One of the recurring problems we face as technologists is accusations that we are out of touch with the sorts of issues and problems that affect most people. We're accused of pushing through changes without taking into account the reality of the costs and collateral damage that will be triggered, and basically of being downright arrogant toward the world at large. Unfortunately, such complaints are not wholly without merit, and one need look no further than current discussions on a major Mozilla development mailing list to understand why.

You know Mozilla, of course -- the custodians of the Firefox browser. The same firm that stole a bundle of perfectly happy Google Search users to hand over to Yahoo under the terms of a lucrative new business deal. Right, that Mozilla. Well, if you run an older, legacy website that hasn't had the money, time, technical ability, or other resources necessary to convert over to encrypted https connections, it appears that Mozilla is talking about a little surprise for you. Looks like they may want to shut you down.

Now, one would be hard-pressed to find a more outspoken proponent of opportunistic encryption than I am -- I've been boosting the concept for ages. In fact, years ago I wrote a piece entitled "http: Must Die!" However, in the time since then, it's become ever more clear that trying to force sites into the increasingly corrupt and dysfunctional existing SSL/TLS certificate infrastructure would grossly disserve many legacy sites, especially smaller ones with extremely limited resources available. I have long been an advocate of leveraging self-signed certificates -- yes, despite their known limitations -- as an interim step toward a new, more practical opportunistic crypto infrastructure -- but this obviously takes significant time even in the best of circumstances. But whatever specific technological path is taken, a foundational requirement should be using the carrot and not the stick to help encourage these transitions.
And while Mozilla is by no means the only firm that can be accurately accused of using rather hard-edged "we know better so just shut up or get left behind, losers!" approaches, the folks over at Mozilla are really sharpening up the javelins and charging up the cattle prods. What they're discussing for Firefox is turning off unencrypted http support. You're not able to run encrypted https? Too bad, Firefox users won't be able to access your sites. Or perhaps for a while they'll just get a big red warning telling would-be visitors that you're subhuman slime who just doesn't care about security. Plus -- you guessed it -- it seems that they'd like to make this an Internet standard so you'd effectively have no escape regardless of which browser was in use.

As someone who has long advocated the righteousness of fully-encrypted Internet communications, I find the attitude being expressed over at Mozilla to be infuriating, because while the end goal is laudable, the approach is indeed arrogant and almost religious in its fervor, and in its refusal to acknowledge the problems with which the "little guys" on the Net have to deal every day. For all the talk of supposedly "automatic" ways to convert sites to https, and the availability of so-called "free" security certificates, the bottom line is that many legacy sites are simply unable to devote the resources necessary to undergo such conversions and maintain them. Many of these sites have been providing reference materials for many years that -- frankly -- are not of the sort where communications security can realistically be seen as a priority matter.

Now, if Mozilla is willing to establish a cadre of bonded and insured site design experts willing to perform https conversions for such sites without charge, and help maintain them forevermore, well, I'd certainly be interested in having that conversation. That's using the carrot approach I mentioned earlier.
On the other hand, plans to try to use those sharp sticks and prods to bully these sites into the https camp like cattle -- well, if you think the world has a mixed view of technologists now, if Mozilla gets its way we'll end up with a positive rating on par with politicians -- if we're lucky. I very much want to see an Internet where all communications are securely encrypted, but only if it's done the right way, with sites and users treated as valued partners with a full understanding of their resource constraints and sensibilities -- and not as "losers" to be treated with what amounts fundamentally to arrogant contempt.

Be seeing you.

--Lauren--
Posted by Lauren at May 1, 2015 11:34 AM
Twitter: @laurenweinstein
Google+: Lauren Weinstein