Re: Draft finding - "Transitioning the Web to HTTPS"

On 9 December 2014 at 01:47, Eric J. Bowman <eric@bisonsystems.net> wrote:

> Mark Nottingham <mnot@mnot.net> wrote:
> >
> > We've started work on a new Finding, to a) serve as a Web version of
> > the IAB statement, and b) support the work on Secure Origins in
> > WebAppSec.
> >
>
> And what of arguments against HTTPS everywhere? Could this document at
> least pay lip service to potential downsides, i.e. the death of shared
> caching for resources which really don't need encryption, or the flaws
> in the CA system?
>

Thanks for sharing.

IMHO, people prefer utility and convenience over security, in most cases.
But Facebook got to 100 million users without turning on HTTPS.  Stealing
money or identity would trump that, but that is a small minority of requests on
the web, and normally has HTTPS already.

The long tail of innovation among developers requires an easy way to get up
and running.  HTTP provides that, but HTTPS currently does not.  It's
expensive and still in many cases painful to set up and maintain.

I welcome Mozilla's initiative "Let's Encrypt", which hopefully will provide
cheap and easy HTTPS on the web.  Perhaps this initiative could get behind
that effort, and other similar systems.


>
> Or has the TAG deemed these arguments irrelevant; in which case, maybe
> explain why? For us Dilbert Dinosaurs with our flip phones, Windows XP
> and basic cable?
>
> -Eric
>
>

Received on Tuesday, 9 December 2014 03:23:30 UTC