
Tim Berners-Lee: https everywhere considered harmful - CarolineW
http://www.w3.org/DesignIssues/Security-NotTheS.html
======
danjoc
First TBL accepts DRM, now he eschews HTTPS because it changes the URI
protocol and breaks the old http link?

Who are you and what did you do with the inventor of the WWW? Redirects are an
easy solution to deprecated http links. And I still wish you understood DRM.
[http://www.theguardian.com/technology/blog/2013/mar/12/tim-...](http://www.theguardian.com/technology/blog/2013/mar/12/tim-berners-lee-drm-cory-doctorow)

------
dh997
This sounds like a tempest-teapot scenario because he doesn't seem to know
about http/2 which includes the feature TBL is ranting about. Instead, he
comes off as finger-wagging at folks for doing something to stop-gap fix the
web because the http RFC didn't include security from the beginning. Adding tls
to http/1.x is impractical, utopian mythology because there's too much
deployed to ever change until http/2 becomes widely deployed.

Instead of ranting, downplaying the EFF and others for improving the situation
or wishing for the impossible, TBL missed the opportunity to support adoption
of http/2, which might not be perfect (PHK mentioned rushed process and
protocol complexity) but it has been touted to supersede http/1, https and
spdy.

btw: there's also unauthenticated opportunistic encryption like tcpcrypt which
works via server and client plugins.

[https://en.wikipedia.org/wiki/HTTP/2#Encryption](https://en.wikipedia.org/wiki/HTTP/2#Encryption)

[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)

------
Karunamon
So if I understand this right, Tim's main issue is that "s" is just going to
lead users to think "oh, it's secure, I'm good right?" when really web
security is a continuum, even on the level of certs - the browser doesn't
meaningfully differentiate between domain validation, identity validation, and
extended validation (EV), and less so on the technical characteristics of the
cert (signing algo, ciphers chosen, etc.)

It's not that encryption is bad, it's that the https method encourages lazy
thinking.

Call me a pessimist, but I think that any method which relies on "user
education" is doomed from the start. Any UX designer can tell you that users
_do not read error messages_ and just click by them ASAP to get back to what
they were doing before the computer so rudely interrupted them.

~~~
sbierwagen
No, he only gets to the point in one of the final paragraphs:

    The problem is of course that moving things from http: space into
    https space, whether or not you keep the rest of the URI the same,
    breaks any links to. Put simply, the HTTPS Everywhere campaign
    taken at face value completely breaks the web.

Of course, in reality, anyone who moves to HSTS also adds a rewrite rule that
redirects incoming http visitors to the https URI. In fact, Let's Encrypt even
does it automatically:
[https://github.com/letsencrypt/letsencrypt/blob/master/letse...](https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt-nginx/letsencrypt_nginx/configurator.py#L384)

His complaint is completely spurious.
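The redirect that danjoc and sbierwagen both refer to, as an added illustration (this is not code from the thread, from TBL's page, or from the Let's Encrypt client): an nginx configuration that answers every old http:// link with a 301 to the same path on https://, then opts the host into HSTS so returning browsers never send the plaintext request at all. The hostname `example.org`, the document root and the certificate paths are placeholders.

```nginx
# Added example, not from the original thread. Hostname, root and
# certificate paths are placeholders; substitute your own.

server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;

    # Permanent redirect. $host and $request_uri carry the original
    # hostname, path and query string over unchanged, so an old link like
    # http://example.org/docs/page?id=7 still resolves instead of breaking.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.org www.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;    # placeholder path

    # HSTS: once a browser has seen this header it rewrites http:// to
    # https:// locally before connecting, so the redirect above only
    # matters for first visits and non-browser clients. "always" emits the
    # header on error responses as well as 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.org;
}
```

Check it with `curl -I http://example.org/docs/page?id=7`: the answer should be `301` with a `Location:` header pointing at `https://example.org/docs/page?id=7`, and a second request to that https URL should carry the `Strict-Transport-Security` header. Two caveats when deploying: only include `includeSubDomains` if every subdomain already serves HTTPS, since browsers will refuse plaintext to all of them once the header is cached; and start with a short `max-age` (a few minutes) until the certificate and redirect are confirmed working, because a cached HSTS policy cannot be revoked from the server side until it expires.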

