Letters from Somnolescent February 2, 2021

The Death of HTTPS (on somnolescent.net)

by mariteaux

One of my biggest pet peeves with being a webmaster is HTTPS. The way that HTTPS is handled on the backend is so invasive, so exclusionary, that it regularly gets in the way of some very basic things I’d like to be able to do around here.

By the end of this year, with few exceptions, somnolescent.net will be going HTTP-only. I’m writing this post in the hopes of staving off any upset or confusion on behalf of you, our loyal readers (and also you, the Somnolians).

To introduce HTTPS (and why it irritates me so much)

I get the feeling most of the people who peek at somnolescent.net are probably already webmasters or techy people, but in case you’re uninitiated, I’ll explain what makes HTTPS so special as compared to regular HTTP–and why it’s such a nuisance for our purposes.

You’ve probably heard of HTTP, which is basically a way for files on a server to get to your computer without data being lost. HTTP was never built to be “secure”–secure meaning two things, essentially:

  1. No one can sniff the datastream and see what you’re downloading
  2. No one can tamper with the datastream

HTTPS is meant to, in a very limited scope for a very specific angle of attack, solve these issues. It uses a host of methods to encrypt (scramble) your connection, so everything you do looks like a stream of gibberish to prying eyes. HTTPS is a totally separate protocol, and your site can work over both. You probably most recognize HTTP or HTTPS by a cute little padlock icon or an ominous “Not Secure” in the URL bar of your browser:

A demonstration of what HTTP and HTTPS sites look like in a modern browser
(Ignore the fact that security breaches still happen all the time even over “secure” connections, mind you.)

HTTPS is more important when it comes to uploading data–say, buying stuff that involves your credit card number. You, admittedly, do not want to be sending this stuff over clearnet.

I have many, many issues with the reductionist way Big Technology people have tried to boil down internet security so laypeople can understand it (like that padlock), and I’ve already gone over that on the Scratchpad, so I won’t belabor that point. HTTPS is worse than useless for us. It’s “security” we don’t need and never asked for. And I genuinely hate how these people want to remove your ability to choose what you do with your site.

Let’s get into some major reasons why we’re getting rid of HTTPS:

Old browser support

This is the big one. We really enjoy testing our sites and seeing them work in browsers far, far older than the current, bloated crop. Seriously, anything from NCSA Mosaic onwards, I’ve tried to peek at our sites with. What’s the point of all the table layouts if you’re not gonna do that? Outside of the novelty, we do often use older computers, and if we want to grab something on our sites (say, on w2krepo or archives), we’d have to use a proxy if HTTPS was mandated.

mari's PS1 Recommendations WIP
How could I live without the perverse enjoyment of seeing IE4 load my brand new page without a hitch?

The cruel irony of a site like Neocities is that, for as many people try to recapture that classic web glory, Neocities actually isn’t accessible using browsers older than about 2013 or so! Most major sites no longer support anything below TLS 1.2, which means the oldest browsers that can talk to those servers are from 2013 to 2015. This wouldn’t be as big of an issue if these sites still supported the basic HTTP protocol, but a lot of them force a secure connection–something I’ll get back to.

Juggling both HTTP and HTTPS versions of a site is a chore

Of course, you might wonder why if we can support both a secure and insecure protocol, we wouldn’t at least give people the option. That’s because HTTPS tries to monopolize every single setup it touches, and even when it doesn’t, it’s so fundamentally separate from HTTP that it causes a lot of overhead and headache.

When we make a subdomain on our hosting, we’re given the option of a Let’s Encrypt certificate to make HTTPS function. Once you say yes, it’s practically impossible to turn it off. For one thing, DreamHost “tries” to mandate HTTPS for that subdomain, and there’s even documents on its site about forcing it through an .htaccess if that doesn’t work.

