> Until there's a free, easy, maintainable, and actually existent solution to SSL certs, enforcing HTTPS-only is just downright extortion.
> Referring to solutions that are under construction doesn't cut it. If you're that passionate about it, contribute to the SSL cert solution yourself instead of to the endless calls for HTTPS-only
Right. In similar threads, I've seen a lot of people linking to Let's Encrypt[0]. The idea of that project is great but, at best, all we can do now is discuss how to enforce HTTPS once Let's Encrypt (or something comparable) is available. Anybody who runs a small, personal website that generates no revenue would essentially be screwed if it were enforced before then, as (and someone can correct me if I'm wrong here) there aren't really any affordable options at this point for people who don't have much money to throw towards their site.
> essentially be screwed if it were enforced before then
Let's Encrypt, if it goes according to plan, is only a few months away. It's not just some fairytale that we're hoping will come true someday. It could be reality very soon! It's got some pretty big names behind it, including one of the Big Three browsers, so I'd say that it has a pretty good chance of success.
And if Let's Encrypt fails, surely someone else will try something similar in the near future. Some registrars are already handing out a free certificate with every domain. I got ~10 certificates in the last year alone, half of them for free (StartSSL) and the other half for $5/yr (PositiveSSL). The momentum is there; it's irreversible. Even if we don't hit $0, we're asymptotically headed toward it.
Moreover, given the pace at which governments and other large organizations move, I have zero worry that HTTPS-only will be "enforced" before free certificates become widely available. Ditto for browser vendors. Chrome will not risk blocking non-HTTPS websites before the time is ripe, because if it did, people would just delete Chrome and move to another browser.
This whole debate is just a bunch of FUD concerning entirely unrealistic scenarios. Why are we spreading this sickening FUD instead of, say, supporting the two well-known organizations (EFF & Mozilla) that are trying to bring free SSL to everyone?
I actually used StartSSL. It took, literally, days to figure out how to create the certificate. The next year I renewed it; it took, literally, days to figure out how to renew the certificate.
The next year I just paid someone to do it for me.
I renewed three certificates with StartSSL yesterday. It took me literally a couple of minutes to do so.
I have also written up how the entire process works (from generating the key to creating the CSR and getting the thing signed) for a specific (non-webserver) use case and while I don't claim my writeup is perfect, several people have had no difficulty following it in under 15 minutes, even though it was the first TLS certificate they ever installed.
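The steps the commenter above refers to (generate a key, create a CSR, hand the CSR to the CA for signing) are the part that happens on your own machine, and they are the same whichever CA ends up signing it. The script below is an added example, not the commenter's write-up and not tied to StartSSL or any other CA: it assumes only that the `openssl` command-line tool is on PATH, uses `example.com` and a temporary directory as placeholder values, and adds the two checks worth running before pasting a CSR into a CA's form (the CSR's self-signature verifies, and its public key matches the private key you kept).

```shell
#!/bin/sh
# Added example (not from the thread): create a private key and a CSR for
# one hostname, then sanity-check the CSR before sending it to a CA.
# Assumes the openssl CLI is installed. Hostname and paths are placeholders.
set -eu

# make_csr HOSTNAME OUTDIR
# Writes OUTDIR/HOSTNAME.key (2048-bit RSA, mode 0600) and OUTDIR/HOSTNAME.csr.
# The CSR carries a subjectAltName, which browsers require; CN alone is ignored.
make_csr() {
    host="$1"; out="$2"
    mkdir -p "$out"
    cfg=$(mktemp)
    # Minimal openssl config: non-interactive subject plus a SAN extension.
    # Written via printf rather than -addext so it works on older openssl too.
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\nsubjectAltName = DNS:%s\n' \
        "$host" "$host" > "$cfg"
    # Subshell so the restrictive umask (key must not be world-readable)
    # does not leak into the caller's shell.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/$host.key" -out "$out/$host.csr" \
          -config "$cfg" >/dev/null 2>&1 )
    rm -f "$cfg"
}

# csr_cn FILE: print the CN from the CSR's subject.
# Handles both "subject=CN = x" (1.1.1+) and "subject=/CN=x" (1.0.x) output.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_ok FILE: verify the CSR's self-signature. A CSR is signed with the
# private key it was generated for, so this catches a corrupted or edited CSR.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_matches_csr KEY CSR: the public key inside the CSR must equal the
# public half of the private key you are keeping; otherwise the certificate
# the CA issues will be useless with that key.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (placeholder hostname and directory):
#   make_csr example.com /tmp/certs
#   csr_ok /tmp/certs/example.com.csr && key_matches_csr /tmp/certs/example.com.key /tmp/certs/example.com.csr
#   cat /tmp/certs/example.com.csr   # paste this into the CA's CSR field
```

The CA only ever sees the `.csr` file; the `.key` stays on the server and is the file to protect. Renewal is the same procedure again, either reusing the existing key or generating a fresh one with `make_csr`.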
So your point is both that it is so easy it took "literally a couple of minutes" but so difficult "you've written up how the entire process works" that you've had to share with "several people" so they could repeat the same exercise...
Agreed. As an expert in various things, I have learned to try to shut my mouth when the topic is how easy those things are for novices.
A young friend is learning to program, so I set up a virtual server as a place for them to upload things. It was only when I went to give them the account information that I had to stop and think about how complicated the "easy" act of uploading files via SSH is. Shell commands, directory trees, working directories, the fact that the web site is in /var/www and what that means, why index.html is special, what ssh keys and asymmetric encryption are, what a bastion host is, etc, etc.
That's not contradictory at all. Plenty of system administration tasks fall into the category of "easy to perform but not self-evident to someone with no experience".
No contradiction, something being easy does not imply it being self-evident / obvious. There are many simple things that are non-obvious without retrospect.
They're still free, whereas no other company (at this time) will give you a free certificate for a single subdomain year after year. If you are using so many subdomains that generating the CSRs and pasting them in StartSSL's CSR field is too much work, then maybe a paid wildcard certificate is the better solution for you. But as long as you can count the subdomains that need a certificate on one hand, I'm not going to pay some other company $50 (maybe more? not sure) for something that takes me less than half an hour per year.
1 company where it's kinda sorta not-so-hard to do SSL is not good enough. If we're going to go HTTPS-only it needs to be as close to as easy to get them as it is to install apache on your old laptop and serve some html you wrote.
What irks me is that the biggest HTTPS-only advocates (mostly Google employees) simply do not care about this problem. They do not address it.
[0] https://letsencrypt.org/