I understand the fear of raising the barriers to entry. As a child, I too fell in love with an internet made by everyone, and have spent my career, my volunteer work, and my hobbies trying to share what that love has taught me. I want children everywhere in the world to grow up feeling like the internet that permeates their lives is also in their service—a LEGO set in real life that you can buy with a week's allowance.

Yet as an adult, I also understand that power for ordinary people is hard to come by and hard to keep. The path of least resistance for human society is for money to buy more money, and might to demand more might. Democracy is designed not so much to expand freedom as it is to give people tools to desperately hold onto the freedom they have.

But the Mozilla Foundation's HTTPS requirement is, to me, the real end of the DIY era. This is not a closed-source corporation, or a startup pushing its new tool, or the arrogant guy at the hackathon, but the Mozilla Foundation — "Our mission is to promote openness, innovation & opportunity on the Web" — saying that if you are building web pages using tools from your desert island, without first filling in registration forms, then you are doing it wrong.
Put another way: power has a way of flowing away from the varied, strange, beautiful little leaf nodes and into the unaccountable, unimaginative, ever-hungry center.
- Verizon injects tracking headers into unencrypted traffic so it can sell your browsing activity to advertisers. This program started in 2012, after Verizon realized it "had a latent asset," but wasn't noticed until 2014.
- Other companies like Turn piggyback on Verizon's tracking header to sell your data to even more people, because they "are trying to use the most persistent identifier that we can in order to do what we do," says Turn's chief privacy officer.
- Comcast injects ads into unencrypted traffic, because "it's a courtesy, and it helps address some concerns that people might not be absolutely sure it's on a hotspot from Comcast."
- Andreas Gal (Mozilla's CTO, in his personal capacity) has claimed that Yahoo and Bing "can acquire search traffic by working with large internet service providers" to harvest users' Google search results to improve their own—and strongly implies that they used to do this before Google shut them out through encryption. Even if you support better competition against Google, I doubt you expected your ISP to make deals to sell your traffic to other corporations without your knowledge.
- The nation of India tried and failed to ban all of GitHub. HTTPS meant they couldn't censor individual pages, and GitHub is too important to India's tech sector for them to ban the whole thing.
- The nation of China weaponized the browsers of users all over the world to attack GitHub for hosting anti-censorship materials (since like India, they can't block only individual pages) by rewriting Baidu's unencrypted JavaScript files in flight.
- The NSA scans just about everything that goes through the internet backbones and saves as much of it as possible, in collaboration with intelligence agencies around the world. This is called "upstream collection," and the agency's "posture" is to "collect it all."
- The NSA's upstream collection program, authorized under section 702 of the FISA Amendments Act, has not been reformed. It will not be reformed by the current draft of the USA Freedom Act, in fact was endorsed by the only government agency whose job it is to review it, and the most meaningful court victory so far—while a wonderful and important precedent—addresses a separate program that only touches data about telephone calls.
- After the Charlie Hebdo attacks, France is now making bulk internet spying explicitly legal and giving its intelligence services vast powers to work with ISPs to surveil the network.
- The United Kingdom is likely to do something similar, after Cameron's strong re-election means he can make good on his pledge to make all online communication subject to monitoring.
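Every incident in the list above depends on a site still answering over plaintext HTTP, so a defender's first question is whether a site actually pushes visitors onto HTTPS: does the http:// URL redirect to https://, and does the https:// response set Strict-Transport-Security so browsers stop sending plaintext requests at all? The following checker is an added example, not code from the original post or from Mozilla; it runs over constructed sample responses rather than live traffic, and the one-year max-age threshold is an assumption chosen for this example.

```python
"""Added example (not from the original post): judge whether a site's responses
enforce HTTPS, the property whose absence the ISP header injection, ad
injection and in-flight JavaScript rewrites above rely on.

All responses below are constructed samples, not captures from any real site.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum HSTS max-age for this example, in seconds


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # names compared case-insensitively


def _header(resp, name):
    """Return the value of header `name`, ignoring case, or None if absent."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is malformed or lacks a max-age directive,
    which browsers treat the same as no HSTS at all.
    """
    max_age = None
    include_subdomains = False
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def assess(http_resp, https_resp, min_max_age=ONE_YEAR):
    """Return a list of findings; an empty list means the site enforces HTTPS.

    http_resp  is the answer to a plain http:// request for the site's front page.
    https_resp is the answer to the same page over https://.
    """
    findings = []

    # 1. The plaintext request must be redirected, and the target must be https://.
    if http_resp.status not in (301, 302, 307, 308):
        findings.append("http: no redirect, plaintext content is served")
    else:
        location = _header(http_resp, "Location") or ""
        if urlsplit(location).scheme != "https":
            findings.append(f"http: redirect target is not https ({location!r})")

    # 2. The HTTPS response must carry HSTS with a long enough max-age, so that
    #    browsers rewrite future http:// navigations before they hit the wire.
    hsts = _header(https_resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("https: missing Strict-Transport-Security")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("https: malformed Strict-Transport-Security")
        elif parsed[0] < min_max_age:
            findings.append(f"https: HSTS max-age {parsed[0]} is below {min_max_age}")

    # 3. Browsers ignore HSTS received over plaintext (RFC 6797), so seeing it
    #    there usually means the operator believes it is protected when it is not.
    if _header(http_resp, "Strict-Transport-Security") is not None:
        findings.append("http: HSTS on a plaintext response is ignored by browsers")

    return findings


# Constructed samples: one site that enforces HTTPS, one that merely offers it.
ENFORCING = (
    Response(301, {"Location": "https://example.test/"}),
    Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
)
OPTIONAL = (
    Response(200, {"Content-Type": "text/html"}),
    Response(200, {"Content-Type": "text/html"}),
)

if __name__ == "__main__":
    for label, pair in (("enforcing", ENFORCING), ("optional", OPTIONAL)):
        print(label, assess(*pair) or ["ok"])
```

The two halves matter independently: a redirect alone still lets an on-path party answer the very first plaintext request, and HSTS alone never helps a visitor who has not yet made one HTTPS visit, so a site that wants to close off the injection cases above needs both.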
As problematic as the certificate authority (CA) system that underlies HTTPS may be, its relative centralization allows for one of the very few systems of encryption available today that Just Works for regular people. In many ways, it's no different than registering a domain: you pay a nominal fee to a usually for-profit organization to participate in a mostly centralized system.

Richard Barnes, the author of Mozilla's HTTP deprecation announcement and policy, responded to Ben, saying:

As I've said in some other threads on this topic, I'm under no illusion that HTTPS or the CA system is perfect. But to quote the great sage Mr. Rumsfeld, "you go to war with the army you have, not the army you might want or wish to have at a later time." Our long experience with HTTPS shows that it's strong enough to carry the web, and it looks like its weaknesses can be patched. Which is enough, at least for me, to get the movement started.

Starting that movement doesn't happen in a vacuum. Chrome is there, the IETF and W3C TAG are there—even the ad industry is getting there, with the news media right behind it. That kind of movement can become self-fulfilling, motivating more people and work than anyone thought possible at the start.

Many have said that HTTPS configuration and the CA system need to become painless before we can make it the new standard. However, this has cause and effect backwards: the only way to motivate the investment and market demand necessary to make HTTPS free, easy, and everywhere is to first make it part of the baseline, like DNS is today.

The transition to HTTPS won't be painless, but it is necessary, and it's already getting easier every year. The web will evolve, and when it does we'll have pushed some of its power back out of the center and into its edges for another generation to wield, love, and defend.

Eric Mill has been making websites and caring about the open internet since 1997, and would like the internet to still be around in 10,000 years. This post originally appeared on his blog.