Deprecating HTTP - Lessons from SSH/Telnet

Recently, both Firefox and Chrome have been coming down hard on HTTP websites. According to this article, HTTP will be labelled as "Not Secure". This is hardly the first step: HTTP-only websites have already had their search ranking penalised, and more stringent measures will surely be put in place. But will HTTP die out completely? I doubt it.

Taking a lesson from the history books, we observe a similar happening with Telnet and SSH some years back. Telnet has been around since the infancy of the internet, back when everyone knew everyone else on the network and there were no security concerns. SSH came around in the 1990s, when the internet started growing exponentially and there were concerns about traffic sniffing by malicious actors in semi-trusted networks such as universities and internet cafes. Telnet is still very much alive today. Most network devices have it built in, and the cheaper routers given out by your ISP likely even have it enabled by default.

I believe HTTP will very likely follow the path of Telnet and will never die out completely. One reason is that the beauty of protocols like Telnet and HTTP is their simplicity. Apart from some control characters, both protocols are in plaintext, which makes debugging simple. I can easily open a TCP connection to port 80 of a web server, send GET / HTTP/1.0 and receive readable output. The situation is not as simple with HTTPS. As we move forward with SSL/TLS, old protocols will start getting deprecated. I have seen public web servers supporting only TLS 1.1/1.2, which causes cipher mismatch issues on quite a lot of older browsers. The complexity extends beyond that: there are SNI, cert pinning and other issues which may affect the ability to access the website.

I am definitely in favour of moving to HTTPS. My own website has had HSTS configured for quite a while. Despite that, a simple query of my access logs, cat /var/log/apache2/access.log | grep -v "bot", reveals that there is still substantial HTTP traffic to my site. Guess I won't be closing port 80 anytime soon.
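
A fuller version of that log check, as an added example that is not the author's script: it measures how much non-bot traffic still arrives on port 80 and which clients never follow up over HTTPS. It assumes the log uses Apache's vhost_combined format so the port is recorded, matches bots on the User-Agent with a wider pattern than the grep above, and runs on constructed sample lines with a hypothetical host name.

```python
import re
from collections import Counter

# Assumed format: Apache "vhost_combined"
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumption: crawlers identify themselves in the User-Agent header.
BOT_RE = re.compile(r"bot|crawl|spider", re.IGNORECASE)

# Constructed sample lines (documentation address ranges, hypothetical host).
SAMPLE_LOG = """\
example.test:80 192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET / HTTP/1.1" 301 520 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
example.test:443 192.0.2.10 - - [01/Jan/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 4312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
example.test:80 198.51.100.7 - - [01/Jan/2018:10:02:00 +0000] "GET /feed HTTP/1.0" 301 512 "-" "ExampleFeedReader/1.0"
example.test:80 203.0.113.5 - - [01/Jan/2018:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 301 530 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
example.test:443 203.0.113.9 - - [01/Jan/2018:10:04:00 +0000] "GET /post HTTP/1.1" 200 9001 "-" "curl/7.58.0"
not a log line
"""

def summarize(lines):
    """Count non-bot requests per scheme and list clients seen only on port 80."""
    ports, skipped, seen = Counter(), Counter(), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped["unparsed"] += 1  # keep a count instead of silently dropping
            continue
        if BOT_RE.search(m["agent"]):
            skipped["bot"] += 1
            continue
        port = int(m["port"])
        ports[port] += 1
        seen.setdefault(m["client"], set()).add(port)
    total = sum(ports.values())
    return {
        "http": ports[80],
        "https": ports[443],
        "http_share": ports[80] / total if total else 0.0,
        # These clients got the redirect but never came back over TLS.
        "http_only_clients": sorted(c for c, p in seen.items() if p == {80}),
        "skipped": dict(skipped),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Clients that appear on both ports are typically first visits being redirected; the port-80-only list is the population that would lose access if the port were closed.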