In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.
It's a clever setup. Basically, if you want to take advantage of new features on the web, you'll have to encrypt.
Meanwhile, it appears that Netflix has separately announced that it is moving forward with plans to encrypt all of its infrastructure with HTTPS to better protect your privacy as well:
with our existing server infrastructure and the up to 50% capacity hit we had observed, driven by our traffic mix.
In short, yes, deploying HTTPS at that scale is expensive, but the benefit to users is tremendous and worth it.
At that time, we were uncertain of the gains we could achieve with software and hardware optimization and of the timescale for those. I'm pleased to report we have made good progress on that and we presented our FreeBSD work at the Asia BSD conference. We now believe we can deploy HTTPS at a cost that, whilst significant, is well justified by the privacy returns for our users.
So, as we mention today in our investor letter, we intend to roll out HTTPS support over the coming year - for both our site and the content itself - starting with desktop browser tests at scale this quarter.
It's still going to take a while, but we're getting closer to reaching that tipping point where an unencrypted web is a historical anomaly and that's a very good thing.