Kermit Project

Is This Site Secure?

Frank da Cruz
30 December 2019

Chrome says...
Chrome address bar
Firefox says...
Firefox address bar
Websites:
[The Kermit Project]
[The New Deal in New York City]
[The History of Computing at Columbia University]
Plus all other sites and pages linked to from my personal website.

Starting about 2015, popular browsers like Chrome and Firefox started to warn people that unencrypted websites such as this one were "insecure" by crossing out the padlock icon or simply putting "Not secure" in the address bar.

Is this website insecure? No. Is it dangerous to use? No. Not only is it not dangerous to use, it is infinitely less dangerous to use than almost any other website because when you visit a page here, that's all you're doing: looking at one single page. Watch the progress bar on the bottom of your browser when you visit a mass-market website like cnn.com: you'll see dozens or hundreds of addresses flash by of unknown stuff it is loading into your computer. Who knows what all of that is! And then, while "browsing" the page you wanted to look at, myriad unwanted ads and promotions pop up to obstruct your view, forcing you to try to click them away, and WHO KNOWS WHAT HAPPENS when you do that. This is 99.9999% of the Web in 2020, a gigantic money-making scheme based on getting and selling information about every single thing you do and look at.

This website doesn't do any of that. When you visit a page here, you'll see only ONE address in the progress bar: the address of the page you visited (perhaps redirected, but that's another topic).

Why is this site secure?

It's secure because (a) it doesn't store anything on your computer, no cookies, no nothing; (b) it does not collect any information from you or about you to send to some corporation or government agency that wants to spy on you or monetize your keystrokes and mouse clicks; and (c) it doesn't have ads, which are basically software programs downloaded to and executed on your computer that can do absolutely anything at all without your knowledge or permission (more about ads below).

This site that you are looking at is, by contrast, a READ-ONLY website. In the early days of the Web, most websites were like this one: information you could read, exactly like books in a library, and images you could see. One-way-traffic. Read-only websites are no more dangerous than books. Here, for example, is the very first website, made by Tim Berners Lee, inventor of the World Wide Web, on August 6, 1991;

http://info.cern.ch/hypertext/WWW/TheProject.html

If you visit it in Chrome, you will appreciate the irony of the father of the Internet being admonished by Google, a company that owes its existence to his work and that has made around a trillion dollars from it.

You can assure yourself of the security of any page on this site by looking at its source code, which in most browsers is accomplished with Ctrl-U or menu View→source. All pages on my sites are created by hand with the express goal of legibility for human readers who, when they look at their source code in the future when HTML is long forgotten, can still read them as if they were plain-text files, with most lines less than 80 characters long so they fit on a terminal screen or a printed page. Compare with (say) cnn.com, where "view souce" doesn't show any "content" at all, just program code, and the lines of code can be extremely wide (for example, in the page I looked at just now, one line was 18,773 characters long). There's no way you can tell if a page like that is secure by looking at its source code. Yes, it might be "secure" in the sense that the connection is encrypted, but what is all that code doing on your computer???

Why are the Web browsers trying to scare you?

The Web started out as a government-sponsored nonprofit public service in which anybody could put information online, and anybody could read it. But then the Web devolved into a privatized, unregulated, get-rich-quick scheme for corporations and investors. They want to make money from you. Of course you have to pay your internet service provider; fair enough, since the infrastructure of the Internet costs money to build and maintain. Similarly, in most cases the owners of the websites themselves have to pay for Web hosting. Also fair enough. Some websites (such as newspapers) even demand payment before you can access them; in a way, even that is fair enough because how else (besides ads) can they stay in business now that nobody buys newspapers at the newsstand any more?

But before long, the Internet turned from a big library into a shopping mall where everybody orders products online, and to do that the vendors had to obtain your identity and credit-card information as part of the ordering process. Since the architecture of the Internet potentially allows anybody to spy on the traffic of anybody else, your payment information had to be encrypted so lurkers couldn't capture it. Eventually, all E-commerce sites had adopted end-to-end encryption protocols between the Web browser on the user end, and the Web server at the Internet host.

That doesn't solve the problem once and for all, though, because any code can be cracked, and there are millions of people working full-time to crack whatever the current code is, and eventually they succeed. So Internet security has become a big and ongoing business, which has to be paid for. If I want to have a secure E-commerce site so I can make money, I have buy security services on top of the basic web services: an HTTPS address instead of the original HTTP — OK, fair enough.

