HTTPS is still optional, at least sort of
I was recently reading this article (via). I have a number of reactions to it, but today's reaction is to the small portion of its argument that the need for HTTPS certificate renewal (and HTTPS certificates) makes modern websites somewhat dynamic in practice in that you can't just abandon them and necessarily have everything keep on working. My counterpoint is that HTTPS is still optional for certain sorts of sites, even here in early 2022.
It's possible that browsers will stop supporting plain HTTP at some point in the future, just like they stopped supporting FTP recently. But it seems much less likely. First, there are plenty of HTTP sites currently and it seems likely that many of these will continue to be HTTP in the future. Second, browsers need to continue to support HTTP the protocol for a long time to come, since it's one of the protocols used for 'HTTPS' (which is really multiple protocols now). Dropping support for plaintext HTTP is likely to remove relatively little code from browsers, unlike the case with FTP (where dropping FTP allowed removing all of the code for a somewhat complex protocol). Third, there would be a lot more people objecting to it than there are for FTP, since there are no other good clients for plaintext HTTP other than browsers, which again is unlike the situation with FTP.
(I expect people would be very vocal about things if any browser proposed stopping supporting plaintext HTTP. There are a lot of tangled issues, since requiring HTTPS makes people dependent on access to the general CA infrastructure to run websites. Let's Encrypt not withstanding, this access is in no way guaranteed today.)
Comments on this page:Written on 16 January 2022.