On Tue, Apr 14, 2015 at 8:22 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Tue, Apr 14, 2015 at 7:52 AM, Yoav Weiss <y...@yoav.ws> wrote: > > Limiting new features does absolutely nothing in that aspect. > > Hyperbole much? CTO of the New York Times cited HTTP/2 and Service > Workers as a reason to start deploying HTTPS: > > http://open.blogs.nytimes.com/2014/11/13/embracing-https/ I stand corrected. So it's the 8th reason out of 9, right before technical debt. I'm not saying using new features is not an incentive, and I'm definitely not saying HTTP2 and SW should have been enabled on HTTP. But, when done without any real security or deployment issues that mandate it, you're subjecting new features to significant adoption friction that is unrelated to the feature itself, in order to apply some indirect pressure on businesses to do the right thing. You're inflicting developer pain without any real justification. A sort of collective punishment, if you will. If you want to apply pressure, apply it where it makes the most impact with the least cost. Limiting new features to HTTPS is not the place, IMO. > > (And anecdotally, I find it easier to convince developers to deploy > HTTPS on the basis of some feature needing it than on merit. And it > makes sense, if they need their service to do X, they'll go through > the extra trouble to do Y to get to X.) > > Don't convince the developers. Convince the business. Drive users away to secure services by displaying warnings, etc. Anecdotally on my end, I saw small Web sites that care very little about security, move to HTTPS over night after Google added HTTPS as a (weak) ranking signal <http://googlewebmastercentral.blogspot.fr/2014/08/https-as-ranking-signal.html>. (reason #4 in that NYT article) _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
