- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Mon, 8 Dec 2014 22:26:01 -0700
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>

Melvin Carvalho wrote:
>
> IMHO, People prefer utility and convenience over security, in most
> cases. But facebook got to 100 million users without turning on
> HTTPS. Stealing money or identity would trump that, but is a small
> minority of requests on the web, and normally has HTTPS already.
>

What people (especially small business owners) *really* want is for stuff to just work (like the "back" button _used_ to).

A friend asked me this morning, what she could do about her FB profile returning this:

"Sorry, this profile is not available at the moment. Please try again shortly."

Which reminds me of another friend who recently asked me about this:

"Your account is temporarily unavailable due to site maintenance. It should be available again within a few hours."

This is obviously not the case for a statistically-significant number of users; otherwise, 12 hours later, this wouldn't still be the case with her profile -- or, in the latter case, three days.

Really frustrating to me, as I'm no longer in the Web business but still seem to be the go-to guy for FB tech support despite never having had a FB account myself, and cited just this sort of thing when I told them not to subject their online business presence to the control of _any_ large company.

Searching these issues shows them to be long-standing, and everyone else from indy devs to various support forums seems to be expected to solve it -- search the above messages on Google to see what I mean...

http://www.cnet.com/news/facebook-acknowledges-access-problems/

Try getting FB to do anything about it, let alone admit anyone's having a problem, aside from one 5-year-old CNET article. What's really, really aggravating, is when clients are just trying to deliver a brochure and don't *need* encryption except where logins/transactions are involved.

>
> The long tail of innovation among developers requires an easy way to
> get up and running. HTTP provides that, but HTTPS currently does
> not. It's expensive and still in many cases painful to set up and
> maintain.
>

Therein lies the problem. I tell folks they get what they pay for, and really shouldn't rely on big players for their online presence, and that I consider all my customers to be statistically significant. But, and especially if we're talking HTTPS, it's more than they feel they should have to pay, for something everyone else says they need.

>
> I welcome Mozilla's initiative "lets encrypt" which hopefully will
> provide cheap and easy HTTPS on the web. Perhaps this initiative
> could get behind that effort, and other similar systems.
>

I'd love to see that happen, as I hate that the only solution to HTTPS is to send folks to FB and other forms of Web hosting, where all they have to do is cede control of their content, and forfeit any level of service when problems arise, to companies who simply don't care, and really can't be trusted.

I doubt I'm the only independent developer whose business has literally been killed by "Transitioning the Web to HTTPS" but it's a big reason I won't have anything to do with independent Web development any more. If people didn't think they _need_ HTTPS, I'd still be in the business of providing cost-effective hosting solutions which scale through traffic flurries by way of shared public caching.

-Eric

Received on Tuesday, 9 December 2014 05:26:19 UTC