In the hands of Big Co interests?

As rtechie wrote:


As someone who does a lot of work with PKI, I think this is an extremely bad idea.

Making HTTPS mandatory will seriously degrade the security of existing web sites.

Right now, the main problems with SSL/TLS have to do with bad actions by root Certificate Authorities (like China’s CA) issuing inappropriate or questionable certificates.

You’re assuming that site operators, and more importantly users, are going to use HTTPS intelligently and appropriately and that’s a bad assumption.

Forcing every single site to use HTTPS means that unless that site has a root CA cert, users will get a browser error. And we’ve “trained” users to avoid sites with browser errors. This will create a “gold rush” with the root CAs as lots of smaller sites start requesting certs. This will inevitably lead to more bad certs being issued.

And there will be a LOT more questionable certs issued.

Because you intend to block features behind HTTPS, you’re making it impossible to TEST using HTTP, so every single internal, QA, or test site needs a cert. Sure, they can use self-signed, but users will get a browser error. So now either that organization has to run their own CA or get more certs from the root CAs, which is a lot easier. That’s going to be a flood of cert requests on the CAs.

I really need to stress what a problem it is that you’re requiring certs for all internal web sites.

And what about intranet sites in general? Have you guys developed a better method, of any kind, for distributing enterprise root certs around? Right now, I have to manually install them on every PC. Now you’re saying I have to do that no matter what.

The short version is that the core problem with HTTPS right now is that it’s too popular. Making HTTPS mandatory will further degrade its utility and put serious and important uses of HTTPS, like financial transactions, in danger.


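The two options the quoted post weighs for internal, QA and test sites (run your own CA, or have every client tolerate a browser error) can be made concrete. The script below is an added example and is not code from rtechie's post or from this list; it builds a throwaway private root with openssl, issues a server certificate for an invented internal hostname (qa.example.internal, an assumption, as is the CA name), and then validates that certificate twice: once as a client that has no enterprise root installed, and once as a client that does. The only dependency assumed is openssl 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from rtechie's post: a throwaway private CA built with
# openssl, used to show why an internal or QA site's certificate only
# validates once the organisation's root is installed as a trust anchor.
# Assumptions: openssl 1.1.0+ on PATH; the hostname qa.example.internal and
# the CA name are invented for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Creates a self-signed root with CA:TRUE, written to $WORK/root.{key,crt}.
# A private config file is used so the result does not depend on the
# system openssl.cnf.
make_root_ca() {
    cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Corp Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/root.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Issues a server certificate for host $1 signed by the root: $WORK/$1.{key,crt}.
issue_leaf() {
    host="$1"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
        "$host" > "$WORK/$host.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$host.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    # Leaf extensions: clients match the hostname against the SAN, not the CN.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days 397 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Emulates a client's chain and hostname validation for host $1.
# $2 is the trust-anchor file, or "" for a client with no enterprise root
# installed (the system root store is excluded in both cases so only the
# private root matters). Prints "ok" or "fail".
verify_leaf() {
    host="$1"; trust="$2"
    if [ -n "$trust" ]; then
        anchor="-CAfile $trust"
    else
        anchor="-no-CAfile"
    fi
    # shellcheck disable=SC2086
    if openssl verify $anchor -no-CApath -verify_hostname "$host" \
            "$WORK/$host.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demo: the same leaf certificate seen by two different clients.
if command -v openssl >/dev/null 2>&1; then
    make_root_ca
    issue_leaf qa.example.internal
    echo "client without the root: $(verify_leaf qa.example.internal "")"              # fail
    echo "client with the root:    $(verify_leaf qa.example.internal "$WORK/root.crt")" # ok
fi
```

The second verification only passes because the root was handed to the client explicitly via `-CAfile`; that hand-off is exactly the per-machine root distribution step the post complains about, and a browser on a client that never received root.crt will show the same error a self-signed certificate would.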