> The https everywhere initiative doesn't discriminate against Lynx, > but rather against old systems.
Indeed. But it's not HTTPS everywhere that bothers me, but HTTP nowhere. I have nothing against providing HTTPS; what bothers me is refusing to service public content, content that doesn't need securing against anything, over HTTP. > Once you make security important, you have to continually update > software as vulnerabilities are discovered, and that means you can't > use 18 year old software and expect it to be secure. Tossing around terms like "secure" leads me to ask "secure against what?". HTTPS provides low-to-negative security against my threat model; that's been true since, depending on which way you slant your mind, when wildcard certs were first specced, implemented, or sold. Even before that, it requires trusting the CA trust anchors, which I never have (and I've never liked hierarchical trust models in general). I'm far more concerned about countries, and perhaps even more about companies with resources on a par with countries, than I am about the people HTTPS actually is capable of stopping. So why should I have to burn the (significant) CPU cycles to support HTTPS when I do _nothing_ on the Web for which HTTPS is important or even helpful? (These days I don't do much on the Web at all, in large part because of the stampede to ram HTTPS down everyone's collective throat. But even before that began I still didn't - and even now I don't want to.) /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML [email protected] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
