On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote: [cut]
> > Want https? great. use it. There are times when it's handy to NOT
> > be obsessed with https (i.e., clock is hosed on your computer).
> >
> > So ... unless some developer I really respect (which is just about
> > all of them1) tells me to change this, I'm not planning on
> > changing the behavior of the machines.
>
> I did object to http->https redirects in the past, but now the web is
> unusable without working https anyway and the "INSECURE openbsd.org"
> shown on some browsers *is* a bit of an eyesore ...
>

IMHO, the fact that corporates (Google) want to dictate what is secure and what is not, is not sufficient to force everybody on https, at all times. I personally don't give a toss about what Chrome thinks of a website and its security (maybe because I have never used Chrome or because I quit Google searches more than 10 years ago...).

There are many cases where the overhead introduced by https is really not worth the extra bit of confidentiality you get. And we are talking here of manpages (that are installed in your system anyway) and of system sources (that are available for download at any time, even from an HTTPS mirror)...

Sorry for the rant, but if I type "http://bring.me.there" I don't want to find myself at "https://we.brought.you.somewhere.else". I am not a chimp. I know what I type in my URL box. I know what I expect. And I want to be able to serve content via HTTP/1.0 if I need to.