On Tuesday, April 14, 2015 at 1:16:25 AM UTC-4, vic wrote:
> On Monday, April 13, 2015 at 4:57:58 PM UTC+2, Richard Barnes wrote:
> > HTTP deprecation
>
> I'm strongly against the proposal as it is described here. I work with small
> embedded devices (think sensor network) that are accessed over HTTP. These
> devices have very little memory, only a few kB, implementing SSL is simply
> not possible. Who are you to decree these devices become unfit hosts?
>
> Secondly the proposal to restrain unrelated new features like CSS attributes
> to HTTPS sites only is simply a form of strong-arming. Favoring HTTPS is fine
> but authoritarianism is not. Please consider that everyone is capable of
> making their own decisions.
>
> Lastly deprecating HTTP in the current state of the certificate authority
> business is completely unacceptable. These are *not* separate issues, to
> implement HTTPS without warnings you must be able to obtain certificates
> (including wildcard ones) easily and affordably and not only to rich western
> country citizens. The "let's go ahead and we'll figure this out later"
> attitude is irresponsible considering the huge impact that this change will
> have.
>
> I would view this proposal favorably if 1) you didn't try to force people to
> adopt the One True Way and 2) the CA situation was fixed.

An embedded device would not be using a web browser such as Firefox, so this isn't really much of a concern. The idea would be to only enforce HTTPS deprecation from browsers, not web servers. You can continue to use HTTP on your own web services and therefore use it through your embedded devices.

As all technology protocols change over time, enforcing encryption is a natural and logical step to evolve web technology. Additionally, while everyone is able to make their own decisions, it doesn't mean people make the right choice. A website that uses sensitive data insecurely over HTTP and the users are unaware, as most web consumers are not even aware what the difference of HTTP vs HTTPS means, is not worth the risk. It'd be better to enforce security and reduce the risks that exist with internet privacy. Mozilla though never truly tries to operate anything with an authoritarian approach, but this suggestion is to protect the consumers of the web, not the developers of the web.

Mozilla is trying to get https://letsencrypt.org/ started, which will be free, removing all price arguments from this discussion.

IMHO, this debate should be focused on improving the way HTTP is deprecated, but I do not believe there are any valid concerns that HTTP should not be deprecated.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform