We're Deprecating HTTP And It's Going To Be Okay

published by Eric Mill on

Mozilla recently announced their intent to deprecate the insecure HTTP protocol in Firefox in favor of HTTPS (https://). In practice, they plan to do this by gradually removing the ability for HTTP websites to use various web features. They're joined by the Chrome security team, who declared something similar in December.

Mozilla's announcement has gotten a lot of attention, more than Chrome's, and much of it negative. There have been various laments, but the most sincere and helpful one is Ben Klemens' "HTTPS: the end of an era":

But the Mozilla foundation’s HTTPS requirement is, to me, the real end of the DIY era. This is not a closed-source corporation, or a startup pushing its new tool, or the arrogant guy at the hackathon, but the Mozilla Foundation — “Our mission is to promote openness, innovation & opportunity on the Web” — saying that if you are building web pages using tools from your desert island, without first filling in registration forms, then you are doing it wrong.

I understand the fear of raising the barriers to entry. As a child, I too fell in love with an internet made by everyone, and have spent my career, my volunteer work, and my hobbies trying to share what that love has taught me. I want children everywhere in the world to grow up feeling like the internet that permeates their lives is also in their service -- a lego set in real life that you can buy with a week's allowance.

Yet as an adult, I also understand that power for ordinary people is hard to come by and hard to keep. The path of least resistance for human society is for money to buy more money, and might to demand more might. Democracy is designed not so much to expand freedom as it is to give people tools to desperately hold onto the freedom they have.

Put another way: power has a way of flowing away from the varied, strange, beautiful little leaf nodes on the outer edges and into the unaccountable, unimaginative, ever-hungry center.

Image source: Melonie Richey

TCP/IP, DNS, and the web were each tremendous reversals of this trend, freely giving the means of production to all of us little leafs. It felt like the powers that be just didn't realize what was happening until it was too late.

But when I look at the last few years, I see a very different web than the one I was introduced to:

  • Verizon injects tracking headers into unencrypted traffic so they can sell your browsing activity to advertisers. This program started in 2012, after Verizon realized they "had a latent asset", but wasn't noticed until 2014.
  • Other companies like Turn piggyback on Verizon's tracking header to sell your data to even more people, because they "are trying to use the most persistent identifier that we can in order to do what we do", says Turn's chief privacy officer.
  • Comcast injects ads into unencrypted traffic, because "it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast".
  • Andreas Gal (Mozilla's CTO, in his personal capacity) has claimed that Yahoo and Bing "can acquire search traffic by working with large Internet Service providers" to harvest users' Google search results to improve their own -- and strongly implies that they used to do this before Google shut them out through encryption. Even if you support better competition against Google, I doubt you expected your ISP to make deals to sell your traffic to other corporations without your knowledge.
  • The nation of India tried and failed to ban all of GitHub. HTTPS meant they couldn't censor individual pages, and GitHub is too important to India's tech sector for them to ban the whole thing.
  • The nation of China weaponized the browsers of users all over the world to attack GitHub for hosting anti-censorship materials (since like India, they can't block only individual pages) by rewriting Baidu's unencrypted JavaScript files in flight.

And then there's government surveillance. Still here, still real, and not getting better:

When I look at all these things, I see companies and governments asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to "interpret censorship as damage".

In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.

What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.

As problematic as the certificate authority (CA) system that underlies HTTPS may be, its relative centralization allows for one of the very few systems of encryption available today that Just Works for regular people. In many ways, it's no different than registering a domain: you pay a nominal fee to a usually for-profit organization to participate in a mostly centralized system.

Richard Barnes, the author of Mozilla's HTTP deprecation announcement and policy, responded to Ben, saying:

As I've said in some other threads on this topic, I'm under no illusion that HTTPS or the CA system is perfect. But to quote the great sage Mr. Rumsfeld, "you go to war with the army you have, not the army you might want or wish to have at a later time." Our long experience with HTTPS shows that it’s strong enough to carry the web, and it looks like its weaknesses can be patched. Which is enough, at least for me, to get the movement started.

Starting that movement doesn't happen in a vacuum. Chrome is there, the IETF and W3C TAG are there -- even the ad industry is getting there, with the news media right behind them. That kind of movement can become self-fulfilling, motivating more people and work than anyone thought possible at the start.

Many have said that HTTPS configuration and the CA system need to become painless before we can make it the new standard. However, this has cause and effect backwards: the only way to motivate the investment and market demand necessary to make HTTPS free, easy, and everywhere is to first make it part of the baseline, like DNS is today.

The transition to HTTPS won't be painless, but it is necessary, and it's already getting easier every year. The web will evolve, and when it does we'll have pushed some of its power back out of the center and into its edges for another generation to wield, love, and defend.

If you're really concerned about keeping the internet a place for everyone, look at what's happening right now with DNS and ICANN, as the US government attempts to voluntarily relinquish control over IANA responsibilities. There's even a recent House committee hearing on the subject.

I can't recommend highly enough this outstanding explanation of the IANA transition (PDF), by Danielle Kehl and David Post at the Open Technology Institute, for understanding the history and politics of ICANN.