596 points pimterry | 5 comments
uwagar ◴[] No.36863072[source]
i'm gonna remove even https from my server. gotta go http in protest against this nonsense.

i'm already pissed off that firefox warns people that my site is unsafe for them when i don't even stick a cookie on them and yet provide useful Free software.

replies(1): >>36863131 #
Avamander ◴[] No.36863131[source]
That's like pissing in your own pants to try and keep warm and you weren't cold in the first place.
replies(1): >>36864587 #
uwagar ◴[] No.36864587[source]
i mean if i'm not tracking the user at all, why should i use https?
replies(1): >>36866892 #
hellojesus ◴[] No.36866892[source]
To prevent ISP or MITM injection... ISPs have a history of injecting ads into http connections.
replies(1): >>36866986 #
0xbadcafebee ◴[] No.36866986[source]
They're right though. The browser should have had a mode that ensures integrity without privacy (it's trivial; use PKI to sign the content, send the signature as a header, client validates the signature, and you have integrity over plaintext; or just a form of HSTS, if you don't need PKI, because if HSTS is good enough for certs, it's good enough for anything ELSE, right?). There could be protocol extensions that support clients only loading dynamic or identifying content for specific requests. All sorts of features could allow basic plaintext connections with public content to be as secure as HTTPS.

But the browser oligarchy doesn't want to allow that. They want to force everything to be private, which has caused tons of issues on the internet. And actually, it has strengthened the oligarchy, by forcing us to use private services (such as DNS-over-HTTPS, VPNs, CDNs, etc) which locks more of the internet into the control of a tiny handful of super powerful companies. To the point where if one of them decides to change something, it ripples across the entire internet, and everyone is forced to adopt it or break everything.

Crazier still... HTTPS isn't even that secure! Every year there are examples of valid certs being created for MITM. There are multiple vulns that work at any time. Mitigations that are optional and only a tiny fraction of the web use. And cert expiration, HSTS, and other issues still take down sites accidentally. But they force everyone to use it anyway!

replies(2): >>36867880 #>>36869845 #
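
Added example, not part of any comment in this thread: a sketch in Node.js of the "sign the content, send the signature as a header, client validates" idea from the comment above, run against constructed responses. The header name `x-content-signature`, the choice of Ed25519, and the `pinned` flag (standing in for an HSTS-like memory that the origin signs its content) are assumptions made for illustration; the public key is assumed to reach the client out of band.

```javascript
// Added example: body signature carried in a header over plaintext HTTP.
const nodeCrypto = require('node:crypto');

// Constructed site key pair. In the scheme described, the public key would
// reach the client via PKI or a prior pin, never via the same response.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

const SIG_HEADER = 'x-content-signature'; // hypothetical header name

// Server side: sign the exact body bytes and attach the signature as a header.
function signResponse(body, key) {
  const sig = nodeCrypto.sign(null, Buffer.from(body), key);
  return { headers: { [SIG_HEADER]: sig.toString('base64') }, body };
}

// Client side. `pinned` means the client already knows this origin signs its
// content, so a missing header is a failure rather than "unsigned site".
function verifyResponse(res, pubKey, pinned) {
  const sigB64 = res.headers[SIG_HEADER];
  if (!sigB64) return pinned ? 'reject: signature stripped' : 'accept: unsigned';
  const sig = Buffer.from(sigB64, 'base64');
  const ok = nodeCrypto.verify(null, Buffer.from(res.body), pubKey, sig);
  return ok ? 'accept: verified' : 'reject: body modified';
}

// Constructed in-transit changes to the plaintext response (sample data only).
function appendToBody(res) { return { ...res, body: res.body + '<!-- injected -->' }; }
function stripHeader(res) { return { headers: {}, body: res.body }; }

function demo() {
  const res = signResponse('<h1>Free software downloads</h1>', privateKey);
  return {
    clean: verifyResponse(res, publicKey, true),
    modified: verifyResponse(appendToBody(res), publicKey, true),
    strippedPinned: verifyResponse(stripHeader(res), publicKey, true),
    // Without a pin, stripping the header makes a modified body look unsigned.
    strippedUnpinned: verifyResponse(appendToBody(stripHeader(res)), publicKey, false),
  };
}

console.log(demo());
```

The signature here covers only the body bytes; it does not bind the URL, the other headers or freshness, so an older signed body served in its place would still verify.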
1. Avamander ◴[] No.36867880[source]
> it's trivial; use PKI to sign the content, send the signature as a header, client validates the signature, and you have integrity over plaintext;

Yes, that's what HTTPS does. I don't know why you'd want to just remove the encryption part.

If you personally want plaintext locally and to cache or whatever, set up a SOCKS proxy you *consent* to. That's the core essence here, consent. Most people don't consent to their ISP collecting analytics or injecting ads, this is why we can't even entertain the idea of leaving things plaintext - the web is too hostile.

> They want to force everything to be private, which has caused tons of issues on the internet.

People also want their things to be private. Where did you get the opinion that it's not something people want?

> Crazier still... HTTPS isn't even that secure! Every year there are examples of valid certs being created for MITM.

If that's crazy then the alternatives are absolutely inane.

> There are multiple vulns that work at any time. Mitigations that are optional and only a tiny fraction of the web use.

Elaborate please.

> And cert expiration, HSTS, and other issues still take down sites accidentally.

Many things (mis)used can cause downtime. That doesn't make it inherently bad. There are just tradeoffs.

> But they force everyone to use it anyway!

You are rather free to not use HTTPS, but browser vendors are really free to warn against such sites for very good reasons.

replies(1): >>36877963 #
2. 0xbadcafebee ◴[] No.36877963[source]
> I don't know why you'd want to just remove the encryption part.

Because encrypting every connection has caused problems.

1. You can't cache anymore. 90% of the web depends on cached content. Always has. We used to use tiers of web caches, to speed up the web, make it more resilient, reduce bandwidth requirements, etc. But encryption everywhere makes that nearly impossible. CDNs have now become the web's cache, which besides the fact that they now control more of the internet, means caching at local or intermediate networks basically isn't possible now so we lose a lot of network performance, reliability, redundancy. This matters more for users in poorer countries, remote areas, natural disasters, war zones, etc, but it affects rich pampered western users too, because ISPs have a harder time (and more expense) dealing with all the traffic.

2. Governments and companies want to inspect traffic. Yes, I get that you don't want them to. But guess what? They do not care what you think. They will force it to happen one way or another, whether it's subverting internet standards, passing laws to defeat encryption or install backdoors, secretly compromising certificate authorities, hacking into the networks of large service providers, or just straight up requiring you to install a custom CA cert (what all companies do now). All of these things, besides being really bad for our civil rights, cause technical issues that are hard to solve and waste time. Before encryption was mandatory, governments and companies were fine with passively inspecting traffic. But now they have no choice but to go full-on MITM, which now gives them the ability to inject as well as inspect, which is even worse. Again: doesn't matter if you don't want them to inspect your traffic, they are going to do it no matter what, for reasons. You may not think they're valid reasons, but the reasons are there and aren't going away, so neither is this arms-race between the people who have to inspect and the people making inspection impossible.

3. Encryption is being used as a planned obsolescence lever. Older machines and software no longer connect to web servers because of course everything now requires encryption, and the old encryption schemes inevitably become insecure and must be replaced. So now we will be even more locked in to a world that constantly requires purchasing more goods and services to do what we could have done with something we purchased 20 years ago. Creates unnecessary waste, consumerism, expense, and just an annoyance that we have to be constantly upgrading rather than using something old and stable and compatible.

4. Obviously, encryption is slower and more complicated than plaintext, increases the complexity of software and the number of bugs, and requires more powerful chips / more memory to do basic operations over a network (ex. embedded apps), but whatever.

> You are rather free to not use HTTPS, but browser vendors are really free to warn against such sites for very good reasons.

First, no, increasingly HTTP is being blocked or unsupported. But secondly, this is like saying browser vendors are really free to do anything they want, including... like I mentioned... putting in integrity without privacy. But they are also "free" not to do that, leading to all the problems I mention and more. So they are "free" to fuck us over, basically.

replies(1): >>36907069 #
3. Avamander ◴[] No.36907069[source]
> 1. You can't cache anymore.

You can, if the end-user client consents to it. Caching is also immensely difficult to get right, mistakes cause subtle and annoying issues. Even better, how about those ISPs invest some in the infrastructure in order not to fall over (if it's actually an issue) at the microscopic (by modern standards) bandwidth regular web browsing requires.

> 2. Governments and companies want to inspect traffic. Yes, I get that you don't want them to. But guess what? They do not care what you think. They will force it to happen one way or another, whether it's subverting internet standards, passing laws to defeat encryption or install backdoors, secretly compromising certificate authorities, hacking into the networks of large service providers, or just straight up requiring you to install a custom CA cert (what all companies do now).

So if they take such illegal actions, why make it easier for them? Sounds very defeatist.

> 3. Encryption is being used as a planned obsolescence lever.

Choose better software. A TLSv1.3 stack runs on even microcontrollers with a breeze.

> 4. Obviously, encryption is slower and more complicated than plaintext

It's actually much more straightforward than what's being protected by it. If anything, attack surface is *immensely* reduced to just the rigorously tested TLS libraries instead of all the HTTP, JS or multimedia code paths.

replies(1): >>36948187 #
4. 0xbadcafebee ◴[] No.36948187[source]

> 1. You can't cache anymore.

> You can, if

IF you completely ignore the actual problems I listed and invent a different problem to solve and pretend that you're correct?

> 3. Encryption is being used as a planned obsolescence lever.

> Choose better software.

First, it isn't better, it's just newer, and second, it doesn't matter whether or not you want better software. It matters whether a user or use case wants to continue to use an old device or software. If you start deciding for the user what they can or can't, should or shouldn't, do with their computer, now you've become an authoritarian/paternalist, which is objectively a bad thing to be.
replies(1): >>37032821 #
5. Avamander ◴[] No.37032821[source]
> IF you completely ignore the actual problems I listed and invent a different problem to solve and pretend that you're correct?

Requiring consent of the device owner is not a problem, it's a goal.

> It matters whether a user or use case wants to continue to use an old device or software.

Not every use case has to matter for every site operator. That's such an entitled thing to expect it's absurd.

> If you start deciding for the user what they can or can't, should or shouldn't, do with their computer, now you've become an authoritarian/paternalist

No, it's not authoritarian or paternalist. You're still free to visit those sites that wish to support your use-case. It would be authoritarian if you'd force everyone to support some old shit for all eternity for no good reason.