2021-05-07
In the post-Snowden world, encryption in transit is paramount to user privacy. It should be omnipresent and strong. Even a self-signed or otherwise invalid certificate is better than none at all; it makes man-in-the-middle attacks easier, but it does ensure basic protection against dragnet surveillance and prevents passwords, usernames, query strings, and requested paths from being stored in plain text in the logs of every router they pass through.
But no encryption scheme is future-proof. We constantly need to update things for encryption to work:
Because of the way devices are upgraded today, which often is simply not at all, we end up with a lot of devices that just can't secure their connections any more.
This is a similar problem to website bloat or feature creep in apps and platforms. I've never had a smartphone that broke; they've all been obsoleted by UX upgrades, swelling apps, swelling OS upgrades, or lack of OS or app upgrades. My first smartphone still works; it just can't actually do anything or receive any upgrades because its memory is full.
As producers of software and content we can do something about bloat. We can make slimmer websites and apps, and disregard the latest flashy frameworks and CSS functions in favour of tried and tested solutions that worked ten years ago and work just as well today.
But we're kind of stuck between a rock and a hard place when it comes to encryption. Either we force modern encryption standards and thereby obsolete old devices, or we disregard our users' privacy. Feed consumerism or surveillance. Care about either users or the environment, but not both.
How do you tackle this problem? What can we as individuals do to mitigate it? When does one side weigh more than the other?
-- CC0 Björn Wärmedal