I definitely understand the concerns that make people want encryption for everything -- preventing governments and ISPs from messing with your content or spying on you. I don't want that either, and I'm glad we have HTTPS to help fight that.
But everything is a tradeoff, and there are actual downsides here. Nowadays, Chrome and Firefox try pretty hard to make you think all non-HTTPS sites are bad for you. What about old web servers that people never bothered to update? They effectively become "broken" without actually breaking. There's tons of great information on sites without updated certs that becomes that much harder to access because of this.
There's also the concern about your actual codebase. Hypothetically, if you're building an HTTP client from scratch, you can write, know and understand every line of code in your project yourself. If you want HTTPS support, you're basically forced to link with OpenSSL, and this is almost guaranteed to take the total percentage of "your code" in your project from 100% to less than 10%. (Probably more like 1%.) You no longer actually know what's going on in your program anymore. Maybe this isn't a concern for most people, but it does matter to me -- and I suspect there are a lot of people who would care a bit more if they thought about it for a few seconds.
So yeah, HTTPS is great. But everything is more complicated than it seems.
You're already linking against far larger libraries that you probably don't understand completely anyway! For example, glibc... So I don't think this is a valid excuse against the "HTTPS Everywhere" initiative.
That's not always true, especially if you're working in an embedded environment or you have other needs (business or legal requirements, even just preferences) to control the libraries you link with.
In the case of this video series, I won't be using any C runtime library functionality at all -- just Windows API calls. Of course, there's always the operating system, which is big and opaque. IMO, there's a difference between interfacing with the platform and dragging in a bunch of other people's code. That's a personal call: it's not a clear-cut line, obviously.
Speaking personally, I more or less know, in general (and for Windows, in specific) how operating systems work. I don't have a strong understanding of encryption, which is heavily mathematical. In the case of OpenSSL, I am not likely to understand what it's doing. In the case of message queues, threads and blitting bitmaps, there's not much mystery there.
Also, the comments I'm making are specifically about this project, not generally about how I think everyone should work. It's clear that this is an art project and not industrial software.
I don't think I disagree with you in principle, but since you are linking in the Windows socket library already, isn't there built-in support for SSL (`WSASetSocketSecurity()`, etc.)?
I agree there are good motivations behind the "encrypt everything" argument, but at the end of the day I'd like my browser to be first and foremost a tool for ME, not a tool for Google to manipulate website administrators.
I understand the implications of visiting a non-encrypted HTTP site. Every time my browser throws up a "this site isn't safe" roadblock and makes me perform extra clicks, I cry a little. Lately those extra clicks take me to a different browser.
_You_ understand the implications of visiting a non-encrypted site because you are a technologically savvy user. Unfortunately, the vast majority of the world does not have the experiences you and I have. Overall, it's a major plus that this is currently happening, honestly.
> You understand the implications of visiting a non-encrypted site [...]
> [...] the vast majority of the world does not have the experiences [...]
Soon enough of the "vast majority" will probably try to ban "HTTPS for everything" because of the "implications" (read as: additional CO2 footprint or something like that).
SSL is a pretty terrible hack to patch over the fact that we don't have an internet protocol version "7" that guarantees point-to-point secure (i.e., encrypted, authenticated) communication.
This is the reasoning behind HTTP/2 and HTTP/3 - you pretty much never want "get me this thing with this name, show it to everyone, and let everyone on the wireless LAN, my ISP, their CDN etc. modify everything I send and receive".
The biggest problem with SSL everywhere is that it complicates the elegant multilevel caching HTTP easily allows - and I think an easier opt-out of this privacy aspect would be good (an easier way to set up a caching Squid proxy on your LAN that transparently caches OS updates, package updates, Netflix episodes, World of Warcraft patches, news site front pages...). It's more or less still possible - but it's all or nothing: if you allow SSL stripping, the proxy gets your web mail even if you just want it to cache OS updates and a handful of web sites.
At any rate, you're still using the OS network stack, so maybe you're running PPPoE and IPsec down there... As "part" of your web browser...