CAs now get to decide who’s on the Internet

It started with a legit concern. The majority of websites were served using HTTP. HTTP is insecure. So what you might be thinking? HTTPS is used on my bank and amazon and anywhere I might spend money so it seems not a problem. Except … HTTP allows injections. Ever use some bad hotel or bad airport WiFi and get a banner injected at the top of the screen? That’s HTTP vs HTTPS. Are you sure those articles you’re reading are the originals? Maybe someone is changing words, pictures, or ads. HTTPS solves these issues.

So, the browser vendors and other standards bodies got together and made a big push for HTTPS only. Sounds great right!?

Well instead of just pushing metaphorically by putting out the word, “Stop using HTTP! Start using HTTPS” the browser vendors got together and decided to try to kill off HTTP completely. Their first order of business was to start requiring HTTPS to use certain features in the browser. Want to go fullscreen? Your site must be served from HTTPS. Want to read the orientation and motion data of the phone from the browser? Your website must use HTTPS. Want to be able to ask the user for permission to access to mic or the camera? Your website must use HTTPS.

Okay well that certainly can be motivating to switch to HTTPS as soon as possible.

Except … HTTPS requires certificates. Those certificates can only be acquired from Certificate Authorities. CAs for short. CAs charge money for these certificates. $50 per certificate or more. Often the certificates only last for a limited time so you’ve got to pay every year or 2.

Suddenly every website just got more expensive.

Okay you say but that’s still not a ton of money.

Yes but, maybe you’ve got an innovative project. One that lets any user access their media from their browser(example). You’d like to let them go fullscreen but you can’t unless it serves the media pages as HTTPS. The rules of HTTPS say your not allowed to share certs ever. If you get caught sharing your cert will be invalidated. So, you can’t give each of these people running your innovated software a copy of your cert. Instead every user needs their own cert. Suddenly your software just got a lot more expensive! What if your software was free and open source? In 2015 people were able to run it for free. In 2016 the are now required to get a cert for $50

So what do you do? Well you hear about self-signed certs. So you check those out. Turns out they require complex installation into your OS. Your family and aunts and uncles and cousins and nephews and nieces aren’t going to find that really manageable. And besides there’s the feature where anyone can come to a party at your places and queue some music videos using their phone’s browser but that’s never going to fly if they have to first install this self-signed cert. Official certs from CAs don’t have this issue. They just work.

Okay well you shop around for CA’s. Dear CA#1 will you give my users free certs? No! Dear CA#2 will you give my users free certs? No!

Oh I hear you say, there’s a new kid on the block, letsencrypt, they offer free certs.

They do offer free certs BUT, certs are tied to domain names. To get a cert from letsencrpyt you have to have a domain. Example “mymediastreamer.org”. So even if you can get the cert for free your users now need to buy a domain name. That can be relatively cheap at $10-$20 a year but it’s a big technical hurdle. Your non-tech family members are not really going to be able to go through all the process of getting a domain name just to use your media server.

Oh I hear you say, what if my software ran a public DNS server. I could issue users subdomains like “.mymediastreamer.org”. Then I can give out DNS names to the users and they can get certs. That might work … except, DNS points to specific IP addresses. User’s IP address changes. You can re-point DNS to the new address but it takes time to propagate. That means when their IP address changes it might be a few hours until they can access their media again. Not going to work.

Ok then here’s a solution. We’ll make up domains like this “..mymediastreamer.org”. That will make the DNS server even easier. We don’t even need a database. We just look at the “” part of the DNS name and return that IP address. Now when the user’s IP address changes there will be zero delay because they can immediately use a DNS name that matches. We’ll setup some rendezvous server for them so they don’t need to lookup the correct domain. It will all just work.

Great! We have domains. We can get free certs from letsencrypt.

Except….letsencrypt limits the number of certs to 240 per root domain. So once you have 240 you can’t get more certs. That means we can only support 240 users at best. But then there’s another problem. Letsencrpt doesn’t support wildcard certs. Because we added the part above we need a wildcard cert *for each user* matching “*..mymediastreamer.org”.

Effectively we are S.O.L. For our purposes letsencrypt is just another CA. “CA#3 can we please have free certs for our users?” No!

As of 2015 we could do anything we wanted on the internet. Now in 2016 we need permission from a CA. If the CA doesn’t give permission we don’t get on the internet.

To put it another way because of the chain of validation in HTTPS each CA is effectively a little king/bureaucrat who gets to decide who gets on the internet and who doesn’t. If one king doesn’t let you your only option is to go ask another king. Letsencyrpt is the most generous king as they don’t ask for tribute but that doesn’t change the fact you still need permission from one of these kings.

You might be thinking, “so what? who cares about a media streamer?”. But it’s not just streamers. It’s “ANY DEVICE OR SOFTWARE THAT SERVES A WEBPAGE”. Got an IP camera that serves a webpage? That camera wants to give you a nice interface that goes fullscreen? It can’t without certs and it can’t get certs without permission from a CA. Got some Raspberry PI project that wants to serve a webpage and needs any of the banned features? Again, it can’t do it without a cert and it can’t get a cert without permission from a CA. Maybe you have a NAS device and it would like provide web page access? It can’t do it without a cert and it can’t get certs without permission from a CA.

That wasn’t the case just 6 months ago because HTTPS wasn’t required. Now that it is these kings all just got a bunch more power and innovative products like the media streamer described above and projects like this are effectively discouraged unless you can beg or bribe a king to ordain them. 🙁

  • Eric Lawrence

    It’s interesting that you mentioned Plex: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/

  • Sam Izzo

    Also shared hosting could still be problematic, depending on whether the provider and the browser supports the TLS Server Name Indication extension. Hopefully by now that’s widespread though..

  • Yes, exactly as i described, plex got permission from one of the kings (a CA) to allow their product on the internet. I’m sure that permission cost them $$$$$$ as well.