Sunday, February 25, 2018

Why can't we turn off HTTP?

Currently, I'm sitting in a library not able to access HTTPS (probably... I guess it depends when you're reading this) for a particular website.

I like to spend time in libraries. Especially libraries in exotic far off places. Surrounded by book-smell, and curious people learning. Unfortunately some libraries have shockingly bad internet. Some of them decide they will filter which websites people can look at so that they are safe from viruses and nasty stuff which damages their computers.



It's exciting that 60-70% of internet connections to some websites are encrypted these days. But why not turn HTTP off and force everyone to use HTTPS?
Indeed. Why not turn off HTTP completely? I'll try to answer that here (for pygame.org; your website may be different).



Unfortunately these filters in libraries are sometimes pretty terrible and ancient. And when you travel, and spend time in libraries and use hotel internet, you begin to notice that the internet you know at home or work is kind of not the same all around the world. A shocking revelation, I know: things are different in different places. Soon there will be research funded to confirm this for you in ten years.

One thing they do is have proxy servers that jump in the middle between the browser and the server. Sometimes in strange ways that don't quite work.



Oh. So this is why I can't internet-all-the-things whilst sitting in a hammock on a small island.



Universities are another type of place I've had bespoke-internet-experiences.

So, this is one reason I like to still offer things over normal HTTP: some people are blocked from HTTPS. A person can still already choose to use HTTPS (which technically can still have MITM attacks going on, from university/corp/country proxies and the like). We could also use HSTS (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security), which is the proper solution rather than redirects, because leaving HTTP on means the upgrade to HTTPS can be worked around by whatever sits in the middle. But HSTS means HTTP stops working for that browser.

If you're privileged enough to have good internet then, please take our EFF friends' advice and use the HTTPS Everywhere addon for your browser. Unfortunately some things will still break for you. https://www.eff.org/https-everywhere

However, could we still do better, and still make it accessible for those people who are stuck with horrible internet connections? Yes, of course!

So, now pygame.org URLs permanently redirect to https://www.pygame.org/, and the login URLs even on non-HTTPS point to HTTPS. Additionally, I've updated lots of links in the docs and on the internet to HTTPS URLs, and will continue doing that where possible. Search engines always link to HTTPS (if available) it seems, and adding canonical HTTPS link tags in the headers is being tracked here: #34



I would like to update hundreds of mixed HTTP/HTTPS documents to turn all the HTTP links to new HTTPS links... but instead I chose life. Is there a header for that? Yes there is... pop on over to https://w3c.github.io/webappsec-upgrade-insecure-requests/ and learn all about it.



Browsers are now rolling out HTTPS upgrade headers: the browser sends the Upgrade-Insecure-Requests request header as a hint that it can go to an HTTPS URL when one is available. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests
You can also set a Content Security Policy with the upgrade-insecure-requests directive, which tells the browser to upgrade old unencrypted links on the page to HTTPS ones. You're telling the browser "Dear browser, everything should work with HTTPS, but I haven't updated all the URLs yet". It seems to be at 77% browser support at the moment, and even the latest version of Edge supports it. https://caniuse.com/#feat=upgradeinsecurerequests
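To make the two mechanisms concrete, here is an added example (my own, not pygame.org's server code) of the per-request decision a site like this could make: the bare domain always redirects to canonical HTTPS, a browser that sends Upgrade-Insecure-Requests: 1 gets sent to HTTPS with a Vary header so caches keep both answers, and any other plain-HTTP client is served as-is with the CSP directive attached. The host name comes from the post; the function and policy are assumptions for illustration.

```python
from urllib.parse import urlunsplit

CANONICAL_HOST = "www.pygame.org"      # host from the post
CSP_UPGRADE = "upgrade-insecure-requests"


def https_url(path, query=""):
    """Canonical HTTPS form of a URL on the www host."""
    return urlunsplit(("https", CANONICAL_HOST, path, query, ""))


def decide(host, scheme, path, query, request_headers):
    """Hypothetical policy: return (status, response_headers) for one request.

    request_headers is a plain dict; header names are matched case-insensitively.
    """
    req = {k.lower(): v.strip() for k, v in request_headers.items()}

    if host != CANONICAL_HOST:
        # bare pygame.org (or any alias) permanently redirects to https://www.
        return 301, {"Location": https_url(path, query)}

    if scheme == "https":
        # already secure: ask capable browsers to upgrade any leftover http:// links.
        # Deliberately no Strict-Transport-Security here: HSTS would stop this
        # browser from ever falling back to plain HTTP on a broken proxy.
        return 200, {"Content-Security-Policy": CSP_UPGRADE}

    if req.get("upgrade-insecure-requests") == "1":
        # the browser says it can cope with HTTPS: send it there. Vary tells
        # caches that clients without the hint get a different answer.
        return 307, {
            "Location": https_url(path, query),
            "Vary": "Upgrade-Insecure-Requests",
        }

    # old client or HTTPS-hostile proxy: serve plain HTTP. Clients that don't
    # understand the CSP header simply ignore it.
    return 200, {
        "Content-Security-Policy": CSP_UPGRADE,
        "Vary": "Upgrade-Insecure-Requests",
    }
```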

But remember, even if a browser supports it, it doesn't mean it hasn't been configured to use a proxy in the middle which has issues with HTTPS. Or that 500ms latency turns those several extra back-and-forths HTTPS requires into an unbearable thing to use. With three 500ms round trips, that turns into more than 1500ms. Compared to 20ms*3==60ms for someone on a fast connection nearby.

Why can't we have zero round trips with HTTPS everywhere, I hear you ask? That would be good for people in far-off lands with bad internet connections. Let me tell you, my friend: those same proxies, and Idiot of Things devices with ancient buggy HTTPS stacks. Blame your old printer.

But I've enabled 0-RTT and HTTP/2 anyway, and the reason is that those same broken internet connections are going to be broken anyway. Might as well make it slightly faster and safer for everyone else, and the broken connections can use HTTP, which they would have to do anyway.



Is TLS fast Yet? Yes. Sort of. https://istlsfastyet.com/



With these changes, there's been a 30% (handwavy-made-up-stat) increase in HTTPS connections, and now the majority of connections are using HTTPS. Hopefully that keeps growing as more links are updated (18 years of links on the interwebs might never all be upgraded).
Cloudflare (which pygame.org is using for HTTPS) supports HTTPS on some pretty ancient computers (we are paying for the pro plan). Even my Android 2 phone works with it. https://support.cloudflare.com/hc/en-us/articles/203041594-What-browsers-work-with-Cloudflare-s-SSL-certificates-
 
www.pygame.org is still open for business fun on HTTP however, even though most people probably won't go there 'soon'. The people in far-off places with weird internet connections, and those retro computing people with the browser user agent string "AmigaVoyager/3.2 (AmigaOS/MC680x0)", will still be able to download their files.

pygame.org is //retro computer friendly// after all. But we're also friendly to people in far-off lands sitting in hammocks and to people who like book-smells + learning.

Thanks for reading.
