On Friday, April 24, 2015 at 1:03:00 AM UTC-4, butrus...@gmail.com wrote: > On Monday, April 13, 2015 at 4:57:58 PM UTC+2, Richard Barnes wrote: > > There's pretty broad agreement that HTTPS is the way forward for the web. > > In recent months, there have been statements from IETF [1], IAB [2], W3C > > [3], and even the US Government [4] calling for universal use of > > encryption, which in the case of the web means HTTPS. > > > > In order to encourage web developers to move from HTTP to HTTPS, I would > > like to propose establishing a deprecation plan for HTTP without security. > > Broadly speaking, this plan would entail limiting new features to secure > > contexts, followed by gradually removing legacy features from insecure > > contexts. Having an overall program for HTTP deprecation makes a clear > > statement to the web community that the time for plaintext is over -- it > > tells the world that the new web uses HTTPS, so if you want to use new > > things, you need to provide security. Martin Thomson and I drafted a > > one-page outline of the plan with a few more considerations here: > > > > https://docs.google.com/document/d/1IGYl_rxnqEvzmdAP9AJQYY2i2Uy_sW-cg9QI9ICe-ww/edit?usp=sharing > > > > Some earlier threads on this list [5] and elsewhere [6] have discussed > > deprecating insecure HTTP for "powerful features". We think it would be a > > simpler and clearer statement to avoid the discussion of which features are > > "powerful" and focus on moving all features to HTTPS, powerful or not. > > > > The goal of this thread is to determine whether there is support in the > > Mozilla community for a plan of this general form. Developing a precise > > plan will require coordination with the broader web community (other > > browsers, web sites, etc.), and will probably happen in the W3C. > > > > Thanks, > > --Richard > > > I think this is very very bad idea. There are many resources which are not > worth being protected by HTTPS. Moreover, it doesn't make sense e.g. for > resources in the local network. And there are devices which CANNOT use HTTPS, > e.g. a webserver on a 8-bit MCU (like > http://tuxgraphics.org/electronics/200611/article06111.shtml). > > So, please, let it be the responsibility of the webmaster and/or the user > whether to use HTTP or HTTPS!
To be clear, we are not proposing to remove that choice, only limiting the set of web features that non-HTTPS pages can use. There are also plenty of small platforms that can support HTTPS. Slightly bigger than what you're talking about, but still small. http://hypernephelist.com/2014/08/19/https_on_arduino_yun.html --Richard > > P. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
