HTTPS is still optional, at least sort of

January 16, 2022

I was recently reading this article (via). I have a number of reactions to it, but today's reaction is to the small portion of its argument that the need for HTTPS certificate renewal (and HTTPS certificates) makes modern websites somewhat dynamic in practice in that you can't just abandon them and necessarily have everything keep on working. My counterpoint is that HTTPS is still optional for certain sorts of sites, even here in early 2022.

Certainly what you can do on a plain HTTP website is limited and getting more so; a steadily increasing variety of JavaScript features and so on are getting fenced off to secure origins only (i.e., HTTPS sites). However, if you're building the sort of website which could reasonably be a static site, this is not likely to be a concern (unless you really want to do client side rendering of your content with a giant bolus of JavaScript, which requires browsers to accept that bunch of JavaScript over HTTP). You can definitely have an HTTP website today with useful content (for example) and even modern browsers are willing to show it to people even if some of them put warnings into the URL bar.

It's possible that browsers will stop supporting plain HTTP at some point in the future, just like they stopped supporting FTP recently. But it seems much less likely. First, there are plenty of HTTP sites currently and it seems likely that many of these will continue to be HTTP in the future. Second, browsers need to continue to support HTTP the protocol for a long time to come, since it's one of the protocols used for 'HTTPS' (which is really multiple protocols now). Dropping support for plaintext HTTP is likely to remove relatively little code from browsers, unlike the case with FTP (where dropping FTP allowed removing all of the code for a somewhat complex protocol). Third, there would be a lot more people objecting to it than there are for FTP, since there are no good clients for plaintext HTTP other than browsers, which again is unlike the situation with FTP.

(I expect people would be very vocal about things if any browser proposed dropping support for plaintext HTTP. There are a lot of tangled issues, since requiring HTTPS makes people dependent on access to the general CA infrastructure to run websites. Let's Encrypt notwithstanding, this access is in no way guaranteed today.)


Comments on this page:

By Anonymous at 2022-01-19 16:03:26:

HTTPS is still optional, at least sort of

Not really, check out [1] and [2].

[1] Here's Why Your Static Website Needs HTTPS https://www.troyhunt.com/heres-why-your-static-website-needs-https/

[2] Why No HTTPS? https://whynohttps.com/

I was also recently reading that idiocy, and had the same thoughts. I primarily comment to respond to Anonymous here. Hey Anonymous, check out these links:

http://verisimilitudes.net/2020-12-30

http://n-gate.com/software/2017/07/12/0/

I refuse to participate in fake encryption, which any CA can simply break by design. It's not my responsibility to save a man from sticking his hand in fires, if he so chooses. It's obvious this is pushed primarily to serve online advertisements, not anything else.

This is from the second link:

Each of the following websites loads over an insecure connection without redirecting to a secure, encrypted connection.

That means it still works in older WWW browsers, which is important for an organization such as GNU.

If the unencrypted nature of my website kills a man, the only thing I'd care about is learning how, to amuse myself. Anyone who could be killed so, must take his safety into his hands, not demand others do it for him.

Written on 16 January 2022.

Last modified: Sun Jan 16 21:18:10 2022