You should never force HTTPS. The wins are rather subjective and hard to confirm.
But using HTTPS causes problems for a regular webmaster.

The website will be slower on average. The webmaster needs better hardware or has to pay more to his hosting provider.

HTTPS support is not always possible. For example, some CDNs can't support HTTPS in some specific modes.

Third-party resources linked in HTML can lack HTTPS support, and that will cause the website to work incorrectly over HTTPS. And you need to monitor this forever... for all links on the website! This point is valid for a huge % of websites.

By enabling HTTPS-only you can easily lose 20% of visitors. Not all browsers support your certificate.

A vulnerability in HTTPS libraries can lead to a hack of the website's origin server. The problem here is that libraries are just like code executed directly on the server. If there is a vulnerability, you can not only decrypt the traffic, but also execute code on the server.

Certificates are just a bunch of problems: revocation, revalidation, library deprecation.

And it is worth mentioning that the certificate system makes the web centralized. When someone visits your HTTPS website, it basically queries some other central server. If someone has this server, he can get information about all your visitors. And that's shocking, I think.

I am not against encryption, but do not FORCE it. HTTP is not LEGACY, it's HTTP, the protocol which should be here forever. It's good, fast, and good enough.

It's a really tricky question whether HTTPS is more secure than HTTP. Encryption sometimes helps to prevent injections, but it's rather easy to bypass that. Can the NSA decrypt your HTTPS? Most probably yes. Can the webmaster of a website spy on you over HTTPS? Yes, and it's even easier with HTTPS and HSTS because of the HSTS super cookie. Does HTTPS protect your password? Well, there is a chance, but if you think that HTTPS is a magic cure, you are a complete idiot.

My vote would be to never use your browser if you deprecate HTTP. It's very easy to find an alternative or to fork your code, so think for yourself how much such a decision can cost you.
I also want to say this to the Chrome dev team. The Internet lives on developers. If you start to do shit things, you will be replaced.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform