- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 10 Dec 2014 10:37:40 +0100
- To: "Eric J. Bowman" <eric@bisonsystems.net>
- Cc: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
- Message-ID: <CAKaEYh+zBApp3nnCvRcdXk9ird-k+Yvj_RjfDacurLz3vhasEQ@mail.gmail.com>
On 9 December 2014 at 06:26, Eric J. Bowman <eric@bisonsystems.net> wrote:

> Melvin Carvalho wrote:
> >
> > IMHO, People prefer utility and convenience over security, in most
> > cases. But Facebook got to 100 million users without turning on
> > HTTPS. Stealing money or identity would trump that, but is a small
> > minority of requests on the web, and normally has HTTPS already.
> >
>
> What people (especially small business owners) *really* want is for
> stuff to just work (like the "back" button _used_ to). A friend asked me
> this morning, what she could do about her FB profile returning this:
>
> "Sorry, this profile is not available at the moment. Please try again
> shortly."
>
> Which reminds me of another friend who recently asked me about this:
>
> "Your account is temporarily unavailable due to site maintenance. It
> should be available again within a few hours."
>
> This is obviously not the case for a statistically-significant number
> of users; otherwise, 12 hours later, this wouldn't still be the case
> with her profile -- or, in the latter case, three days.
>
> Really frustrating to me, as I'm no longer in the Web business but still
> seem to be the go-to guy for FB tech support despite never having had a
> FB account myself, and cited just this sort of thing when I told them
> not to subject their online business presence to the control of _any_
> large company.
>
> Searching these issues shows them to be long-standing, and everyone
> else from indy devs to various support forums seems to be expected to
> solve it -- search the above messages on Google to see what I mean...
>
> http://www.cnet.com/news/facebook-acknowledges-access-problems/
>
> Try getting FB to do anything about it, let alone admit anyone's having
> a problem, aside from one 5-year-old CNET article. What's really, really
> aggravating, is when clients are just trying to deliver a brochure and
> don't *need* encryption except where logins/transactions are involved.
>
> >
> > The long tail of innovation among developers requires an easy way to
> > get up and running. HTTP provides that, but HTTPS currently does
> > not. It's expensive and still in many cases painful to set up and
> > maintain.
> >
>
> Therein lies the problem. I tell folks they get what they pay for, and
> really shouldn't rely on big players for their online presence, and
> that I consider all my customers to be statistically significant. But,
> and especially if we're talking HTTPS, it's more than they feel they
> should have to pay, for something everyone else says they need.
>
> >
> > I welcome Mozilla's initiative "Let's Encrypt" which hopefully will
> > provide cheap and easy HTTPS on the web. Perhaps this initiative
> > could get behind that effort, and other similar systems.
> >
>
> I'd love to see that happen, as I hate that the only solution to HTTPS
> is to send folks to FB and other forms of Web hosting, where all they
> have to do is cede control of their content, and forfeit any level of
> service when problems arise, to companies who simply don't care, and
> really can't be trusted.
>
> I doubt I'm the only independent developer whose business has literally
> been killed by "Transitioning the Web to HTTPS" but it's a big reason I
> won't have anything to do with independent Web development any more. If
> people didn't think they _need_ HTTPS, I'd still be in the business of
> providing cost-effective hosting solutions which scale through traffic
> flurries by way of shared public caching.
>

+1

I'm all for a secure web, but I think the demerits of HTTPS are understated, and I'm glad you brought a few of them up.

Let's not forget that the X.509 / CA system was designed to offer a low-cost decentralized web of trust, which has not to date emerged. I hope that forward-thinking initiatives by Mozilla can be pioneers in this area.

I welcome some of the positive reactions and ideas, from TAG members, in this respect.

>
> -Eric
>
Received on Wednesday, 10 December 2014 09:38:11 UTC