Repository with sources and generator of https://larlet.fr/david/ https://larlet.fr/david/
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

index.md 3.0KB

title: Re: HTTPS considered harmful lang: en

Both Anthony and Matti — two persons I highly estimate — reacted to the previous note with overlapping suggestions, here are my answers trying to be my own devil’s advocate:

  • Let’s Encrypt is not a mafia.” When you turn an oligopole into a monopole, it cannot be a mafia anymore, heh. Is that better? Sure. Is that really what I want to encourage? Not so sure, and I’m not even talking about security issues with such a single point of failure. Governments are probably racing to get master keys.
  • “0-RTT will reduce initial load time.” One day, maybe. But for now it’s quite limited to say the least.
  • “HTTP2 is good for performances.” Sure, when you have to load a bunch of resources but in my case it’s not that pertinent. HTTPS highly impacts my First Byte Time though.
  • “You have the guarantee your content is not altered.” Except if done once downloaded. A bunch of views are now performed directly within apps without any feedback on certificates or integrity and can be modified as such.
  • “Get rid of your domain name too!” Well, glad you ask, I’m thinking about it for a while :-). Providing a downloadable archive is an option, for instance reusing kiwix and/or using dat and/or something new (cache).
  • “Don’t use HSTS!” Mmmh, I don’t get the point of providing content over HTTPS if you do not force it somehow, is that better to let the responsibility to the client? The user interface of browsers is not adapted to that.
  • “301 are honored over HTTPS.” Except that you need to keep a server running to handle this, it’s not anymore as easy as changing a redirection at your registar level. See the parenthesis in Why? (cache) for instance.
  • “certbot autorenew works well.” I was talking about the configuration of the server itself not only the update of certificates, security is a race and you have to keep up on best practices.
  • “You can use Service Workers!” Great, I can now break the refresh button ;-) (I’m half-joking here given that I often have to reload pages of websites badly implemented because of Service Workers…)

Did I even mentioned how tedious it can be (cache) to setup and use a self-signed certificate on localhost?