by cocktailpeanuts 3038 days ago
There really is no absolute right or wrong to this issue.

HTTPS is indeed more secure for users, but it does have some cost, and I think OP has a sensible argument.

If you really think HTTPS is the best thing ever and is absolutely better than HTTP in every sense, you're just looking at it superficially.

When you start looking into how the entire Internet works and what role each party plays in the ecosystem, and how much "real" power each party has, you'll find that HTTPS is THE biggest centralization force of the web. If you think centralization and oligopoly by big tech companies is awesome, fine.

But there are people who don't like that direction for a good reason.

3 comments

How is HTTPS a centralization force? Just because large, centralized tech companies like Google are pushing for HTTPS doesn't make HTTPS itself inherently centralized -- apart from certificate authorities, but that's because DNS and the domain name system itself are already inherently centralized. And Let's Encrypt does exist, an organization which has published an open protocol for certificate negotiation (ACME) as well as an open implementation whose root certificate is accepted by all major browser vendors.

Saying HTTPS is centralized is like saying PGP is centralized. If it is, it's only because the underlying technologies (HTTP itself and DNS) are centralized, not an encryption and document-signing protocol layered on top of it.

Even if you can argue that HTTPS is a centralization force, it's almost certainly hyperbole to argue that it's the biggest centralization force on the web today. Surely network effects (Facebook, Amazon), huge amounts of capital, and control over a huge amount of information (Google) are far bigger factors?

I can agree that CAs are a point of centralization. A web of trust, such as the one used in PGP, is better in my opinion.

However, the whole DNS system is centralized. Any alternative DNS root is kinda ignored as well. It's kinda sad.

Also, there are only a handful of browsers. Even fewer browser engines. This is also sad, and partly to blame is how complicated the standards are these days.

> you'll find that HTTPS is THE biggest centralization force of the web

This, very much this. Plaintext doesn't require what is essentially authorisation from a central authority in order to communicate.

I think you'll find that even without the CA system that you need the blessing of at least a few people to get your content on the internet.

- Your address needs to be given to you by your ISP or ARIN.

- Major ISPs need to route to your address and/or accept your BGP announcements.

- You probably need a name which is bought from a few large DNS management companies or their resellers.

- You're required to have an email address to field abuse complaints, which means you most likely will be paying an email provider.

- If you're not running your own hardware you will have to pay a hosting company.

- If your site is large you'll probably need a CDN to handle the traffic, of which there are only a few major players.

- Although it's a blacklist, you effectively need Google's blessing to not appear on the SafeBrowsing list.

Is the CA system really that much more of a hurdle? No question it's a little scummy at times but it's cheap and relatively low maintenance.

You misunderstand what CAs are. Or, indeed, what their certificates imply.

CAs don't provide permission, they vouch for an identity.

Saying that CAs give you permission to communicate is like saying notaries give you permission to sign a contract. You can assert your identity without verification as long as the other party in the relationship is fine with the increased risk of fraud.

Similarly, you can use HTTPS without a signed certificate (precisely as you can use HTTP without HTTPS) as long as you and the other party are happy with the risk that Verizon could be "sanitizing" your speech or injecting your real-world identity into all your HTTP requests without your knowledge.

But both the site operator and visitor stand to lose from someone tampering with your traffic. And increasingly, it's the users that are getting burned in this relationship.