This website is available without encryption, and yours should be too
Over the last decade, the internet has seen a major rollout of encryption for data in transit. Every website got a certificate, and URLs suddenly started with "https".
Encryption of the transmission protects against eavesdropping and provides a degree of trust that the party at the other end of the connection is who we believe it is. For this, certificates are required, and the encryption protocols must provide strong encryption.
As always, this comes at a price. The implementation of encryption technologies not only adds protection, it also creates a barrier and shuts people out.
When we allow our websites to be visited both over an encrypted and an unencrypted channel, we empower the visitor to choose which method to use.
Trusting certificate authorities
For certificates we require trusted certificate authorities (CAs), but who decides which authority is to be trusted?
For websites in most cases it is the producer of the web browser (e.g., Microsoft, Apple, Google, or Mozilla) that decides which authorities are to be seen as trusted.
According to Wikipedia, these are the current top five CAs (based on market share):
CA | Country
---|---
Let's Encrypt | USA
GlobalSign | Belgium
IdenTrust | USA
Xcitium | USA
DigiCert | USA
Four of the top five CAs are based in the USA, one in Europe.
Given the current global tensions, a more even distribution around the world is desirable.
Encryption standards
Aside from providing trust, encryption is applied in order to protect against unauthorized access, like eavesdropping. This requires strong encryption.
When a weakness in an encryption standard is uncovered, it is replaced with a stronger standard. This results in an ongoing drive to improve and strengthen standards.
The moment a new encryption standard is adopted, both servers and clients must follow. This is a problem when running older software: without updates, it will no longer be able to participate.
There are several reasons for running older software.
- For older hardware, only an older operating system might be available.
- For older hardware, often only older versions of a client or a server are available.
- New software is available, but out of reach, e.g., because of license fees.
If older hardware is good enough for the task at hand, there is in fact no need to upgrade, except that not all software will remain supported and receive new updates.
Keeping hardware in use rather than replacing it is generally the best choice for the environment.
Encryption and privacy
One argument for encrypted transmission is the protection of privacy. It makes it harder for an internet provider to log which websites you visit. The impact of this is relative: many websites are infested with privacy-invading surveillance marketing technologies.
In the case of self-hosted blogs, websites or other elements of the smol net, there usually aren't many different sites running on the same server. Even when the transmission is encrypted, the IP address of the server gives away enough information.
Barrier
A server that requires a client to trust its certificate and to use up-to-date encryption methods raises a barrier and shuts people out.
When a user needs to supply sensitive data or authenticate with credentials like a username and password, it is understandable that a secure channel is used.
Most web pages, however, don't require the transmission of sensitive data. When an unencrypted method is available for those pages, fewer people are shut out.
Offer both
Why not offer both an encrypted channel ("https") as well as an unencrypted channel ("http")? This is what we did when the first websites got encryption, and we can still do that today.
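As an added example that is not part of the original post, here is an nginx configuration that serves one site on both channels without forcing a redirect, while keeping the credential-carrying pages mentioned above on the secure channel only. The hostname, certificate paths, document root and the /login/ location are assumptions.

```nginx
# Added example (not the post's own configuration): one nginx server block
# that answers on plain HTTP (80) and HTTPS (443) for the same content, so
# the visitor chooses the channel. Hostname and paths are placeholders.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    # Assumed certificate location (e.g. as issued by a CA such as Let's Encrypt).
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    root  /var/www/example;
    index index.html;

    # Deliberately no Strict-Transport-Security header: once a browser has
    # seen HSTS for this host it refuses the plain-HTTP channel for max-age,
    # which would defeat offering both.

    # Pages that take credentials or other sensitive data stay HTTPS-only,
    # as the post recommends for logins; everything else is served as-is.
    location /login/ {
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
    }
}
```

Check the result with `nginx -t` before reloading; a plain `curl -I http://example.org/` should return the page directly, while `curl -I http://example.org/login/` should return a 301 to the https URL.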