Let’s say you made it mandatory at one point (as we have), and now want to turn it off. DreamHost keeps around your Let’s Encrypt certificate, just in case you change your mind, even past the renewal date. Since HTTP and HTTPS are totally different things, if you were to go HTTP-only by manually revoking the certificate, as there’s no redirect by default, all browsers trying to visit your site over HTTPS get an ominous red error page instead.

Chromium-based browsers warning of a certificate error
Looks a whole lot like a phishing attack or something, huh? That’s by design. It’s a scare tactic.

Click through that anyway, and you’ll see that the site now “no longer exists”!

DreamHost saying a site that does exist doesn't
“Oh, I guess Somnolescent is gone. We should celebrate.”

If you have people who’ve linked to your site, those links all error out, and you’re fucked. You’ll need to find some way to get those people to all update their links. Who knows what it’ll do to Google rankings. (This also occurs if you try to go to the HTTPS version of a site that’s HTTP-only, but you’d basically have to try to get the error page in that case.)

Even if it was never made mandatory, we now have, functionally, two identical copies of a site. Aside from being messy, it’s a nightmare for logging purposes. DreamHost logs the HTTP and HTTPS versions of a site separately. Site statistics for HTTP and HTTPS are counted separately. Google gets pissy about multiple copies of a site and demands you designate one as canonical.

Even if you accept all that, the HTTP version now has a degraded experience thanks to the magic of mixed content errors! You see, browsers are explicitly built now so your freedom of choice simply does not fucking matter, so, if you have a site over HTTP that can work over HTTPS try to load, say, a script or a font, none of it loads without you going out of your way to allow it in the HTTP header. Why? Because it’s an attack vector, ostensibly.

A big middle finger to Big Technology

And that attack on freedom of choice pisses me right off. A lot of people in this world have tunnel vision, this bizarre concept that, because the thing that matters to them (like security) gets improved by a decision, that decision is now automatically worth the tradeoff and everyone should be subjugated to it. They write cute little condescending sites about it, and get indignant when you disagree with their conception that their safety is worth your freedom.

Browsers have become these huge, ugly, hulking attack vectors because of all the bullshit they’ve tried building into them, so rather than reducing the attack vector by making the scope smaller and the product simpler, they’ll simply mandate more nonsense “for your safety”. Read this (if the fucking abysmal site design doesn’t scare you off) and tell me it doesn’t strike you as a bit bureaucratic in nature:

“We’re committed to completely eradicating weak versions of TLS because at Mozilla we believe that user security should not be treated as optional,” said Thyla van der Merwe, cryptography engineering manager at Mozilla.

What the fuck are you gonna do about it? Build your own browser? Fat fucking chance of that. Teams as big as Opera Software are practically contracting out and rebranding existing browsers because the job of maintaining one is so big. What the fuck are you gonna do, you dumb serf?

And God forbid you’d try to go back to a simpler time–when a browser was just an HTML parser on top of a network stack. Sure, it’s just TLS 1.0 on the chopping block–now. Who’s to say it’s not pure HTTP tomorrow? Remember, your safety is not an option. You consume content how we want you to consume it.

Is it really that necessary for our purposes?

Okay, so it’s a fucking nightmare if you have HTTP and HTTPS both supported. We can’t just use an older version of HTTPS because no one supports it anymore. Mandating HTTPS means we can’t do the things we want to do with our computers.

At the end of the day, what benefit does HTTPS serve us? We’re mostly serving static pages here. There’s nothing to secure–no passwords to steal, no bank account information to obtain, not even anyone’s lewd search history. I nodded to the one actual use of HTTPS being to protect user credentials–and certainly, that’s good for our WordPress installs, but beyond that? It’s a moot point.

Frankly, one of the most weirdly enlightening things came after I set up a site for Caby’s brother (cramble.somnolescent.net), and when I asked about a certificate, he said something to the effect of “I don’t really need one, do I? It’s just some pages.”

It is, indeed, just some pages.

