On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:

> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
>>
>> I'm all for HTTPS, but do we really want to outright *remove* functionality
>> from the site? Sure, HTTP isn't secure and all "modern" web browsers support
>> it. However, we would be making it harder for people to learn about Freenet
>> and potentially try it out.
>>
>
> Why? You could still access it over HTTP... and be presented with
> (transparent) redirect to the secure version.

I just scratched an itch and discovered that even Lynx supports HTTPS? If it really is the case that HTTPS has become so ubiquitous that users wouldn't be affected, then sure, go ahead with it. HOWEVER: the question really needs to be restated. Are there any countries or ISPs that are known to disallow secure communications?

>> In the end I think we should do what every major website does today: encrypt
>> the important data and let the entire site be accessible securely, but don't
>> force it onto people.
>>
>> -Daxter
>
> It's very difficult to do and most websites do it wrong. You have to think
> about mixed-content errors, cookie flags, ...
>
> Sending credentials in cleartext like we do on the wikis, with no secure
> alternative, is a disgrace.
>
> Florent

Can you give me an example of a website that in your mind does either the mixed model or the secure-only model properly? It would be nice to compare with them.

Actually, the wiki supports HTTPS right now. You'll get a certificate error, but it works.

While we're on the subject (as I've never bothered with HTTPS on the site until now), turns out it's rather misconfigured. Both the wiki and the main site return a certificate for emu.freenetproject.org? That address isn't accessible--what was it, and shouldn't we get this fixed?

-Daxter
