On Tue, Apr 14, 2015 at 3:55 AM, Yoav Weiss <y...@yoav.ws> wrote:

> On Tue, Apr 14, 2015 at 8:22 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>
> > On Tue, Apr 14, 2015 at 7:52 AM, Yoav Weiss <y...@yoav.ws> wrote:
> > > Limiting new features does absolutely nothing in that aspect.
> >
> > Hyperbole much? CTO of the New York Times cited HTTP/2 and Service
> > Workers as a reason to start deploying HTTPS:
> >
> > http://open.blogs.nytimes.com/2014/11/13/embracing-https/
> >
> I stand corrected. So it's the 8th reason out of 9, right before technical
> debt.
>
> I'm not saying using new features is not an incentive, and I'm definitely
> not saying HTTP2 and SW should have been enabled on HTTP.
> But, when done without any real security or deployment issues that mandate
> it, you're subjecting new features to significant adoption friction that is
> unrelated to the feature itself, in order to apply some indirect pressure
> on businesses to do the right thing.
>

Please note that there is no inherent security reason to limit HTTP/2 to be used only over TLS (as there is for SW), at least not any more than the security reasons for carrying HTTP/1.1 over TLS. They're semantically equivalent; HTTP/2 is just faster. So if you're OK with limiting HTTP/2 to TLS, you've sort of already bought into the strategy we're proposing here.

> You're inflicting developer pain without any real justification. A sort of
> collective punishment, if you will.
>
> If you want to apply pressure, apply it where it makes the most impact with
> the least cost. Limiting new features to HTTPS is not the place, IMO.
>

I would note that these options are not mutually exclusive :) We can apply pressure with feature availability at the same time that we work on the ecosystem problems. In fact, I had a call with some advertising folks last week about how to get the ad industry upgraded to HTTPS.

--Richard

> >
> > (And anecdotally, I find it easier to convince developers to deploy
> > HTTPS on the basis of some feature needing it than on merit. And it
> > makes sense, if they need their service to do X, they'll go through
> > the extra trouble to do Y to get to X.)
> >
>
> Don't convince the developers. Convince the business. Drive users away to
> secure services by displaying warnings, etc.
> Anecdotally on my end, I saw small Web sites that care very little about
> security, move to HTTPS overnight after Google added HTTPS as a (weak)
> ranking signal
> <http://googlewebmastercentral.blogspot.fr/2014/08/https-as-ranking-signal.html>.
> (reason #4 in that NYT article)
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform