title: Re: HTTPS considered harmful
lang: en

Both [Anthony](https://ricaud.me/blog/pages/a-propos) and [Matti](https://twitter.com/matti_sg/status/950250330574344192) — two persons I highly estimate — reacted to the [previous note](/david/stream/2018/01/06/) with overlapping suggestions, here are my answers trying to be my own devil’s advocate:

* *“[Let’s Encrypt](https://letsencrypt.org/) is not a mafia.”* When you turn an oligopole into a monopole, it cannot be a mafia anymore, heh. Is that better? Sure. Is that **really** what I want to encourage? Not so sure, and I’m not even talking about security issues with such a single point of failure. Governments are probably racing to get master keys.
* *“0-RTT will reduce initial load time.”* One day, maybe. But for now it’s [quite limited](https://istlsfastyet.com/) to say the least.
* *“HTTP2 is good for performances.”* Sure, when you have to load a bunch of resources but **in my case** it’s not that pertinent. HTTPS highly impacts my *First Byte Time* though.
* *“You have the guarantee your content is not altered.”* Except if done once downloaded. A bunch of views are now performed directly within apps without any feedback on certificates or integrity and can be modified as such.
* *“Get rid of your domain name too!”* Well, glad you ask, I’m thinking about it for a while :-). Providing a downloadable archive is an option, for instance reusing [kiwix](https://github.com/kiwix/kiwix-js) and/or using [dat](https://datproject.org/) and/or [something new](https://github.com/WICG/webpackage/blob/master/explainer.md) ([cache](/david/cache/7fb7e8f5fb68a4ddc308b112a7f8d09f/)).
* *“Don’t use [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)!”* Mmmh, I don’t get the point of providing content over HTTPS if you do not force it somehow, is that better to [let the responsibility](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) to the client? The user interface of browsers is not adapted to that.
* *“301 are honored over HTTPS.”* Except that you need to keep a server running to handle this, it’s not anymore as easy as changing a redirection at your registar level. See the parenthesis in [Why?](https://4042302.org/why/) ([cache](/david/cache/64f6381f9270b8b6c8eb1208336e052b/)) for instance.
* *“certbot autorenew works well.”* I was talking about the configuration of the server itself not only the update of certificates, security is a race and you have to keep up on best practices.
* *“You can use Service Workers!”* Great, I can now [break the refresh button](https://twitter.com/markdalgleish/status/921515267804487680) ;-) (I’m half-joking here given that I often have to reload pages of websites badly implemented because of Service Workers…)

Did I even mentioned [how tedious it can be](https://certsimple.com/blog/localhost-ssl-fix) ([cache](/david/cache/63e224124ceedf8c6e787bbbc7896165/)) to setup and use a self-signed certificate on localhost?