On 23/05/2025 01:14, Mouse wrote:
> > And, let's not forget, many browsers will actually recommend to the
> > user not to go to a site unless it's an https url.
> Oh, that's _really_ obnoxious.


I don't seem to have received the message mentioned in the inner quote, but my understanding is that the mainstream browser community all agreed on this a year or two ago.

I think the aim was to protect the general public, given that most web site operators don't understand security, and nor does the general public. I think the idea was that the general public were not able to make the judgement as to whether they should be insisting on encryption, or not, so it was safer to remove the choice from them.

However, my view is that most security risks are introduced by marketing people (banks are often amongst the worst), who introduce new gimmicks without understanding that they weaken security. In the past, JavaScript was one of them. What concerns me now is the number of sites that are completely reliant on Cloudflare maintaining their security infrastructure securely, and the number of businesses that would die if a few undersea cables were cut.

Something I've discovered recently is that there are plans to reduce certificate expiries down to a month and a half, which will mean that sites that aren't maintained by automation will die quickly.
