Let me second Ross's cautions here. The Internet Archive made the leap to https about 10 days ago and there are still services that are broken because of it. c4l should be simpler because there aren't services like sending files to Kindle or complex APIs (at least, I don't think so), but it's still worth looking at what glitches https might introduce before leaping off that cliff.

In principle, however, I think that a general move to https is not only a Good Thing, it is the Right Message. Now, could we please get simple e-mail encryption? PGP [1] was developed in 1991, and it still can't be used by anyone who doesn't think like a paranoid engineer. Really, it's long overdue.

kc
[1] http://en.wikipedia.org/wiki/Pretty_good_privacy

On 11/4/13 11:33 AM, Ross Singer wrote:
While I'm not opposed to providing code4lib.org via HTTPS, I don't think
it's as simple as "let's just do it!".  Who will be responsible for making
sure the cert is up to date?  Who will pay for certs (if we don't go with
startcom)?

Also, forcing all traffic to HTTPS unnecessarily complicates some things,
e.g. screen scrapers (and before you say, "well, screen scraping sucks,
anyway!", I think it's not a stretch to say that "microdata parser" falls
under "screen scraping".  Or RDFa.). I feel a little uncomfortable with
adding the overhead HTTPS brings wholesale, when there are tools (like you
mention, HTTPS Everywhere) for those that want HTTPS.  It feels a little
like the xkcd "server attention span" comic to me [0].

-Ross.

0. http://xkcd.com/869/


On Mon, Nov 4, 2013 at 1:45 PM, Ethan Gruber <[email protected]> wrote:

NSA broke it already


On Mon, Nov 4, 2013 at 1:42 PM, William Denton <[email protected]> wrote:

I think it's time we made everything on code4lib.org use HTTPS by default
and redirect people to HTTPS from HTTP when needed.  (Right now there's an
outdated self-signed SSL certificate on the site, so someone took a stab at
this earlier, but it's time to do it right.)

StartCom gives free SSL certs [0], and there are lots of places that sell
them for prices that seem to run over $100 per year (which seems ridiculous
to me, but maybe there's a good reason).

I don't know which is the best way to get a cert for a site like this, but
if people agree this is the right thing to do, perhaps someone with some
expertise could work with the Oregon State hosts?

More broadly, I think everyone should be using HTTPS everywhere (and HTTPS
Everywhere, the browser extension).  Are any of you implementing HTTPS on
your institution's sites, and moving to it as default?  It's one of those
slightly finicky things that on the surface isn't necessary (why bother
with a library's opening hours or address?) but deeper down is, because
everyone should be able to browse the web without being monitored.

Bill

[0] https://cert.startcom.org/

--
William Denton
Toronto, Canada
http://www.miskatonic.org/


--
Karen Coyle
[email protected] http://kcoyle.net
m: 1-510-435-8234
skype: kcoylenet
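The two operational questions raised in this thread (does plain HTTP actually redirect to HTTPS, and who notices before the certificate expires) are exactly what a small scheduled check answers. The following script is an added example, not code from anyone on this list or from the code4lib.org hosts; the default hostname code4lib.org is taken from the thread, and the pure functions it exposes are written so they can be exercised with constructed responses and dates without a network.

```python
"""
Post-migration sanity check for a site that should be HTTPS by default:
  1. does http://host/ answer with a redirect to https://host/ ?
  2. does the TLS certificate verify, and how many days are left on it?
The live parts run only under __main__; the decision logic is separate so it
can be tested offline.  (Added example; not the list's or the site's code.)
"""
import ssl
import socket
import time
import http.client
from urllib.parse import urlsplit


def classify_redirect(host, status, location):
    """Judge one plain-HTTP response (status code and Location header).

    A clean migration answers http://host/... with a 301 or 308 to
    https://host/...  A 302/307 also works but clients will not remember it.
    Returns a short verdict string rather than True/False so the reason is
    visible in monitoring output.
    """
    if status not in (301, 302, 307, 308):
        return "no-redirect"
    if not location:
        return "redirect-without-location"
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return "redirect-not-https"
    if target.hostname is not None and target.hostname.lower() != host.lower():
        return "redirect-to-other-host"
    return "ok-permanent" if status in (301, 308) else "ok-temporary"


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string exactly as
    ssl.SSLSocket.getpeercert() returns it, e.g. 'Nov  4 11:33:00 2014 GMT'.
    Negative means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def fetch_http_redirect(host, path="/", timeout=10):
    """Live check: one plain-HTTP GET, returns (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def fetch_peer_cert(host, timeout=10):
    """Live check: TLS handshake with the system trust store and SNI.
    Raises ssl.SSLCertVerificationError for a self-signed or expired
    certificate (the very state the thread describes), which is the finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "code4lib.org"
    status, location = fetch_http_redirect(host)
    print(f"http://{host}/ -> {status} {location!r}: "
          f"{classify_redirect(host, status, location)}")
    try:
        cert = fetch_peer_cert(host)
        left = days_until_expiry(cert["notAfter"])
        print(f"cert expires {cert['notAfter']} ({left:.1f} days left)")
    except ssl.SSLCertVerificationError as exc:
        print(f"TLS verification failed: {exc}")
```

Run it from cron and alert on anything other than "ok-permanent", on a verification failure, or on fewer than, say, 14 days left; that covers both the "outdated self-signed certificate" state the thread starts from and the "who keeps the cert up to date" question.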
