On 3/12/15 12:26, Aryeh Gregor wrote:
Because unless things have changed a lot in the last three years or
so, HTTPS is a pain for a few reasons:

1) It requires time and effort to set up.  Network admins have better
things to do.  Most of them either are volunteers, work part-time,
computers aren't their primary job responsibility, they're overworked,
etc.

2) It adds an additional point of failure.  It's easy to misconfigure,
and you have to keep the certificate up-to-date.  If you mess up,
browsers will helpfully go berserk and tell your users that your site
is trying to hack their computer (or that's what users will infer from
the terrifying bright-red warnings).  This is not a simple problem to
solve -- for a long time, https://amazon.com would give a cert error,
and I'm pretty sure I once saw an error on a Google property too.  I
think Microsoft too once.

3) Last I checked, if you want a cert that works in all browsers, you
need to pay money.  This is a big psychological hurdle for some
people, and may be unreasonable for people who manage a lot of small
domains.

4) It adds round-trips, which is a big deal for people on high-latency
connections.  I remember Google was trying to cut it down to one extra
round-trip on the first connection and none on subsequent connections,
but I don't know if that's actually made it into all the major
browsers yet.

These issues seem all basically fixable within a few years

As an aside, the first three are not just fixable, but actually fixed within the next few months: https://letsencrypt.org/


--
Adam Roach
Principal Platform Engineer
a...@mozilla.com
+1 650 903 0800 x863
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
