<!doctype html>
<html  data-current="post" lang="en-GB">

	<head>
  <!-- COMMON TAGS -->
<meta charset="utf-8">
<title itemprop="name">Reflections on &quot;HTTPS is Hard&quot;</title>
<!-- Search Engine -->
<meta name="description" itemprop="description" content="The blog of Steve - Web* Developer">
<!-- Twitter -->
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Reflections on &quot;HTTPS is Hard&quot;">
<meta name="twitter:description" content="The blog of Steve - Web* Developer">
<meta name="twitter:site" content="@steveworkman">
<meta name="twitter:creator" content="@steveworkman">

<!-- Twitter - Article -->
<!-- Open Graph general (Facebook, Pinterest & Google+) -->
<meta name="og:title" content="Reflections on &quot;HTTPS is Hard&quot;">
<meta name="og:description" content="The blog of Steve - Web* Developer">

<meta name="og:url" content="https://steveworkman.com">
<meta name="og:site_name" content="The blog of Steve - Web* Developer">
<meta name="og:locale" content="en-GB">
<meta name="og:type" content="article">
<!-- Open Graph - Article -->
<meta name="article:section" content="Web Development">
<meta name="article:published_time" content="2016-03-30T00:00:00.000Z">
<meta name="article:author" content="Steve Workman">
<meta name="article:tag" content="post,Speaking,Web Standards">

<link rel="alternate" type="application/rss+xml" href="https://steveworkman.com/feed.xml" />
<link rel="me" href="https://webperf.social/@steveworkman" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0">

  
  <style>:root{--turkey:#fff0eb;--white:#fff;--blue:#1777af;--headingBackground:#bbdce8;--textColor:#282828;--visibleGrey:#ccc;--pageBackground:#fff;--articleBorder:#fff;color-scheme:light dark}@media (prefers-color-scheme:dark){:root{--turkey:#fff0eb;--white:#fff;--blue:#29b0ff;--headingBackground:#083444;--textColor:#f5f5f5;--visibleGrey:#ccc;--pageBackground:#333;--articleBorder:#2a2a2a}}*,:after,:before{box-sizing:border-box}body,html{color:var(--textColor);font-family:Avenir,Avenir Next,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif;margin:0 auto;padding:0}header{grid-area:header}main{grid-area:main}aside{grid-area:aside}footer{grid-area:footer}body{background-color:var(--pageBackground);display:grid;grid-template-areas:"header header header" ". main main" ". aside aside" "footer footer footer";grid-template-columns:auto 3fr 1fr;grid-template-rows:auto 1fr auto auto;height:100vh;max-width:50em}@media screen and (min-width:750px){body{grid-template-areas:"header header header" ". 
main aside" "footer footer footer";grid-template-rows:auto 1fr auto}main{max-width:37.5em}}code,p,pre{line-height:1.5}a[href],a[href]:visited{color:var(--blue)}a[href]:not(:hover){text-decoration:none}footer,header,main{padding:1em}main{margin:0 auto;max-width:100%;padding-bottom:2em}main :first-child,main>article :first-child{margin-top:0}pre{direction:ltr;font-size:14px;-webkit-hyphens:none;hyphens:none;margin:.5em 0;padding:1em;-moz-tab-size:2;-o-tab-size:2;tab-size:2;text-align:left;white-space:pre;word-break:normal;word-spacing:normal}blockquote{position:relative}blockquote:before{color:var(--visibleGrey);content:"\201C";font-family:Georgia,Times New Roman,Times,serif;font-size:6rem;left:-2.5rem;position:absolute;top:-.5rem}header>em{display:block;font-size:2em;font-style:normal;font-weight:700;margin:.67em 0}header nav ul{list-style:none;padding:0}header nav ul :first-child{margin-left:0}header nav li{display:inline-block;margin:0 .5em}header nav li a[href]:not(:hover){text-decoration:none}header nav li a[data-current="current item"]{font-weight:700;text-decoration:underline}article{border-bottom:1px solid #eee;border-bottom:1px solid var(--articleBorder);margin-bottom:1em;padding-bottom:1em}article>h1,article>h2,article>header{background-color:var(--headingBackground);border-radius:.5em 0 0 0;font-size:2em;line-height:1.2;margin-bottom:.75em;padding:.25em .5em}article>h1>a[href],article>h1>a[href]:visited,article>h2>a[href],article>h2>a[href]:visited{color:var(--textColor)}article>header>h1{font-size:1.2em;margin-bottom:.25em}article>header>.subtitle{font-size:.8rem;margin-bottom:0}article>header>.subtitle>small{display:inline-block;width:50%}article>header>.subtitle>small:last-child{text-align:right}article img{display:block;margin-left:auto;margin-right:auto;max-width:100%;text-align:center}main>section>article>*{margin-bottom:.5em;margin-top:0}a[rel=tag],a[rel=tag]:visited{background-color:var(--pageBackground);border:1px solid 
var(--pageBackground);border-radius:.25em;color:var(--blue);display:inline-block;font-size:.625em;height:2em;letter-spacing:.1em;line-height:2em;margin:0 .5em .5em 0;padding:0 .5em;text-decoration:none;text-transform:uppercase;vertical-align:text-top}a[rel=tag]:hover{background-color:var(--blue);border:1px solid var(--blue);color:var(--pageBackground)}a[rel=tag]:last-child{margin-right:0}ul.taglist{font-size:.8em}ul.taglist li{padding-bottom:.25em;padding-top:.25em}form{display:grid;padding:2em 0}form label{display:none}button,input,textarea{font-family:Avenir,Avenir Next,sans-serif;font-size:1rem;margin-bottom:1em;padding:1em;width:100%}input,textarea{border:1px solid #000}button{background-color:var(--blue);border:1px solid var(--blue);color:var(--white);cursor:pointer}@media screen and (min-width:768px){:root{font-size:1.1rem}}.pagination>ol{list-style:none;padding:0}.pagination>ol>li{display:inline-block;width:50%}.pagination>ol>li.previous{text-align:right}table.speaking{border:1px solid var(--turkey);border-collapse:collapse}table.speaking td,table.speaking th{padding:.25em}table.speaking thead>tr{background-color:var(--headingBackground);border-bottom:1px solid var(--turkey)}table.speaking th{text-align:left}table.speaking .label{background-color:var(--headingBackground);border-radius:8px;color:var(--textColor);display:inline-block;padding:4px 8px}</style>
  
  <script></script>
  
<!-- NOTE(review): lite-youtube-embed is loaded cross-origin from a GitHub Pages
     host, unpinned (no version in the path) and without integrity/crossorigin
     attributes, so any change pushed to that repository ships straight into
     this page. Pin a release and add Subresource Integrity, or self-host the
     two files. No lite-youtube element appears on this page. -->
<script src="https://paulirish.github.io/lite-youtube-embed/src/lite-yt-embed.js" async></script>
<link href="https://paulirish.github.io/lite-youtube-embed/src/lite-yt-embed.css" rel="stylesheet">
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-18282110-1"></script>
<script>
  // Google Analytics (gtag.js) bootstrap: make sure the global dataLayer queue
  // exists without clobbering one an earlier script may already have created.
  window.dataLayer = window.dataLayer || [];
  // gtag() only enqueues its arguments; the async gtag/js loader fetched by the
  // preceding script element is presumably what consumes the queue.
  function gtag(){dataLayer.push(arguments);}
  // Queue the page-load timestamp first, then the property configuration.
  gtag('js', new Date());

  // Property id matches the ?id= query on the loader URL above.
  gtag('config', 'UA-18282110-1');
</script>
</head>


	<body>

		<header>
			<em>
				<a href="/">Steve Workman&#39;s Blog</a>
			</em>
			<nav>
  <ul>
    <li><a href="/" >Home</a></li><li>
      <a href="/about/">About Steve</a>
    </li><li>
      <a href="/speaking/">Speaking</a>
    </li><li>
      <a href="/bookshelf/">CSS Bookshelf</a>
    </li></ul>
</nav>

		</header>

		<main>
			
<article>
  <header>
    <h1>Reflections on &quot;HTTPS is Hard&quot;</h1>
    <p class="subtitle">
      <small>
        Posted on <time datetime="2016-03-30T00:00:00.000Z">30 March 2016</time> by Steve Workman
      </small>
      <small>About 4 min reading time</small>
    </p>
  </header>

  <p>Over the last few months I've been putting together my talk for the year, based on a blog post that is titled &quot;HTTPS is Hard&quot;. <a href="https://blog.yell.com/2016/03/https-is-hard/">You can read the full article on the Yell blog</a> on which it is published. There's also an <a href="https://medium.com/@steveworkman/https-is-hard-377f2baf2580">abridged version on Medium</a>. It's been a very long time coming, and has changed over the time I've been writing it, so I thought I'd get down a few reflections on the article.</p>
<h4 id="it's-really-long%2C-and-took-a-long-time-to-write" tabindex="-1">It's really long, and took a long time to write</h4>
<p>This is, firstly, the longest article I've written (at over four thousand words, it's a quarter of the length of my dissertation) and it's taken the longest time to be published. I had a 95% complete draft ready back in September, when I was supposed to be working on <a href="https://speakerdeck.com/steveworkman/adapting-for-the-times">my Velocity talk for October</a> but found myself much more interested in this article. Dan Applequist has repeatedly asked me to &quot;put it in a blog post, the TAG would be very interested&quot; - so finally, it's here.</p>
<p>The truth is that I'm constantly tweaking the post. Even the day before it goes live, I'm still making modifications as final comments and notes come in from friends that I've been working with on this. Also, it seems like every week the technology moves on and the landscape shifts: Adobe offers certs for free, Dreamhost gives away LetsEncrypt HTTPS certs through a one-click button, Netscaler supports HTTP/2, the Washington Post writes an article, Google updates advice and documentation, and on and on and on... All through this evolution, new problems emerge and the situation morphs and I come up with new ways to fix things, and as I do, they get put into the blog post. Hence, it's almost a 20-minute read.</p>
<p>A special thank you to <a href="https://twitter.com/andydavies">Andy Davies</a>, <a href="https://twitter.com/stopsatgreen">Pete Gasston</a>, <a href="https://twitter.com/patrickhamann">Patrick Hamann</a> and the good people at Yell; <a href="https://twitter.com/jurga">Jurga</a>, <a href="https://twitter.com/Claireslobodian">Claire</a> and the UI team (Andrzej, Lee and <a href="https://twitter.com/SupaRawr93">Stevie</a>) for their feedback throughout this whole process. I'm sure they skipped to the new bits each time.</p>
<h4 id="is-https-really-neccessary%2C-for-everyone%3F" tabindex="-1">Is HTTPS really necessary, for everyone?</h4>
<p>Yes.</p>
<p>Every day something silly happens. Today's was from generally-awesome tech-friendly company Mailchimp. They originally claimed that &quot;Hosted forms are secure on our end, so we don't need to offer HTTPS. We get that some of our users would like this, though&quot; (tweet has since been deleted). Thankfully, they owned up and showed CalEvans how to do secure forms.</p>
<blockquote class="twitter-tweet" data-lang="en"><p dir="ltr" lang="en"><a href="https://twitter.com/CalEvans">@CalEvans</a> We apologize for the inaccurate info from earlier, Cal. It is actually possible to use HTTPS with our hosted forms by grabbing the</p>— MailChimp (@MailChimp) <a href="https://twitter.com/MailChimp/status/714905486118793216">March 29, 2016</a></blockquote>
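<!-- Explicit https: rather than the protocol-relative "//" form, so the Twitter
     widget script is never fetched over plain HTTP should this page ever be
     served that way. -->
<script src="https://platform.twitter.com/widgets.js" async charset="utf-8"></script>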
<p>Still, it's this kind of naivety that puts everyone's security at risk. A big thumbs up to Mailchimp for rectifying the situation.</p>
<h4 id="if-i-were-to-have-started-today%2C-would-https-still-be-hard%3F" tabindex="-1">If I were to have started today, would HTTPS still be hard?</h4>
<p>Yes, though nowhere near as hard. We'd still have gone through the whole process, but it wouldn't have taken as long (the Adobe and Netscaler bits were quite time-consuming) and the aftermath wouldn't have gone on for anywhere near as long if I'd realised the referrer problem in advance (when a page served over HTTPS links to a plain-HTTP site, browsers drop the Referer header, so the destination sees that traffic as &quot;direct&quot; rather than as coming from you).</p>
<h4 id="if-you'd-have-known-about-the-referrer-issue%2C-would-you-have-made-the-switch-to-https%3F" tabindex="-1">If you'd have known about the referrer issue, would you have made the switch to HTTPS?</h4>
<p>Honestly, I'm not sure I would have pushed so hard for it. We don't have any solid evidence to say it's affecting any business metrics, but I personally wouldn't like the impression that traffic just dropped off a cliff, and it wouldn't make me sign up as an advertiser. Is this why Yelp, TripAdvisor and others haven't migrated over? Who can say...</p>
<p>This is why the education piece of HTTPS is so important, because developers can easily miss little details like referrers, and just see the goals of ranking and HTTP/2 and just go for it.</p>
<p>The point of the whole article is that there just isn't the huge incentive to move to HTTPS. Having a padlock doesn't make a difference to users unless they sign in or buy something. There needs to be something far more aggressive to convince your average developer to move their web site to HTTPS. I am fully in support of Chrome and Firefox's efforts to mark HTTP as insecure to the user. The only comments I get around the office about HTTPS happen when a Chrome extension causes a red line to go through the protocol in the address bar - setting a negative connotation around HTTP seems to be the only thing that gets people interested.</p>
<h4 id="what's-changed-since-you-wrote-the-article%3F" tabindex="-1">What's changed since you wrote the article?</h4>
<p>I am really pleased to see the <a href="https://www.google.com/transparencyreport/https">Google Transparency Report include a section on HTTPS</a> (<a href="https://security.googleblog.com/2016/03/securing-web-together_15.html">blog post</a>). An organisation with the might and engineering power of Google is still working towards HTTPS, overcoming technical boundaries that make HTTPS really quite hard. It's nice to know that it's not just you fighting against the technology.</p>
<h4 id="what-about-%22privileged-apps%22---you-don't-talk-about-that" tabindex="-1">What about &quot;privileged apps&quot; - you don't talk about that</h4>
<p>The <a href="https://www.w3.org/TR/powerful-features/">&quot;Privileged Contexts&quot; spec</a> AKA &quot;Powerful Features&quot; and how to manage them is a working draft and there's a lot of debate still to be had before they go near a browser. I like how the proposals work and how they've been implemented for Service Worker. I also appreciate why they're necessary, especially for Service Worker (the whole thread of &quot;why&quot; can be read <a href="https://github.com/slightlyoff/ServiceWorker/issues/199">on github</a>). I hope that Service Worker has an effect on HTTPS uptake, though this will only truly happen should Safari adopt the technology.</p>
<p>It looks like Chrome is going to turn off Geolocation from insecure origins very soon, as that part of the <a href="https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins">powerful features task list</a> has been marked as <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=561641">&quot;fixed&quot; as of March 3rd</a>. Give it a few months and geolocation will be the proving ground for the whole concept of powerful features - something that I'll be watching very closely.</p>


  
    <p>
    
        <a href="/tags/Speaking/" rel="tag">Speaking</a>
        <a href="/tags/Web Standards/" rel="tag">Web Standards</a>
    </p>
  

</article>

<nav>
  <a href="/">Back to home</a>
</nav>

		</main>

		<aside>
			<h2>Find me online</h2>
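<!-- External profile links open in a new tab; rel="noopener" is stated explicitly
     so the opened page gets no window.opener handle whatever the browser default. -->
<ul>
    <li><a href="https://webperf.social/steveworkman" target="_blank" rel="noopener">Mastodon - @steveworkman@webperf.social</a></li>
    <li><a href="https://www.threads.net/@steveworkagram" target="_blank" rel="noopener">Threads - @steveworkagram</a></li>
    <li><a href="https://www.instagram.com/steveworkagram/" target="_blank" rel="noopener">Instagram</a></li>
    <li><a href="https://www.github.com/steveworkman/" target="_blank" rel="noopener">Github - steveworkman</a></li>
</ul>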
<h2>Posts in other categories</h2>
<ul class="taglist">

    
    <li><a href="/tags/Browsers/" class="tag">Browsers (10)</a></li>

    
    <li><a href="/tags/Conferences/" class="tag">Conferences (1)</a></li>

    
    <li><a href="/tags/CSS3/" class="tag">CSS3 (14)</a></li>

    
    <li><a href="/tags/Facebook/" class="tag">Facebook (3)</a></li>

    
    <li><a href="/tags/Genesys/" class="tag">Genesys (1)</a></li>

    
    <li><a href="/tags/Gigs/" class="tag">Gigs (1)</a></li>

    
    <li><a href="/tags/Google Wave/" class="tag">Google Wave (1)</a></li>

    
    <li><a href="/tags/Hiring/" class="tag">Hiring (2)</a></li>

    
    <li><a href="/tags/HTML5/" class="tag">HTML5 (20)</a></li>

    
    <li><a href="/tags/Interviewing/" class="tag">Interviewing (1)</a></li>

    
    <li><a href="/tags/iPhone/" class="tag">iPhone (12)</a></li>

    
    <li><a href="/tags/JavaScript/" class="tag">JavaScript (14)</a></li>

    
    <li><a href="/tags/Learning/" class="tag">Learning (1)</a></li>

    
    <li><a href="/tags/Microsoft/" class="tag">Microsoft (10)</a></li>

    
    <li><a href="/tags/Mobile/" class="tag">Mobile (12)</a></li>

    
    <li><a href="/tags/Node.js/" class="tag">Node.js (1)</a></li>

    
    <li><a href="/tags/Off-topic/" class="tag">Off-topic (11)</a></li>

    
    <li><a href="/tags/Performance/" class="tag">Performance (5)</a></li>

    
    <li><a href="/tags/Projects/" class="tag">Projects (2)</a></li>

    
    <li><a href="/tags/Rails/" class="tag">Rails (2)</a></li>

    
    <li><a href="/tags/Ramblings/" class="tag">Ramblings (20)</a></li>

    
    <li><a href="/tags/Reading List/" class="tag">Reading List (1)</a></li>

    
    <li><a href="/tags/Sketchnotes/" class="tag">Sketchnotes (19)</a></li>

    
    <li><a href="/tags/Speaking/" class="tag">Speaking (7)</a></li>

    
    <li><a href="/tags/Steel-Software/" class="tag">Steel-Software (2)</a></li>

    
    <li><a href="/tags/Usability/" class="tag">Usability (9)</a></li>

    
    <li><a href="/tags/USE/" class="tag">USE (16)</a></li>

    
    <li><a href="/tags/User Experience/" class="tag">User Experience (11)</a></li>

    
    <li><a href="/tags/User Interfaces/" class="tag">User Interfaces (10)</a></li>

    
    <li><a href="/tags/Web Design/" class="tag">Web Design (12)</a></li>

    
    <li><a href="/tags/Web Standards/" class="tag">Web Standards (33)</a></li>

</ul>
		</aside>

		<footer>
  <small>
    This content is &copy; 2003-2023 Steve Workman and does not necessarily represent the views, strategies or opinions of my employer.<br>
    This blog is made with <a href="https://www.11ty.io/">Eleventy</a>.
  </small>
</footer>


	</body>

</html>