The New HTTP Order

Happy new year to all our faithful blog readers! January is always the time for reflection and looking forward to the future, and while I do the personal talk on my personal site, I want to discuss the future of you connecting to this here site network here today. I’ve beaten this drum before, but I’m about ready to puncture a hole in it today, because I’m pretty sure there’s not going to be a drum to beat in the next few years.

I am seeing the death of the HTTP-only connection coming in the next year or two, and I am pissed. I will have to force HTTPS on somnolescent.net, something I have resisted at every turn so far, if we want to remain accessible to the wider Web. Think this is hyperbole? Here’s a nice throwback to ring in 2025—have a steaming hot marf rant to keep you warm in these winter months.

The foreshocks

None of those things are my problem. If people don’t want to see my site with random trash inserted into it, they can choose not to access it through broken and/or compromised networks. If other website operators are concerned about this sort of thing, they are free to use HTTPS, but I have no reason to do so. Encryption should be available to anyone who wants to serve encrypted content, but I have no interest in using it for my website. It’s a shame that people are using web browsers (note: not my website, but BROWSERS) as attack vectors. The legions of browser programmers employed by Mozilla, Google, Apple, and Microsoft should do something about that. It’s not my flaw to fix, because it’s a problem with the clients. My site does not need HTTPS.

n-gate, 2017, “Discourse on HTTPS”

A couple days ago, I peeked in my YouTube Studio’s comments feed to find someone complaining about a dead link to my site. Admittedly, the link was dead, but something was still broken when I restored it. Turns out, very recently, YouTube has forced all outgoing links to load over HTTPS, even when they start with http://. This meant my site, lofi.mariteaux.somnolescent.net, which does not have an HTTPS version (it doesn’t need one, it’s built for Firefox 2.0 and IE8), is completely unable to load from YouTube—the link redirects to a site that doesn’t exist no matter what I do.

[Image: YouTube no longer supports outgoing HTTP links]
dcb told me in the middle of me writing this post that he was getting similar comments linking to w2krepo not too long ago. Phenomenal.

The links worked as late as this past October, when I uploaded (with a download in the description) the Guitar Hero II MoriHime custom chart I did for Connor, but YouTube arbitrarily decided that these specific links should not work anymore.

Why? Because they could, by and large.

Consider this: if you have a website that does not use HTTPS, YouTube, without telling anyone, has decided your site no longer exists. If anyone tries to view it, it will fail. This does not serve any security benefit outside of further expanding the HTTP ghetto, the “this is dangerous and off-limits for you” zone that Google itself pushes with Chrome, which now features an HTTPS-only mode just like Firefox and will be quietly rolled out to more and more users over time. Both of these will give you scary errors about the site being insecure and dangerous and force you to click through extra bullshit just to view the site you wanted to see in the first place, clicks your average viewer is not guaranteed (or is even particularly likely) to make.

Why? Because they could, by and large.

I’ve seen this coming for a while now. I know Caby’s had issues connecting to her own site because browsers are set up to assume https:// if the http:// is omitted, receive an error, and then cache the error, thus making the HTTP-only tango even further complicated. It’s not unreasonable for beleaguered users to either start raising a ruckus or to say “fuck this” and discontinue visiting the site altogether, thus forcing webmasters to switch over—and it’s not unreasonable to assume that wasn’t the idea to begin with.

Let’s recap why this matters. You have a website, and the traffic can load over two methods. There’s HTTP, which is unencrypted—that means there’s no obfuscation of the data being sent between you and the server, and there’s HTTPS, which uses a protocol called TLS to mask what all is being sent between the server and client.

This seems like a good thing, right? It is! I have no issue with HTTPS as a concept, and it should definitely be an option—in fact, if you notice, any sites on our site network that accept passwords, like Letters, use HTTPS, because plaintext auth is for idiots. It’s not the concept of HTTPS that’s the issue, but the way that it’s become mandated, forced, and how that’s emblematic of the transition between the “tinker at your own peril” era of technology to the “we know what’s best for you” era of technology, according to the least qualified people to make those calls in all of tech history, that pisses in my hot chocolate.

[Image: A Mozilla official FAQ on HTTPS]
“No it’s okay, we’re just taking away your ability to choose slowly, no worries.” (This official Mozilla FAQ PDF is from May 2015, in case you’re wondering how long they’ve been planning this.)

And every year, this stranglehold that developers have on the choices of you, the audience member, and me, the webmaster, tightens. I have no ability to affect anything, and even if I tried, the technorati, Our Benefactors, the self-imposed guardians of keeping us safe, would simply (and often smarmily, with the tone and cadence of a condescending parent) tell me it’s for my own good and It Makes Sense.

Why I want unencrypted HTTP

Old browser support. I wrote nofi.mariteaux.somnolescent.net in HTML 3.2 with no stylesheet specifically so there’s basically no browser, even line mode browsers from the early 90s, that can’t read it. If it can get online, it can view my site and read my album reviews, essays, and stories. That makes me happy.

somnolescent.net has grown to be quite retro browser friendly in the past couple years. We test with some pretty old browsers at this point, and with retrocomputing entering its Internet era, as people realize there’s not actually a risk to taking Windows 95 online in the Current Year, it’s nice to know we’re giving them all something new to look at. That’s why we maintain a Gopher server too—because everything can look at Gopher with the right client. I’m sure even browsing Gopher on an 8088 could be a fast, pleasant experience (and super neat to boot).

