W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2014

Re: [whatwg] Passwords

From: Delfi Ramirez <delfin@segonquart.net>
Date: Mon, 20 Oct 2014 00:29:15 +0200
To: Glenn Maynard <glenn@zewt.org>
Message-ID: <a795be3f0518c1ed325a92f2a219da65@correoweb.segonquart.net>
Cc: WHATWG <whatwg@lists.whatwg.org>, Roger Hågensen <rescator@emsai.net>
 

Hi Anne, hi All: 

Here, in EEA I've noticed and see the same reasons that Glenn exposes,
with subtle emphasis on the reasons three , four and five. 

Regards 

---

Delfi Ramirez

My digital signature [1]

+34 633 589231
 delfin@segonquart.net [2] 

twitter: delfinramirez

 IRC: segonquart Skype: segonquart [3]

http://segonquart.net [4]

http://delfiramirez.info
 [5]

On 2014-10-19 19:35, Glenn Maynard wrote: 

> On Sat, Oct 18, 2014 at 2:50 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> 
>> I'd be interested in hearing why sites such as forums have not made the switch yet. If you're hosting passwords it seems downright irresponsible at this point to not use TLS.
> 
> The most common reasons I've seen are:
> 
> - People asking "why would this page need encryption?", which is always the
> wrong question. (The right question is "why does this page need to not
> have encryption?")
> - People don't want to jump the hoops to get a certificate and install it.
> I still have to search to find the right OpenSSL magic commands, and it
> still takes fiddling to get TLS enabled on web servers. (It should require
> editing two or three lines to enable it on Apache, not uncommenting dozens
> of lines of sample configuration then figuring out how to sync it up to
> your HTTP configuration. I suspect Apache can do this much more simply,
> and that the sample configurations that come with installations are just
> garbage...)
> - People don't want to pay for a certificate. (There's StartSSL, but when
> I tried it, it was so bad that I prefer to pay GoDaddy. That should say a
> lot given how bad *that* site is...)
> - They don't want the additional latency that TLS causes. I assume this is
> why Amazon puts most of the storefront on HTTP, and only selectively
> switches to HTTPS. (They've put a lot of design behind making this secure,
> but most authors can't do that, and it still has a big privacy cost.) This
> is at least a valid issue.
> - Some web services don't support HTTPS. (There's no excuse for this, but
> saying that doesn't make the problem go away. I don't recall particular
> examples.)
 

Links:
------
[1] http://delfiramirez.info/public/dr_public_key.asc
[2] mail:%20delfin@segonquart.net
[3] skype:segonquart
[4] http://segonquart.net
[5] http://delfiramirez.info
Received on Sunday, 19 October 2014 22:40:23 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:24 UTC