I am not sure how I feel about the general HTTPS-ization of the web. I've used squid (http://www.squid-cache.org/) and dansguardian (http://dansguardian.org/) for nearly 15 years now. It greatly speeds up my web and keeps smut away from my family.
Yet it is becoming more and more useless every day because of HTTPS. I used to be able to quickly fly through google maps because most of the images were in cache, even with only 1mbs internet. Then it went HTTPS only. So I started using mapquest, then it too did the same. Bing maps still allows some non-HTTPS images, so I now use that sometimes.
I can see how some sites might want to be more private in nature. But for news and maps websites I am not seeing the point.
Improved privacy is one benefit https provides. There are two other benefits worth considering: authentication and integrity. Without https, there is no way to trust a site's identity, and no guarantee that the data you're receiving was not modified in transit.
Don't forget to weigh those other two factors when judging https adoption. Your goals are understandable and worthwhile. They're also still achievable with appropriate client management software.
Consider this: in a world without https, your children could visit a valid, approved domain and be served malicious or undesirable content because someone modified the content in flight or intercepted the connection. There is literally no way for you to have any guarantee what's served to your children.
In a world with https (and appropriate client management software), you can be confident they really are only receiving approved content because the connection is authenticated and traffic cannot be modified in flight. (And your children are less easily tracked by unknown 3rd parties, to boot.)
Authentication and integrity are often forgotten when discussing https, which is unfortunate because those are two incredibly important benefits that further motivate widespread https deployment.
You can still do that with HTTPS. Squid supports HTTPS proxying. Basically, you create your own root CA, distribute it to all endpoints on your network, and use squid to MITM all connections. That's (essentially) how most corporate proxies work.
Yes, I'll be setting that up soon. But if the cert is truly bad from the website, there doesn't seem to really be an easy way to check it since squid either outright accepts it or just rejects it depending on the config.
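A Squid configuration that covers both points above (bumping TLS with a local CA, and dealing with a bad upstream certificate other than by silently accepting or rejecting it), as an added example that is not from any commenter. Directive names are Squid 3.5+/4 ssl-bump directives; the CA file, the ssl_db path, the certgen helper path and the `.intranet.example` domain are assumptions for this example.

```conf
# Explicit proxy port that bumps TLS using a locally generated CA.
# /etc/squid/family-ca.pem (cert + key) and the ssl_db path are assumed paths.
http_port 3128 ssl-bump \
    cert=/etc/squid/family-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints a per-site leaf certificate signed by the CA above
# (security_file_certgen in Squid 4; Squid 3.5 ships it as ssl_crtd).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first so the SNI is known, then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Upstream certificate errors are not accepted by default: anything not
# allowed below gets a Squid error page instead of a forged "valid" cert.
# Narrow exception: one internal box whose cert is merely expired.
acl internal_box dstdomain .intranet.example
acl expired_only ssl_error X509_V_ERR_CERT_HAS_EXPIRED
sslproxy_cert_error allow internal_box expired_only
sslproxy_cert_error deny all

# For errors that were allowed through, sign the mimicked certificate with
# an untrusted or self-signed CA so the browser still shows its own warning
# (these three lines are Squid's documented defaults, stated explicitly).
sslproxy_cert_sign signUntrusted ssl::certUntrusted
sslproxy_cert_sign signSelf ssl::certSelfSigned
sslproxy_cert_sign signTrusted all
```

Squid has to be built with OpenSSL support for any of this to load, and every client on the network needs `family-ca.pem` (the certificate only, never the key) in its trust store, as the comment above already notes. The point of the last two groups is the middle path: a validation failure is neither hidden behind a freshly minted trusted certificate nor turned into a blanket refusal, and the decision is logged and visible to the user at the browser.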
If Squid can't proxy sites with bad certs in a reasonable way, that's Squid's problem, not a problem with HTTPS.
The fact that some open-source software can't do what you want it to do doesn't mean that there's anything wrong with other people trying to be secure. The most obvious solution would be to fix Squid, pay someone to fix it if you can't, or at the very least write a bug report to let other people know that you need it fixed.
> quickly fly through google maps because most of the images were in cache, even with only 1mbs internet. Then it went HTTPS only.
How is that related? Your browser caches files if the right headers are set. The protocol doesn't make any difference here.
The only thing you gain via external cache is potentially sharing that cache with other devices at home. But I'm not sure how realistic the improvement is - either you're looking at a one-off location, or multiple times at the same one. In the first case no caching can help, in the second you're looking at stuff multiple times anyways - just let it load the first time.
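The point made above, that caching is decided by the response headers and not by the protocol, as an added example that is not part of any comment in this thread. It implements the RFC 7234 freshness rules a cache applies, plus the one place where a browser's own cache and a shared cache such as a home proxy genuinely differ (the `private` directive). The header dicts and the `RECEIVED_AT` timestamp are constructed sample input, not captured traffic.

```python
from email.utils import parsedate_to_datetime

# Added example: RFC 7234 freshness as applied by a browser (private) or
# proxy (shared) cache. Nothing here inspects the URL scheme.
# RECEIVED_AT is a constructed timestamp matching the sample Date header.
RECEIVED_AT = 1450173600.0  # 2015-12-15T10:00:00Z


def _header(headers: dict, name: str):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _http_date(headers: dict, name: str):
    """HTTP-date header as a Unix timestamp, or None if absent or malformed."""
    value = _header(headers, name)
    if value is None:
        return None
    try:
        return parsedate_to_datetime(value).timestamp()
    except (TypeError, ValueError):
        return None


def parse_cache_control(value) -> dict:
    """'public, max-age=86400' -> {'public': None, 'max-age': '86400'}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if part:
            name, eq, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if eq else None
    return directives


def _seconds(directives: dict, name: str):
    """Numeric directive value in seconds, or None if missing or not a number."""
    raw = directives.get(name)
    return float(raw) if raw is not None and raw.isdigit() else None


def can_store(headers: dict, shared: bool) -> bool:
    """no-store forbids every cache; private forbids shared caches (a proxy) only."""
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    if "no-store" in cc:
        return False
    if shared and "private" in cc:
        return False
    return True


def freshness_lifetime(headers: dict, shared: bool) -> float:
    """RFC 7234 4.2.1 precedence: s-maxage (shared only), max-age, Expires-Date,
    then the 10%-of-Last-Modified-age heuristic of 4.2.2."""
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    if shared and _seconds(cc, "s-maxage") is not None:
        return _seconds(cc, "s-maxage")
    if _seconds(cc, "max-age") is not None:
        return _seconds(cc, "max-age")
    date = _http_date(headers, "Date")
    expires = _http_date(headers, "Expires")
    if date is not None and expires is not None:
        return max(0.0, expires - date)
    last_modified = _http_date(headers, "Last-Modified")
    if date is not None and last_modified is not None:
        return max(0.0, date - last_modified) / 10.0
    return 0.0


def current_age(headers: dict, received_at: float, now: float) -> float:
    """RFC 7234 4.2.3, simplified: larger of the Age header and the apparent age
    (receive time minus Date), plus the time the response has sat in this cache."""
    raw_age = _header(headers, "Age")
    age_value = float(raw_age) if raw_age and raw_age.strip().isdigit() else 0.0
    date = _http_date(headers, "Date")
    apparent_age = max(0.0, received_at - date) if date is not None else 0.0
    return max(apparent_age, age_value) + (now - received_at)


def is_fresh(headers: dict, received_at: float, now: float, shared: bool = False) -> bool:
    """May this cache serve the stored response at time `now` without revalidating?"""
    if not can_store(headers, shared):
        return False
    return current_age(headers, received_at, now) < freshness_lifetime(headers, shared)


if __name__ == "__main__":
    tile = {"Date": "Tue, 15 Dec 2015 10:00:00 GMT", "Cache-Control": "public, max-age=86400"}
    print("map tile fresh after 1h:", is_fresh(tile, RECEIVED_AT, RECEIVED_AT + 3600))
    print("map tile fresh after 2d:", is_fresh(tile, RECEIVED_AT, RECEIVED_AT + 2 * 86400))
```

The example leaves out `must-revalidate`, `Vary` and the request-side directives to stay short; what it does show is that a map tile served with `public, max-age=86400` is cacheable for a day by both the browser and a proxy whether it arrived over http or https, while a `private` response is the one case where only the browser may keep it.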
I listened to an interesting opinion on the BBC the other day that the internet wasn't fit for purpose and that no sane parent should ever allow their child on it at all[1].
Her argument is that we don't expect parents to police their children all the time in real life, shop owners have legal responsibilities to stop children accessing inappropriate products, children are stopped from purchasing alcohol in bars, etc. and yet on the internet somehow it's the parent's responsibility all the time all of a sudden. And if your child is with other people, those restrictions may be totally waived.
The problem is, it is trivial for a child to access incredibly disturbing and PTSD-inducing material, accessible to any child with ease: beheadings, murders, the most vile and disturbing porn you couldn't even imagine, all two clicks of a button away from your 11-year-old.
She definitely has a point. I'm not sure what the solution is as I love the internet being open, but a huge proportion of the planet is made up of children and they can go watch ISIS behead someone or a woman shit in the mouth of a man whenever their classmate dares them.
>The problem is, it is trivial for a child to access incredibly disturbing and PTSD-inducing material, accessible to any child with ease: beheadings, murders, the most vile and disturbing porn you couldn't even imagine, all two clicks of a button away from your 11-year-old.
>She definitely has a point. I'm not sure what the solution is as I love the internet being open, but a huge proportion of the planet is made up of children and they can go watch ISIS behead someone or a woman shit in the mouth of a man whenever their classmate dares them.
I'd much rather have my children see that and talk to me about it because they trust me rather than not mentioning it because they worked around a web filter (which is inevitable [check out my ubuntu live usb stick, or my ssh tunnel]) and are afraid of getting in trouble.
> Her argument is that we don't expect parents to police their children all the time in real life
Up until the child starts hitting double-digit ages, we actually do expect just that. Long gone are the days of society being okay with parents letting 7-year-olds roam free and play.
Yes, it is an issue. And worse, the web has become something so important that you can't just outright deny all access to it. Yet it is still akin to dropping your child off on the wrong side of town unattended and simply "hoping for the best".
The old saying used to just be "have the family computer in a public room (living room, etc.) and don't allow private access". But with every phone, TV, game console, alarm clock, whatever, all having their own web browsers, the only way to truly filter is from the single source of the ISP connection.
7 years ago I had an idea to make web filtering routers and ethernet bridges. But even then it was becoming too hard to reliably do. And I didn't want to market something for family protection that I couldn't 100% reliably guarantee works.
And most recently, a somewhat home constrained neighbor that lived by me wanted me to secure his internet "the way mine is". He was tired of fighting porn addictions. I set him up the best I could, but within a year I had gotten word that he had convinced another friend/relative to buy him a smart phone with unlimited internet access...
I'd say the number one real danger on the Internet is child predators -- and there's no sane way to protect from that, just like there's no sane way to protect from that in the real world. But education and dialogue (with your children) help.
I'd probably be more worried about all the porn that your 11-year-old watches than the beheadings. Staying ahead of the curve wrt healthy sex ed. is a real challenge.
Caching - this is already taken care of by your browser. Desktop browsers can store GBs of cache. How does using another cache layer speed up anything?
Filtering - this can still be done by just using SNI (server names) which are part of the https handshake.
People talk about "privacy" here in this abstract way (HTTPS provides no absolute privacy), and right now there is this: https://news.ycombinator.com/item?id=10711737 at the top of HN.
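The SNI-based filtering mentioned above, as an added example that is not from any commenter: a parser that pulls the `server_name` out of a TLS ClientHello (the one part of the handshake that names the site in clear) and a policy check over it. Because no decryption is involved, this is what a filter can do without installing a CA on every device. `build_client_hello` constructs the sample record the parser is run on; it is not a captured handshake, and the domain names are made up.

```python
import struct

# Added example: extract the SNI host_name from a TLS ClientHello record and
# classify it against a blocklist. build_client_hello() produces constructed
# sample input; it is not a real capture.


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying a server_name extension."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry           # ServerNameList length
    ext_sni = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)                    # supported_groups: x25519, P-256
    ext_groups = struct.pack("!HH", 0x000A, len(groups)) + groups      # listed first so the parser must skip it
    extensions = ext_groups + ext_sni
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + b"\x11" * 32                            # random (fixed, constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xC0\x2F"      # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's SNI extension, or None.

    None means "no usable SNI": not a handshake record, truncated data,
    a hello without an extensions block, or an SNI list with no host_name.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    hs = hs[4:4 + hs_len]
    if len(hs) < hs_len:
        return None                                # truncated hello
    pos = 2 + 32                                   # skip client_version and random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                             # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(hs):
        return None
    pos += 1 + hs[pos]                             # compression_methods
    if pos + 2 > len(hs):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if end > len(hs):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        edata = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000 or len(edata) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        p = 2
        while p + 3 <= list_end:
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("idna")
                except UnicodeError:
                    return None
    return None


def filter_decision(record: bytes, blocklist) -> str:
    """Classify one ClientHello: "allow", "block", or "no-sni".

    The host and each parent domain are checked, so blocking "smut.example"
    also covers "m.smut.example". Records without SNI are reported separately
    so the policy can decide how to treat them (log, fall back to IP rules).
    """
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"


if __name__ == "__main__":
    blocked = {"smut.example"}
    for host in ("news.example", "m.smut.example"):
        print(host, "->", filter_decision(build_client_hello(host), blocked))
```

The separate "no-sni" result matters in practice: older clients, some non-browser software and any client that hides the name (encrypted ClientHello, a VPN) give the filter nothing to match on, which is the gap the squid-with-own-CA approach discussed earlier in the thread closes at the cost of installing a CA on every device.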
I figured I'd get that response. How about this, what are you trying to be so "private" over? Is it legal or moral? Is it perhaps that web browsing and privacy are simply always going to be mutually exclusive, akin to walking out in public?
I am sure everyone that went to ashleymadison.com used proxies, wiped their history, and used HTTPS. But HTTPS didn't really help all that much did it? And how many of your "private" websites that you use are vulnerable to the same?
How do you know some sysadmin at Google isn't right now reading your gmail emails sitting on a backed up filesystem somewhere?
I am trying to do something right here, protect my family and myself. Oh and make my internet faster. But because of a huge push of people that need to do (mostly) wrong, I can no longer do what is right. Yes I am aware that some privacy is probably good. Passwords shouldn't be clear text or CC numbers. But SSL for map images and random text from a news site? Just not seeing the point. Oh and HTTPS isn't the magic bullet either: https://youtu.be/WhKBPwzhAZ4?t=4m40s
There are two reasons for me. First tech-related, second political. (main reasons anyway, there are more)
1. If you allow any website which has a login/payment/refer link to download over HTTP, you potentially lost the security game. It doesn't matter that the payment site is secure if the site that directed you to the shop was on plain HTTP and changed in flight. Making things secure by default is not solving everything, but definitely helps.
2. For keeping privacy, imagine you're doing 99% of your browsing via the default HTTP. Only connections to 1-2 servers ever go over HTTPS. Which are the connections you're trying to keep private? Now compare that to browsing 99% of the time via the default HTTPS. Which are the connections you're trying to keep private?
Privacy isn't the only argument in favour of HTTPS everywhere. There's way too much unencrypted metadata even in an HTTPS connection - just the destination IP alone gives away a lot. The main argument for me is authenticity - no one between the web server and me can inject ads or malware.
Thank you for saying that. I always thought HTTPS was only for private communication or logged sessions. Reading random stuff on news sites shouldn't be HTTPS'ed, it has too many downsides and no upside in these cases.
However, HTTP/2 is here, and it is HTTPS only. The dream is over. We're lucky -- only lucky -- that someone decided to do Let's Encrypt so I can still run a personal website without paying thousands on certificates.
Interesting. I'd never thought about the potential issues with HTTP/2 being only HTTPS based. Though seems that self signed certs could still be used or is that disallowed?