
Quoderat

Archive for August, 2005

How SSL/TLS is broken, socially

Saturday, August 20th, 2005

SSL/TLS works pretty well on the technical side, but on the social side, it’s broken, because so many sites (especially small ones) don’t use it, requiring users to send passwords and other private information in the clear. The problem is trying to do two things at once with a single standard:

  1. authentication of the server’s (and sometimes the client’s) identity; and
  2. encryption of communications.

There is no question that these are both important goals, but combining them into an all-or-nothing package in browser support for HTTPS has arguably made the web less secure. Generating a local server key for encryption is easy; getting a certificate from a certificate authority is a major hassle (both in time and money) for a questionable benefit (how much verification do CAs really do for ~$100? not much).

If we had separate standards for encryption and authentication, even the smallest sites could encrypt their sensitive browser-server communications as a matter of course, making the web much safer, especially in the era of public WiFi networks.

SSL/TLS RSS Challenge

Saturday, August 20th, 2005

[Update: more results]

[Update: some results left as comments; and more.]

Thanks to everyone who posted comments on my Password-Protected RSS challenge three weeks ago. It turned out that the vast majority of feed readers can handle HTTP basic authentication for feeds.

Of course, if a feed holds important, confidential information, basic authentication over HTTP won’t be enough — you need to be able to use HTTPS to encrypt your password and data in transit. I do not have an SSL/TLS certificate for megginson.com, so I moved my test over to a different site, newmatica.com. Here’s the URL for the same RSS file, this time over HTTPS (the user id and password are still “guest”):

https://www.newmatica.com/test/blog.rss

Will your feed reader allow you to subscribe to a password-protected RSS 2.0 feed when SSL/TLS is involved? Here’s what I’ve tested:

Liferea
Prompts for a username and password, and stores the password on disk as clear text.
Bloglines
Reports no feed found. However, it will read the RSS file if the username and password are encoded in the URL, i.e. http://guest:guest@www.megginson.com/test/blog.rss
Straw
Fails: HTTPS not yet supported.
FeedValidator
Reports a 401 HTTP error (authorization required). Strips the username and password from the URL if they are provided.

Once again, I’ll be grateful for comments about other RSS readers.
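As an added example (not code from this post or from any of the readers tested), here is how a feed reader could handle the credential cases above: it strips userinfo from a URL of the form Bloglines accepted, the way FeedValidator does; builds the HTTP Basic Authorization header; shows that the header is only base64 and hands the password straight back, which is why the post insists on HTTPS; and refuses to send it over plain http. The feed URL is the post's HTTPS test URL with the guest credentials embedded; the function names are hypothetical.

```python
"""Hypothetical feed-reader credential handling (added example, not the post's code)."""
import base64
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the post's HTTPS test feed with the guest credentials
# embedded in the URL, the form Bloglines accepted for the HTTP feed.
FEED_WITH_USERINFO = "https://guest:guest@www.newmatica.com/test/blog.rss"


def split_credentials(url):
    """Return (clean_url, username, password), stripping userinfo from the URL
    the way FeedValidator does, so the password is not kept in the feed URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password or ""


def basic_auth_header(username, password):
    """HTTP Basic Authorization value: base64 of 'user:pass', which is encoding,
    not encryption, hence the post's point that plain HTTP is not enough."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value):
    """Recover [user, password] from a Basic header, as anyone seeing the cleartext request could."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    return base64.b64decode(token).decode("utf-8").split(":", 1)


def build_feed_request(url, require_tls=True):
    """Build the subscription request; refuse to send the password over http."""
    clean_url, user, password = split_credentials(url)
    if user is not None and require_tls and urlsplit(clean_url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over plain HTTP")
    req = urllib.request.Request(clean_url)
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password))
    return req
```

Calling build_feed_request on FEED_WITH_USERINFO yields the clean URL plus the header `Basic Z3Vlc3Q6Z3Vlc3Q=`, and decode_basic_auth turns that header straight back into guest/guest.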

Update: reports from readers

Once again, thanks to readers who have left reports in comments. Here are the results so far:

Sage
John Cowan and Tim Howland report success.
NewsFire
Peter Lacey reports success.
NetNewsWire
Brent Simmons reports success.
RSS Bandit
Dare Obasanjo reports success.
Opera (8.0.2)
Tony Coates reports success.
KDE Akregator
Douglas reports success.
FeedDemon
Brian R. Barker reports success.
Safari
Silas Hundt reports success, with username and password saved to the keychain.

Patents and screwdrivers

Monday, August 8th, 2005

The Wikipedia article on the Robertson screwdriver gives an excellent example of how clumsy use of a patent hurts innovation. The Robertson screw (square hole, slightly tapered) is the best general-purpose screw drive ever designed, and accounts for about 85% of all screws sold in Canada — if you’ve ever worked with a Robertson screw, you immediately feel the urge to kick anyone who tries to make you use anything else, especially the Phillips screw with its easy-to-strip head.

Henry Ford realized that Robertson screws would save him considerable time and expense on the assembly line, but unfortunately, after a bad experience in the U.K., P.L. Robertson was so fierce about protecting his intellectual property rights that he wouldn’t sell Ford a license to make them. Ford was too smart to bet his company on a single monopoly supplier — even if the product was vastly superior to its competitors — and to this day, more than 40 years after the last patent expired in 1964, Robertson screws are barely used at all outside of Canada. By being too inflexible about his IP, Robertson ended up with only one tiny market (Canada) and missed his chance to change the world.