nettime's_castaway on Sun, 10 May 2015 23:00:14 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Ben Klemens: HTTPS: the end of an era


< https://medium.com/@b_k/https-the-end-of-an-era-c106acded474 >

     HTTPS: the end of an era

     Ben Klemens

Mozilla, the foundation that maintains Firefox, has announced that it
will effectively deprecate the insecure HTTP protocol, eventually
forcing all sites to use HTTPS if they hope to use modern features.

This essay explains why this was such depressing news to me, why this
shift marks the death of a way of life.

Part 0: HTTP vs HTTPS

If you know the difference between HTTP and HTTPS, you can probably skip
this part.

But for those of you not into tech acronyms, HTTP is the hypertext
transfer protocol that your browser uses to talk to web servers bringing
you data. It is relatively simple, to the point that if you have a way
to inspect the packets of data as they come down the wire, you could
read the web page right off of them. Those packets are being sent down a
long series of routers between you and the web server, and there is a
not-insignificant chance that somewhere along the way they are being
inspected or stored by criminals, overly aggressive advertisers, the US
National Security Agency, or some bored creep somewhere.

Thus HTTPS, the secure version. Via HTTPS, the site you are connecting
to (herein https://example.com, because I don't feel like inventing
something clever) has some associated encryption codes, and your PC (or
phone or watch or whatever contraption you are connecting with) uses the
codes to encrypt all data before sending it, and the other side sends
encrypted data back. So all of the packets are basically illegible to
any of the many parties that handle those packets, but are legible to
you and the web server at example.com.

But what if the NSA intercepts your connection, tells you it is
example.com, and tells your PC to use NSA's preferred encryption codes?
You send data encrypted with NSA keys over the wire, the NSA decrypts
and records your data, then passes it on to example.com, and passes
example.com's requests back to you after recording those. You think
nothing is wrong, but the man-in-the-middle (the NSA) has read all your
communications, rendering all that encryption useless.

So you can't trust the data until you get the right keys, but you can't
trust the keys as being from example.com until you get some other
verification, but then how do you trust that other verification? The
solution is a signed certificate registering the identity of
example.com. There are a small number of certificate authorities
providing such trustworthy certificates, and your browser knows them by
name.

The current state of the world is that there is a mix of HTTP and HTTPS.
Your bank uses HTTPS (and if it doesn't, get a new bank immediately).
But http://www.weather.gov/ works in plain HTTP, so snoops could
determine for what locations you are checking the weather. Mozilla's
security team is taking its action to nudge the Web in the direction of
being 100% HTTPS.

Part I: The introvert

But this is a post about people, not security keys, so let's talk about
introverts.

Introverts are the dark matter of the social universe. If you measure
the world of people by easy means, like meetup groups or Facebook pages
or tweets or people who are willing to pick up the phone when an unknown
person calls with a survey, you will get a massive undercount of
introverts. Nobody ever shows up to Introvert Club meetings.

But every introvert has a family, so that is your most likely means of
running into an introvert. When somebody tells you stories about the
aunt or grandfather who doesn't get out much (invariably accompanied
with some comment about how they're a little odd), there's your
introvert sighting. Most introverts have jobs or go to a school, so you
might be able to sight one or two there. They try to stay quiet and out
of the way, and are often forgotten. At five o'clock, they disappear
from the social grid.

So, you're an introvert with some creative energy. Just because you
don't want to hang out with pals doesn't mean that you have no curiosity
about the world. What could you do?

In the last couple of decades, the answer to the introvert's dilemma was
easy: get a computer and learn to code. Like a novelist (another popular
introvert career path), you can create a new world using only words.
Being an introvert is even beneficial here, because writing good code is
time-intensive and you don't have idle socialization competing for your
time.

This is where I was as a kid. I couldn't build physical things, because
I'm a klutz and we didn't have the money for parts. I was socially
inept, to say the least. But I could spend time at the school computer
lab, and I could borrow time on the PC of a friend who probably only put
up with me because we're both named Ben.

