James Cridland

Why HTTPS is (not just) expensive security theater

Dave Winer publishes a piece about why HTTPS is “expensive security theater”. For whatever reason, I can’t sign onto Twitter to respond (his site hangs on a node2.1999.io call to a non-standard port, so who knows what’s going on there), so I thought I’d at least do so here. He says…

“Let’s say I wanted to [enable HTTPS] for my main site, scripting.com.
First I’d have to move it off Amazon S3. But I like having it there.”

You don’t actually need to move your site at all. Use CloudFront to handle SSL for you: get a certificate, upload it to Amazon, and change the DNS of scripting.com to point to your CloudFront distribution. Job done. It’s not expensive to do that: it’s the cost of a cert and not much more in terms of traffic. The “trade-off” is that the site will run faster; the other trade-off is that everything will be cached, which does mean you need to work harder at avoiding stale copies when you’ve made changes to the files.

The bottom line: it’s not expensive, it’s relatively easy to do, and it works.

“My RSS feed is there. God knows how many bots are reading it every five seconds.”

You don’t have to move it. You don’t even need to retire the HTTP version. Google will probably index the HTTPS version once it knows there’s one there, but that’s all.

One more gotcha: many RSS readers don’t deal properly with HTTPS over SNI.

“Frankly if the Chinese want to add or remove stuff from my blog, go ahead, have a party. I’m sure they don’t care. Honestly, I don’t care either.”

One example I’ve heard this week at a client: AT&T rewrite and minimise JavaScript when you’re using their data. Sometimes, they screw up and things stop working (as it did for this client). Screw the Chinese — it’s AT&T you need to be careful of! They can’t do that with an HTTPS connection. It’s encrypted all the way to the user’s device.

I changed over to HTTPS because I’d seen hotspots fiddle with the advertising on my site; other mobile networks mess with images and make them look ugly; and other strange interventions done without my consent to my work. I didn’t like it, so I switched.

HTTPS is probably not right for Dave, and it would probably be a bunch more work, particularly for externally-linked JavaScript and other services. Not supporting HTTPS is probably the right decision for him. But that doesn’t mean it’s “expensive security theater”, nor does it mean HTTPS proponents are lying. There are good reasons for people to use it.

Just saying.