Secure web? That'll cost you, thanks to Mozilla's HTTPS plan
Firefox-shop breaks out the big stick
The costs are only part of the problem
The real problem with deploying to HTTPS is that it's a difficult process that even very knowledgeable developers frequently get wrong. Expecting the average site owner with a WordPress blog to set up an SSL certificate chain, as the process stands right now, is unrealistic at best.
As developer and open, independent web advocate Jeremy Keith puts it: "This is for everyone ... not just those smart enough to figure out how to add HTTPS to their site." He goes on to say that Mozilla's plan: "Looks like something drafted by underwear gnomes."
To be clear, Keith is not suggesting that the move to HTTPS is bad, just that the timing is ill-conceived. "Let's make HTTPS easy first," he writes, "then we can start to talk about ways of encouraging adoption. Hopefully we can figure out a way that doesn't require Mozilla or Google as gatekeepers."
There's another major problem with the move to HTTPS: it fundamentally breaks the web as it is.
All those HTTP URLs you visit and have linked to over the years will cease to exist if the site they're a part of moves to HTTPS. Everything needs to be redirected. Again, provided you have developers who know how to do it, this is easy to do.
Unfortunately, the history of the web has already shown that few sites will bother to create redirects. The more likely outcome is that millions of URLs will die along the way.
This is the problem that led web-creator Tim Berners-Lee to plead with developers earlier this year to not "break the web". To quote him: "The HTTPS Everywhere campaign taken at face value completely breaks the web in a way it is arguably a greater threat to the integrity for the web than anything else in its history."
Berners-Lee's solution is to make TLS — the actual encryption and authentication layer in HTTPS — part of HTTP. In his plan, the HTTP protocol would be by default upgraded to use TLS without having to use a different URL prefix.
In other words, the burden to make it happen is transferred off the shoulders of developers and onto the shoulders of protocol designers, standards bodies and browser makers. Reception of Berners-Lee's proposal from those groups has been lukewarm thus far.
Whether or not Berners-Lee's solution is the best option for the web is certainly debatable, but what's not debatable is that those pushing HTTPS so firmly are ignoring the reality of HTTPS today: it's expensive, difficult to set up and very likely to lead to the biggest batch of broken URLs in the history of the web.
Before HTTPS becomes commonplace the process of obtaining and setting up a secure server needs to get much simpler. At the very least the web needs the WordPress of security certificates.
Perhaps Let's Encrypt will be just that and solve two of the three problems with the transition to a secure web. But deprecating HTTP now, before very real, very fundamental problems are solved, is putting the cart before the horse.
Worse, Mozilla's plan would create a divide between those who have the money and ability to purchase a certificate and those who do not. The move to HTTPS as Mozilla envisions it is counter to the entire notion of an open web. ®