The HTTPS-requirement is not smart

Quite a lot of modern browsers will display warnings when visiting websites using HTTP (and not HTTPS) or sometimes even when visiting websites on ports other than :443. I think this is a step in the completely wrong direction.

Why browsers do this

The reason why browsers do this is quite obvious: Privacy and Security. Those reasons are great, and obviously not why I am against requiring HTTPS.

HTTPS needs a central authority

HTTPS uses TLS, formerly known as SSL, to encrypt traffic and ensure intact data. That's great! However, it comes at a price: HTTPS needs a central authority. This authority is required because someone trustworthy has to generate the private key of the server, which can then be used to ensure an intact and secure connection. That's great and all, but really, it just shifts the trust from the ISP to the certificate authority (which is bad).

Not all websites need HTTPS

HTTPS is for when the data exchanged between client (browser) and server needs to be intact and private. However, websites like this one you're looking at right now don't need HTTPS to work. In fact, the only thing it helps do in case of this website is slow down the connection by adding extra data and computation. This website doesn't handle personal data, because it doesn't need to; there are no forms or login screens, no passwords to protect, and no motivation for a MITM-attack to be executed. There is simply nothing for hackers to gain by changing or reading the data sent to/from this website.

HTTPS doesn't protect your privacy very much

What actually invades your privacy are big tech companies, not HTTP. An HTTPS requirement doesn't stop tracking. It only fixes a single issue, MITM attacks, but it adds so many more issues to the mix (usually small issues, but still issues, like the connection being slower, and it just being yet another thing devs have to set up). When you visit a website with a "Share on Facebook" button (no need to click), you're being tracked by multiple different companies (and not just Facebook), which now all know that you just browsed that website. This isn't fixed by using HTTP, but HTTPS doesn't help either.

It doesn't even hide your browsing habits

You might think HTTPS protects you from your ISP or router logs showing what kind of websites you visit, but actually, it doesn't. HTTPS hides only the content of the request, not the server it goes to. The "subdomain.domain.tld" part is still fully visible as if you weren't even using HTTPS. What it hides is only the "/name.html" part and the content of the request and response (for example, the login data and the content of the page you're on).

HTTPS isn't bad

... but it also isn't the perfect thing it is often described as. Using HTTPS is good, but, similar to how VPN ads are usually only 30% truth, it isn't the miracle it is said to be.

Do use HTTPS, but don't trust it to do everything for you. Most tracking is done by big tech, not by hackers exploiting HTTP connections, one at a time.

So please, if you have set your browser to only allow HTTPS, don't.

Oh and another thing

E-Mail usually doesn't use a secure connection. It is just as safe as HTTP. Just some food for thought.

Give me some feedback

I would love to hear what you think about this blog post, so please feel free to have a conversation with me instead of sending me a DDoS attack. Here is my contact info:

Discord TudbuT#2624
E-Mail discuss-https@mail.tudbut.de
~TudbuT