As long as HTTP is supported, everything is alright. I guess at some point web browsers will stop processing js served through HTTP, so that the “this site is insecure” icon will lose its meaning and civilized people can get back to plain http for simple static sites (instead of resorting to gopher and whatnot).
It seems to me that there is a large portion of the web/browser community that would rather just drop support for HTTP altogether. Hopefully they won’t do that, because IMHO we need simpler protocols and tech, not more complex. Modern trends like HTTP/2, Kubernetes and whatnot are all adding complexity, while practically no new inventions reduce it. Sooner or later it will be impossible to understand how it all works, even dedicated experts will only understand a tiny portion of all the moving parts.
What does enabling JS have to do with the move from HTTP to HTTPS? HTTPS is about encrypting the requests/responses, not preventing XSS.
I can’t speak for anyone else, but I’m thinking of events like the one that took down GitHub a few years ago.
And everyone should be running an ad blocker, of course. The web really is this era’s equivalent to the DOS-based family of Windows.
I am a vocal proponent of using HTTP and not using HTTPS for displaying unsecure static data to the world. The increased complexity of HTTPS and its need to depend on third parties are too strong an inconvenience for such a basic usage. I argue that my website is a sand castle on the beach, for everyone to look at, and I do not really care if some random visitors (“attackers”, if you want) come and put their name or whatever they want on it.
I’ve legit seen ISPs in certain regions inject ridiculous ads and track the content of HTTP pages people visit.
I’m thinking less about stealing the credit cards and more about redirecting traffic to malicious servers which can install malware. https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/
I can kind of sympathize with the author here, but OTOH, I’ve run an HTTP server starting out in the late 90s. It has required attention every 5 years or so at best. The last change I made to it was a couple of years ago to put in Let’s Encrypt certificates. It was a relatively simple change and it has been running fine since then.
Software connected to “the Internet of Hate, aka The Internet” (tm James Mickens) cannot be entirely static and stable, otherwise it will get hacked, but a simple HTTP Server serving static documents is about as low-risk as you can get, and even the move from HTTP to HTTPS is a fairly simple one that, in my experience, doesn’t need constant attention.
The complexity comes with running a rich, interactive “Web what are we up to now? dot 0” experience, where you’re letting people interact directly with your precious web server.
Doesn’t using proxies address this, on top of a performance and security boost?
Using proxies just pushes the problem back one layer; now you need to maintain the proxy’s TLS configuration instead of your web server’s TLS configuration, but it still has to be maintained. Or you outsource maintaining it to Cloudflare. You still can’t walk away from the server entirely and let it keep running quietly.
(I’m the author of the linked-to entry.)
“In the era of HTTP, you could have set up a web server in 2000 and it could still be running today, working perfectly well”
“And now you have to keep reasonably up to date with web server software, TLS libraries, and TLS configurations on an ongoing basis, because I doubt that the deprecation of everything before TLS 1.2 will be the last such deprecation”
This is what I’m addressing. It seemed like the folks you talk about wanted these servers to keep running. These diverse and interesting setups. Then, HTTPS’s varying needs get in the way. So, we rely on a mature proxy whose developers and/or ecosystem handle all that, so HTTP or whatever it proxies to keeps working without all that work. Then, the rest can keep focusing on the non-HTTPS stuff that sits behind the proxies. There are existing tools for that.
“Another, more relevant side of this is that it’s not going to be possible for people with web servers to just let them sit.”
This part remains true. Looking at the big picture, it probably was and always will be true for a lot of things in tech and life, just due to how our environments change constantly, whether offline or online. If anything, we should be pleasantly surprised when something we build still works five years later online without changes. Even more so as the pace of change and extra complexities increase over time.
Heck, FTP is still kicking around! My guess is HTTP hangs on for a while longer, but like ftp may eventually be dropped by browsers and become a bit more specific to certain use-cases.