Mozilla recently announced their intent to deprecate the insecure HTTP protocol in Firefox in favor of HTTPS ( https:// ). In practice, they plan to do this by gradually removing the ability for HTTP websites to use various web features. They're joined by the Chrome security team, who declared something similar in December.

Mozilla's announcement has gotten a lot of attention, more than Chrome's, and much of it negative. There have been various laments, but the most sincere and helpful one is Ben Klemens' "HTTPS: the end of an era":

But the Mozilla foundation’s HTTPS requirement is, to me, the real end of the DIY era. This is not a closed-source corporation, or a startup pushing its new tool, or the arrogant guy at the hackathon, but the Mozilla Foundation — “Our mission is to promote openness, innovation & opportunity on the Web” — saying that if you are building web pages using tools from your desert island, without first filling in registration forms, then you are doing it wrong.

I understand the fear of raising the barriers to entry. As a child, I too fell in love with an internet made by everyone, and have spent my career, my volunteer work, and my hobbies trying to share what that love has taught me. I want children everywhere in the world to grow up feeling like the internet that permeates their lives is also in their service -- a lego set in real life that you can buy with a week's allowance.

Yet as an adult, I also understand that power for ordinary people is hard to come by and hard to keep. The path of least resistance for human society is for money to buy more money, and might to demand more might. Democracy is designed not so much to expand freedom as it is to give people tools to desperately hold onto the freedom they have.

Put another way: power has a way of flowing away from the varied, strange, beautiful little leaf nodes on the outer edges and into the unaccountable, unimaginative, ever-hungry center.

TCP/IP, DNS, and the web were each tremendous reversals of this trend, freely giving the means of production to all of us little leafs. It felt like the powers that be just didn't realize what was happening until it was too late.

But when I look at the last few years, I see a very different web than the one I was introduced to:

And then there's government surveillance. Still here, still real, and not getting better:

When I look at all these things, I see companies and governments asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to "interpret censorship as damage".

In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.

What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.

As problematic as the certificate authority (CA) system that underlies HTTPS may be, its relative centralization allows for one of the very few systems of encryption available today that Just Works for regular people. In many ways, it's no different than registering a domain: you pay a nominal fee to a usually for-profit organization to participate in a mostly centralized system.

Richard Barnes, the author of Mozilla's HTTP deprecation announcement and policy, responded to Ben, saying:

As I've said in some other threads on this topic, I'm under no illusion that HTTPS or the CA system is perfect. But to quote the great sage Mr. Rumsfeld, "you go to war with the army you have, not the army you might want or wish to have at a later time." Our long experience with HTTPS shows that it’s strong enough to carry the web, and it looks like its weaknesses can be patched. Which is enough, at least for me, to get the movement started.

Starting that movement doesn't happen in a vacuum. Chrome is there, the IETF and W3C TAG are there -- even the ad industry is getting there, with the news media right behind them. That kind of movement can become self-fulfilling, motivating more people and work than anyone thought possible at the start.

Many have said that HTTPS configuration and the CA system need to become painless before we can make it the new standard. However, this has cause and effect backwards: the only way to motivate the investment and market demand necessary to make HTTPS free, easy, and everywhere is to first make it part of the baseline, like DNS is today.

The transition to HTTPS won't be painless, but it is necessary, and it's already getting easier every year. The web will evolve, and when it does we'll have pushed some of its power back out of the center and into its edges for another generation to wield, love, and defend.