On Wed, Mar 13, 2019 at 2:25 AM Willy Tarreau <[email protected]> wrote:

> On Wed, Mar 13, 2019 at 11:43:55AM +0800, ?? wrote:
> > I personally recommend that all HTTP requests be forwarded to HTTPS;
>
> No, this ruins accessibility and creates many useless warnings for no
> valid reason; what is presented on the site is public thus doesn't
> need to be encrypted, and it's verifiable from other sources thus it
> doesn't need to be authenticated either. If you need https, you are
> free to use it but must not impose it on others.
Hi Willy:

This thread is interesting to me. I have traditionally had the same position as you. Encrypting public information is not a requirement or best practice, and provides no real value. I am suspicious that the person who we are responding to may believe in this "no real value". I particularly dislike how people think the lock icon in their browser means more than it actually does and I am a bit loath to encourage this incorrect belief.

But, I have had some revelations after reviewing Google's plan to encrypt all the things and related projects such as the work of the EFF... In certain parts of the world that are not as free (as in freedom) as the places we live, information is used as a weapon to control people. Seemingly innocent bits of public information might be used against a person in such a regime. I don't agree with it, and I don't want to understand it, but providing people the added feature of privacy, even when it is not necessary, provides a defense against these tactics. Also, if only the things that need to be encrypted are encrypted, it makes it easy for this information to be targeted for decryption, whereas if everything is encrypted it makes it much more difficult to target.

That said... the nature of IP address routing means that encryption has limited value when it comes to understanding the browsing habits of a user. A monitoring system could still determine which site you were accessing with a reasonable degree of accuracy, and the TLS headers normally still include the SNI in plain text, further improving the quality of such monitoring.

Since you provide both http:// and https:// you are making it the choice of the user as to which they wish to use, so you are not preventing them from having what privacy can be afforded. It's just not enabled by default. "Opt-in", effectively.
And, for the regimes that truly want to eliminate privacy for individuals, they very likely act as a man-in-the-middle and decrypt the content for scanning anyways, making the request for encryption a moot point.

For my own sites, I now mostly redirect to https:// as a result of the above. But, I consider this only a preference and convenience. It certainly doesn't add security for a public site with no login requirements. It only adds a layer of privacy by default as opposed to opt-in privacy. I don't have any belief that this layer of privacy is impenetrable. It's more like pulling the shades down to block the neighbours from seeing in your house. I still expect those motivated enough and funded well enough to be able to find a way past these blinds.

-- 
Mark Mielke <[email protected]>

