W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Chris Palmer <palmer@google.com>
Date: Tue, 9 Dec 2014 10:31:38 -0800
Message-ID: <CAOuvq22N4TpppHWNDof=KRqcxKkOJoRd0Hw=E+Lj-6qQo2T1+g@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: "Eric J. Bowman" <eric@bisonsystems.net>, Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
On Mon, Dec 8, 2014 at 7:23 PM, Melvin Carvalho
<melvincarvalho@gmail.com> wrote:

> IMHO, People prefer utility and convenience over security, in most cases.

...if that is true, perhaps it is because people believe that we
engineers are not so insane as to broadcast their passwords, cookies,
and email over the airwaves in the clear. But we have historically
been that insane.

We've been lying by omission since the web was born. For example, we
show no connection error or bad indicator for plaintext,
unauthenticated communications. So of course people assume that basic
safety is taken care of, and then they look for utility and
convenience.

We engineers have a lot of explaining to do. We can't self-justify by
claiming to know what people want while keeping them unaware of
reality.

> The long tail of innovation among developers require an easy way to get up
> and running.  HTTP provides that, but HTTPS currently does not.  It's
> expensive and still in many cases painful to set up and maintain.

Have you tried recently? Amazon EC2 + SSLmate.com is not significantly
harder than EC2 alone. Even I can do it.

And, yes, Let's Encrypt will make things better yet (in some ways,
it's just SSLmate for $0 instead of $15). Everyone's on board with
that.
Received on Tuesday, 9 December 2014 18:32:05 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:27 UTC