>If they can, corp dev people like to turn the tables on you. They like to get you to the point where you're trying to convince them to buy instead of them trying to convince you to sell.
I worked for an established company (not a startup) and had a run in with Wal-Mart. Wal-Mart managed to buy some stuff at an ultra low discount because ... someone thought maybe if we get in there we could sell tons to their IT team.
Meanwhile I'm working with their IT guys. They hate the product. They tell me in no uncertain terms and in every unprofessional way you can imagine (that part was pretty shocking). Of course what they're really doing is just buying the minimum and pounding the hell out of support with complaints as they pump 20 gallons into 10-gallon hat of our product.
What happens? We keep providing them free services, extra services. The folks at the top think they're at the tip of a big sale, big money despite myself and others telling them "These guys don't like our widget, they don't want it... and they're not capable of even making good use of it. All while giving it to them for free, why would they pay a dime more?"
By the end I hear we've made like our 5th pitch to them that is barely profitable for us... just on the face value of the product and support. Somehow Wal-Mart convinced these guys to take a 'big sale' moment and turn it into a loss if you consider all the time put into working with them. And they were happy to do it.
Finally we had a stroke of luck, we were acquired, and the new CEO had worked with Wal-Mart before as a customer and cut them loose. Finally all that effort and energy that went into this big deal that never happened (probably for 18+ months) could be put to use with better customers.
It's amazing how some folks can over time convince other people to actually propose a bad deal... for themselves.
The company I worked for had a pretty much identical experience with Unilever: they aggressively reduced the scope of the contract, but expected all the extras anyway; then at the end of the contract made the company choose between getting paid for all the overages, or extending the contract. They never even really needed us if you ask me; we were primarily used as a tool for one group of execs trying to one-up another group who was backing a competitor. Eventually it all led to us having to integrate with that competing company... until said competitor suddenly went out of business (helped by their Unilever deal, no doubt). Of course the management's objective was keeping them as a client at any cost because having them as a reference would open up so many opportunities (it didn't really).
It will come as a surprise to many people, but it's quite possible to lose a ton of money on a toxic client who is paying you millions. Avoid such "white elephant" clients at any cost. And really, the last thing you need in your life is getting dragged into some huge conglomerate's internal politics.
I never worked with Singapore Airlines, but people who have experience with them tell me they're even worse in the sense that they allegedly have a policy of not paying for software - you get to give them free stuff in exchange for being able to list them as a client. Huge software companies can afford to do that; your growth stage startup probably can't.
Hah, a past SaaS “big startup/small enterprise” company I worked for also had Unilever as a customer, and they were also arguably our worst, most toxic customer. Constantly draining the time of everyone they interacted with. Managed to convince our execs to build a number of custom features just for them, that we spent a huge amount of time on, and they never used them (nor did our other customers).
I've encountered similar time-wasting behaviour with large companies, although not specifically Unilever.
In most cases I don't even think it's malicious: just that if you work somewhere in the middle of a giant corporation you forget the value of time. I suspect this is perhaps because it may take you years to deliver value for any initiative or project (assuming you can do it at all). Whereas smaller companies might be able to deliver the same value for themselves in days, weeks, or months so there's always this sense of momentum and urgency.
This is related to another theory I have about large corporations which is that if you work for them too long it robs you of initiative and possibly even makes you become stupid. Again, there are doubtless parts of these companies where this is more or less true, and possibly even some where it doesn't work this way at all, but I've had to deal with too many mid-level employees at large corporations now who simply can't get anything done, can't think for themselves, and for whom even the most basic of tasks can drag out for months. (It gets frustrating endlessly having to spoonfeed and restate next steps, and correct misunderstandings and misinformation.)
I realise this is quite a jaded view so I'd be happy to hear counterpoints.
I think this is the natural destination of bureaucracies, because the entire point of a bureaucracy is to reduce risk by creating a documented process for anything you could imagine wanting to do, leaving employees with no opportunities to think for themselves or be creative. So they just get to work, watch the clock, mindlessly follow the rules, and then go home. I suspect the lack of imagination required to work such a job draws people who prioritise stability and predictability over creativity.
I've worked at a small company constantly chasing large customers. Let's say a middling customer deal was $50k. Pretty much all profit. A large customer deal would be $500k, and need $500k of very specific technical-debt inducing bespoke dev work. I didn't know why they didn't grow the number of $50k deals!
Actually I know why. It was the "If we can get walmart it'll lead to much more" mentality (but not walmart but similarly big clients).
Also the $500k deals took a long time to land. When budgeting, whether the company made a profit or not would depend on a top salesman landing such a deal, or not.
What I notice is with larger deals and tenders the world was more cutthroat, the competition was more fierce etc, a lot of the "value" was from negotiating contracts and arguing over deadlines and shit, not actually delivering a product.
Sounds like where I ended up. We had a moderately successful company doing a lot of ~$100K deals and once we became financially sustainable we merged with a supposedly larger company in a complementary field with a view to accelerating our sales and getting access to a larger and more experienced tech team.
It turns out that they didn’t care at all about our regular little deals - the sales lead bragged to me once that he didn’t “get out of bed for less than $1M”. Long story short they spent all their time chasing much larger deals, but landing far fewer of them, and like your experience, the bigger deals are more complex and expensive to service. It was all driven by ego instead of logic, and it ended pretty badly.
I worked for a defense contractor that turned their nose up at $200M NASA contracts. Then after shenanigans from an unrelated division of the parent company all the big contracts started to dry up as punishment.
I had two of these moments, both with former top 3 tech giants (they were both far removed from the top by the time we talked).
The first gave us all sorts of access to their products first, presumably to see how our product would utilize them. And we used this as selling point to customers, not recognizing that we were kind of doing advertising for that other company as well as removing a barrier to customer acquisition. Nearly eight months in and that relationship petered out.
Second was more exciting. They came in loud and excited and had recently made some 9 figure acquisitions. They wanted to move quick so they started some technical evaluations. Tons of questions, requests, ideas, meetings, handoffs, etc. After four months of this we kind of got sick of doing their bidding without any timeline for how the process might go. After pressing a few times, they went cold. Our assumption was they were initially interested in a deal but moved into make-it-feel-like-we'll-be-family-soon-so-they-share-way-too-much mode.
I believe the second group was intent on just replicating what we had but I watched them closely and nothing materialized. I suspect given the resources they devoted the project collapsed there or was repurposed to a subsidiary.
I wonder if there are any groups out there anymore with the intention of becoming successful by making a good product for users, serving the client?
I read articles like this, stories like yours, talk to startup owners recruiting who answer "Sold to someone." when you ask them "Where do you see your company in 5 years?" and I doubt the product and users are in focus. And organizations proud of themselves for being series n funded next to or before the success of their product (which many times is just missing in fact). Seems like product and users, the functionality, is an unavoidable circumstance only, one of the many, something to consider like office space or tax returns.
I don't know why but somehow the Boeing story comes to mind, how they shifted focus from engineering to business in the passenger plane line when McDonnell Douglas managers bought themselves into Boeing management with Boeing's money. And the 737 MAX.
From the other side of this, if a company has been charging you $20 for something, why are you suddenly going to pay $100 for three times as much?
Working for places that are trying to do what your company was trying to do is how people get burnout. Congrats on the external perspective. Most places don’t get that lucky. Sunk cost fallacy and all.
Stay with the companies that are your size, until you’re big enough to land the big fish. Then charge them the same as you charged everybody else. If you lock the biggest fish in at an unsustainable rate, how do you intend to make up the difference on volume?
I don’t think credibility is the right word. I agree that a well known customer can help the sales process up to a point. But if you are in a b2b business and you have 100 customers on your books then having a name-brand customer is probably not that important.
In fact, if you have 100 customers on your books then it’s likely that customer number 101 has heard of many of them even if the regular guy on the street has not.
That one big customer - especially if it’s an early one - can really screw up your relationships with the customers that actually spend money with you - and what happens to your credibility when they quit?
I don't doubt it for a start up... but I also wonder what value that is vs. 18 months of work and turn that into a deal that is really a loss, and the customer struggles to use the product ... and now you've got a big dominating customer who is going to continue to eat up time ...
I wonder how many profitable customers could be had in that time.
I've lived this situation. Large co bought one of our systems, as their internally built systems weren't up to the task. We sold it at effectively break even. This was in part due to my business partner's view that we could turn this into a bigger deal.
Well, no. We couldn't.
The "customer" wanted specifically to see how we did what we did, in order to copy this. It took me a while to figure it out, but I did, and we wound up walking away from it. Partner was angry, but it was absolutely the right business decision to terminate the interaction.
PSA for any small startup firm with real differentiation: BigCo will, absolutely, positively will, try to see if they can replicate your value on their own rather than buy from you. Patents won't stop this. Pretty much nothing will, apart from an architecture and implementation that they don't understand. They will mess with you. Approach with extreme caution, and be prepared to cut bait quickly.
I used to say that our customers were our biggest competitors. You have to execute 10x better and be ½ the price if you want them to buy your product rather than replicate it. Or (better) you have to know something they don’t — and keep it to yourself.
My guess is basically yes. Once they copy your small startup features and you go bust, what is really left to do? Spend an inordinate amount of time and money that you might not have chasing some compensation? How feasible is that.
Amazon (often) demands a year of free service from a vendor, and requires an NDA and charges a fee to cancel the NDA so you can claim them as a customer.
I've worked with (but not in) CorpDev in two large enterprises, and I've had a startup acquired via CorpDev. Paul is overstating his case to the point of it becoming bad advice.
Just like there are good VCs and bad VCs, there are good CorpDev teams and bad CorpDev teams. The mistake many founders make, however, is confusing the quality of the brand with the quality of the CorpDev team.
The best approach is not a simplistic "never meet with CorpDev" but to ignore the brand power and first treat a CorpDev team the way you would an unknown VC. Do some research. Ask other founders about their dealings with the team.
I've been on both sides of the CorpDev table. Just like VCs, there are plenty of people who will waste your time, but there are also people who are very generous with advice and introductions.
The trick is to ignore the brand and learn about the people you will be dealing with.
Edit:
It's also good to remember that many large enterprises have multiple (sometimes competing) teams working on investments and acquisitions. Quality can vary widely even within the same company.
> Do some research. Ask other founders about their dealings with the team.
For a founder who doesn’t otherwise have interest in talking to corp dev, what is this if not a waste of time?! This 100% takes focus away from building your business.
I was courted by corp dev from a big public company. It was quite an experience -- events, dinners, wine, private meetings, large groups of the corp folks hanging on every word. They got pretty pushy, demanding to know trade secrets to keep going with a negotiation. At the end of it I pulled the plug because it was clear they were not working in our interest. (The word "pillage" comes to mind.)
The experience was nice to have, but as the essay claims, it ultimately was a poor use of time.
Yup. Had a similar experience with a BigCo and an investment. Part of the terms they were insisting on was an irrevocable global license to use our tech, name, trademarks, etc. for them and their partners. Our lawyers said they were trying to buy us on the cheap.
Time is cheap, relatively to focus, IMO. I think it takes a pretty seasoned businessman to pursue or negotiate (even half-seriously) an acquisition... and paying the "price" in time only.
Points not covered in this piece, but worth noting:
(1) If a counterparty is interested in you, it can help accelerate valuable partnerships you care about
(2) You may want someone to invest in you, not to buy you; or you may want them to invest in you in the future
Now, for CorpDev, a conversation about investment is always a sliding scale... n% (invest) <--> 100% (buy you). But whether it's from the corporate balance sheet or as a referral to the corporate VC arm, there can be value there, and value in the relationship building, depending on circumstances.
As with so much, the risk is not knowing what you want and getting carried along by the process -- lettings things "happen" to you. If you have a conversation with corpdev, you're trading some information and receiving some information. Is that ride worth the price of admission? You have to decide based on the circumstances. This piece has an edge that helps to provoke and draw attention to the themes (don't let others shape the narrative of your business engagement) and that's fine.
There are places and indicators that a CorpDev conversation is 200% M&A, and there are times when it has more BizDev dimensions. Many companies want to develop partnerships first to determine if a potential acquisition is accretive. And, those partnerships can actually be valuable to small companies, even if they have tricky strings that can trip you up. ¯\_(ツ)_/¯
I've started and run five companies. I've had nothing but great experiences with Corp Dev and nothing but horrible experiences with VCs. Corp Dev wants to give you cash (usually!) for your company. VCs want to put you into their portfolio of companies, and they know ahead of time that they will destroy nine out of ten of their portfolio companies in order to coddle the tenth to Google-dom.
I wonder how analogous this is to “don’t talk to VC associates” advice. Corp dev is interested in buying a company, any company, at a low price but even once corp dev is sold they’ll have to sell the deal to someone who matters. People confuse “this corp dev person is interested” with “this company is interested”.
If you’re not actively looking to sell, _definitely_ don’t bother taking the meeting unless there’s a champion high up who is personally interested.
Come to think of it, recruiters aren’t all that far off this either…
He actually didn't even cover one of the worst parts about the whole process - fake buyers who just want to steal your tech. I was working at a startup with a ground breaking product no one had released before, we had shipped hundreds of prototypes and gotten good reviews and had plenty of orders, but board redesigns and setting up a factory assembly line for the production models was eating into our cash and runway. A big company in an adjacent space made it known they were willing to buy us. We set up a data room, gave them tours of the office and technology, intros to all the staff, and they liked everything they saw. Offer never came through. A year later they announced they would be developing a knock off. Entire process just seemed like a way to get internal development info for their own clone they were starting development on.
Amusingly, I've seen this process go the other direction in the finance world. Sometimes an employee will go out and interview with another fintech company, pretend they are willing to jump ship, and pick up as much information on how their competitor works as they can at the fake job interview. Employee then happily continues at the fintech startup with the extra knowledge.
It usually takes an experienced engineer a 15-minute tour around a building watching the machines to know exactly how you have done anything. It takes years and millions of dollars for your company to iterate on the specific layout, from the infinite possibilities.
I have seen so many derivatives of this system, like courting/buying the gatekeeper with expensive gifts (laptops, very cheap vacations) or compliments in order to gain access.
It is relevant here to talk about what Apple did with DropBox. They invited those guys to a tour around Apple HQ (probably with bed sheets over machines), but Steve Jobs got angry when the people of DropBox did not reciprocate and invited Apple folks to a neutral place instead.
It became clear Apple just wanted to know all the internals in order to copy them straight, just with mountains of money.
Oh, I've experienced this, not with a fake buyer, but a fake partnership deal.
I was contacted by someone at CrowdStrike (yep, I'm naming those bastards), who wanted to setup a meeting about a potential partnership. We had a chat, and then had a long meeting with several CrowdStrike people, including some software engineers.
I demo'd our product, and all the way through, the devs were asking these really detailed questions - they wanted to know precisely how everything worked.
In my naivety, I assumed this was all in good faith, despite alarm bells starting to ring with some of the questions.
Anyway, all through the demo they went on about how great the product was, and sucked me dry of information - and then ghosted me. I reached out by email a few times after, and every time all I got was "yeah, we're busy, so...".
I learned a valuable lesson that day: don't assume others are as principled as you.
Possibly, but even if it's airtight, good luck with actually filing a lawsuit about it, getting it through the courts, getting a decision in your favor, and actually enforcing it against a corp with a much bigger legal budget than you before they eat you for breakfast in the market.
Most NDAs do include prohibitions on either disclosure of information or use of information (for any purpose other than the contemplated transaction).
But some big SV companies refuse to include the second prong, which means they won’t tell anyone your secrets but are free to use them to squash you. Intel’s NDA is notorious for this.
In my opinion (as a startup founder and former lawyer), it's actually less unreasonable when two BigCos leave out the non-use provision. It's not like one FAANG is going to somehow get the scoop on the other FAANG, since they're both big and the one providing the information presumably has a head-start already.
It's much more of a concern for a small company that could be wiped out by a BigCo that decides to enter their market with a wealth of intelligence gained under NDA.
Now...can your more or less thinly financed startup litigate against, say, Apple to enforce your rights? Because there's no magical moment where you say "But NDA!" and the other side says "Aw, you got us...here's your bags of money".
We are currently talking with a few potential buyers for our SaaS, and had talks in the past as well... Here are my lessons learned:
One didn't proceed at the very last step, without any explanation or feedback, so I have become very careful when engaging into these kinds of conversations.
All of our serious negotiations are with small and medium sized organizations, both customers and competitors where we can extend their offering or have an important tool that generates a lot of their leads, so we usually don't reply to exotic candidates.
We had a few chats with large organisations, but this was mostly a bullying kind of relation, so we did not proceed... I think this is a bit like a poker game: to maximize your odds of winning you need to play in your own league...
The advantage is that, in this "little league", discussions tend to take anywhere from 3 to 5 meetings and some emails, nothing more; that's the advantage of talking with the company owners directly and not with a big-corp M & A cell...
IME you can be blunt and open, and I strongly suggest avoiding a technical due diligence until the latest phase.
No need to exaggerate numbers, just be open and explain your valuation model; this might be anything, but it needs to buy them good ROI, time, a competitive advantage or a decrease in risk. IME it works the best if they have the capacity to scale up your product, so it's a win-win.
I haven't considered a 10% deposit, but I think this might be a bit too aggressive for European standards in the early talks. However, I think it is a good idea to go through with it once you have an LOI.
It is a challenging process that's not over until the fat lady sings, so try to manage your expectations and be prepared to walk away if it is not a win-win. If you fail to see what their motivating factors are in the deal, just walk away...
Just a small addendum: these negotiations are mostly about buying a percentage of our shares as a commitment for a serious engagement, mostly intertwined with something acqui-hired-ish.
To sell all of it, they'd have to "make an offer we can't refuse" ;)
The only response you should make to these sorts of things is "Give me a number, if it is close we can go to the next step." That is it.
If they give you a number, then you say "Put it in a MOU where you will pay us 10% of that number if these discussions break off for ANY reason."
Only after you have a number you would actually sell the company for, and you know that if they are wasting your time you will still get enough cash to cover the extended runway you will need to keep going after they leave, then it is possible they have enough skin in the game to be aligned more with your interests.
> "Give me a number, if it is close we can go to the next step."
If they reply that they need to know your revenue, expenses, number of sales, etc., before they can even guess at a number, then what? Do you give them your financial info? Or do you stick to your guns and ask them to come up with some number by themselves before you engage with them at all?
I don't give them any of that. They ALREADY know what they think it would cost them to get into your space. They figured that out long before they called you and talked to you. That they called you means one of two things; either the number they came up with was large and so they are looking to see if they can get a discount by buying something, or there are some employees in your company they want for their effort.
This litmus test will tell you which it is. If their number is reasonably high, they know it will be hard to get into your space. If the number is low, they just want to poach employees.
There is zero value in talking to them without a number you like on the table. You must defensively reduce the information asymmetry in any way possible.
If corpdev is interested in a startup acquisition they're looking to complement their offering to gain an advantage against their own competitors; a startup's little sales figures are irrelevant to them, they're after the product, the talent or the user headspace and have a pretty good idea of what your company is worth to them.
Anchoring negotiations to your business value and not the synergic value of your product in their offering is a mistake, usually.
So no, they don't really need your economics. Also, if they came to acquire a company without knowing the company's worth or without it being part of a bigger strategy, chances are they're the bad kind of corpdev.
Yes, and it was a much better experience than companies where I had to watch people make the mistake of thinking that BigCorp's interest was based on the quality of the CEO's talents and wasted months doing due diligence which did nothing but slow us down.
This is from 2015? Wow. My memory had it much earlier than that. Feels like the world has changed a lot since then.
I wonder if pg would revise the advice today, given how big M&A has become. I suspect it's all still relevant, except that actual deals are more common and prices are higher. That might change the balance, but the general description of what you're dealing with is still valid.
Companies constantly flirting with acquisition though... I feel like this sort of thing is way more prevalent now.
I think there are good perspectives in here that are accurate, and worth the read for the perspectives, but I don't spot any great advice. In other words, no pithy strategy that is testable. Difference between the 2 explained here: https://breckyunits.com/wisdom-a-tiny-language-for-great-adv....
I think I've really gotten into the habit of disagreeing with Paul Graham's blogs lately but this one felt different. Felt like a lot of practical, common sense advice that is just barely beyond the horizon that most people consider. Of course, it won't apply in every situation but it felt hard to disagree with the overall sentiment.
Note: I say I've been disagreeing with him lately and, of course, this blog wasn't written "lately." So maybe that says something.
Yep, this one is on the shortlist of YC advice that's useful to founders.
The list:
- Launch now
- Build something people want
- Do things that don't scale
- Find the 90 / 10 solution
- Find 10-100 customers who love your product
- All startups are badly broken at some point
- Write code - talk to users
- "It’s not your money"
- Growth is the result of a great product not the precursor
- Don’t scale your team/product until you have built something people want
- Valuation is not equal to success or even probability of success
- Avoid long negotiated deals with big customers if you can
- Avoid big company corporate development queries - they will only waste time
- Avoid conferences unless they are the best way to get customers
- Pre-product market fit - do things that don’t scale: remain small/nimble
- Startups can only solve one problem well at any given time
- Founder relationships matter more than you think
- Sometimes you need to fire your customers (they might be killing you)
- Ignore your competitors, you will more likely die of suicide than murder
- Most companies don't die because they run out of money
- Be nice! Or at least don’t be a jerk
- Get sleep and exercise - take care of yourself
This was _precisely_ my reaction. "Life Is Short"[0] remains a great piece that I return to time-and-again, but most of his other stuff that I've read recently seems to miss the mark - unlike this one.
This is a good one. I can immediately identify many "bullshits" in work and life. But I then realize that the key is that I need to have something to be passionate about so that the time saved from bullshits can be used on it.
I’ll disagree then because Corp Dev, like most tags, can mean something else like a group at a corporation responsible for strategic decisions to grow and restructure its business, establish strategic partnerships, and/or achieve organizational excellence.
No, he's right on this one. Corporate Development means "the group in charge of acquiring companies." I have never seen a Corp Dev team that did anything else (and I have dealt with quite a few including my company's acquisition).
The only reason Corp Dev is establishing a partnership is because they want to buy you but they aren't sure yet, so it's like a trial. It's also a good way to convince you to sell to them while also locking out competitors.
If you have a partnership with Google, it makes it a lot harder for Amazon to buy you because first they have to unwind the partnership.
It was just a contrived example. Imagine instead you have a partnership with Amazon and then Walmart wants to buy you. Both companies have made it clear they will never work with each other.
Either way, every deal, every partnership, every contract, complicates an acquisition. The fewer you have the more likely a deal is. By establishing a relationship, one company can discourage others from wanting to put in the effort of acquiring you.
I'm of the opinion that it's a mistake to think of companies as anything other than machines that maximize profit. Positive slogans, company values, donations to this cause or public support for that cause - it's all there to generate good feeling and thus maximize profit.
I don't say that to be cynical, I think using that as a mental model really clarifies how we should approach corporate regulation. Saying a company "should" do this or that is no more useful than saying my laptop "should" do this or that. They will try to maximize profit, we (the public) need to find ways to make negative activity unprofitable. Hauling Mark Zuckerberg in front of Congress doesn't do anything, we need to get into the machine and change the way it works.
If you're genuinely asking: when companies get controlled by greedy people then morals take a back seat compared to financial gain (for those people). The greedy people have the money, they can structure society using the power they have because of it, they can corrupt others (who are also greedy) to support them. The people whose ancestors weren't as greedy, or lacked the violent capabilities to satisfy their greed, lack the resources to oppose the greedy. The greedy people get rewarded with more power to continue being greedier; they pass on their moral outlook and power to those who are similarly greedy.
The pattern seems to be that after a lifetime of wealth acquisition one buys a cloak of respectable benevolence by donating a fraction of that wealth to good causes (which you'll probably carefully choose to provide the best tax benefits and as a marketing tool to help the next generation of super-wealthy to get a good start).
Any company prepared to be sold off, if profitable, will be acquired by greedy people.
People who want a quiet unassuming life living in harmony with those around them don't acquire the wealth in the first place, they have the morals to run companies for good, they don't have the wealth to acquire them.
Capitalism appeals to [immoral] greed, it's a natural successor to feudalism.
For the same reason many companies' software gets lower quality over time. They grow and hire people who don't care. Everyone who did care leaves to start their next company that cares.
Evolution and survival of the fittest. On a long enough time scale, all the companies which don't behave psychopathically are outcompeted and replaced by the ones which do.
The purpose of a corporation is to fulfill their chosen corporate mission. Corporations are no more bound to choose financial accumulation _above all else_ than are any of the people that form those corporations.
Cooperatives and public interest companies are corporations, for example.
There's a good documentary about this called "The Corporation". It compares a corporation to a psychopath or sociopath. Corporations don't have ethics and morals - people do.
But people in groups also don't have morals or ethics because being in the group allows them to not take responsibility for their actions, i.e., "the group decided", not "I decided".
That just hasn’t been my experience. Most industries have a sense of right and wrong. That sense is certainly informed by market dynamics, but it’s still there.
It’s also often propagated by big players who are thinking long term. In practice it tends to favor insiders over disrupters.
Think Facebook suddenly caring about consumer privacy.
But that doesn’t mean it’s fake. Many people at Facebook honestly do care about consumer privacy.
I actually sent him a cold e-mail in Nov/2020 on that matter to which he promptly replied (in less than 1h) that his site "just doesn't have https". So he's aware of that. IMHO it'd be a small effort for improving his readers' experience (and security).
Two things, first readers wouldn't receive that browser security warning (which is a bad experience) and second the transmitted content wouldn't be vulnerable to manipulation (such as ISPs injecting ads or attackers trying to deceive you).
I don't know, how do you know someone hasn't hacked into his server and changed the text there even if he had HTTPS? There are things to worry about, and there is a simple text blog not using HTTPS.
The reasons to use HTTPS on a blog or everywhere regardless of whether there is data that needs to be secured are mainly to fight against things like censorship or ISP surveillance.
If you really don't think your website is going to be censored, that leaves the problem of ISPs injecting content. Maybe he doesn't feel that is a big problem, or that there is another way to fight it.
The big push for everything to be https is about making it hard for governments or ISPs to say that some site or another should be an exception.
It's kind of like, wearing masks.. before the policy was that everyone should wear a mask, best to keep it simple and not try to make exceptions that way we will get the most adoption.. except for sites like this, it's like you never actually talk, and have been vaccinated so you are not worried about catching anything and don't wear a mask.
The other part of this is that for people like me who have been serving http for so many years, the campaign for https just doesn't hit as hard as for young people who really grew up with that mindset being preached to them constantly.
But in the end, I think that it is better if everyone does it. Just maybe not quite as severe a problem as you think if a few people slip through the cracks.
side note - I have some misc content that is http today in 2021 - I feel that the original HTML spec is better than modern web in some ways, therefore I like sticking to http here and there, when I chose, based on first principles
These words "secure" and "insecure" when used as synonyms for "encrypted" and "plaintext" obscure more than they illuminate and have done a lot of damage to the world of software security. They stop thought. You would not believe how many times I've talked to a company with some complex webapp and asked for their security policy and they respond with some statement about using TLS. It's absurd. Then even in books or standards, you are starting to see chapters called "security/cryptography". As if encrypting something was a type of security pixie dust.
I am not trying to relitigate the battle of SSL's naming scheme, that battle was lost, and now people associate "security" with encryption. Who knows, maybe in the future they will associate "security" with bitcoin. But it's certainly not true that every plaintext connection is an insecure connection in the sense of actual security. Not everything needs to be or should be encrypted, and many things obtain no benefit whatsoever from being encrypted.
In TLS context, “secure” and “insecure” don’t just mean (un)encrypted, but also whether the connection is authenticated, i.e. whether you can be fairly sure you’re looking at the “real” website. This is a far more important property of a site using https.
Especially in a world full of disinformation, authenticity and integrity of information are often a much greater good than confidentiality.
I understand what TLS does, but an argument that "we live in a world of disinformation" is not a substitute for having a well defined threat model and for many websites, particularly sites that broadcast information or download binaries which might already be signed or have hashes distributed via alternate means, there does not need to be a threat that requires TLS to address it.
Like it or not, it is up to the information owner to determine their threat model and which mitigations are suitable for that threat model. If someone is broadcasting a message containing information that is public, they may not consider someone intercepting a response and altering it to be a threat that needs addressing, or they may consider alternate mitigations as sufficient -- e.g. the fact that many people can independently verify the information from different sources. For the vast majority of sites, this is a reasonable assumption. Just because you may be worried about this threat doesn't mean the information owner needs to be. Of course you as an information consumer have your own threat model, and if you are really worried about someone targeting you and altering http responses sent to your browser, then you may not want to visit unencrypted sites. That is also legitimate. The information owner can't force their threat model on you anymore than you can force yours on them. But words like "secure" and "insecure" make sense only with respect to a given threat model, they are not attributes of an http connection.
Like others have said, I agree that stating that TLS does not guarantee security. But, plain unencrypted HTTP does mean insecure.
For a good discussion into why _all_ websites should use HTTPS, and the many different ways that not having the connection secured is actively harmful and why it should not be done in the modern era.
Not having your site as HTTPS puts all of your website visitors at risk. Even US ISPs like that of Comcast use these very same practices to inject warnings into insecure web traffic[0], some of which look more like advertisements than warnings. And like mentioned in the article, promises from ISPs not to use it for advertisements are just that, promises, and those can be broken in an instant. And when you have the power to inject anything without notice, you can do anything and everything with the website experience. You can attempt to force a download, present scam pages that look like antivirus warnings or software updates, one of the easiest ways to have users fall for malware.
We should _never_ expect regular non-technical users to have all of their threat models in mind, nor should they be expected to understand all of these differences. Website owners should be expected to protect all of their visitors as best as possible and one of the easiest ways to start is by protecting their website with modern HTTPS encryption. Otherwise, it would be like a chef leaving the bones in a salmon before serving to a customer. You could leave them in, but a customer might not know they are there and you have left a choking hazard.
> I agree that stating that TLS does not guarantee security. But, plain unencrypted HTTP does mean insecure.
No, it does not. These are bold statements made without evidence that your personal preference should override the threat model of information owners -- that they must worry about something they have looked at and chose not to view as a threat. I once had a website that had Hebrew drills, so you could look up the construct forms of various nouns and other grammatical information. I did not care if an attacker in a coffee shop or other public network was trying to intercept that site and give a victim incorrect Hebrew words. It was not a threat in my threat model. So I did not use https. My website, my information, and I know the threat model to use. My site would not have been more "secure" if everything was encrypted. There would be no meaningful benefit to anyone from me doing that, and being a security professional, I was not interested in security theater, but only actual security.
> We should _never_ expect regular non-technical users to have all of their threat models in mind
Correct. That is why the threat model of the information owner is what determines what a site serves. Information owners generally do have a threat model in mind. It is, after all, their information, their website, and their security policies that matter. They are the ones in a position to decide whether they care if their http responses are altered or not in targeted attacks on public networks. Obviously a site that accepts credentials or displays sensitive information is very different from a site that displays verbal patterns. The fact of the matter is that in many cases, there is no need to care and no real security benefit to encrypting the site.
> Correct. That is why the threat model of the information owner is what determines what a site serves. Information owners generally do have a threat model in mind. It is, after all, their information, their website, and their security policies that matter.
Except it's often the user who is on the hook for the risk. You mustn't outsource your threat model to someone who doesn't necessarily care about you. Unless you're a sufficiently qualified security expert to be able to judge whether this instance is safe, the only reasonable policy is to never connect to a http website (or one that uses cloudflare, since they offer fake https to their customers).
It's definitely easier nowadays to do it, but you still have the issue of services becoming unavailable because certs expired - something that routinely happens, so it adds some operational overhead that - in the examples I described - provides no benefit. This operational complexity is there even if the certs themselves are free.
More importantly, security theater is something that should be avoided as it creates bad habits and promotes irreality in a field already rife with the same. I'm not sure why cryptography struggles so much with this, but there are a lot of people who don't understand what benefits, if any, cryptography provides to their application but decide to add it in anyways.
This should be considered a bad practice. Imagine if someone told you to add a function to a codebase just because other codebases had it, and what harm can it do, even if this function served no purpose and doesn't require too many CPU cycles. Most software developers would oppose the idea, they would want to add code only when it is needed, and would favor the removal of unneeded code as beneficial, given that this simplifies the codebase. The same is true for encryption, which requires a lot of CPU cycles, and adds non-trivial complexity. So the idea that it should be added everywhere even where it's not needed is something we should resist.
In the time it took you to write this reply you could have set up an auto-renewing certificate for your site with Let’s Encrypt. Or you could have pressed a button and have it served behind Cloudflare.
The nuance of if encryption is really required in this specific case is pointless when it is so easy and readily available. The effective direction becomes “just blanket serve everything over HTTPS” because there isn’t much downside.
my super-smart and hardworking admins just lost a dozen services over the weekend because one of the hundred "easy" certs they manage expired, was not refreshed for whatever reasons, and the node happened to be an LDAP services node.
at some point, "easy" and "instant" becomes "needs constant attention"
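The expiry outages described in this comment and in the earlier one about certs expiring are the kind of thing a small monitoring check catches before users do. The following is an added example, not code from any commenter: it does a verified TLS handshake (so a hostname or chain mismatch fails, which is the "authenticated" property discussed above) and classifies the leaf certificate's remaining lifetime. `SAMPLE_CERT` and `DEMO_NOW` are constructed values in the dict shape `getpeercert()` returns, so the classification runs offline.

```python
import socket
import ssl
import time
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; the dates are made up for the offline demo.
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.example"),),),
    "notBefore": "Mar  1 00:00:00 2021 GMT",
    "notAfter": "May 30 00:00:00 2021 GMT",
}
# Fixed "now" for the demo: 2021-05-20 00:00 UTC, ten days before expiry.
DEMO_NOW = datetime(2021, 5, 20, tzinfo=timezone.utc).timestamp()


def days_until_expiry(cert, now=None):
    """Days (negative once expired) until the cert's notAfter, using the
    stdlib parser for the OpenSSL-style timestamp getpeercert() returns."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400


def expiry_status(cert, warn_days=14, now=None):
    """Classify a certificate as 'ok', 'expiring' (inside the warning
    window, the point at which auto-renewal should already have run) or
    'expired' (the outage case)."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Verified TLS handshake against host; returns the leaf certificate.
    With the default context, a wrong hostname or untrusted chain raises
    ssl.SSLCertVerificationError instead of silently proceeding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if not hosts:  # no hosts given: run the offline demo on the sample cert
        print("sample:", expiry_status(SAMPLE_CERT, now=DEMO_NOW))
    for host in hosts:  # live check, e.g. from a cron job
        print(host, expiry_status(fetch_peer_cert(host)))
```

Run it with one or more hostnames to check live certificates; with none it evaluates the constructed sample, which lands inside the default 14-day warning window.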
Not having your site as HTTPS puts all of your readers at risk. Even US ISPs like that of Comcast use this very same practice to inject warnings into insecure web traffic[0]. And like mentioned in the article, promises from ISPs not to use it for advertisements are just that, promises, and those can be broken in an instant.
This article is controversial and shows a distorted and incomplete point of view. For example, https sites are more vulnerable to some types of censorship. A CA can censor your site by unilaterally revoking your certificate. It routinely happens already. Promises from CAs not to censor you are just that, promises, and those can be broken in an instant.