- From: Delfi Ramirez <delfin@segonquart.net>
- Date: Mon, 20 Oct 2014 00:29:15 +0200
- To: Glenn Maynard <glenn@zewt.org>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Roger Hågensen <rescator@emsai.net>
Hi Anne, hi All: Here, in EEA I've noticed and see the same reasons that Glenn exposes, with subtle emphasis on the reasons three , four and five. Regards --- Delfi Ramirez My digital signature [1] +34 633 589231 delfin@segonquart.net [2] twitter: delfinramirez IRC: segonquart Skype: segonquart [3] http://segonquart.net [4] http://delfiramirez.info [5] On 2014-10-19 19:35, Glenn Maynard wrote: > On Sat, Oct 18, 2014 at 2:50 PM, Anne van Kesteren <annevk@annevk.nl> > wrote: > >> I'd be interested in hearing why sites such as forums have not made the switch yet. If you're hosting passwords it seems downright irresponsible at this point to not use TLS. > > The most common reasons I've seen are: > > - People asking "why would this page need encryption?", which is always the > wrong question. (The right question is "why does this page need to not > have encryption?") > - People don't want to jump the hoops to get a certificate and install it. > I still have to search to find the right OpenSSL magic commands, and it > still takes fiddling to get TLS enabled on web servers. (It should require > editing two or three lines to enable it on Apache, not uncommenting dozens > of lines of sample configuration then figuring out how to sync it up to > your HTTP configuration. I suspect Apache can do this much more simply, > and that the sample configurations that come with installations are just > garbage...) > - People don't want to pay for a certificate. (There's StartSSL, but when > I tried it, it was so bad that I prefer to pay GoDaddy. That should say a > lot given how bad *that* site is...) > - They don't want the additional latency that TLS causes. I assume this is > why Amazon puts most of the storefront on HTTP, and only selectively > switches to HTTPS. (They've put a lot of design behind making this secure, > but most authors can't do that, and it still has a big privacy cost.) This > is at least a valid issue. > - Some web services don't support HTTPS. (There's no excuse for this, but > saying that doesn't make the problem go away. I don't recall particular > examples.) Links: ------ [1] http://delfiramirez.info/public/dr_public_key.asc [2] mail:%20delfin@segonquart.net [3] skype:segonquart [4] http://segonquart.net [5] http://delfiramirez.info
Received on Sunday, 19 October 2014 22:40:23 UTC