of the most serious criticisms that he anticipates. This is that section.

In the first part, I said that it’s wrong to manipulate people with whips and carrots except as a last-ditch effort to meet a specific, pressing need. Why, then, do I think it’s okay to pressure web hosts, CAs, and domain registrars into making HTTPS more accessible to the masses, and why am I complimenting Google and Mozilla for running such an extortion racket? How is that any better than the extortion racket currently being run by Verisign and its ilk?

The answer is that the CAs’ racket takes money from the little people, leaving the powerless even more powerless, whereas the strategy I propose takes money from monopolies and other businesses with outdated business models with the explicit goal of empowering the little people (by making their communications less subject to state-level blanket surveillance or ISP-injected tracking beacons).

Moreover, “manipulating” one another into taking action is what the market economy is all about. Everyone who runs a business in a free economy has already signed up to compete or perish. You flood the market with superior (or cheaper) products to force the hands of your competitors; and if possible, you change the very rules of the game to outcompete everyone in one fell swoop. If you’re the kind of person who feels happy when a tiny startup disrupts a large, stagnant industry, you should not have any moral qualms, either, about another group of tech companies that set out to disrupt yet another industry. You say racket, I say innovation. The difference really is quite thin. In the former, those with power intimidate those without, whereas in the latter, it’s the other way around.

Remember when several well-known PHP projects colluded to force the web hosting industry into upgrading their PHP version? That was glorious, and there has even been talk of reenacting it for another round of much-needed upgrades. The PHP community occasionally runs these extortion rackets because shared hosting is their most important playground, yet the hosts can rarely be bothered to install any version of the unfortunate language other than what they had when they first incorporated. In Korea, where IE8 is the national browser and PHP 4 still has a sizable installation base, it took a major domestic CMS upping its requirements to PHP 5.3 (in March 2015!) to force web hosts to upgrade — and if the forums are any indication, the hosts are very annoyed that they finally need to install something written in the 21st century.

Blessed are those who can set up a droplet in 55 seconds and install their favorite Linux distribution on it. The rest of the WordPress blogs of the world, however, are stuck with GoDaddy and EIG. These pathetic hosts, who resell $5 certificates for $50 or more, are the most serious roadblock in the widespread adoption of HTTPS, perhaps even more so than the CAs. I think Google and Mozilla are doing the world a great service by adding their weight to the much-needed pressure to make the shared hosting industry (as well as the CAs) improve the accessibility of HTTPS for ordinary people. If threatening to put a thousand lousy corporations (not natural persons, who have human rights) out of business is what it would take to make the web a safer place, then I say, so be it.

Conclusion

tl;dr:

  1. It would be a good thing for more websites to use HTTPS.
  2. But not every website needs to use HTTPS, and the choice ultimately belongs to owners and users. In situations where only authentication is needed (e.g. scientists sending data to one another), checksums or electronic signatures may also work.
  3. HTTP isn’t going anywhere. It will continue to be supported.
  4. It’s OK for browser vendors to disable highly dangerous features (such as accessing the microphone) when used over an insecure connection.
  5. But such restrictions should have a strong security-related justification, and not merely be used as a carrot/whip to encourage adoption of HTTPS.
  6. All of the above should have been crystal clear in the initial announcement of the intent to “deprecate” or “phase out” HTTP, because those wordings practically beg for FUD.
  7. Readers of Mozilla’s announcement should not evaluate the proposal in isolation and assuming current conditions, but interpret it as part of a wide-reaching attempt to disrupt and transform the industry in a direction that makes HTTPS more accessible to ordinary people.
  8. Shared hosting companies, CAs, and domain registrars need — and deserve — to be disrupted in a way that forces them to make HTTPS more accessible to the masses.
  9. Technical limitations that so far prevented widespread adoption of HTTPS, such as lack of support for SNI, are quickly disappearing; they may become completely negligible by the time Mozilla’s policies are finalized.
  10. Most importantly, we cannot wait until the world is ready for widespread adoption of HTTPS, because the only way to make the world ready for HTTPS is to use HTTPS right now. We should make it so commonplace, and expound its virtues so loudly, that everyone will regard it as an essential element of a website. By drastically increasing popular demand for HTTPS, we can force the market to stop treating it as a luxury.