Over the last few months I've been putting together my talk for the year, based on a blog post that is titled "HTTPS is Hard". You can read the full article on the Yell blog on which it is published. There's also an abridged version on Medium. It's been a very long time coming, and has changed over the time I've been writing it, so I thought I'd get down a few reflections on the article.
It's really long, and took a long time to write
This is firstly, the longest article I've written (at over four thousand words, it's a quarter of the length of my dissertation) and it's taken the longest time to be published. I had a 95% complete draft ready back in September, when I was supposed to be working on my Velocity talk for October but found myself much more interested in this article. Dan Applequist has repeatedly asked me to "put it in a blog post, the TAG would be very interested" - so finally, it's here.
The truth is that I'm constantly tweaking the post. Even the day before it goes live, I'm still making modifications as final comments and notes come in from friends that I've been working with on this. Also, it seems like every week the technology moves on and the landscape shifts: Adobe offers certs for free, Dreamhost gives away LetsEncrypt HTTPS certs through a one-click button, Netscaler supports HTTP/2, the Washington Post write an article, Google updates advice and documentation, and on and on and on... All through this evolution, new problems emerge and the situation morphs and I come up with new ways to fix things, and as I do, they get put into the blog post. Hence, it's almost a 20 minute read.
A special thank you to Andy Davies, Pete Gasston, Patrick Hamann and the good people at Yell; Jurga, Claire and the UI team (Andrzej, Lee and Stevie) for their feedback throughout this whole process. I'm sure they skipped to the new bits each time.
Is HTTPS really neccessary, for everyone?
Every day something silly happens. Today's was from generally-awesome tech-friendly company Mailchimp. They originally claimed that "Hosted forms are secure on our end, so we don't need to offer HTTPS. We get that some of our users would like this, though" (tweet has since been deleted). Thankfully, they owned up and showed CalEvans how to do secure forms.
@CalEvans We apologize for the inaccurate info from earlier, Cal. It is actually possible to use HTTPS with our hosted forms by grabbing the— MailChimp (@MailChimp) March 29, 2016
Still, it's this kind of naivety that puts everyone's security at risk. A big thumbs up to Mailchimp for rectifying the situation.
If I were to have started today, would HTTPS still be hard?
Yes, though nowhere near as hard. We'd still have gone through the whole process, but it wouldn't have taken as long (the Adobe and Netscaler bits were quite time-consuming) and the aftermath wouldn't have gone on for anywhere near as long if I'd have realised in advance about the referrer problem.
If you'd have known about the referrer issue, would you have made the switch to HTTPS?
Honestly, I'm not sure I would have pushed so hard for it. We don't have any solid evidence to say it's affecting any business metrics, but I personally wouldn't like the impression that traffic just dropped off a cliff, and it wouldn't make me sign up as an advertiser. Is this why Yelp, TripAdvisor and others haven't migrated over? Who can say...
This is why the education piece of HTTPS is so important, because developers can easily miss little details like referrers, and just see the goals of ranking and HTTP/2 and just go for it.
The point of the whole article is that there just isn't the huge incentive to move to HTTPS. Having a padlock doesn't make a difference to users unless they sign in or buy something. There needs to be something far more aggressive to convince your average developer to move their web site to HTTPS. I am fully in support of Chrome and Firefox's efforts to mark HTTP as insecure to the user. The only comments I get around the office about HTTPS happen when a Chrome extension causes a red line to go through the protocol in the address bar - setting a negative connotation around HTTP seems to be the only thing that gets people interested.
What's changed since you wrote the article?
I am really pleased to see the Google Transparency Report include a section on HTTPS (blog post). An organisation with the might and engineering power of Google are still working towards HTTPS, overcoming technical boundaries that make HTTPS really quite hard. It's nice to know that it's not just you fighting against the technology.
What about "privileged apps" - you don't talk about that
The "Privileged Contexts" spec AKA "Powerful Features" and how to manage them is a working draft and there's a lot of debate still to be had before they go near a browser. I like how the proposals work and how they've been implemented for Service Worker. I also appreciate why they're necessary, especially for Service Worker (the whole thread of "why" can be read on github). I hope that Service Worker has an effect on HTTPS uptake, though this will only truly happen should Safari adopt the technology.
It looks like Chrome is going to turn off Geolocation from insecure origins very soon, as that part of the powerful features task list has been marked as "fixed" as of March 3rd. Give it a few months and geolocation will be the proving ground for the whole concept of powerful features - something that I'll be watching very closely.
Speaking Web Standards