Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Firefox shop Mozilla recently became the latest in the long line of companies big and small trying to push the web from HTTP to the more secure HTTPS protocol.

In the post-Snowden world, where everyone from the NSA, GCHQ to your ISP is inspecting and sometimes altering content, HTTPS (which makes such things nearly impossible) makes sense.

Let's make that doubly clear: moving to HTTPS is a good thing.

However, the timing and way in which Mozilla, and to a lesser degree Google, would like to rush the web into HTTPS is all wrong.

Like Google before it, Mozilla wants to encourage developers to deploy new sites using HTTPS. Unlike Google, which has thus far used only carrot-like methods to entice developers, Mozilla is bringing out the stick to beat the web into HTTPS.

Mozilla plans to depreciate HTTP by first making "new features... available only to secure websites". Then, at some point it will be "gradually phasing out access to browser features for non-secure websites". A site without HTTPS won't work with HTML5 features in Firefox.

Mozilla's plan, therefore, is to break the web for Firefox and hope that convinces developers to get on board with HTTPS. It doesn't seem to be concerned with the idea that users might just switch to a browser that actually works.

In some cases it makes sense to force the subject. The geolocation API should have been HTTPS-only from the beginning. Some existing HTML APIs, like Service Workers, are already HTTPS-only. All of which is to say, again, HTTPS is a good thing, but making it the only thing, as Mozilla proposes to do, is fraught with problems.

The first problem is that it means the web is no longer free as in beer. Obtaining an SSL certificate is not free. In a follow up FAQ statement (bizarrely, a PDF file) Mozilla does some hand waving about the question of HTTPS costs and contends that StartSSL offers free certificates.

That is technically true, you can obtain a certificate from StartSSL for zero dollars up front. But StartSSL charges to revoke certificates, even when those certificates turn out to be vulnerable to security threats like Heartbleed.

In other words, practically speaking, StartSSL is not free. If you can't revoke a certificate for free it isn't free. StartSSL is free in the same way that the first shot of heroin is always free. You'll be back and when you are you'll be paying for everything you do. StartSSL and others using the same pricing model know this, that's why they offer "free" certificates.

I run a number of HTTPS domains using certificates issued by StartSSL because there is no upfront cost. I do not, however, consider the service to be free. It also happens to be the most challenging thing I've ever tried set up on a web server in twenty years of running servers.

There are some efforts underway to create a service that's both trusted by browsers — so visitors don't get the scary message about "self-signed" certificates — and free. The most notable is Let's Encrypt, which Mozilla is a part of, but (while it sounds nice) Let's Encrypt is just vaporware.

The move to pure HTTPS has costs that Mozilla has not credibly shown can be overcome. The HTTPS-only web Mozilla is envisioning is one where only the rich are welcome.