The roadmap to HTTPS’ funeral

So, rant over. Until browsers do eventually kill off HTTP, it’s far less headache and far more efficient just to have things around here load HTTP-only. How’s this gonna work, and what do you have to pay attention to? It’s fairly simple, and my end goal is to make sure it’s nothing that you, my dear reader, notices.

New subdomains will not have any encryption

This is already a given for cammy, borb, cramble, archives, and autosite–the subdomains that have launched since October 2020 or so. These sites never had a certificate to begin with and never will.

Existing domains with certificates will redirect to HTTP with their certificates still valid

The majority of our existing static subdomains, like mon’s site, Misery Inspires, and valvedev.info, will continue to have valid certificates, but using a bit of .htaccess, they’ll redirect to HTTP. (mon’s already does as of writing this.)

I may or may not revoke the certificates at some later date, depending on how things are being linked to. Google respects 301 (“moved elsewhere”) statuses and updates the URLs accordingly, and assuming I don’t know of any extant links to the HTTPS versions, I’ll revoke the certificates and they’ll be HTTP-only subdomains.

Exemptions: WordPress sites and somnol.net itself

A few domains will continue to have HTTPS at least as an option. These are the domains where there be a WordPress install (caby, mariteaux, dotcomboom, and this blog, namely), as again, passwords are flying through the air on them. WordPress is especially tricky as it asks you to set which URL it loads assets from, so even with HTTPS as an option, loading stuff tends to result in mixed content warnings.

I’ll be looking into how I can potentially redirect most of what’s hosted on these subdomains to HTTP and leave just the WordPress directory served over HTTPS. If there comes an easy way to serve WordPress posts over raw HTML, I might even mandate it for the blog just to avoid the irritating warnings.

The top-level Somnolescent site is a special case thanks to our ad script, which I’ve opened up to let other people embed on their sites. Thanks to mixed content shenanigans, if anyone uses it on an HTTPS domain and somnolescent.net doesn’t also have a valid certificate, the ad script won’t load whatsoever. (The reverse, embedding on an HTTP site, is fine as somnolescent.net has the proper headers set.)

It’ll continue to be an option there unless I kill that off and rearrange everything again, in which case, it might too go HTTP-only. All depends if anyone offsite bothers using our ad script.

HTTP isn’t dead (it just isn’t)

I think even small web fans have a tendency to lose sight of the big picture. So much of the world’s data is concentrated on about 50 or so big sites, to the point where some people simply never leave them. To a lot of people, that is the web, and those sites all use HTTPS. Ergo, is HTTP on borrowed time? I’ve been alluding to them killing off support for it this entire piece, but will that really happen?

Well, I can’t predict the future, but it’d be a fucking stupid move. Have a look at my Seamount Navigator for a brief moment. As of writing this, there’s 42 sites on it. It’s not huge, but it’s a start. Do you know how many of those sites are HTTP-only? How much of those hours you can spend browsing, you can expect to do so “unprotected”?

27 of them. For those who suck at math, that’s a solid 65% of them. I didn’t grab them because they were HTTP–they just are. I grabbed them because they’re just regular people’s work, hours of it completely outside the cushy concept of the internet the vast majority of people have. Of the nine more I have bookmarked to eventually go on that page, four of them are HTTP-only. For us, the content creators–it just does not matter.

For everything the Big Technology “encrypt everything! (and let us keep stealing your data)” crowd has done to make HTTPS a walk in the park, it is still one of the most irritating aspects of being a webmaster I’ve had to deal with, precisely because I have specific needs that differ from theirs. It seems so minor, doesn’t it? Yet, it’s fundamental. It’s how the page loads. It defines what the page works on, and how you can enjoy someone else’s work.

And as of yet, aside from some passwords I never gave ALTEXXANET or a CVV I didn’t give Miss Mab, I’ve yet to see a reason somnolescent.net needs it.

About mariteaux

Somnolescent's webmaster with way too much to write about and a stack of CDs he'll never finish.

Leave a Reply

Your email address will not be published. Required fields are marked *