The issue comes that these browsers do not support modern encryption protocols. Of course, over time, we find better ciphers and methods to keep the data through the pipes safe. It used to be called SSL, and then SSL was deprecated for TLS 1.0. Now 1.0 and 1.1 are deprecated, and TLS 1.3 has been supported for a couple years now (and don’t ask me what happens when TLS 1.2 gets deprecated, guh). Old browsers that don’t support these new ciphers simply throw an error. Legacy SSL and TLS support is a largely unsupported security risk thanks to certain features that allow a secure connection to fall back to using an older, easier to crack protocol, so fuck it, we won’t secure or guarantee anything about the site you’re looking at. Plain HTTP does just fine.

Except now, new browsers are trying to phase out plain HTTP entirely. I now have two choices, functionally, because supporting both is an absolute nightmare that causes links to break in various computing contexts:

  1. Use plain HTTP only and slowly be cut off from the rest of the Internet
  2. Use HTTPS only and cut off all the old browser support

I’m aware of proxies that can translate HTTPS requests on a modern computer to plain HTTP for older ones, but I shouldn’t have to tell you how aggravating it is to have a site that can work on new and old browsers just fine, and did a year or two ago, and now suddenly won’t work unless I introduce a completely unnecessary extra piece in the chain to translate between Old and Old-in-Shiny-Paper.

Why I deserve unencrypted HTTP

If your response to any of this is a list of the improvements HTTPS makes to privacy and prevention of page tampering and any of that and then to say we should be using HTTPS, you’re at best not reading too close and at worst have holes in your brain. A common Internet-y Smart Person thing to do is to go “well this is better, so you should do this instead”—and maybe when it’s “what game console should I buy”, that’s fine. I’ve done that, I’m a pasty autistic Internet-y Smart Person, and when you’re flinging shit on Reddit, it’s enjoyable enough.

We’re talking about my website here, though. This is my space that I pay for for my creative expression, and not just that—this is how you connect to it, how you are able to access it in the first place. I want it set up how I choose to have it set up, but because browser manufacturers that have no regard for me as a user of their product decided that’s not in the cards, I need to jump through hoops, fucking hoops, to have my site viewable with their product, even though there is zero reason why HTTPS should be forced other than “it’s Better And More Secure”.

I don’t want Better And More Secure. I want choice. Technology is here for my benefit, not the other way around. I would rather make the choice that would get me a trillion billion heckin’ downvoots on le Reddit, because don’t care, didn’t ask, it’s my website, and if I fuck up and break something, too bad so sad, I should’ve been smarter about it. Better than having the choice be made for me by someone I’ve never met, never agreed to make that choice for me, and disregards my perfectly valid use cases in their pursuit of perfect security that can never fucking exist.

Yeah no, all of this is ignoring the major issues with certificate holders fucking up and signing certs for fraudulent parties, or that CloudFlare is a literal man-in-the-middle, capable of encrypting and decrypting TLS traffic and injecting anything they like into pages served through its DDoS protection, one that we have arbitrarily deemed the safe snake that is absolutely not about to eat us fucking mice, because why would we have any reason to distrust CloudFlare? It’s everywhere! Everything uses it!

Computers cannot protect you from yourself, nor should they. The Internet is getting worse every single day, filled with Chinesium dropshipped bullshit, predatory ads, AI generated content to fool your grandparents, and set up to turn you into an agitated, terrified feral pig at every single turn—and yet it’s my site with a long-haired cartoon dog on it, that stores no passwords and doesn’t even use cookies, that’s the security issue we need to protect against here.

Total Google death, total Mozilla death, total advertiser death.

What’s next

I don’t fuckin’ know, mang. Monitor the situation, I guess.

Eventually I will probably give up the crusade and force HTTPS on the site network again, at least for some subdomains, and there will be a lot of capital-B Benefits to the switchover, but none of them will matter to me, because I didn’t switch for those benefits. I switched because I was basically forced to, or else the most basic function of a website, viewing it, gradually decays from between my fingers.

If anyone thinks there’s anything serverwise I can do to get around these browser restrictions, there’s unfortunately not. If a client won’t connect to a server, that server can’t do shit about it. People by and large are not configuring their browsers and eventually won’t be able to even turn off the HTTPS-only mode. I’d be asking our viewers to use a specific browser just for somnolescent.net, which is simply too tall an ask given how weird and insignificant we are.

I guess on the retrocomputing enthusiast end of things, proxies like WebOne are the way to go into the future, but something feels utterly peanut brain fucking dumb about writing a website that Netscape 3.0 can view in every context save for when it’s posted on the Web. It’s another barrier to entry too; are other retrocomputing enthusiasts gonna have the setup and know-how necessary to not only get their retro PC online, but to set up a proxy server on an adjacent modern PC just to be able to view my site for ten minutes in the browsing context I intend? Probably not. I suppose we can set up our own publicly-accessible proxy, but then we’d be responsible for what goes through it as well.

None of this is fun, and while I still absolutely love building sites and always will, the lack of easy solutions towards very reasonable ends definitely frustrates me. I guess such is life with such a niche hobby as retro Web design. I haven’t even seen much nostalgiamining anymore on the occasion I end up on Neocities—seems those kids have moved on to facsimile Web 2.0 MySpace aesthetics, and either way, it’s probably a much more blissful experience. Trying to attain the real thing and keep your lurking modern Web audience able to see your site at all at the same time is getting to be obnoxiously difficult.

I’ll keep you posted if I find a good solution.

About mariteaux

Somnolescent's webmaster with way too much to write about and a stack of CDs he'll never finish.