Richard Barnes wrote:
> There's pretty broad agreement that HTTPS is the way forward for the web.
> In recent months, there have been statements from IETF [1], IAB [2], W3C
> [3], and even the US Government [4] calling for universal use of
> encryption, which in the case of the web means HTTPS.
>
> In order to encourage web developers to move from HTTP to HTTPS, I would
> like to propose establishing a deprecation plan for HTTP without security.

With all due respect, the HTTP->HTTPS *isn't* entirely a web developer's choice, but the web server administration's choice (unless the person is wearing both hats). Just because the US Government is calling for encryption (i.e. HTTPS over HTTP), it doesn't mean people can and/or will do it.

Why? Why do people need to be forced to use HTTPS when it's overkill for their website? I mean.. would a run-of-the-mill-with-no-shopping require HTTPS? Like, i.e. http://www.ambrosia-oysterbar.com/catalog/index.php

HTTPS is a secured method of transporting information. For the above website, https would make absolutely no sense and would be akin to getting BRINKS to transport a T-bone steak dinner to you. Can you do that? Sure, possibly, if BRINKS doesn't ignore you right out. Why would you do that?

Like everything, HTTPS is a tool and it's a bad idea to force people to use HTTPS when they don't need it. When do they need it? Who decides when they need it? Certainly not you, or anyone else other than themselves.

So like the NetworkInterface issue... please stop wasting resources doing these 'busy' things when you can be doing something else that gives more choice to the user. I mean.. doing the things right vs. doing the right things and I believe it was the late Peter Drucker that wrote that.

> Broadly speaking, this plan would entail limiting new features to secure
> contexts, followed by gradually removing legacy features from insecure
> contexts. Having an overall program for HTTP deprecation makes a clear
> statement to the web community that the time for plaintext is over -- it

There is nothing wrong with plaintext just as long as it isn't something credential-like. Also, what you're doing will only make a clear statement to the web community that you are forcing something on them and limiting THEIR choices of broadcasting their information as they see fit.

IOW, "deprecating HTTP" is not a good idea.

:ewong
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform