i got yelled at once for saying i should be able to disable https if i want in some cases. how dare i encroach on security!!!!!!
99% of the time you don't need shit to be secure. you won't care. but i find that it's increasingly like those public cctv and security cameras you see everywhere: it's suffocating, and critically, it also kills off every alternative, old client out there.
like, great, yeah. you require tls 1.3, and the latest certs to be installed. anything that's too old to get an update now? dead. there's nothing you can do. an end user is completely unable to do anything about these issues outside of buying a new device.
you have something retro you want to get online? too bad. have fun setting up a bunch of weird proxies to get around things. you want to download old software? guess what: it's often also hosted on these sites with higher requirements. you can't download k-meleon on older systems, a browser that tries to support newer encryption protocols specifically for older shit, because... the download system requires the modern ciphers and refuses anything else.
i think the most damning thing of all is that, as much as Google is leading the charge in enforcing these, showing scary NOT SECURE!!!!!!! if you dare to use http for anything... their shit still works with it. i'm pretty sure if you dump google.com in windows 98 internet explorer, it will still dutifully load an old search page, that, critically, still works.
my take on it is just: do you need it? do you really need five layers of web security for every single operation you do? i'm not saying it all should go away; banks and other websites that take personal information shouldn't be insecure. but the vast majority of the web doesn't need this. your geocities-aesthetic page does not need the finest encryption the nsa can provide. 99.999999% of the time nobody is going to give a shit.
but the fact that it's on, with no option to ever turn it off, means that you have no option but to upgrade to the latest and greatest. if you have something old, it could still be fully working; but they swapped the locks on you, so you can't use it any more.
disclaimer
i can rant about these things precisely because i have no impact on them. nobody is going to read this and turn around to go "wow, we should turn https off entirely!" because i ranted about it some. if you show up and go "wow so you just want everyone to get MITMed and hacked forever, huh" i will kick you in the nuts or nuts-equivalent and push you down a flight of stairs.
if you do this you are showing up to the old guy with a waist-length beard holding a cardboard sign saying "OLD WAS BETTER" and trying to argue with them, and i will instead beat you with the sign. let me have my fun. you are never going to feel the impacts of my rants, because they don't exist. but you might feel what i'm ranting about.
There's an especially insidious wrinkle to this in web APIs. Many newer web APIs can only be used for documents served via a "secure context", which means served via HTTPS. Even for completely static single-file applications that never so much as make a single network request. Despite the claims on that MDN page, some browsers don't even allow these features to be used on documents opened from a local filesystem, and you can expect this to get locked down tighter over time.
Web-Decker will probably never be able to prompt the user to take a webcam photo, or access gamepads on Firefox, or save a file in-place, because in addition to quite reasonable affirmative-consent-gating dialog boxes, there is this bullshit HTTPS constraint.
Secure Contexts are a very deliberate choice to ratchet applications toward HTTPS, and HTTPS is in turn a ratchet to kill old software.
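The secure-context gating described in the comment above is something a static single-file app can at least detect and degrade around rather than just failing. The following is an added example, not code from the thread or from Web-Decker: it checks `isSecureContext` and the presence of each gated API, and picks a fallback (a plain file input, keyboard controls, a Blob-URL download) when the native API is unavailable. The `env` object standing in for the browser globals, and the feature table itself, are constructed for this example so it can also be run in Node.

```javascript
// Added example (not from the thread): capability detection for a static,
// single-file web app that wants to degrade gracefully instead of breaking
// when it is opened over plain HTTP or from file://.
//
// `env` stands in for the browser globals (isSecureContext, navigator, window)
// so the same logic can be exercised in Node with constructed inputs.

// Which features the app would like, which Web API each one needs, and the
// fallback to use when that API cannot be used. A browser may omit a gated
// API entirely outside a secure context, or expose it and then reject the
// call, so both the context flag and the API presence are checked.
const FEATURES = [
  {
    name: 'webcam',
    api: (e) => e.navigator?.mediaDevices?.getUserMedia,
    fallback: '<input type="file" accept="image/*" capture>',
  },
  {
    name: 'gamepad',
    api: (e) => e.navigator?.getGamepads,
    fallback: 'keyboard controls',
  },
  {
    name: 'saveInPlace',
    api: (e) => e.window?.showSaveFilePicker, // File System Access API
    fallback: 'download via Blob URL and <a download>',
  },
];

// Returns, per feature, whether the native API will be used or which
// fallback applies, plus the reason so it can be surfaced to the user.
function planFeatures(env) {
  const secure = env.isSecureContext === true;
  const plan = {};
  for (const f of FEATURES) {
    const available = secure && typeof f.api(env) === 'function';
    plan[f.name] = available
      ? { mode: 'native' }
      : {
          mode: 'fallback',
          use: f.fallback,
          reason: secure ? 'api missing' : 'insecure context',
        };
  }
  return plan;
}

// In a browser, build the env from the real globals:
//   planFeatures({ isSecureContext, navigator, window })
// Under Node there are no such globals, so demonstrate with a constructed
// "opened from file:// in a browser that exposes nothing" environment.
if (typeof window === 'undefined') {
  const fileUrlEnv = { isSecureContext: false, navigator: {}, window: {} };
  console.log(planFeatures(fileUrlEnv));
}
```

The point of carrying a `reason` alongside each fallback is that "insecure context" is something the user can act on (open the same file over HTTPS or from a host that serves it securely), whereas "api missing" is not.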
I'm not here to argue that requiring HTTPS everywhere doesn't make things hard for old sites. It does.
But all this talk of "you don't need security all the time!" misses the point that HTTPS also provides privacy. Third parties can't see what pages you're visiting, or the contents of those pages.
Sure, maybe you're not worried about getting owned by someone MITMing your connection to a retroware site. But do you really not care about your data getting hoovered up by every single multinational megaconglomerate capital overlord too?
https is fine. https has been around for over 20 years at this point.
but i'd like to make a few counterpoints:
- the main thing is the relatively recent requirement to nuke old protocols and only enable the newest, most secure ones. this is the problem. old clients simply do not have a way to communicate. there is no fallback. there is no "okay, we can use this less secure setup".
- "best practices" also means you can't use http, at all, even if you can't use https.
- part of this is because "but then an attacker could just pretend they don't support anything newer" and like, sure, whatever, valid.
the "but do you really not care about your data getting hoovered up": every website on the fucking planet is doing this to you already. even this website has an analytics script at scripts.simpleanalyticscdn.com! no megaconglomerate is going to sit there decrypting your tls 1.0 traffic to oldshittydosgames.com.gz when it would be much faster to nab it where everyone is willingly logging their traffic.
let me rephrase my original point a little more:
forcing all clients and servers to only offer the latest ciphers and reject clients that cannot use older ones effectively disables every client older than a few years. sure hope those programs are still getting updated.
and, again: as much as google pushes it? their own flagship website doesn't do this. you can still go there with plain ol' http if you want.
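The three points in this reply (latest-only policies leave old clients with nothing to negotiate, there is no "less secure setup" to fall back to, and the counter-argument that an attacker could simply pretend to be an old client) can be made concrete with a small model of server-side TLS version selection. This is an added example and not code from the thread; it is a deliberately simplified model (versions as plain numbers, cipher suites as strings, the TLS 1.3 `supported_versions` list folded into `versions`, and no TLS 1.3 downgrade sentinel in the server random), not the real wire format. The server policies and ClientHellos are constructed for the example. The downgrade check follows RFC 7507: a client that retries with a lower maximum than it really supports adds `TLS_FALLBACK_SCSV` to its cipher list, and a server that could have done better aborts with `inappropriate_fallback`.

```javascript
// Added example (not from the thread): a simplified model of how a TLS server
// picks a protocol version, used to show what "no fallback" means for an old
// client and how a server that keeps an older floor can still refuse a
// forced downgrade (RFC 7507, TLS_FALLBACK_SCSV).
//
// Assumptions of this example (not the real wire format): versions are plain
// numbers, cipher suites are strings, and the TLS 1.3 supported_versions
// extension is folded into `versions`.
const TLS_FALLBACK_SCSV = 'TLS_FALLBACK_SCSV'; // on the wire this is 0x5600

function negotiate(serverPolicy, clientHello) {
  const { minVersion, maxVersion } = serverPolicy;
  // The client lists what it supports; consider the highest first.
  const offered = [...clientHello.versions].sort((a, b) => b - a);

  // RFC 7507: if the client signals that this hello is a fallback retry and
  // the server supports something newer than the client's offered maximum,
  // then a middlebox or an attacker forced the downgrade. Abort rather than
  // silently talking the weaker version.
  if (clientHello.ciphers.includes(TLS_FALLBACK_SCSV) && maxVersion > offered[0]) {
    return { ok: false, alert: 'inappropriate_fallback' };
  }

  // Otherwise pick the highest offered version inside the server's window.
  const chosen = offered.find((v) => v >= minVersion && v <= maxVersion);
  if (chosen === undefined) {
    // Nothing in common: the old client simply cannot connect.
    return { ok: false, alert: 'protocol_version' };
  }
  return { ok: true, version: chosen };
}

// Two server policies: the "latest only" one the thread complains about,
// and one that still admits TLS 1.2 but nothing older.
const LATEST_ONLY = { minVersion: 1.3, maxVersion: 1.3 };
const WITH_12_FLOOR = { minVersion: 1.2, maxVersion: 1.3 };

// Constructed ClientHellos.
const OLD_CLIENT = { versions: [1.2, 1.1, 1.0], ciphers: ['AES128-SHA'] };
const NEW_CLIENT = { versions: [1.3, 1.2], ciphers: ['TLS_AES_128_GCM_SHA256', 'AES128-SHA'] };
// A capable client that was pushed into retrying at 1.0 (it marks the retry
// with the SCSV); this is what "pretending not to support anything newer"
// looks like to the server.
const DOWNGRADED_RETRY = { versions: [1.0], ciphers: ['AES128-SHA', TLS_FALLBACK_SCSV] };

// Run every policy against every client and return the outcome table.
function matrix() {
  const policies = { LATEST_ONLY, WITH_12_FLOOR };
  const clients = { OLD_CLIENT, NEW_CLIENT, DOWNGRADED_RETRY };
  const out = {};
  for (const [pName, policy] of Object.entries(policies)) {
    out[pName] = {};
    for (const [cName, hello] of Object.entries(clients)) {
      out[pName][cName] = negotiate(policy, hello);
    }
  }
  return out;
}

console.log(JSON.stringify(matrix(), null, 2));
```

What the table shows is that the floor is a separate decision from the downgrade defence: `WITH_12_FLOOR` lets the genuinely old client in at 1.2 while still rejecting the forced-downgrade retry, so admitting older versions does not by itself mean accepting whatever an attacker claims the client supports.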