On Fri, Dec 19, 2014 at 2:40 PM, David Singer <singer@apple.com> wrote:
> Yes, for the site owner, HTTPS appears to have major costs (caching and
so on, making sure certs are correct etc.) and little or no benefit (the
benefits seem to be for the users). If this is what site operators
perceive, we’ll need to address it head-on if we want change.
Benefits for site operators include:
* Having a privacy policy that might possibly be meaningful
* Having a chance at being PCI compliant, so they can collect payment
* Defense against having their ads replaced, which hurts ad-based
monetization
* Defense against having their UX damaged or mangled by intermediaries
* Defending their users against pervasive passive surveillance
* The ability to invoke powerful new web platform features
* The ability to deploy HTTP/2 to realize performance gains
Those are all real-world, non-theoretical problems that real site operators
really face.
See also:
RFC 7258: Pervasive Monitoring Is an Attack
<https://tools.ietf.org/html/rfc7258>
NSA uses Google cookies to pinpoint targets for hacking
<http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/>
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
<http://www.wired.com/2014/10/verizons-perma-cookie/>
How bad is it to replace adSense code id to ISP's adSense ID on free
Internet?
<http://stackoverflow.com/questions/25438910/how-bad-is-it-to-replace-adsense-code-id-to-isps-adsense-id-on-free-internet>
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
<http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>