On Fri, May 1, 2015 at 11:06 AM, Eric Shepherd <esheph...@mozilla.com> wrote:
> There are a lot of things that don't need encryption,

This assertion is made quite often in this context. It's been shown to be false in every example I've seen. I think Richard provided several citations where this was believed to be correct, to the detriment of us all (Great Cannon being a prime example).

> and sites that serve
> legacy purposes and/or audiences, and cannot be updated to https in the
> first place.

There are two aspects to this: the software, and the content.

If software cannot be updated, that's a problem in its own right. The idea that you could release your server onto the Internet to fend for itself for 20 years was a dream of the 90s that has taken a while to die. Just as you have to feed it electricity and packets, you have to maintain software too.

The content issue is a serious one, but there are several answers that could fit (HSTS, upgrade-insecure, and maybe opportunistic security).

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform