On Mar 10, 2012, at 12:19 PM, Luke R. wrote:

> I would tend to side with the ones who said we need both. HTTPS default, HTTP
> still available for those in need of it. The reason is because countries and
> most definitely some wifi hotspots in my experience block HTTPS entirely.
> Also some mobile browsers do not allow HTTPS (sadly!).
>
> A user may be able to use an HTTP proxy in his/her country to get access to
> the blocked domain via HTTP (unless the http proxy also supports HTTPS? then
> this may not be needed). In such cases MD5 hash checks would be very
> important, as well as the non-anonymity in downloading the binary in the
> first place could place a person at risk... but at least they would be able
> to download it.
>
> Regarding the HTTPS certificate errors, continued development of this FF
> extension may prove helpful: http://www.cs.cmu.edu/~perspectives/

Just thought I'd mention that cs.cmu.edu/~perspectives redirects to www.networknotary.org which appears to be down. A quick web search brought me to www.perspectives-project.org which appears to be the new site. The project looks very interesting, but IMO it won't make much of a difference until/unless it's bundled with the browser.

I agree that in lieu of HTTPS, MD5/SHA hashes would be very useful. As well, any automated update tool should also download a hash and check it before using the update (not sure if that happens now).
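
The hash check suggested above for an automated update tool, as an added example that is not part of the original message and is not Freenet's updater code. It uses SHA-256 and a `sha256sum`-style listing; the function names, the `update.jar` file name and the sample payload are hypothetical, and the listing is assumed to come from a source the updater already trusts.

```python
import hashlib
import hmac
import os
import tempfile

def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums

def sha256_file(path, chunk=65536):
    """Hash the file in chunks so large updates are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def install_if_verified(staged_path, checksums_text, name, dest_path):
    """Move the staged download into place only if its digest matches; else delete it."""
    expected = parse_checksums(checksums_text).get(name)
    actual = sha256_file(staged_path)
    if expected is None or not hmac.compare_digest(expected, actual):
        os.remove(staged_path)  # never leave an unverified update on disk
        return False
    os.replace(staged_path, dest_path)  # atomic rename on the same filesystem
    return True

def demo():
    """Constructed sample: one intact and one tampered update, no network needed."""
    workdir = tempfile.mkdtemp()
    good = b"constructed update payload v2"
    listing = hashlib.sha256(good).hexdigest() + "  update.jar\n"
    results = []
    for payload in (good, good + b"!"):
        staged = os.path.join(workdir, "update.jar.part")
        with open(staged, "wb") as f:
            f.write(payload)
        dest = os.path.join(workdir, "update.jar")
        results.append(install_if_verified(staged, listing, "update.jar", dest))
    return results

if __name__ == "__main__":
    print(demo())
```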
