Some thoughts on going to HTTPS by default

April 17, 2013

My Twitter feed recently dropped a link to Tim Bray's Private By Default in front of me so I read it, nodded along in agreement, and started thinking about doing it myself for my personal domain. The technical side was easy and pain-free, since there's a Certificate Authority who'll give you free basic SSL certificates. But that's as far as I've gone due to what I've come to think of as the problem of really committing to HTTPS.

If I was doing this seriously, I would redirect all HTTP traffic to the HTTPS version of my site (because otherwise much of the existing traffic won't shift). But doing that implies an ongoing commitment to HTTPS. If people are using HTTPS URLs I need to keep those URLs working and in turn that means I need a duly CA-approved SSL certificate. Right now I can get such a thing for free but there's no guarantee that this will continue to be the case in the future; at that point, well, I have to cough up some money. And I'm not at all sure that I'm enthused enough about HTTPS everywhere to actually pay for it.

(I agree with all of Tim Bray's arguments for it intellectually. But buying an SSL certificate is not just money, it's also hassle. For that matter, using an SSL certificate is an ongoing hassle if you really care about security because then you get to wade into the great SSL cipher swamp every time a new threat emerges.)

But is this actually a real worry? Presumably I ought to have at least some warning that my next certificate will cost me money; at that point I could start redirecting my HTTPS traffic back to the HTTP version of the site and I should have some amount of time for the redirections to take effect before the certificate expired. In the extreme case I could get the cheapest one-year certificate available to have a full year for the transition (and extremely cheap SSL certificates don't seem likely to go away). Also the HTTPS version of the site wouldn't go away entirely because I'd probably put up a self-signed certificate just to keep the URLs valid (although visitors would get the usual scary browser warnings). How much this affected people in practice would depend on how many saved HTTPS URLs there were for my site out there in the wild.

(In a world of ephemeral social media and search-driven navigation that's probably a good question in general. I have no answers.)


Comments on this page:

From 131.58.64.193 at 2013-04-17 09:27:31:

"utcc.utoronto.ca uses an invalid security certificate. The certificate is only valid for the following names: cns.utoronto.ca , www.cns.utoronto.ca (Error code: ssl_error_bad_cert_domain)"

By cks at 2013-04-17 09:50:35:

Yes, that's why I was talking about HTTPS for my personal domain. SSL for this blog's (current) host is another thing entirely and you've just spotted one of the issues involved.

Written on 17 April 2013.

Last modified: Wed Apr 17 01:16:50 2013