
HTTPS Deployment Growing by Leaps and Bounds - DiabloD3
https://www.eff.org/deeplinks/2016/12/https-deployment-growing-leaps-and-bounds-2016-review
======
yardie
How will this work with hotspot capture portals? I have a dwindling list of
sites I can use to check and see if my internet connection is down or just
interrupted. And Apple/Microsoft don't always register that the wifi is
captured, so either I wait or I can open a browser to an unencrypted site and
renew the session.

~~~
irishsultan
That's what [http://neverssl.com/](http://neverssl.com/) is for.

~~~
yardie
Now that is a handy link to have! Wish I knew of it sooner.

~~~
diafygi
I use example.com, which has all the scenarios without redirects.

[http://example.com](http://example.com)

[https://example.com](https://example.com)

[http://www.example.com](http://www.example.com)

[https://www.example.com](https://www.example.com)
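
The "is it down or is it a portal" check from this sub-thread, written out as an added example (not code from the thread or from example.com). It assumes the plain-HTTP copy of example.com still serves a page whose body contains the text "Example Domain"; the classification itself is a pure function so it can be exercised offline on constructed responses, and only `probe_http()` touches the network.

```python
"""Tell "internet is down" apart from "captive portal in the way" by fetching
a plain-HTTP probe page (example.com, as suggested in the thread)."""
import http.client
from urllib.parse import urlsplit

# Probe target and the text its body is expected to contain.
# Assumption: example.com's page title is still "Example Domain".
PROBE_HOST = "example.com"
PROBE_PATH = "/"
PROBE_MARKER = b"Example Domain"

ONLINE, CAPTIVE, DOWN = "online", "captive_portal", "down"


def classify_probe(status, headers, body, expected_host=PROBE_HOST,
                   marker=PROBE_MARKER):
    """Classify one probe response.

    status  -- HTTP status code (int)
    headers -- dict of lower-cased header name -> value
    body    -- response body as bytes
    """
    # A portal usually answers with a redirect to its own login page.
    if 300 <= status < 400:
        location = headers.get("location", "")
        # A relative Location has no host; treat it as the probe host's own.
        target = urlsplit(location).hostname or expected_host
        if target.lower() != expected_host.lower():
            return CAPTIVE
        # A redirect that stays on the probe host (e.g. to https://) is fine.
        return ONLINE
    # Some portals serve their splash page inline with a 200 instead of
    # redirecting, so a 200 only counts when the expected content is there.
    if status == 200 and marker in body:
        return ONLINE
    # Anything else (splash page, 511 Network Authentication Required,
    # unexpected content) means something is intercepting plain HTTP.
    return CAPTIVE


def probe_http(host=PROBE_HOST, path=PROBE_PATH, timeout=5.0):
    """Fetch the probe over plain HTTP and classify it; DOWN if nothing answers."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Cache-Control": "no-cache"})
        resp = conn.getresponse()
        body = resp.read()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
    except (OSError, http.client.HTTPException):
        return DOWN
    return classify_probe(resp.status, headers, body)


if __name__ == "__main__":
    print(probe_http())
```

The marker check matters more than the status code: a portal that answers every request with its own 200 splash page looks "up" to a naive check, which is exactly the case the thread is about.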

------
makecheck
I think it would be interesting to measure how well sites _maintain_ their
HTTPS too. I occasionally see improperly-configured certificate warnings (on
corporate and even government web sites!). It may be that anyone who set up
HTTPS once last month is going to have problems in 3 months or 6 months, and
may not be set up properly for the long term.

In this “modern” world, it seems past time for governments to start supplying
digital IDs. Why for instance can’t every single person have a government-
backed certificate of identity once they have done all the usual things that
it would take to obtain a driver’s license or passport? And if you can count
on a passport being valid for 10 years, why can’t you count on a government CA
(say) to continue to validate your certificate for 10 years?
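
The "do sites keep their HTTPS working" question in the first paragraph is what a periodic expiry/verification check answers. The following is an added example, not code from the thread: `days_until_expiry()` and `cert_status()` work offline on the dict shape that `ssl.SSLSocket.getpeercert()` returns, and `fetch_peer_cert()` does the live check for a host. The 30-day warning threshold is an assumption chosen to fit 90-day certificates.

```python
"""Check whether a site is maintaining its HTTPS: certificate close to expiry,
already expired, or a handshake that no longer verifies."""
import calendar
import socket
import ssl
import time

# Assumed threshold: warn well inside a 90-day certificate lifetime.
WARN_DAYS = 30


def utc_epoch(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC wall-clock time (handy for tests)."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def days_until_expiry(cert, now=None):
    """Days left on a getpeercert()-style dict whose notAfter looks like
    'Mar 15 12:00:00 2017 GMT'. `now` is epoch seconds (UTC), default current.
    Negative means already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = time.time()
    return (expires - now) / 86400.0


def cert_status(cert, now=None, warn_days=WARN_DAYS):
    """'ok', 'expiring' (less than warn_days left) or 'expired'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return (status, detail) for a live host. Verification failures are
    reported rather than raised: for a maintenance check, a broken chain or
    wrong hostname is the finding, not an error."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return "verify_failed", e.verify_message
    except (OSError, ssl.SSLError) as e:
        return "unreachable", str(e)
    return cert_status(cert), "%.1f days left" % days_until_expiry(cert)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.com"]:
        print(host, *fetch_peer_cert(host))
```

Run it from cron against your own hosts and alert on anything other than `ok`; the `verify_failed` branch is the one that catches the "improperly-configured certificate" cases the comment mentions, since a site can have an unexpired certificate that still fails hostname or chain validation.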

~~~
riffic
> In this “modern” world, it seems past time for governments to start
> supplying digital IDs.

Good graces just stop. While this may seem like a step in the right direction
and offer a great amount of convenience, one can only imagine how this would
be abused by authoritarian powers.

~~~
234dd57d2c8db
Not just that, but the government has leaked millions of database records on
everything from top-secret clearance holders to medical records to you name
it. Their security posture is insulting.

------
HugoDaniel
It is enforced by the browsers that implement HTTP2; it would be nice to see
their adoption correlation.

------
QuadrupleA
Am I the only one not all-in about moving everything to HTTPS? It's great for
sites that track personal information and sensitive data that you wouldn't
want snooped. But for a lot of sites (like phrasegenerator.com, one of mine)
I'm not sure it makes sense - if someone in a coffee shop finds out what
random phrase generator categories you've visited it's of pretty much no
consequence. It's just an extra configuration hassle on the server, and a CPU
burden on both ends. Admittedly minor, but why add a layer of complexity when
it's not needed?

I don't know. I use Let's Encrypt for the sites where it matters, and I'm all
for it with search engines, email clients, anything with a password, etc. But
as an engineer who likes to keep things simple, this seems like another layer
of complexity borne out of one of those dogmatic 'best practice' rules that
makes modern software slower, buggier and harder to maintain than it needs to
be, despite our amazing modern hardware.

~~~
Klathmon
But it's not just for personal information.

HTTPS keeps your ISP, your wifi hotspot, a dodgy router, or anything else from
injecting ads and tracking information into your pages.

HTTPS ensures that the server and information the user is requesting actually
comes from you (and not a shady middleman who might give out bad information
or just annoy the user with a slightly broken setup).

HTTPS ensures that content isn't being blocked by a bad government actor based
on its content.

HTTPS keeps bad actors from injecting malware into your javascript, your
images, even downloaded executables (there is "one click" software out there
to inject malware into any .exe download it can find on the network in real
time).

HTTPS helps protect against "dragnet surveillance". That doesn't just include
bad governments, but also an ISP which might build a profile on you based on
your browsing habits.

HTTPS treats information as "secure by default". You won't always know what is
and isn't "private" to each person. "phrasegenerator.com" might just be a fun
game to you, but to someone else it might generate a phrase that could get
someone fired, or worse, based on the content of that phrase.

And using HTTPS everywhere means that it's harder to identify "secure"
information from "insecure" information. Breaking one HTTPS connection one
time for one person and one server isn't "easy", but it's not impossible.
Breaking HTTPS for all connections to everyone every time for every server
becomes practically impossible.

The overhead is next to nothing, the complexity mostly abstracted away, and
with stuff like Let's Encrypt the "maintenance factor" is quickly getting
reduced to "fire and forget".

There's no excuse to not use HTTPS any more in my opinion.

~~~
tyingq
>HTTPS keeps your ISP, your wifi hotspot, a dodgy router, or anything else
from injecting ads and tracking information into your pages

I suspect this is the main reason Google is so gung-ho about "https
everywhere". Because of the popularity of GA, adsense, Double Click, and
Google local caches at every ISP...they already have near global tracking.
Closing the ISP MITM hole ensures that nobody else does.

Of course, "https everywhere" is good for other reasons, so not complaining...

~~~
iRobbery
I agree, though I'm worried about the security it actually offers and what
protocols and ciphers are still considered secure.

Next PCI DSS will require most services to be using (and not honoring lower
than) TLSv1.2; I'm not sure about what to do when (not a matter of if, but
when) that is considered no longer secure. TLSv1.3 isn't ready yet from what I
understand.

Now that I write this I wonder, are there btw server/client solutions that
utilize PGP? E.g. send requests via encryption with the public PGP key of the
server and the response back to the client with the public key of the client?
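
The "honour TLS 1.2 and nothing lower" requirement mentioned above, as an added example (not code from the thread or from PCI DSS) in Python's `ssl` module, which exposes that floor directly on an `SSLContext` (Python 3.7 or later). The cipher string and the audit helper are my own choices, not a PCI-specified list.

```python
"""Server-side TLS policy: TLS 1.2 as the floor, newer versions allowed, plus a
small audit that reports whether a given context meets that floor."""
import ssl

# The floor the comment describes; raise it here if the requirement moves.
PCI_MINIMUM = ssl.TLSVersion.TLSv1_2


def meets_minimum(version, minimum=PCI_MINIMUM):
    """True when `version` (an ssl.TLSVersion, or its raw protocol number
    such as 0x303 for TLS 1.2) is at least `minimum`.

    MINIMUM_SUPPORTED is a sentinel meaning "whatever OpenSSL allows", which
    can include TLS 1.0/1.1 depending on build and system config, so a context
    left at that default does not meet the floor."""
    if version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return False
    return version >= minimum


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses anything below TLS 1.2.

    certfile/keyfile are optional so the policy can be inspected without a
    certificate on disk; a real server always loads its chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # TLS 1.3 when available
    # TLS 1.2 suites: forward secrecy (ECDHE) with AEAD ciphers only.
    # TLS 1.3 suites are fixed by the protocol and unaffected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS-level compression
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Describe a context's TLS floor, e.g. for a compliance log line."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "meets_pci_minimum": meets_minimum(ctx.minimum_version),
    }


if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
```

When the floor eventually has to move to TLS 1.3, the change is one constant; the audit function is what tells you which deployed contexts were never updated.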

