Hello, On Monday, April 13, 2015 at 4:57:58 PM UTC+2, Richard Barnes wrote: > In order to encourage web developers to move from HTTP to HTTPS, I would > like to propose establishing a deprecation plan for HTTP without security. > > <snip> > > Thanks, > --Richard
While I fully understand what's at stake here and the reasoning behind this, I'd like to ask an admittedly troll-like question : Will Mozilla start to offer certificates to every single domain name owner ? Without that, your proposal tells me: either you pay for a certificate or you don't use the latest supported features on your personal (or professional) web site. This is a call for a revival of the "best viewed with XXX browser" banners. Making the warning page easier to bypass is a very, very bad idea. The warning page is here for a very good reason, and its primary function is to scare non-technical literate people so that they don't put themselves in danger. Make it less scary and you'll get the infamous Windows Vista UAC dialog boxes where people click OK without even reading the content. The proposal fails to foresee another consequence of a full HTTPS web: the rise and fall of root CAs. If everyone needs to buy a certificate you can be sure that some companies will sell them for a low price, with limited background check. These companies will be spotted - and their root CA will be revoked by browser vendors (this already happened in the past and I fail to see any reason why it would not happen again). Suddenly, a large portion of the web will be seen as even worse than "insecure HTTP" - it will be seen as "potentially dangerous HTTPS". The only way to avoid this situation is to put all the power in a very limited number of hands - then you'll witness a sharp rise on certificate prices. Finally, Mozilla's motto is to keep the web open. Requiring one to pay a fee - even if it's a small one - in order to allow him to have a presence on the Intarweb is not helping. Best regards, -- Emmanuel Deloget _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
