May 23, 2014

Security Standards and Name Changes in the Browser Wars

The Netscape/Microsoft browser wars in the mid-'90s were really vicious and competitive. They really had it out for each other.

Netscape had developed the SSL protocol. The initial version had cryptographic flaws and was broken pretty quickly, and never released. The first production version was SSL 2, which was in use for a few years. (I don't know the exact versions of Navigator it shipped in.)

SSL 2 had some flaws, both cryptographic and practical; not dramatic enough to make replacing it a crisis, but it clearly needed some work from early on.

As a part of the cutthroat competition, Microsoft decided to revise the SSL 2 protocol with some additions of their own, and specified a protocol called "PCT" that was derived from SSL 2. It was only supported in IE and IIS.

Netscape also wanted to address SSL 2 issues, but wasn't going to let Microsoft take leadership/ownership in the standard, so they developed SSL 3.0, which was a more significant departure.

Various people in the industry & community didn't want a fork, so we (Consensus Development, where I worked with Christopher Allen at the time, and where I had written the SSL 3.0 reference implementation under contract to Netscape) hosted a meeting between representatives from Netscape and Microsoft; I forget everyone who was there, but I recall that Bruce Schneier was there (before he was famous), and probably Paul Kocher, who had designed the SSL 3 protocol; Barbara Fox represented Microsoft. And we negotiated a deal where Microsoft and Netscape would both support the IETF taking over the protocol and standardizing it in an open process, which led to me editing the RFC.

As a part of the horse-trading, we had to make some changes to SSL 3.0 (so it wouldn't look like the IETF was just rubber-stamping Netscape's protocol), and we had to rename the protocol (for the same reason). And thus was born TLS 1.0 (which was really SSL 3.1). And of course, now, in retrospect, the whole thing looks silly.

The Quality of News

Here's a comment I wrote in response to this post on Facebook from Mike Hudack:

As long as an ad impression on a "serious story" pays as much as an ad impression on a listicle and people are more interested in viewing listicles than real news, this will likely continue. Facebook accelerates the problem, but is not its core source. And the media outlets that produce this crap are just following the incentives: if they don't do it, someone else will (and that someone else will be all over your social media feeds).

America's tradition of quality journalism stems from two sources: bundling and the fact that some fraction of media outlets were owned by families and businesses who were interested in their reputations, not just their bank accounts. Serious news has never sold well, but as long as you had to buy a newspaper to get both the front page and the sports page, one could support the other, and it was in the interest of the families that ran those papers to be seen as serious; they funded the news desks to maintain that image. This worked, particularly when newspapers had strong, well-defended businesses which weren't vulnerable to disruption, and the bundling helped everyone hide the truth about what components of the bundle the audience actually cared about.

Now, however, people consume content one page view at a time: bundling has vanished, and brand value is low. Anyone can start a media outlet, and there's no audience loyalty. Advertisers pay pretty much the same amount for an ad view regardless of what content it's next to. And programmatic buying has eroded any value advertisers gave to serious brands: now they just want to find the audience, wherever they are. The revenue and cost of a serious news piece vs. a cheap slideshow is clearer than ever and easy to optimize. So it's a race to the bottom, and devil take the hindmost.

There's plenty of great content out there—probably more than ever—but it doesn't get a lot of attention, particularly on social media.

Personally, I think the most likely way out is charging readers for quality news and surviving the sharply reduced audience that will imply. It will entail focusing reporting on concepts that can't be easily "aggregated" by other outlets. The free media will still be a sewer, and most people will only read that. But maybe we could develop a supportive and self-sustaining ecosystem for quality reporting for the people who care about it. That said, it's hard to get there.