On Fri, May 1, 2015 at 2:07 PM, <scough...@cpeip.fsu.edu> wrote:
> Why encrypt (and slow down) EVERYTHING

I think this is largely outdated thinking. You can do TLS fast, and with low overhead. Even on the biggest and most latency-sensitive sites in the world. https://istlsfastyet.com

> when most web content isn't worth encrypting?

Fundamentally HTTPS protects the transport of the content - not the secrecy of the content itself. It is, after all, likely stored in cleartext on each computer.

This is an important distinction no matter the nature of the content because Firefox, as the User's Agent, has a strong interest in the user seeing the content she asked for and protecting her confidentiality (as best as is possible) while doing the asking. Those are properties transport security gives you. Sadly, both of those fundamental properties of transport are routinely broken to the user's detriment when http:// is used.

As Martin and Richard have noted, we have a strong approach with HSTS for the migration of legacy markup onto https as long as the server is appropriately provisioned - and doing that is much more feasible now than it used to be. So sites that are deploying new features can make the transition with a minimum of fuss.

For truly untouched and embedded legacy services I agree this is a harder problem and compatibility needs to be considered a managed risk.

-P
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform