- From: Glenn Maynard <glenn@zewt.org>
- Date: Sun, 19 Oct 2014 12:35:15 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Roger Hågensen <rescator@emsai.net>

On Sat, Oct 18, 2014 at 2:50 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> I'd be interested in hearing why sites such as forums have not made
> the switch yet. If you're hosting passwords it seems downright
> irresponsible at this point to not use TLS.

The most common reasons I've seen are:

- People asking "why would this page need encryption?", which is always the wrong question. (The right question is "why does this page need to not have encryption?")
- People don't want to jump the hoops to get a certificate and install it. I still have to search to find the right OpenSSL magic commands, and it still takes fiddling to get TLS enabled on web servers. (It should require editing two or three lines to enable it on Apache, not uncommenting dozens of lines of sample configuration then figuring out how to sync it up to your HTTP configuration. I suspect Apache can do this much more simply, and that the sample configurations that come with installations are just garbage...)
- People don't want to pay for a certificate. (There's StartSSL, but when I tried it, it was so bad that I prefer to pay GoDaddy. That should say a lot given how bad *that* site is...)
- They don't want the additional latency that TLS causes. I assume this is why Amazon puts most of the storefront on HTTP, and only selectively switches to HTTPS. (They've put a lot of design behind making this secure, but most authors can't do that, and it still has a big privacy cost.) This is at least a valid issue.
- Some web services don't support HTTPS. (There's no excuse for this, but saying that doesn't make the problem go away. I don't recall particular examples.)

--
Glenn Maynard

Received on Sunday, 19 October 2014 21:36:49 UTC