Re: Draft finding - "Transitioning the Web to HTTPS"

On 9 December 2014 at 06:26, Eric J. Bowman <eric@bisonsystems.net> wrote:

> Melvin Carvalho wrote:
> >
> > IMHO, People prefer utility and convenience over security, in most
> > cases. But facebook got to 100 million users without turning on
> > HTTPS.  Stealing money or identity would trump that, but is a small
> > minority of requests on the web, and normally has HTTPS already.
> >
>
> What people (especially small business owners) *really* want is for
> stuff to just work (like the "back" button _used_ to). A friend asked me
> this morning, what she could do about her FB profile returning this:
>
> "Sorry, this profile is not available at the moment. Please try again
> shortly."
>
> Which reminds me of another friend who recently asked me about this:
>
> "Your account is temporarily unavailable due to site maintenance. It
> should be available again within a few hours."
>
> This is obviously not the case for a statistically-significant number
> of users; otherwise, 12 hours later, this wouldn't still be the case
> with her profile -- or, in the latter case, three days.
>
> Really frustrating to me, as I'm no longer in the Web business but still
> seem to be the go-to guy for FB tech support despite never having had a
> FB account myself, and cited just this sort of thing when I told them
> not to subject their online business presence to the control of _any_
> large company.
>
> Searching these issues shows them to be long-standing, and everyone
> else from indy devs to various support forums seems to be expected to
> solve it -- search the above messages on Google to see what I mean...
>
> http://www.cnet.com/news/facebook-acknowledges-access-problems/
>
> Try getting FB to do anything about it, let alone admit anyone's having
> a problem, aside from one 5-year-old CNET article. What's really, really
> aggravating, is when clients are just trying to deliver a brochure and
> don't *need* encryption except where logins/transactions are involved.
>
> >
> > The long tail of innovation among developers require an easy way to
> > get up and running.  HTTP provides that, but HTTPS currently does
> > not.  It's expensive and still in many cases painful to set up and
> > maintain.
> >
>
> Therein lies the problem. I tell folks they get what they pay for, and
> really shouldn't rely on big players for their online presence, and
> that I consider all my customers to be statistically singnificant. But,
> and especially if we're talking HTTPS, it's more than they feel they
> should have to pay, for something everyone else says they need.
>
> >
> > I welcome Mozilla's initiative "lets encrypt" which hopefully with
> > provide cheap and easy HTTPS on the web.  Perhaps this initiative
> > could get behind that effort, and other similar systems.
> >
>
> I'd love to see that happen, as I hate that the only solution to HTTPS
> is to send folks to FB and other forms of Web hosting, where all they
> have to do is cede control of their content, and forfeit any level of
> service when problems arise, to companies who simply don't care, and
> really can't be trusted.
>
> I doubt I'm the only independent developer whose business has literally
> been killed by "Transitioning the Web to HTTPS" but it's a big reason I
> won't have anything to do with independent Web development any more. If
> people didn't think they _need_ HTTPS, I'd still be in the business of
> providing cost-effective hosting solutions which scale through traffic
> flurries by way of shared public caching.
>

+1

Im all for a secure web, but I think the demerits of HTTPS are under
stated, and I'm glad you brought a few of them up.

Let's not forget that the X.509 / CA system was designed to offer a
low-cost decentralized web of trust, which has not to date emerged.

I hope that forward thinking initiatives by Mozilla, can be pioneers in
this area.

I welcome some of the positive reactions and ideas, from TAG members, in
this respect.


>
> -Eric
>