- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 20 Oct 2014 12:28:17 +0200
- To: Glenn Maynard <glenn@zewt.org>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Roger Hågensen <rescator@emsai.net>
Thanks Glenn.

On Sun, Oct 19, 2014 at 7:35 PM, Glenn Maynard <glenn@zewt.org> wrote:
> - People asking "why would this page need encryption?", which is always the
> wrong question. (The right question is "why does this page need to not have
> encryption?")
> - People don't want to jump through the hoops to get a certificate and install it.
> I still have to search to find the right OpenSSL magic commands, and it
> still takes fiddling to get TLS enabled on web servers. (It should require
> editing two or three lines to enable it on Apache, not uncommenting dozens
> of lines of sample configuration then figuring out how to sync it up to your
> HTTP configuration. I suspect Apache can do this much more simply, and that
> the sample configurations that come with installations are just garbage...)

So these can hopefully be mitigated with better documentation and evangelism.

> - People don't want to pay for a certificate. (There's StartSSL, but when I
> tried it, it was so bad that I prefer to pay GoDaddy. That should say a lot
> given how bad *that* site is...)

We used StartSSL for WHATWG (though we had to get validated as our domain setup is complicated) and I use it for my own sites. The UX is indeed not great. Fortunately CloudFlare is now competing. Hopefully shared hosting providers will follow suit and just hand out free certificates with domains/hosting.

> - They don't want the additional latency that TLS causes. I assume this is
> why Amazon puts most of the storefront on HTTP, and only selectively
> switches to HTTPS. (They've put a lot of design behind making this secure,
> but most authors can't do that, and it still has a big privacy cost.) This
> is at least a valid issue.

As far as I can tell at this point the additional cost is far less significant than it used to be. And with HTTP/2 of course it's simply false.

> - Some web services don't support HTTPS. (There's no excuse for this, but
> saying that doesn't make the problem go away. I don't recall particular
> examples.)

And can actually be very problematic. The other day it was pointed out that because major OSs don't protect time synchronization, attackers can kill HSTS protection.

-- 
https://annevankesteren.nl/
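As an added illustration of the "two or three lines" Glenn asks for, not part of the original thread: a minimal Apache 2.4 virtual host that enables TLS, redirects plain HTTP, and sends an HSTS header. The hostname and file paths are placeholders.

```apache
# Added example (not from the thread): the minimal directives for TLS on
# Apache 2.4 with mod_ssl and mod_headers loaded. Hostname and paths are
# placeholders; substitute your own.
<VirtualHost *:80>
    ServerName example.test
    # Send plain-HTTP visitors to the TLS site
    Redirect permanent / https://example.test/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    # Leaf certificate plus intermediates in one PEM file (Apache >= 2.4.8)
    SSLCertificateFile    /etc/ssl/certs/example.test.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    # HSTS: the browser measures max-age against its own clock, which is
    # why the time-synchronisation weakness mentioned above matters.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Everything else (ciphers, protocol versions, session settings) falls back to the mod_ssl defaults, so the distribution's long sample configuration is not required to get TLS serving.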
Received on Monday, 20 October 2014 11:45:49 UTC