[whatwg] TLS deployment issues from Anne van Kesteren on 2014-10-20 (public-whatwg-archive@w3.org from October 2014)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 20 Oct 2014 12:28:17 +0200
To: Glenn Maynard <glenn@zewt.org>
Cc: WHATWG <whatwg@lists.whatwg.org>, Roger Hågensen <rescator@emsai.net>
Message-ID: <CADnb78jk1Qw8F+EFCY1=q-AgVgQWtYE0RdBTNZ_dvhen4j8=Ew@mail.gmail.com>

Thanks Glenn.

On Sun, Oct 19, 2014 at 7:35 PM, Glenn Maynard <glenn@zewt.org> wrote:
> - People asking "why would this page need encryption?", which is always the
> wrong question.  (The right question is "why does this page need to not have
> encryption?")
> - People don't want to jump the hoops to get a certificate and install it.
> I still have to search to find the right OpenSSL magic commands, and it
> still takes fiddling to get TLS enabled on web servers.  (It should require
> editing two or three lines to enable it on Apache, not uncommenting dozens
> of lines of sample configuration then figuring out how to sync it up to your
> HTTP configuration.  I suspect Apache can do this much more simply, and that
> the sample configurations that come with installations are just garbage...)

So these can hopefully be mitigated with better documentation and evangelism.

> - People don't want to pay for a certificate.  (There's StartSSL, but when I
> tried it, it was so bad that I prefer to pay GoDaddy.  That should say a lot
> given how bad *that* site is...)

We used StartSSL for WHATWG (though we had to get validated as our
domain setup is complicated) and I use it for my own sites. The UX is
indeed not great. Fortunately CloudFlare is now competing. Hopefully
shared hosting providers will follow suit and just hand out free
certificates with domains/hosting.

> - They don't want the additional latency that TLS causes.  I assume this is
> why Amazon puts most of the storefront on HTTP, and only selectively
> switches to HTTPS.  (They've put a lot of design behind making this secure,
> but most authors can't do that, and it still has a big privacy cost.)  This
> is at least a valid issue.

As far as I can tell at this point the additional cost is far less
significant than it used to be. And with HTTP/2 of course it's simply
false.

> - Some web services don't support HTTPS.  (There's no excuse for this, but
> saying that doesn't make the problem go away.  I don't recall particular
> examples.)

And can actually be very problematic. The other day it was pointed out
that because major OSs don't protect time synchronization, attackers
can kill HSTS protection.

-- 
https://annevankesteren.nl/

Received on Monday, 20 October 2014 11:45:49 UTC