HTTPS: the end of an era — Medium
Mozilla, the foundation that maintains Firefox, has announced that it will effectively deprecate the insecure HTTP protocol, eventually forcing all sites to use HTTPS if they hope to use modern features.
This essay explains why this was such depressing news to me, why this shift marks the death of a way of life.
Part 0: HTTP vs HTTPS
If you know the difference between HTTP and HTTPS, you can probably skip this part.
But for those of you not into tech acronyms, HTTP is the hypertext transfer protocol that your browser uses to talk to web servers bringing you data. It is relatively simple, to the point that if you have a way to inspect the packets of data as they come down the wire, you could read the web page right off of them. Those packets are being sent down a long series of routers between you and the web server, and there is a not-insignificant chance that somewhere along the way they are being inspected or stored by criminals, overly aggressive advertisers, the US National Security Agency, or some bored creep somewhere.
Thus HTTPS, the secure version. Via HTTPS, the site you are connecting to (herein https://example.com, because I don’t feel like inventing something clever) has some associated encryption codes, and your PC (or phone or watch or whatever contraption you are connecting with) uses the codes to encrypt all data before sending it, and the other side sends encrypted data back. So all of the packets are basically illegible to any of the many parties that handle those packets, but are legible to you and the web server at example.com.
But what if the NSA intercepts your connection, tells you it is example.com, and tells your PC to use NSA’s preferred encryption codes? You send data encrypted with NSA keys over the wire, the NSA decrypts and records your data, then passes it on to example.com, and passes example.com’s requests back to you after recording those. You think nothing is wrong, but the man-in-the-middle (the NSA) has read all your communications, rendering all that encryption useless.
So you can’t trust the data until you get the right keys, but you can’t trust the keys as being from example.com until you get some other verification, but then how do you trust that other verification? The solution is a signed certificate registering the identity of example.com. There are a small number of certificate authorities providing such trustworthy certificates, and your browser knows them by name.