On the WebSockets mailing list, there is a heated discussion going on about whether or not WebSockets should be deployed over TLS (aka â€œhttpsâ€) or not. The common misconceptions about TLS arise, of course. But it has become increasingly clear that most people view protocol security completely backwards, because of HTTP. (Thanks to Jim Roskind for crystallizing this)
- HTTP: The protocol of the web
- HTTPS: The secure version of HTTP. Cool!
But we should think of it like this:
- HTTPS: The protocol of the web
- HTTP: The insecure version of HTTPS. Yikes!
We shouldnâ€™t feel safe when we use https. We should feel unsafe when we use http.
Our vantage point is backwards because we started with the notion that security is an â€œadd onâ€. In todayâ€™s hostile networking environment, nothing could be further from the truth. Security is not a feature, but a requirement. Offering an â€œinsecureâ€ version for those that want to play risky should be the optional feature. This just becomes more true when you think of the fact that new protocols will be in use 10 years from nowâ€¦