TLS everywhere: how the 'net is lost through good intentions.

on blog at

It won't be too long before browsers (and search engines) stop accepting HTTP at all, and getting permission from a centralized authority for your TLS certificate will be required to host a visitable website. Even the most popular federated protocol, SMTP, is being centralized, and soon the big email walled gardens will require TLS for all transport, if only to prevent surveillance. But the very means used to avoid government (and other) surveillance will hand those same entities complete control of our most popular communication systems.

TLS means that every single server is only allowed to exist at the end of a very long leash back to a centralized provider of certificates. Even if that provider is currently benevolent, .org shows what can and will happen with time and money. No one is going to accept self-signed certificates, and with no other option, things are suddenly centrally controlled. Unencrypted mail, web, and everything else still have their place.

Sorry to harp on this subject again, but I keep seeing people saying that it's time to *enforce* TLS for everything these days. Even if there's no malicious behavior, enforcing TLS brings in a single point of failure you can't control. Higher-up certificate authorities mess up regularly.
