> > It's main unrealised potential benefit is; add *some* security by > > default to all those insecure wordpress logins. > > That's a terrible reason. And actually it's "make those insecure > CMS sites look more like they might be secure" when they're no > such thing. Because people have been trained into equating https > with security. Which is just plain wrong.
Also whilst ordering a 100 units could happen when you only want one, often the security such as for payment is a third party server which is *usually* more secure or atleast PCI compliant, haha. Strangely, payment systems (paypal started requiring it last year) often require javascript which I guess is ironically the most likely vector for ID theft in this scenario. So... why is there so much hoo har about SSL everywhere and no attention given to javascript from third party domains doing all sorts of potential things (potentially exploitation) and encouraging payment systems to be javascript free. Both SSL everywhere and javascript nowhere require encouragement and time to accomplish. So is their an agenda or just many idiots who see TLS=security and don't see lack of secure cookie usage and XSS vulnerabilities (now protected by SSL everywhere) meaning a site is likely exploitable in other ways!! Which brings us nicely back to your original point, haha ;) -- KISSIS - Keep It Simple So It's Securable
