On Tue, Mar 17, 2015 at 12:05 PM, Aryeh Gregor <a...@aryeh.name> wrote:
> 1) SNI is reportedly still not usable if you care about IE on XP.
> This means HTTPS is not usable on shared hosting, which is most small
> sites, unless you don't care that your site doesn't load in IE on XP.
> This is also a problem for larger sites whose content is accessible
> via multiple domains (even just www.foo.com vs. foo.com), unless they
> want to get an IP address per domain.  For instance, Wikipedia serves
> a whole bunch of second-level domains (wikipedia.org, wikimedia.org,
> wiktionary.org, etc.) from the same servers, and to support HTTPS,
> they needed to reconfigure their site so that all of these were
> different IP addresses.

I'm not sure that IE on XP is worth caring about (also, IE7 is OK).

> 2) If you want to support access via both HTTP and HTTPS for whatever
> reason, you have to make sure your content uses protocol-relative URLs
> exclusively, which means modifying the software that runs on
> your site.  Otherwise users will click a link and get sent back to the
> insecure site without noticing.  This could include user-provided
> URLs.  You could just use HTTPS exclusively, but that's a somewhat
> bigger step to take.

HSTS.

> 3) If you include third-party scripts that are not available over
> HTTPS, at least Chrome will helpfully break your site until your users
> click through a permissions dialog, if I remember correctly.

Upgrade is coming (see webappsec).

> 4) According to the O'Reilly book linked from istlsfastyet.com,
> best-case TLS usage still adds a round-trip to every connection.
> Common non-best-case scenarios are worse (e.g., IE < 10 apparently
> doesn't support False Start).  This is a nontrivial performance
> penalty.

TLS 1.3 can have data in the first flight sometimes.  Or you could
avoid most of the connection setup issues and use HTTP/2, which for
the general case will improve performance (unless your site consists
of too few resources to benefit, that is).
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
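The two mitigations the thread touches on for points 2 and 3, an HSTS header so that plain-HTTP links get upgraded by the browser, and keeping subresources off http:// so nothing is blocked as mixed content, can be checked mechanically. The script below is an added example for this page, not code from the thread or from Mozilla: it parses a Strict-Transport-Security value into its directives and scans an HTML body for http:// subresources, distinguishing active content (scripts, stylesheets, frames, which browsers block) from passive content (images, media) and from ordinary http:// navigation links. The response headers and HTML are constructed sample data, and the example.test hostnames are placeholders.

```python
"""Audit a (constructed) HTTPS response for HSTS and mixed content.

Added example for the dev-platform thread above; not the thread's own code.
"""
import re
from html.parser import HTMLParser

# Constructed sample response; not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
SAMPLE_BODY = """
<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/other.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/style.css">
</head><body>
<img src="http://img.example.test/logo.png">
<a href="http://www.example.test/page">link</a>
</body></html>
"""

# Subresources a browser executes or applies are "active" mixed content and are
# blocked outright; images and media are "passive" and are warned about or blocked.
ACTIVE_TAGS = {"script": "src", "link": "href", "iframe": "src", "object": "data"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when max-age is missing or malformed, because browsers then
    ignore the header entirely (RFC 6797 requires max-age).
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload}


class _InsecureReferenceCollector(HTMLParser):
    """Collect http:// references; protocol-relative (//) and https URLs are fine."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            url, category = attrs.get(ACTIVE_TAGS[tag]), "active"
        elif tag in PASSIVE_TAGS:
            url, category = attrs.get(PASSIVE_TAGS[tag]), "passive"
        elif tag == "a":
            url, category = attrs.get("href"), "navigation"
        else:
            return
        if url and url.lower().startswith("http://"):
            self.findings.append((category, tag, url))


def find_insecure_references(html):
    parser = _InsecureReferenceCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit(headers, body):
    """Return the HSTS policy (or None) and the http:// references found in the body."""
    hsts_raw = next((v for k, v in headers.items()
                     if k.lower() == "strict-transport-security"), None)
    refs = find_insecure_references(body)
    return {
        "hsts": parse_hsts(hsts_raw) if hsts_raw is not None else None,
        "active_mixed": [u for c, _, u in refs if c == "active"],
        "passive_mixed": [u for c, _, u in refs if c == "passive"],
        "http_links": [u for c, _, u in refs if c == "navigation"],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

On the sample, the HSTS header parses cleanly, the http:// script is reported as active mixed content, the image as passive, and the http:// anchor as a link that would drop the user back to plain HTTP on a site without HSTS; the protocol-relative script is not flagged because on an HTTPS page it resolves to https.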