title: “HTTPS considered harmful”, yes, but isn’t HTTP too?
Since David doesn’t allow public responses, I’ll try and follow his way of publishing letters in personal spaces.
Following on our conversation regarding your point that HTTPS is harmful:
Encouraging everybody to switch to HTTPS promotes strong dependency to a third-party mafia, increases load time, makes your content inaccessible if you have any trouble reconducting your certificate, avoids migrating easily from one hosting platform to another, forces upgrading on a lot more security issues if you are hosting yourself. Even worse, when you switch there is no harmless turning back! That’s not the Web I’m aiming for.
To which I replied earlier a technical answer:
I don’t argue HTTPS is overkill for many uses, especially for websites that provide read-only, low-importance information, and I do agree with your underlying expectations of simplicity and performance. My replies are only there because you used several technical arguments that I consider slightly exaggerated. You mention “not in my case”, then it would be worth describing that case more precisely in the article (though I think I see the kind of small, server-rendered, simple website you’re talking about and that I also tend to ship).
I’d argue that there’s a flip side to the ethical arguments too, though, and these are the ones that personally convinced me to take the burden of the added complexity.
You’re right, “That’s not the Web I’m aiming for.”. But the Web where corps inject ad trackers in traffic and where government agencies massively tap HTTP isn’t either. And in this game, as a professional developer, I prefer to take on the complexity and work harder to optimise my content for performance in order to protect my users, and the users of the Web in general. For sure, certificate issuers are now honeypots, and we need to keep pushing for decentralised trust. But the IX were already, and it has become way too easy for intermediaries to do anything they want on clear text to refuse taking care of the privacy of our users. I am glad Wikipedia is served over HTTPS, not because I’m afraid my ISP will change the birth date of Napoleon, but because I don’t want it to know which articles I’m reading at what time. The profiling power of aggregated metadata is too strong for us not to make it as hard as we can for spies to leverage it against our fellow netizens.