- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Wed, 18 Jul 2012 19:54:00 -0500
- To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Cc: Tim Bray <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Very good point. When I tried to make a comment on the site, I'm prompted with an anti-spam question "Is Adolf Hitler generally considered to have been good or bad?". If I submit the form in plain http, and Hitler is snooping, I'll be in trouble.

On Wed, Jul 18, 2012 at 7:13 PM, "Martin J. Dürst" <duerst@it.aoyama.ac.jp> wrote:
> Hello Tim,
>
> On 2012/07/19 0:09, Tim Bray wrote:
>>
>> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear<lear@cisco.com> wrote:
>>
>>> This is a red herring. The real argument is around the ability of all web
>>> servers to get certificates
>>
>> This pattern keeps coming up.
>> A: “Privacy is good”
>> B: “No, because the technology is currently too expensive/unreliable”
>>
>> Uh... privacy is good. -T
>
> Okay, Tim, here's a challenge for you then:
>
> If privacy is important (I'm with you here, of course), and if privacy
> requires TLS (like many others on this list, I have my strong doubts, but
> you seem to think so), how come that your own site
> http://www.tbray.org/ongoing/ still uses http rather than https?
>
> Is the privacy of the readers of Ongoing just less important than the
> privacy of user of the average Web site? Or is it that you just haven't
> realized that was still on http?
>
> Why don't you actually go to the trouble of moving Ongoing to TLS, with a
> chained (i.e. not self-signed) certificate, and tell us how many working
> hours/days and how much money it took you to set it up. This may make for an
> interesting learning experience, and an interesting blog entry.
>
> [This challenge is of course also for all the other people who advocate to
> tie in mandatory TLS with HTTP 2.0; I just picked Tim because I know his
> site and I know he likes such challenges :-).]
>
> Regards, Martin.
>
> P.S.: I have my own server for my lab (way less slick than Ongoing, I have
> to admit), and I have considered using https: at least about once every
> year, probably more. It would be the right thing to do. But the amount of
> time it would require from me, to set it up and to make sure it's set up
> correctly, is just too much.
>
Received on Thursday, 19 July 2012 00:54:27 UTC