On Monday, April 13, 2015 at 10:57:58 AM UTC-4, Richard Barnes wrote:
> There's pretty broad agreement that HTTPS is the way forward for the web.
> In recent months, there have been statements from IETF [1], IAB [2], W3C
> [3], and even the US Government [4] calling for universal use of
> encryption, which in the case of the web means HTTPS.
> 
> In order to encourage web developers to move from HTTP to HTTPS, I would
> like to propose establishing a deprecation plan for HTTP without security.
> Broadly speaking, this plan would entail limiting new features to secure
> contexts, followed by gradually removing legacy features from insecure
> contexts.  Having an overall program for HTTP deprecation makes a clear
> statement to the web community that the time for plaintext is over -- it
> tells the world that the new web uses HTTPS, so if you want to use new
> things, you need to provide security.  Martin Thomson and I drafted a
> one-page outline of the plan with a few more considerations here:

For Devs who claim to be crusaders of standards, your standards last little 
more than 1 financial cycle until deprecated and 2 years until removed. TLS has 
observable overhead (more round trips) on all 2G-4G connections vs an 
equivalent cleartext HTTP 1.1. For privileged developers who carry venture 
capital funded client test devices and the most expensive dev machines that 
money can buy funded by Wall Street money, it is easy to throw away all users 
who live in developing nations on budget client hardware or lowest tier 3G or 
4G networks. Cleartext has a place, and until HTTP2/QUIC can get round trips 
and packet size to old cleartext ways on high packet loss, 2G or satellite, or 
the worst monopoly "State Post and Telegraph" 3G mobile networks, HTTPS should 
only be used for sensitive data or stateful queries.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
