Some thoughts on going to HTTPS by default
My Twitter feed recently dropped a link to Tim Bray's Private By Default in front of me so I read it, nodded along in agreement, and started thinking about doing it myself for my personal domain. The technical side was easy and pain-free, since there's a Certificate Authority who'll give you free basic SSL certificates. But that's as far as I've gone due to what I've come to think of as the problem of really committing to HTTPS.
If I was doing this seriously, I would redirect all HTTP traffic to the HTTPS version of my site (because otherwise much of the existing traffic won't shift). But doing that implies an ongoing commitment to HTTPS. If people are using HTTPS URLs I need to keep those URLs working and in turn that means I need a duly CA-approved SSL certificate. Right now I can get such a thing for free but there's no guarantee that this will continue to be the case in the future; at that point, well, I have to cough up some money. And I'm not at all sure that I'm enthused enough about HTTPS everywhere to actually pay for it.
(I agree with all of Tim Bray's arguments for it intellectually. But buying an SSL certificate is not just money, it's also hassle. For that matter, using an SSL certificate is an ongoing hassle if you really care about security because then you get to wade into the great SSL cipher swamp every time a new threat emerges.)
But is this actually a real worry? Presumably I ought to have at least some warning that my next certificate will cost me money; at that point I could start redirecting my HTTPS traffic back to the HTTP version of the site and I should have some amount of time for the redirections to take effect before the certificate expired. In the extreme case I could get the cheapest one-year certificate available to have a full year for the transition (and extremely cheap SSL certificates don't seem likely to go away). Also, the HTTPS version of the site wouldn't go away entirely because I'd probably put up a self-signed certificate just to keep the URLs valid (although visitors would get the usual scary browser warnings). How much this affected people in practice would depend on how many saved HTTPS URLs there were for my site out there in the wild.
(In a world of ephemeral social media and search-driven navigation that's probably a good question in general. I have no answers.)