Re: Rough minutes

On Nov 10, 2013, at 11:53 AM, Julian Reschke <> wrote:

> On 2013-11-10 05:11, Yoav Nir wrote:
>> I'm stumped about #3 myself.
>> The literal interpretation is that you follow (or type in) an http://
>> link, get a response, and in the response learn that this is also
>> available with SSL. So the client attempts to upgrade to SSL, and
>> receives a valid certificate. So, yay!
>> But in that case, why is the http:// link out there at all, and if
>> anybody types it in, why not immediately redirect to https:// as pretty
>> much all sites using SSL do?
> Redirecting means changing the URI (bookmarks etc), and also implies running the service both on port 80 and 443.

Right. But that's a good thing for a site with a valid certificate, no?  Even port 80 doesn't have the same service as port 443, but just something that redirects all requests to the https equivalent. 

I just don't see why opportunistic encryption is useful for sites with a valid certificate. I think OE is needed for the 70% of websites ([1]) that don't have a valid certificate.



Received on Sunday, 10 November 2013 21:30:28 UTC