On Fri, May 1, 2015 at 10:13 AM, <lauren4...@gmail.com> wrote:
> Here we go again. Listen up, guys. There are vast numbers of legacy sites
> without the technical or financial means to convert to https:,

Of course I agree that we should not be brushing aside the little guys. But from where I sit, I'm seeing lots of evidence that deploying HTTPS is getting a lot easier (Universal SSL, Mozilla TLS Config generator, etc.), and no actual owners of small sites saying that they have seriously looked at deploying HTTPS and found that they could not. Do you know any that you could get to chime in here?

> nor are many serving material that fundamentally needs to be encrypted.

Please keep in mind that "needs to be encrypted" is a very tough question to get right. Who would have thought that Baidu's analytics JS needed to be encrypted until GitHub got DDoS'ed? Who would have thought that you needed to encrypt your ads until Comcast started replacing them?

A big part of the motivation for having HTTPS be the default is that historically we have gotten decisions about what needs to be encrypted wrong over and over again. Using HTTPS by default avoids having to take the risk of getting it wrong.

--Richard

> While I've long been a proponent of opportunistic crypto -- particularly
> by leveraging self-signed certs which I know you all despise with a
> vengeance -- moves to turn http: sites generally into pariahs are a display
> of technological arrogance par excellence, *unless* you intend to also
> provide funding and personnel to handle the conversions for legacy sites
> that do not have the financial or time resources to make the necessary
> initial and ongoing changes for themselves. There is crypto-reality and
> crypto-religion. And what I mostly see here is the latter, with concern for
> the little guys brushed under the carpet as usual. For shame.
>
>
> --Lauren--
> Lauren Weinstein (lau...@vortex.com): http://www.vortex.com/lauren
> Founder:
> - Network Neutrality Squad: http://www.nnsquad.org
> - PRIVACY Forum: http://www.vortex.com/privacy-info
> Co-Founder: People For Internet Responsibility:
> http://www.pfir.org/pfir-info
> Member: ACM Committee on Computers and Public Policy
> Lauren's Blog: http://lauren.vortex.com
> Google+: http://google.com/+LaurenWeinstein
> Twitter: http://twitter.com/laurenweinstein
> Tel: +1 (818) 225-2800 / Skype: vortex.com
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform