Anne,

On 28 Sept. 2014 at 19:26, Anne van Kesteren <ann...@annevk.nl> wrote:
> I'm not sure where you see me making that argument in this thread. I
> simply recommended we move to require TLS for privacy-sensitive APIs.

I'm usually pushing privacy (or more exactly opacity) very hard, almost in a paranoid way. There are trade-offs to what you are proposing which are tied to complexity and locality. And because you set up your initial arguments on the need for privacy, let's take a step back.

Living with a 10-inch metal armor around our communications is not a very appealing scenario for the future of the Web. It also makes it harder for those creating Web sites, experimenting, etc. Imagine if I am at home developing my own little Web app on my computer, I need to get through the hoops of deploying TLS. This becomes a non-starter and raises the bar of Web development, which increases the issues of industrialization.

Right now, our issues with communications security are basically due to the game of big players having nets for catching communications going through very narrow spaces (a kind of single point of failure).

Asking everyone to adopt TLS is a bit like asking everyone to switch to XML. It doesn't visibly and directly improve the life of people. In the big scheme of things, it gives an additional layer of security on their communications, but not privacy. Even more so, telling people that they have more privacy because the communication is secure end-to-end is deeply misleading. Secured geolocation end-to-end to an aggregator such as FourSquare, Google, Facebook, etc. doesn't change anything about your privacy.

Do you see any way to have a system where the API in local circumstances can use simple HTTP and in others needs to go through HTTPS?

--
Karl Dubost, Mozilla
http://www.la-grange.net/karl/moz

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform