HTTPS is expensive security theater
Friday, December 18, 2015 by Dave Winer

Nieman Lab has a piece about HTTPS, and how 2015 wasn't the year it happened across the web. They hope it will happen in 2016, but it won't happen then either, because the web is too big and HTTPS is fraught with difficulty.

As an experiment I looked at all that I would have to do to support it on just one of my sites, and found the cost to be much higher than any potential benefit.

Let's say I wanted to do it for my main site, scripting.com.

First I'd have to move it off Amazon S3. But I like having it there. It took a lot of iteration to get it there in the first place. It's a huge site for a blog. It's been around since 1994 -- over 20 years. A few years ago I put all that static content in a bucket on S3 and forgot about it. It's just there. Served very cheaply. And I don't have to worry about scale. My RSS feed is there. God knows how many bots are reading it every five seconds. I don't know and I don't (have to) care. Amazon just takes care of it. For very low cost.

Second, if it were easy or even possible (I suspect it's not possible), Amazon would have already offered me the option to switch. For another $5 a month I could turn http://scripting.com/ into https://scripting.com/. But they have not made that offer. Every time I've looked into it, the cost was prohibitive, the amount of time I'd have to put into it was also prohibitive, and the benefit, insignificant. Frankly, if the Chinese want to add or remove stuff from my blog, go ahead, have a party. I'm sure they don't care. Honestly, I don't care either.

No money changes hands on any of my sites. I don't ask for credit card numbers or any information anyone could conceivably think of requiring security. When you log on to one of my sites, you're using Twitter's identity system, and they use HTTPS so if it's secure, then so am I.

But apparently HTTPS is not secure. Apparently there are holes in it. So please tell me this is more than security theater? I think the proponents of HTTPS are being as honest with us as the TSA, which is to say not very honest.

My net take -- it's a pointless fire drill. We're meant to prove that we're really here taking care of our sites. But I have a couple dozen sites that are just archives of projects that were completed a long time ago. I'm one person. I don't need make-work projects; I like to create new stuff. I don't need to make Google or Mozilla or the EFF or Nieman Lab happy.

Let's have a discussion about this, but a realistic and respectful one. HTTPS is not the answer to a problem that I have. So I don't have any intention of adapting my sites to support it.

PS: Yes, I've heard about all the things that supposedly make it easy to support. They all have missing pieces. They may get you closer to supporting it, in certain situations, but none of them could take me all the way there without major work on my sites. See above for reasons why I'm not going to undertake that work.

PPS: A discussion on this emerged on Facebook.