HTTP is dead

I really should stop with the clickbait headlines!  A couple of months ago I posted about how SEO is dead and now I’m doing it again.

Well, this time I can safely say that HTTP is not in fact dead.  But it is losing out to HTTPS, as more and more websites are going secure.

There are many many reasons why your website should be secure (use HTTPS), but that in itself is a blog post for another day.  This blog post is about the hilarious people who genuinely believe that you shouldn’t go HTTPS.

David Winer

I’m not sure how his surname is pronounced, but I’m going for “whiner”.  Man, can this guy whine.  He essentially has it in for Google, believing them to be the devil and to want websites on HTTPS to somehow increase their ad revenue (can anyone follow that cosmic leap?).  His posts seem to massively miss the fact that HTTPS is just HTTP with a secure transport layer.  He seems to think that browsers like Chrome and Firefox changing from positive indicators for HTTPS to negative indicators for HTTP means that someone somewhere is “switching off” HTTP.

Of course, his website scripting.com can only be accessed via HTTP.  He doesn’t seem to mind using Twitter @davewiner though, rather than boycotting because they’re in cahoots with Google.

Maria Johnsen

This “cyber security expert” believes that a firewall is a good substitution for HTTPS, tweeting…

“Server technology has become so advanced that a setting a firewall does the security trick.”

“Does the security trick”!?  What planet is she on?  Clearly not one that understands the difference between a secure transport layer and preventing unauthorised access to a network, which are two polar opposite things really.  Something that a “cyber security expert” should really understand!

Rather ironically, her website maria-johnsen.com is HTTPS.  Maybe she doesn’t have the right firewall?

Neil Patel

This guy is a self-proclaimed SEO expert.  Good job he’s giving out quality security advice like this then…

“If you don’t have sensitive information on your site, you’re not selling a product or a service, there is no checkout page, you don’t need a certificate”

Well done for missing some of the key benefits of having a secure transport layer then, such as the guarantee that none of the content was modified in transit.

He’s not very good at taking his own advice though, as he’s got himself a certificate for his website neilpatel.com.  On the plus side, I love his company name; I’m Kind of a Big Deal, LLC.

Bryan Lunduke

Apparently, according to his website lunduke.com (HTTP only!), this guy is a “talker… dude”.  He has a YouTube series called The Lunduke Show, with some really interesting episodes titled things like…

  • HTTPS is dangerous
  • Why I don’t use HTTPS on my website

Get some popcorn and take a look, it’s good stuff.  Seriously though, he genuinely believes that HTTPS has major flaws which make it worse than HTTP, regardless of the fact that if HTTPS fails it simply downgrades to HTTP.  OK, if you use HSTS then you can have a few issues, but just make sure you handle your certificates correctly.  He also believes that the NSA has a backdoor in SHA, because they wrote it.  A backdoor in a one-way hashing algorithm?  Even if they could reverse it (which is mathematically impossible) then all that would do is get them to the original value.  That’s not the problem; they would need a different value that produces the same hash in order to cause a problem (which is known as a collision, and as yet has not been done with SHA256).  We haven’t seen this since the good old MD5 days!

 

Yeah, there’s some really hilarious stuff in here.
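
To put numbers on the reversal-versus-collision distinction above, here is an added example (not from the original post) that brute-forces both against SHA-256 truncated to 16 bits.  The toy digest size, the function names and the sample secret are assumptions of this sketch, chosen so the search finishes instantly.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size, an assumption of this demo; real SHA-256 has 256


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """SHA-256 truncated to its leading `bits` bits."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_preimage(target: int, bits: int = BITS):
    """'Reverse' the hash by guessing: any input whose digest equals target.

    Expected cost is about 2**bits guesses, and the input found is usually
    not the original one, only some value with the same digest.
    """
    for tries in count(1):
        msg = b"guess-%d" % tries
        if toy_hash(msg, bits) == target:
            return msg, tries


def find_collision(bits: int = BITS):
    """Birthday search: two different inputs with equal digests.

    Remembering every digest seen brings the expected cost down to about
    2**(bits/2) guesses, which is why collisions are the first thing to
    break in a weakened hash (as happened with MD5).
    """
    seen = {}
    for tries in count(1):
        msg = b"msg-%d" % tries
        digest = toy_hash(msg, bits)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg


if __name__ == "__main__":
    secret = b"constructed sample secret"  # made-up input for the demo
    target = toy_hash(secret)
    pre, pre_tries = find_preimage(target)
    a, b, col_tries = find_collision()
    print(f"preimage  {pre!r} after {pre_tries} guesses (~2^{BITS} expected)")
    print(f"collision {a!r} / {b!r} after {col_tries} guesses (~2^{BITS // 2} expected)")
    # Scaled to the full 256 bits these become ~2^256 and ~2^128 guesses.
```
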

If you want to see a proper write-up, check out Scott Helme’s post on HTTPS Anti-Vaxxers.