Housekeeping – on HTTPS

Related to my previous rant on Internet security, the latest trend is to force a move to HTTPS — the encrypted version of the web’s primary protocol. In my opinion, this is largely silly: its security theater, since most scam sites can easily provide a certificate, and it gives browser makers even more leverage over little content developers.

I find it offensive in a different way, too: it breaks compatibility on the Internet. A whole generation of devices that have older versions of SSL, that can’t easily be upgraded, get cut off from today’s web.

There’s a place for HTTPS — namely, anywhere you submit data to a server. I don’t argue the importance of that. But lots of content is just there to be consumed, and the whole transaction with the server is “give me the content.” For a browser to claim that transaction is unsafe, just because the request and response weren’t encrypted, is dumb. Its perfectly safe to read this website without encryption — and there’s millions of sites where that is true.

That said, it irks me to see my own website marked as insecure, so I did what probably every other “little guy” should do, just to keep up with the times, and added a SSL cert for free through Lets Encrypt. However, my implementation does not break compatibility with older devices: you can still access this site without HTTPS by sending an uncommon user-agent. This will happen automatically if you’re, say, in Netscape Navigator on an old Performa, or visiting from a HP TouchPad. Only if a modern OS is detected will my main site meta-redirect to the HTTPS version, and you can over-ride through your browser’s Developer Tools. Otherwise, if you visit via HTTP, you’ll see a brief flash while the content re-loads over an encrypted connection.

Utility and classic sub-domains will remain on HTTP until all these young hippies get off my lawn…

Leave a Reply

Your email address will not be published. Required fields are marked *