
I think it's more worrying atm that nobody can be bothered to even deploy what we do have: TLS, OCSP stapling, HSTS, HPKP, DNSSEC. This stuff isn't difficult to deploy at the individual level.

That’s because this stuff is difficult.

TLS: The Let’s Encrypt[1] ceremonies seem to be going apace, perhaps to be finally launched a month from now, but in the meanwhile you get only 1 free certificate per year that actually works with most clients: The StartSSL product.[2]

Which means you can encrypt only 1 hostname. Have multiple domains? Too bad, you pay money. Have multiple hosts? Same thing. One of the things that made tech so accessible is that you didn’t need to pay to start playing, and TLS breaks that.

Also, want to support Android Gingerbread clients? Then you need an IP address per TLS certificate. No SNI for you. You do know we’re in an IPv4 address space crunch, right?

OCSP, HSTS, HPKP: Need a functioning TLS, first.

DNSSEC: Have you actually tried to implement DNSSEC? My personal domain is validated using DNSSEC. A whole lot of pain for dubious gain.

And these security technologies are not set and forget. Microsoft seems fond of getting TLS maintenance wrong, causing failures in cloud services[3] or the basic security model[4]. DNSSEC also is supposed to do regular key rotations. Which individual has time for all of that?

That’s if you even have access to enable security. A whole lot of content is now published in centralized silos: Twitter, Facebook, Google, Wordpress. No federation, no outside control: no need for individuals and organizations to care about privacy. You are totally free to set up or join a diaspora* pod,[5] but you will find yourself forever alone.

I think technology can be developed to make privacy easier, and I think insecure defaults and fallbacks should be eliminated, but I am convinced that it will not be easy.

[1] https://letsencrypt.org
[2] https://www.startssl.com
[3] http://blogs.msmvps.com/peterritchie/2013/03/01/azure-table-...
[4] http://arstechnica.com/security/2015/03/microsoft-takes-4-ye...
[5] https://diasporafoundation.org



Excuses.

Wosign are giving away gratis SHA256 certs valid for up to 3 years, and supporting up to 100 AltNames[0]. They're in all the major trust stores, and cross-signed by Startcom (StartSSL).

I believe free basic wildcard certs will come. Someone will eventually break formation.

> want to support Android Gingerbread clients?

No. Gingerbread is down to <5% of the Android user share and lots of apps already don't support it. XP is arguably more of a problem at 10-12%.

IPv4 exhaustion is still mostly a problem of allocation. Big vendors already have a glut of IPs. Even the budget VPS providers don't seem to care if you spin up a dozen VMs just for the IP space, which isn't much more expensive than the $2/mo many charge for additional IPs.

> Have you actually tried to implement DNSSEC?

Yes, I have. It's one easy command with PowerDNS.

[0] https://buy.wosign.com/free/


I didn't know about that cert deal, and I was looking just a couple days ago. It's not that easy. Anyway, I'll take a good look at it. Thanks!



