+freaking1 On Fri, May 1, 2015 at 2:16 PM, Martin Thomson <m...@mozilla.com> wrote: > On Fri, May 1, 2015 at 11:06 AM, Eric Shepherd <esheph...@mozilla.com> wrote: >> There are a lot of things that don't need encryption, > > This assertion is made quite often in this context. It's been shown to > be false in every example I've seen. I think Richard provided several > citations where this was believed to be correct, to the detriment of > us all (great cannon being a prime example). > >> and sites that serve >> legacy purposes and/or audiences, and cannot be updated to https in the >> first place. > > There are two aspects to this: the software, and the content. > > If software cannot be updated, that a problem in its own right. The > idea that you could release your server onto the Internet to fend for > itself for 20 years was a dream of the 90s that has taken a while to > die. Just as you have to feed it electricity and packets, you have to > maintain software too. > > The content issue is a serious one, but there are several answers that > could fit (HSTS, upgrade-insecure, and maybe opportunistic security). > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform
-- Joseph Lorenzo Hall Chief Technologist Center for Democracy & Technology 1634 I ST NW STE 1100 Washington DC 20006-4011 (p) 202-407-8825 (f) 202-637-0968 j...@cdt.org PGP: https://josephhall.org/gpg-key fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
