This is why keeping HTTP open is an accessibility must-have, despite the low risk of ISP MITM and such.
There are millions of devices out there already which are usable for many tasks like reading, searching, and non-critical writing, as long as HTTP is allowed.
HTTPS/SSL introduces many accessibility issues, such as for people with older devices, those who do not know how to set their clock correctly, and many other scenarios.
PKI (public key infrastructure) is much more fragile than people realize. Each browser vendor has its own store of trusted certificates. Java, Node.js, .NET/Mono have their own stores. These are completely separate from the operating system's store for good and bad reasons. Also, certificate revocations are not even handled like you'd expect: https://www.ssls.com/blog/why-ssl-certificate-revocation-che...
Who decides what’s non-critical? I’d prefer my news articles not be rewritten by the government for example. Catering security to the absolute lowest common denominator (“can’t set a clock”) is not a path to success.
> Suppose the likelihood of the government or ISP rewriting my requests is very low, as it is in the U.S.
Comcast used to (and maybe still does) inject JavaScript into HTTP requests when users were approaching their transfer caps, so that a warning banner would be shown to let them know they are almost at their terabyte limit.
ISPs have been and continue to be caught playing tricks like this. T-Mobile for instance used to rewrite the playlists that YouTube would send down for HLS to remove the higher bitrates to reduce network traffic.
Just because you are in the US does not mean you are immune from this sort of shenanigans. Currently it is used mostly in the name of network management, but it could also be used for nefarious purposes.
I also fully believe this is why public libraries should exist. The library near me has new computers, help that can help the person navigate those sites and even has tablets available for loan.
What do you think the person looking for critical information would choose?
By the way, libraries are scarce in the U.S., and library computers have been some of the most out-of-date and poorly maintained machines I've used. This is a problem I have no chance of solving, while allowing HTTP access is something I can do today.
You act like "no access" can't happen because other things break. If that was the only choice, I'd consider it, but I'm not going to give up everything in tiny incremental bits to maximize access in every edge case.
Also you could disable expiration as a much safer measure.
There are many reasons something can break. I'm not sure how you got the impression I believe otherwise.
There are many reasons someone may not be able to access.
Furthermore, some of those reasons can be known ahead of time, and some cannot even be predicted before they happen.
But the ones I do know of, I try to accommodate, just like I try to accommodate the visually impaired, those with slow devices, etc.
And I have found that the more known scenarios I accommodate, the more unknown scenarios are also accommodated, just from raising the accessibility bar.
Of course, this is not something everyone cares about. You probably won't gain many profitable customers with deep pockets accommodating the edge cases. They're all using the latest and greatest.
But if you care about allowing access to as many as possible to your resource, serving both HTTP and HTTPS is the way.
I don't see how this kind of argument generalizes. Short of armored truck deliveries, cryptographically signed digital transmissions are about the only form of information delivery where it's even possible to get this kind of assurance. Yet civilizations have operated for centuries if not millennia on the premise that we deliver things nonetheless. There is no guarantee at all that the government isn't rewriting the New York Times before it hits newsstands, intercepting and changing television signals, swapping out or reading your mail, injecting mind control serum into foods before they reach the grocery store, or that fluoride isn't used to subdue the population (other than science, but you don't know the government isn't intercepting and rewriting published research). The only assurance you get is all these things are illegal. Governments definitely don't universally follow their own laws, but at some point, the existence of some system of laws is either enough for you, or you go live in the woods with a bunker full of seeds and ammo, or start a revolution to replace the government with a new one.
I decide what's non-critical. What a concept, huh. If I consider an online transaction to be critical, I'll check for https:// in the address bar.
Usually I don't.
Case in point: Firefox 93 now issues gratuitous scary warnings when a .PDF is downloaded over a non-https connection. [1] Right now it only seems to happen if you arrive at the link via a search engine, but it would be silly to pretend they'll stop there. There is nothing OK about this. It literally breaks the whole idea of decentralized Internet protocols.