I don't really remember what I built, and doubt any of it was very good.
I recall writing something to draw Mandelbrot sets, and some basic
physics stuff. It doesn't matter; what does matter is that I liked doing
it, and it felt better than the alternatives.

I sometimes worry that I'm stuck in fifth grade, where I got lots of
positive feedback for being good at solving little problems and writing
code-like things. I certainly still spend most of my time doing things
along those lines.

I felt that same sense of empowerment all over again when I had access
to the web. I was granted avocado.caltech.edu, back when the world was
loose enough that Caltech's sysadmins could hand out domain names like
that, and a pal and I typed up a joke site for the Caltech Divinity
School, with some verbiage about the physical chemistry of
transubstantiation. The dozen people who saw it thought it was funny.


     The Caltech Divinity School web site. It uses an HTML table which
my pal was never quite happy with.


Of course, I built my do-it-yourself site on a laptop built in a
factory, running an operating system, with a text editor and a network
stack that could serve files to users. None of that detracted from the
sense of DIY wonder of it all.

What kills that DIY wonder? Pulling out a credit card dampens it.
Filling in registration forms definitely dampens it. If a tool is so
well-built that solving the problem consists of just starting the tool
up, my sense of wonder has gone from "Look what I did" to "Look what
these other people did", which is time-efficient but not especially fun.
Building something from Legos takes enough personal effort and
small-scale creativity that it feels like an achievement when the thing
is built, but an Ikea end table is so pre-assembled that putting it
together just feels like a little chore.

Part II: The introvert on the desert island

I spent a lot of time advocating against the patenting of information
processing algorithms. If you want more detail on the history, you can
read my law review article on the matter (PDF).

In the context here, it is understandable why an introvert would oppose
software patents. If I'm sitting at home working on a project, why do I
need to even consider checking with an attorney? Now that software has
become patentable subject matter, writing code tangles you in the social
web of lawyers and patent-holders, whether you want to be there or not.
As with the NSA snooping your packets, the question is only whether
those holding the patents notice you and decide to take their option of
pursuing you.

The maintainers of Debian, a Linux distribution that emphasizes the
freedom of free software, have a number of heuristics to determine
whether a piece of software puts undue restrictions on a user, two of
which are about introverts (due to preference or circumstance). From
summaries from https://people.debian.org/~bap/dfsg-faq.html :

     The desert island test

     Imagine a castaway on a desert island with a solar-powered
     computer. To be free, software must be modifiable by this unfortunate
     castaway, who must also be able to legally share modifications with
     friends on the island.
          
     The dissident test

     Consider a dissident in a totalitarian state who wishes to share a
     modified bit of software with fellow dissidents, but does not wish to
     reveal the identity of the modifier, or directly reveal the
     modifications themselves, or even possession of the program, to the
     government.

Requiring patent licenses to use an algorithm clearly fails these tests,
unless you remembered to bring a patent lawyer to your desert island.

To give another test case, consider the "Secure Boot" issue. If you want
to have a program on your PC to make sure your data has not been
tampered with, you have to make sure the program itself has not been
tampered with, so you have to believe that the operating system (OS)
that runs the program is secure and un-tampered-with, but how do you
trust the OS? The Secure Boot solution is to bake in a requirement on
the hardware that only signed OSes may run on the hardware. The Free
Software Foundation continues to campaign against this. They have many
reasons, but we already have two on the page here: requiring
registration with the hardware maker means it is impossible for
dissidents or desert island denizens to write an operating system.

It seems like HTTPS would be an introvert's friend. Yet I run into a
great number of web sites out there that are HTTP-no-S. It turns out
that setting up encryption is really hard, and you can't do HTTPS alone.
On the part about it being hard, I invite you to work your way through
Ars Technica's guide to getting a certificate and subsequent guide to
setting up a web server to use HTTPS.

An HTTPS site can not be built on a desert island network, because you
need a signature from a certificate authority. A dissident is screwed,
because the dissident must give identifying information to the
certificate authority.


