W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Mon, 8 Dec 2014 22:26:01 -0700
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <20141208222601.c3841ef3b6a3d38f608a9bab@bisonsystems.net>
Melvin Carvalho wrote:
> IMHO, People prefer utility and convenience over security, in most
> cases. But facebook got to 100 million users without turning on
> HTTPS.  Stealing money or identity would trump that, but is a small
> minority of requests on the web, and normally has HTTPS already.

What people (especially small business owners) *really* want is for
stuff to just work (like the "back" button _used_ to). A friend asked me
this morning, what she could do about her FB profile returning this:

"Sorry, this profile is not available at the moment. Please try again

Which reminds me of another friend who recently asked me about this:

"Your account is temporarily unavailable due to site maintenance. It
should be available again within a few hours."

This is obviously not the case for a statistically-significant number
of users; otherwise, 12 hours later, this wouldn't still be the case
with her profile -- or, in the latter case, three days.

Really frustrating to me, as I'm no longer in the Web business but still
seem to be the go-to guy for FB tech support despite never having had a
FB account myself, and cited just this sort of thing when I told them
not to subject their online business presence to the control of _any_
large company.

Searching these issues shows them to be long-standing, and everyone
else from indy devs to various support forums seems to be expected to
solve it -- search the above messages on Google to see what I mean...


Try getting FB to do anything about it, let alone admit anyone's having
a problem, aside from one 5-year-old CNET article. What's really, really
aggravating, is when clients are just trying to deliver a brochure and
don't *need* encryption except where logins/transactions are involved.

> The long tail of innovation among developers require an easy way to
> get up and running.  HTTP provides that, but HTTPS currently does
> not.  It's expensive and still in many cases painful to set up and
> maintain.

Therein lies the problem. I tell folks they get what they pay for, and
really shouldn't rely on big players for their online presence, and
that I consider all my customers to be statistically singnificant. But,
and especially if we're talking HTTPS, it's more than they feel they
should have to pay, for something everyone else says they need.

> I welcome Mozilla's initiative "lets encrypt" which hopefully with
> provide cheap and easy HTTPS on the web.  Perhaps this initiative
> could get behind that effort, and other similar systems.

I'd love to see that happen, as I hate that the only solution to HTTPS
is to send folks to FB and other forms of Web hosting, where all they
have to do is cede control of their content, and forfeit any level of
service when problems arise, to companies who simply don't care, and
really can't be trusted.

I doubt I'm the only independent developer whose business has literally
been killed by "Transitioning the Web to HTTPS" but it's a big reason I
won't have anything to do with independent Web development any more. If
people didn't think they _need_ HTTPS, I'd still be in the business of
providing cost-effective hosting solutions which scale through traffic
flurries by way of shared public caching.

Received on Tuesday, 9 December 2014 05:26:19 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:27 UTC