On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia <kato...@freaknet.org> wrote:
> On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote: > > [cut] > > > > Want https? great. use it. There are times when it's handy to NOT > > > be obsessed with https (i.e., clock is hosed on your computer). > > > > > > So ... unless some developer I really respect (which is just about > > > all of them1) tells me to change this, I'm not planning on > > > changing the behavior of the machines. > > > > I did object to http->https redirects in the past, but now the web is > > unusable without working https anyway and the "INSECURE openbsd.org" > > shown on some browsers *is* a bit of an eyesore ... > > > > IMHO, the fact that corporates (Google) want to dictate what is secure > and what is not, is not sufficient to force everybody on https, at all > times. I personally don't give a toss of what Chrome thinks of a > website and its security (maybe because I have never used Chrome or > because I quit google searches more than 10 years ago...). > > There are many cases where the overhead introduced by https is really > not worth the extra bit of confidentiality you get. And we are talking > here of manpages (that are installed in your system anyway) and of > system sources (that are available for download at any time, even from > an HTTPS mirror)... > > Sorry for the rant, but if I type "http://bring.me.there"; I don't want > to find myself at "https://we.brought.you.somewhere.else";. I am not a > chimp. I know what I type in my URL box. I know what I expect. And I > want to be able to serve content via HTTP/1.0 if I need so. > Exactly. Folks often forget, or are blissfully unaware, that Google Search itself still does work over both HTTP (without the S) as well as over the legacy TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster advice given by the Google Chrome and Mozilla teams to suppress the minorities from being able to access the websites is hypocritical, to say the least. /Do as I say, not as I do./ The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise — many bots are still controlled by good people, used to do various useful things, so, you're still blocking actual people from a minority class from having access to your website. Not to mention the older phones and tablets with hundreds of megabytes of RAM and gigabytes of storage space that were abandoned by their creators and don't support TLSv1.2 and/or all the newest ciphers that are deemed to be the best practice today. The sad part is that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively brokering the planned obsolescence of all these devices on behalf of the respective vendors. C.