But if I am not trying to sell anything, and I never attempt to solicit or capture information from visitors, I don't need the security services, any more than books need to be encrypted.

But that means I'm not paying money to a security company every so often to maintain my "security certificate". So now, the makers of some Web browsers have decided to coerce all websites to be secure even when they are read-only and don't need to be. This understandable in Chrome, for example, because it's from Google and its only purpose is to generate revenue. So Chrome pioneered in scaring Web users every time they visited a read-only website, to blackmail the authors of those sites into making periodic payments to remove the scary warning that visitors see. Probably browser makers like Google get "rewards" from the security companies for adding this feature.

Not fair enough! Consider the consequences:

So eventually the only information available will be corporate information. And of course even that will come and go, just as do the corporations themselves.

Am I being watched even when I visit a read-only website?

The discussion above applies only to the websites themselves. It does not apply to the browser on your own computer or cell phone: Chrome, Edge, Safari, Firefox, or whatever you are using. Your browser can, and almost certainly does, monitor everything you do and (with the possible exception of Firefox) send the information back to the parent company to use, bundle, or sell however they see fit. There's nothing a website author can do to prevent this because it doesn't involve the website itself. However, aside from the top browsers, others exist that claim not to track your activity; search Google (irony) for "browsers that don't track"; read, download, install, and use at your own risk.

How should Web browsers handle read-only sites?

Web browsers such as Chrome and Firefox mark pages as insecure if they have an HTTP address instead of an HTTPS one. They could do better: your own browser knows when the page asks you to provide information, such as a password or credit-card number, or is about to transmit information from a locally-stored cookie. THAT is when it could (and should) inform you of the security risk and give you a choice of how to proceed by popping up a dialog. At a read-only site, you'd never see this dialog. But I doubt that a change like this is forthcoming because there's no money in it.

A better approach would have been for the Internet itself to incorporate security in its basic structure, as part of the TCP/IP definition, so that all end-to-end connections would be secure automatically. This should have happened decades ago, when it first became evident that the Internet was becoming a playground for hackers, criminals, and spies. Instead, elaborate security protocols were developed for use at the application level, forcing every single software maker to implement them in each software product that made or accepted Internet connections: Web browsers, Web servers, Telnet and FTP clients and Servers, terminal emulators, email clients and servers, distributed file systems, chat programs, instant messaging, telephony, programming languages, voting machines, home security systems, cell phone apps, and on and on. Every time a flaw in the security protocols is discovered, all of these applications have to be "updated". Something that tends not to happen, leaving increasing numbers of individuals, companies, and institutions vulnerable to attack.

Advertisements and Watermarking

Watermarking example
None of my websites have advertising. However, because the sites are not encrypted, sometimes you'll see an ad anyway, as in the example shown at left (click to enlarge). The ad is not from the website; rather, it is inserted into the datastream — after it has left the Web server as it streams the web page to your computer — by your own Internet Service Provider (Optimum in my case). This is called "watermarking", a variation on the classic Man-in-the-Middle attack. So far it's an infrequent occurrence and not a major problem, and so far not a security risk, just Yet Another Annoyance.

Posterity

The original World Wide Web in the early-to-mid 1990s was for disseminating, sharing, and further developing scientific and scholarly information. The new, commercial web is for making money and it's leaving real information behind. There are billions of websites, and some of them are the only remaining source for information that might be valuable to humanity, and these are doomed to disappear since there is no reliable support for public resources that don't generate profits.

In an ideal world, there would be a place to store this information and keep it accessible "forever". The US Library of Congress recognizes the problem and is trying, in a small way, to do something about it; see this page. But one single organization with a limited budget and small staff can't possibly fill this role. By "going digital", humanity has literally thrown its heritage to the four winds. I should also mention the Internet Archive at https://archive.org, a massive and truly noble effort to preserve snapshots of Internet content over time, but it is not a basic service of the Internet itself, but rather a volunteer effort supported by partnerships, grants, donations, and fund-raising drives, meaning it could disappear at any moment; read more about the Internet Archive here.


  Last update:  Mon Feb 15 07:22:04 2021