On Fri, May 1, 2015 at 11:06 AM, Eric Shepherd <esheph...@mozilla.com> wrote:
> There are a lot of things that don't need encryption,

This assertion is made quite often in this context. It's been shown to
be false in every example I've seen.  I think Richard provided several
citations where this was believed to be correct, to the detriment of
us all (Great Cannon being a prime example).

> and sites that serve
> legacy purposes and/or audiences, and cannot be updated to https in the
> first place.

There are two aspects to this: the software, and the content.

If software cannot be updated, that's a problem in its own right.  The
idea that you could release your server onto the Internet to fend for
itself for 20 years was a dream of the 90s that has taken a while to
die.  Just as you have to feed it electricity and packets, you have to
maintain software too.

The content issue is a serious one, but there are several answers that
could fit (HSTS, upgrade-insecure, and maybe opportunistic security).