The personal information you are required to provide to get an SSL
certificate. [ https://www.startssl.com/?app=11&action=regform ]
As the second Ars article explained, there are ways to self-sign a
certificate. The FAQ from Mozilla (PDF) points out that Firefox has a
lot of good reasons for putting up scary dialogue boxes (their term)
every time a user goes to a site with a self-signed certificate. If you
are a dissident who can't use a fully-signed certificate, then, you can
expect Firefox will put up a "scary" warning to people who come to your
site.


A scary warning.

Much like the patent system and the Secure Boot system, an HTTPS
requirement means that you have to check with a bureaucrat before you
post code you wrote to the world. A kid who wants to ditch WordPress and
make up his or her modern and hopefully more fun incarnation of the
Caltech Divinity School now has more hurdles in the way.

Part III: Introverts at Ikea

If, as I argued above, introverts are attracted to geekdom more than the
general population, then it follows that there is a greater density of
introverts in geekdom than the general population. [Formally, given
P(geek|introvert) > P(geek), one can show that P(introvert|geek) >
P(introvert).]

The fact that geekdom is heavier on introverts than other fields of
endeavor means that geekdom needs to care about introverts more than
other fields.

We already have some important linguistic ambiguity. Is "the open source
community" the full set of people interested in open source, or is it
just that subset of people who are sufficiently able to overcome
introversion to comment in (potentially hostile) forums? Decisions made
in "the community" affect introverts and extroverts alike, but
extroverts are unlikely to notice the dark matter around them. It
requires an extraordinary step to stop a lively conversation among
extroverts and ask who is present but hasn't spoken loud enough to be
heard.

The conversational asymmetry can be important because the archetype of
the introvert I've described to this point, on the desert island seeking
DIY wonder, doesn't think or work like an extrovert.

Casual conversation among modern hackers has more brand names than a
fashion show: "Try my project! You can clone the Docker script from
GitHub and it'll Beanstalk up an Arch instance to EC2 with SciPy/Pandas
using Apache Hive to pull from Hadoop, and qGIS serving up maps using an
Ngninx server."

It makes sense to build using off-the-shelf tools. If you are
hand-writing HTML, it just won't look as good as the HTML assembled by
somebody using a good framework that already encapsulates person-years
of thought about viewports, fonts, and even color selection (thx,
Medium.com). By the end of it all, you've signed up for so many services
(like Github: "Build software better, together") that registering for an
SSL certificate seems like a drop in the bucket.

I like to think I've mostly adapted, but most of the group hacking
events I go to have at least one person who learned introverted means of
assembling Lego bricks and is completely at sea in the extrovert
techniques of looking through catalogs of table legs and screwing them
together.

I don't mean to make a value judgment that the group doing work via
pulling-together is somehow morally superior or inferior to the ways of
the self-taught introvert. It's just the typical story of technological
progress. The Wright Brothers built their own plane, in correspondence
with a few other aviation enthusiasts (see this PDF paper or these PDF
slides). But would you board a plane today if somebody told you it was
built by two guys in their garage? When you buy hand-made plates or
books or furniture, you do so because it has artisanal charm relative to
the factory-made versions, but where's the market for artisanal database
back-ends?

The curtain is slowly coming down on the time when one introvert quietly
writing code could build something that flies better than anything else.
It's the extroverts who are running the startup, or even the major open
source code project, and the focus is less on DIY and more on pulling
together stock parts.

But the Mozilla foundation's HTTPS requirement is, to me, the real end
of the DIY era. This is not a closed-source corporation, or a startup
pushing its new tool, or the arrogant guy at the hackathon, but the
Mozilla Foundation -- "Our mission is to promote openness, innovation &
opportunity on the Web" -- saying that if you are building web pages
using tools from your desert island, without first filling in
registration forms, then you are doing it wrong. Mozilla Firefox will
make increasingly active efforts to block you until you obtain the
correct permissions to build modern web pages.

This statement from Mozilla describes itself as "a message to the web
developer community". The introverts on the desert island, the me of the
1990s, the kid of the present day who doesn't like WordPress and has the
energy and curiosity to try building something new, the real-world
dissidents in real-world totalitarian countries, are dark matter in the
background and not addressed directly in the announcement, but are
affected by the announcement nonetheless.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org