Ah. I see the issue, the HTTPS-Only mode of Firefox and the Encrypt-all-sites mode of HTTPS-Everywhere thinks that you do, because closed TCP ports on your server don't respond to TCP SYN requests at all, whereas normally servers indicate connection refused by sending a TCP RST packet. So anything trying to access HTTPS on your site will just time out.
Thank you for that tip. Yes, I was blocking all connections to 443 on my firewall but I didn't realize that clients like those had such long timeout periods. Those connections should now be explicitly refused.
I cannot reply to your lower-level comment at the max nest level, but I disagree with you about https.
The contents of the https transaction is not available to the CA.
The data is not available for snooping for intermediaries.
And tampering, while it seems like a silly check, is actually done almost casually by ISPs for a variety of reasons. They will insert executable code into a HTTP reply.
In other words, preventing HTTPS might support the subjugation of your users by others.
Sounds silly but once RMS said "proprietary software subjugates people" and it sounded like weird over-the-top political rhetoric when I heard it. But over time I notice that indeed subjugation is a huge part of our use of computers
> I cannot reply to your lower-level comment at the max nest level, but I disagree with you about https.
You've somewhat misunderstood me, or perhaps not cared to listen to what I stated, and now you're disagreeing with your incorrect interpretation of what I said. I wish you had given a point-by-point argument to what I said, and tell me each sentence you disagreed with (I'll do that here).
> The contents of the https transaction is not available to the CA.
I never said that. I said, "both sides of the connection, and everyone in the middle, know who they're talking to." E.g. if you're talking to Google, then you know that you're talking to Google, and Google knows it's talking to you, and your ISP knows that you and Google are talking.
> The data is not available for snooping for intermediaries.
Yes, it is. See: NSA FLYING PIG. See: all bogus certificates ever issued by a CA. See: "Flame" malware that was signed using a bogus Microsoft certificate. See: <just do a web search>
> And tampering, while it seems like a silly check, is actually done almost casually by ISPs for a variety of reasons. They will insert executable code into a HTTP reply.
How did you interpret this statement? "...that is a social problem and not a technical one. Sure, some technical measures may mitigate that from happening, but ultimately the problem is social and users of that network should stop using it, or start tunneling their traffic some other way."
> In other words, preventing HTTPS might support the subjugation of your users by others.
No, if I don't want to support HTTPS then that is _my freedom_. Would I not be subjugated by a corporate CA, and would I not need to support that for the rest of my website's life? (Yes, I would.) And, again, it is not my responsibility to protect people from their malicious ISPs. The problem is obviously the ISP, not my website. And again, I offer trust and validity checks for all important files served by me in the form of PGP certificates.
> Sounds silly but once RMS said "proprietary software subjugates people" and it sounded like weird over-the-top political rhetoric when I heard it. But over time I notice that indeed subjugation is a huge part of our use of computers
That doesn't sound silly at all, what RMS said, but your interpretation of it certainly is. Do you believe conscientious objectors support war if they are not actively trying to dismantle the military?
I don't support the subjugation of users--I believe users ought to hold all the freedom themselves, including the freedom to protect their communications if they wish, but I don't have to actively participate in the obvious corporate racket of acquiring SSL certificates, and the eternal responsibility they require. I deserve the freedom, too, to host a site independently--and that is what mandatory HTTPS (without a distributed web of trust) will take away--not away from me, because I can always host a site no one visits, but away from users who won't anymore have the choice.
"we need completely distributed human-to-human trust without any corporate authorities."
Just to be clear: I'm not against HTTPS--I would love to have trust and validation to those I'm speaking with electronically. But, the way SSL is implemented today (with CAs) is not something I am willing to support for my personal website.
ok, but although HTTPS has some drawbacks, I think HTTP has many more drawbacks.
I think this is sort of like "lock you car doors". Yes, a dedicated thief can bypass the locks and open your car, but you don't have to leave your car doors unlocked and let anyone enter you car at will.
I think a reasonable middle ground might be to maintain HTTP and do HTTPS using letsencrypt. If one of the CAs does something to limit your freedom, you could redirect https to http and turn it off.
Anyway, it's good to see you're basing your argument on your principles, many people cave early and easily.
There are a few reasons, but since you worded that question ambiguously, I'm not sure if you know that HTTPS doesn't protect privacy. It can verify data in-transit is not tampered (maybe--see NSA note below), but nothing is anonymous (both sides of the connection, and everyone in the middle, know who they're talking to). Maybe the URL is private, but that's a very low bar for privacy.
There's also a problem with how certificate authorities are run which I strongly disagree with. People trust them because corporations trust them, which is already bad, because those same corporations are in-bed with NSA and probably other "security" agencies (which are hard to tell apart from criminal syndicates). If we moved to an HTTPS-only world (Universe, please forbid) there would be an absolute CA racket, and any website could be censored by having the CA revoking its certificate. I fear very much for that possibility, and I completely disagree with the direction that corporate browsers are taking by moving towards HTTPS-only, and especially false messaging like when Chrome reports websites as "non-secure". Firefox, which along with Mozilla is almost entirely funded with Google dollars, is going the same direction.
Another problem is if an ISP is tampering with a customer's connection, that is a social problem and not a technical one. Sure, some technical measures may mitigate that from happening, but ultimately the problem is social and users of that network should stop using it, or start tunneling their traffic some other way.
I provide HTTPS as a convenience for people downloading my software who otherwise wouldn't check my PGP sigs. Browsers like Chrome have false messaging claiming sites are "not secure" and techno-illiterate users don't understand what that really means, and they complained, so I listened but still advise everyone to check the signatures anyway.
Another major reason is that I don't care to support HTTPS for the rest of my life on my personal website. If I were to start supporting it, then everyone will start linking to the HTTPS version, then I could never get rid of that because redirecting back to HTTP requires HTTPS. I never collect any kind of data through my website--there are no form submissions, it's read-only and purely serves .html pages (not even server-side rendering). There's not really a purpose to a secure connection for that.
This only scratches the surface of these problems. I won't even get into how certificate authorities assign, then revoke, bogus certificates all the time--but that happens more than they will ever admit to. If you do a search for that, even just on Ars Technica, you'll find a lot of examples.
My biggest complaints may be summarized as, "we need completely distributed human-to-human trust without any corporate authorities."
