On 11/19/14 04:50, Patrick McManus wrote:
> There are basically 2 arguments against OE here: 1] you don't need OE
> because everyone can run https and 2] OE somehow undermines https
>
> I don't buy them because [1] remains a substantial body of data and [2] is
> unsubstantiated speculation and borders on untested FUD.

I agree, and find the assertion of [2] to be further perplexing: it completely discounts the fact that OE can (and ideally will) be opt-out for most server configurations, while HTTPS remains opt-in -- even for the Let's Encrypt setup.

There's a radical difference in penetration between opt-in and opt-out, and we base substantial portions of our privacy decisions on this fact. I'm a bit baffled that it's not immediately obvious to everyone in this conversation that this distinction translates to the deployment of encryption.

I'm all for the drive to have authenticated encryption everywhere, and am very excited about the Let's Encrypt initiative. But there's no reason to leave traffic gratuitously unencrypted while we drive towards 100% HTTPS penetration.

--
Adam Roach
Principal Platform Engineer
a...@mozilla.com
+1 650 903 0800 x863