A quick reminder on HTTPS everywhere
HTTPS "everywhere" means everywhere—not just the login page, or the page where you accept donations. Everything.
HTTPS Everywhere! So the plugin says, and now browsers are warning users that sites not implementing https:// are security risks. Using HTTPS everywhere is good advice. And this really means “everywhere”: the home page, everything. Not just the login page, or the page where you accept donations. Everything.
Implementing HTTPS everywhere has some downsides, as Eric Meyer points out. It breaks caching, which makes the web much slower for people limited to satellite connections (and that’s much of the third world); it’s a problem for people who, for various reasons, have to use older browsers (there are more ancient browsers and operating systems in the world than you would like to think, trust me); domain names and IP address are handled by lower-level protocols that HTTPS doesn’t get to touch, so it’s not as private as one would like; and more. It’s not a great solution, but it’s a necessary one. (Meyer’s article, and the comments following it, are excellent.)
The real problem isn’t HTTPS’s downsides; it’s that I see and hear more and more complaints from people who run simple non-commercial sites asking why this affects them. Do you need cryptographic security if your site is a simple read-only, text-only site with nothing controversial? Unfortunately, you do. Here’s why. Since the ISPs’ theft of the web (it’s not limited to the loss of Network Neutrality, and not just an issue in the U.S.), the ISPs themselves can legally execute man-in-the-middle attacks to:
- Insert their own advertising into your site, without your permission, consent, or compensation.
- Collect and sell your users’ browsing history, without their permission or consent.
- Censor or rewrite parts of your site
The first two are happening already; the third may be. (It’s possible that GDPR, which protects European citizens regardless of where they’re located, might prevent ISPs from collecting and selling browsing history. I wouldn’t count on it, though.)
Yesterday, I poked around a bit and found many sites that don’t use HTTPS everywhere. Those sites include an ivy league university (Cornell, get your act together!), many non-profit organizations (including several that I belong to), several well-known newspapers and magazines, local libraries, and a lot of small businesses. The irony is most of these sites accept donations, let you read restricted-access materials, and even sell stuff online, and these pages are already using HTTPS (though not always correctly). Protecting the entire site doesn’t require that big a change. In many cases, using HTTPS for the entire site is simpler than protecting a limited collection of pages.
I agree that HTTPS is a significant administrative burden for simple, static sites, or sites that are run by groups that don’t have the technical ability to implement HTTPS. Services like Let’s Encrypt reduce some of the burden (Let’s Encrypt provides free certificates, reducing the process of setting up HTTPS to a few well-placed clicks)—but you still have to do it.
Nothing stays simple and elegant, particularly when it’s under attack. And the web is under attack: from the pirate ISPs, from hostile governments (a somewhat different issue, but related), and from many other actors. HTTPS is a solution—a problematic one, I’ll grant, and one that imposes a burden on the sites least capable of dealing with technical overhead, but we don’t have a better solution. Well, yes, we do have a better solution: IPSec and IPv6 solve the problem nicely. But we’ve been waiting for widespread adoption of those for more than 20 years, and we’re still waiting. These are problems we need to solve now.
“There’s nothing on my site that requires cryptography” doesn’t help anyone. That’s no more helpful than people who say “I have nothing to hide, so I don’t need privacy.” You don’t need either privacy or HTTPS until you do, and then it’s way, way too late. Do it for your users’ sake.