The obsession with "https everywhere" needs to stop, now. Otherwise, not only will our future landfills groan under the weight of megatons of e-waste that didn't need to stop working when it did, but our collective cultural history online will eventually consist of nothing but undecodable random numbers.
Not everything needs unbreakable encryption. The vast majority of online content doesn't.
> The obsession with "https everywhere" needs to stop, now. Otherwise, not only will our future landfills groan under the weight of megatons of e-waste that didn't need to stop working when it did, but our collective cultural history online will eventually consist of nothing but undecodable random numbers.
If those devices can't even update certs, they absolutely should not be online because they're solid blocks of vulnerable software that will just contribute to botnets.
And the only way for this to contribute to losing history is if you're somehow archiving content by grabbing it off the wire, which seems inefficient anyways.
> If those devices can't even update certs, they absolutely should not be online because they're solid blocks of vulnerable software that will just contribute to botnets.
Ah, yes, the presumption of guilt. "You're going to do a bad thing at some point, I just know it. This is probably because you're a moron, while I'm not. Fortunately, I have the solution."
ISP MITM is not low risk, and has been already done by Comcast at the very least in the US to inject warnings about bandwidth caps [0]. And with the horrible security of home routers, ISP provided or not, MITM attacks are highly likely on home connections sourced from botnets and malware attacks on routers.
In terms of the topic in this thread, it's not the customer's responsibility to deal with expired root certificates. That said, I understand that there is a large issue with devices that drop support way too soon, even though the hardware is good. But the solution is not to weaken the security, but instead to force better standards for how hardware is maintained, and ensuring that there is a long lifetime where either the manufacturer supports the device, or the device is completely unlocked and allowed for easy community sourced modifications and updates. That sort of critical information should be secure, because taking an example from elsewhere in this thread, I'd rather be confident I was reading the exact page as intended from the government source regarding how to apply for unemployment benefits and not have to worry that malware in the router is modifying the information on the page to steal information and use it to redirect those unemployment benefits.
And this theoretical attack on home routers is not out of the question at all. How many unmaintained unpatched IoT devices have been abused with malware/botnets? The clock is ticking on mass exploitation of home routers being attacked and its firmware replaced with one injecting/stealing information from insecure webpages. If the devices can't be updated, we should make sure there are _safe_ alternatives to accessing the information, rather than hoping that no actor is doing things they should not.
I can list so many scenarios with critical information and attacks that could be made if the webpage was not HTTPS with proper certificates. Including school districts in the United States being forced to block inappropriate content in order to receive federal funding, and those firewalls abusing non-http content to decide what to block, and school districts abusing that capability to block anything and everything they want. How about a student trying to understand more about LGBTQ+ individuals and the school district inspecting and censoring the exact content inside the pages to remove words like "lesbian" or "gay" because the school considers them "questionable." Or a school blocking articles pertaining to hacking. I have seen that exact last scenario in fact, where certain articles posted here were blocked in my high school years ago because they were considered hacking and that was apparently not appropriate to view in school. These are real scenarios and not hypotheticals.
> That said, I understand that there is a large issue with devices that drop support way too soon, even though the hardware is good. But the solution is not to weaken the security, but instead to force better standards for how hardware is maintained, and ensuring that there is a long lifetime where either the manufacturer supports the device, or the device is completely unlocked and allowed for easy community sourced modifications and updates.
Yes, that would be nice.
Unfortunately, I have exactly ZERO control over this, and it won't happen for years or decades to come, if at all. And almost certainly not for existing devices.
What I DO have control over is supporting all those devices today, right now, with some MITM risk in certain scenarios.
There are millions of devices out there already which are usable for many tasks like reading, searching, and non-critical writing, as long as HTTP is allowed.
HTTPS/SSL introduces many accessibility issues, such as for people with older devices, those who do not know how to set their clock correctly, and many other scenarios.