W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: David Singer <singer@apple.com>
Date: Fri, 19 Dec 2014 14:56:26 -0800
Cc: Nicholas Doty <npdoty@berkeley.edu>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-id: <0E441DBE-1615-4D35-AEB2-D30A2A9E6C3F@apple.com>
To: Chris Palmer <palmer@google.com>

> On Dec 19, 2014, at 14:49 , Chris Palmer <palmer@google.com> wrote:
> On Fri, Dec 19, 2014 at 2:40 PM, David Singer <singer@apple.com> wrote:
> > Yes, for the site owner, HTTPS appears to have major costs (caching and so on, making sure certs are correct etc.) and little or no benefit (the benefits seem to be for the users). If this is what site operators perceive, we’ll need to address it head-on if we want change.
> Benefits for site operators include:
> * Having a privacy policy that might possibly be meaningful
> * Having a chance at being PCI compliant, so they can collect payment
> * Defense against having their ads replaced, which hurts ad-based monetization
> * Defense against having their UX damaged or mangled by intermediaries
> * Defending their users against pervasive passive surveillance
> * The ability to invoke powerful new web platform features
> * The ability to deploy HTTP/2 to realize performance gains
> Those are all real-world, non-theoretical problems that real site operators really face.

I am not disagreeing with you!  I just think that if we want to change the world, we’ll have to actually say these things and address the perceptions and misperceptions head-on. The people running the sites have to realize it’s not just to their benefit to change, but actually a business necessity. At the moment, I think many think it actually *un*desirable to change.

> See also:
> RFC 7258: Pervasive Monitoring Is an Attack
> NSA uses Google cookies to pinpoint targets for hacking
> Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
> How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
> Comcast Wi-Fi serving self-promotional ads via JavaScript injection

David Singer
Manager, Software Standards, Apple Inc.
Received on Friday, 19 December 2014 22:57:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC