On Monday, April 13, 2015 at 4:57:58 PM UTC+2, Richard Barnes wrote: > There's pretty broad agreement that HTTPS is the way forward for the web. There is no such agreement, and even if there was, that doesn't mean you get to force people to agree. > In order to encourage web developers to move from HTTP to HTTPS, I would > like to propose establishing a deprecation plan for HTTP without security. You're using the wrong word here, what you're proposing is a coercion scheme.
> Broadly speaking, this plan would entail limiting new features to secure > contexts, followed by gradually removing legacy features from insecure > contexts. Having an overall program for HTTP deprecation makes a clear > statement to the web community that the time for plaintext is over -- it > tells the world that the new web uses HTTPS, so if you want to use new > things, you need to provide security. Martin Thomson and I drafted a > one-page outline of the plan with a few more considerations here: No, it just tells the world that you're a paid shill for the SSL cert racket. This idea of yours is bad. it's bad for the reasons very articulately outlined in this blog entry: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/ the TL;DR of it is this: - TLS is broken because of the CA structure, which allows any CA to sign a certificate for any website. - SSL certificates are a racket, I think this shouldn't require explanation really. - "Free" SSL certificate providers don't exist (startcom is also a racket) - "Let's encrypt it" doesn't solve the variety of usecases (and it's setup scheme is also batshit insane) I would personally like to add a few more to the list: - The freedom of speech should not require you to buy into an expensive racket - SSL still has a non zero speed impact, which is a problem in some scenarios. - Edge-routing/CDN etc. is a very useful technique that's currently practically free to do, and allows scrummy startups to build awesome services. TLS virtually kills all of that. - Not everything is even encryptable, really not. For instance UDP packets carrying game-player positions aren't, because they arrive out of order. - There's an enormous amount of legacy content on the web you will *never* get to move to TLS, you want to throw that all away too? - Implementing and using small, dedicated, quirky HTTP servers for the variety of usecases there are is a very productive activity. Mandating/coercing TLS makes all those existing deployments impossible, and it also makes it impossible in the first place to have them at all. In summary, you're batshit insane, power hungry, and mad, and you're using double speek at its finest. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
