Currently, the NSA (and others, presumably) consider the presence of encryption as part of their is_suspicious() heuristic. Other people do have need for encryption, and by saying "I (currently) have nothing to hide", you are saying that you are fine with a high correlation between "uses encryption" and "is doing something suspicious". More than any other reason, we need to dilute that correlation until all data looks similar to remove the possibility of this kind of categorization.
As Zimmermann said, we need to socially normalize the use of envelopes instead of the postcards that are currently used. Without that social expectation, it will be possible to legislate against the use of encryption in the future.
3) It lets us (in the very long term) simply retire 80/tcp
...and plain HTTP servers in general. Sure, this is a minor benefit, but it would still be nice.
While those are all valid reasons they land on the "greater good" side of the scale, which doesn't have the obvious "what's in it for me" I think many people are looking for.
My thoughts
1. Not having secrets - MITM isn't necessarily conducted by malicious attackers, but that doesn't mean it's bad. Consider for example a company that wants to identify usage behavior and buys traffic data from an ISP. While the data may be anonymized it's still someone's usage. With https, a webmaster is limiting the info those companies can get so instead of being able to run a complete analysis on the type of text a user reads and images they see, over https they could only tell what websites you go to. It's still pretty bad, but not as bad.
2. Cost - I do see the value of cheap hosting on S3 and getting redundancy. I've been hosting servers from the days before AWS existed (I started young) and know one thing - if you can't afford something you probably don't need it.
Why does you $0.06 site need to have a multi node setup? I don't mean to sound like a jerk but if you had the kind of traffic a multi node + DSL site needs you'd probably have the funds to invest in it. It's really not very expensive considering a cup of Starbucks coffee costs 100 times what you currently pay for hosting...
If your content isn't secret why not go with a cheap SNI that can host your certificate and put that behind cloudflare (which is free)?
I'll ignore he obvious selfish nature of this question and simply point out that you may need to take advantage of that "culture of always encrypting everything at some point in the future. It is incredibly short-sighted to assume that you're not ever going to be a target.
> "not having secrets"
You can look the numerous rebuttals for this very well-known fallacy.
> Cost.
It's probably worth mentioning that I am currently living on SSDI (social security disability income) thanks to some unfortunate medical issues. I cannot actually afford any PKI cert and related costs, even $20 costs.
Well, the EFF may soon have a free solution for this, and almost all of the benefits I list are still valid even when the crypto is relying on an self-signed certificate automagically generated by apache on first use.
I would love to see more options that address the cost issue - secure communications should not be limited to those that can afford various economic barriers, but for now at least some solution exists.
You assume they are always available and always do business with everybody? I had an account with them once, but they declined to reinstate it shutdown the account. I don't know why.
Not having secrets - MITM isn't necessarily conducted by malicious attackers, but that doesn't mean it's bad. Consider for example a company that wants to identify usage behavior and buys traffic data from an ISP.
Really? Do you think we're all sheeple that are happy to have every facet of our lives tracked? You don't think that someone has a database of every taboo thing you considered buying or seen online, every contrarian political article you've read, etc? You don't think that they're sitting on this cache until they find a way to sell it to anyone that will buy it or score you some way in a Big Data metric? I know people in that industry. They tell me the public isn't ready the handle how much information is for sale about them.
Viewpoints like these feed the sheeple with naivety that they themselves are good people, so the corporations, government agencies and hackers that spy and exploit the gaping chinks in the armor of the Web would certainly have no reason to exploit such good citizens.
You may have misunderstood my point as what I was aiming at is that MITM is always bad for us even if it's not done by malicious attackers but rather by for profit companies.
By not encrypting traffic, web masters who think they don't have secrets are really just selling their users. That's bad.
>Other people do have need for encryption, and by saying "I (currently) have nothing to hide", you are saying that you are fine with a high correlation between "uses encryption" and "is doing something suspicious".
If those agencies had a problem with https, they wouldn't let a Google team popularize it.
Https is, in all likelyhood, as transparent to them as a piece of glass.
Obviously, given that the TLAs can just national-security-letter a CA (if that's even necessary). That doesn't change anything about my recommendation. You should still use HTTPS, always.
It still has an effect of making your traffic not stand out from anybody else's in a DPI. Also, the TLAs are not the only attacker, and HTTPS may not be transparent to them.
The key feature is that it requires a MitM. That is not easy or cheap, compared to simply catch everything with a simple passive beam-splitter. The idea it is easy to get bulk data with XKEYSCORE/PRISM, but requiring the use of QUANTUM, FOXACID, and other fancier tools is not something that cannot be [cheap, undetected, used against everybody] simultaneously.
Currently, the NSA (and others, presumably) consider the presence of encryption as part of their is_suspicious() heuristic. Other people do have need for encryption, and by saying "I (currently) have nothing to hide", you are saying that you are fine with a high correlation between "uses encryption" and "is doing something suspicious". More than any other reason, we need to dilute that correlation until all data looks similar to remove the possibility of this kind of categorization.
2) https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
As Zimmermann said, we need to socially normalize the use of envelopes instead of the postcards that are currently used. Without that social expectation, it will be possible to legislate against the use of encryption in the future.
3) It lets us (in the very long term) simply retire 80/tcp
...and plain HTTP servers in general. Sure, this is a minor benefit, but it would still be nice.