Mozilla’s internal dialog on HTTPS
Nik Cubrilovic sent me a link to the page on Mozilla’s project management system where they decided to put a big red X through the icon for sites that are using HTTP, the standard protocol of the web, instead of their preferred HTTPS.
Interestingly, it’s both an argument for and against government control of utilities like web browsers.
- It’s an argument against control because Mozilla is acting like a government. They have decided that if you want to continue to publish to users, you must comply with the new regulation established by Mozilla. If not, we’ll mark you as unsafe, and make sure everyone knows you’re not to be trusted. And this is just the current iteration. When that fails to alter user behavior, or cause sites to convert, what next? Will they stop displaying them altogether? As Google does when they encounter a site that it thinks has malware embedded?
- At the same time, Mozilla is most definitely not a government. They are a private company. And they have not disclosed the impact of shutting down access to a huge part of the web. I likened it to book burning but on an unprecedented scale. As a user of the web, both as a publisher and a reader, I want protection from this kind of power grab. The web does not belong to Mozilla. What if it works? Most of my own sites will disappear, and lots of sites that I care about.
I wonder if they’ve even tried to quantify the outages they’ll cause. So many sites are simply residing on a hard disk somewhere, served by an ancient version of some unknown and not maintained server software, chugging along as someone keeps paying the electric bill, and replaces a broken hardware component when needed. The people who created the site might not have understood HTTPS or how to deploy it, and many are long gone. Some of course are dead. We are certainly not all sitting around doing nothing waiting for a handful of programmers on a mail list to make us perform a ridiculous act of security theater for our blog posts written in 2002.
Most of these sites do not need HTTPS. It isn’t an issue for my ancient blog posts. Or yours.
In the thread there are some very reasonable alternatives offered, that help Mozilla achieve their goal, without burning all those sites. For example, if the browser sees a form that contains a password or a credit card number being transmitted over a non-encrypted connection it could warn you with a big dialog box, saying hey dummy, your ISP or their ISP can read that stuff. Are you sure you want to send it? That would actually communicate clearly to the user what the issue is without the confusion at the point where security matters.
It was also pointed out that some users are going to think the browser is broken. Smart users! They are right. The browser is broken. It has totally the wrong idea of its role.
Imagine Honda or Ford tried to do something like this. It noticed you were stopping at a McDonald’s. Your Civic stops and a big red X shows up in your dashboard. When you ask why it says “McDonald’s is not good for you Davey. Go somewhere healthy like Panera or Whole Foods.” You might say who the fuck is Honda to tell me where to get my comfort food? And you would be right. Only in tech would they be so arrogant as to think they know better, when (get this) — they don’t.
If we had government oversight, they might require the equivalent of an Environmental Impact Statement. How many sites will disappear as a result of what you’re doing? Maybe require them to disclose that so their users have a chance to switch to a browser that is less opinionated.
The web isn’t their property. They are just providing a tool. They have too much power if this goes through. I suspect once they start putting red X’s on sites that people care about, and their support people start handling calls saying the browser is broken, they might put this back on the list, as an urgent bug, and find a nicer way to help users stay safe, one that doesn’t require sacrificing large pieces of the web.