On Mon, Sep 15, 2014 at 5:59 PM, Richard Barnes <rbar...@mozilla.com> wrote: > On Sep 15, 2014, at 5:11 AM, Henri Sivonen <hsivo...@hsivonen.fi> wrote: >> I think the primary way for making the experience better for users >> currently accessing http sites should be getting the sites to switch >> to https so that subsequently people accessing those sites would be >> accessing https sites. That way, the user experience not only benefits >> from HTTP/2 performance but also from the absence of ISP-injected ads >> or other MITMing. > > "Just turn on HTTPS" is not as trivial as you seem to think. For example, > mixed content blocking means that you can't upgrade until all of your > external dependencies have too.
I don't think anyone is suggesting it's trivial. We're saying that a) it's necessary if you want to prevent MITM, ad-injection, etc. and b) it's required for new features such as service workers (which in turn are required if you want to make your site work offline). At the moment setting up TLS is quite a bit of hassle and requires dealing with CAs to get a certificate. But given that there's no way around TLS becoming the bottom line for interesting new features in browsers, we need to start looking into how we can simplify that process. Looking into how we can prolong the non-TLS infrastructure should have much less priority I think. Google seems to have the right trade off and the "IETF consensus" seems to be unaware of what is happening elsewhere. -- https://annevankesteren.nl/ _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
