On Fri, Jul 29, 2011 at 4:17 PM, David Golden <xda...@gmail.com> wrote:
> On Fri, Jul 29, 2011 at 7:58 AM, sawyer x <xsawy...@gmail.com> wrote:
> > I like to work in HTTPS (and we should, really, in a secure world). Many
> > websites already moved to it by default such as github.com, all google
> > sites, workflowy.com, foursquare and more.
>
> Those are all sites for which users log-in and keep lots of personal
> information. They are not reference sites.

I think Google searches and MetaCPAN searches are equivalent in the way they both represent stuff you're looking to find. It's true that Google can contain personal stuff while MetaCPAN will likely contain professional (or rather "code-related") stuff, but they both have a case for allowing the user to browse peacefully without worrying about who's looking over your shoulders (via proxies, log files), whether it be your boss or competitor.

I also personally see a case for "security by default".

> SSL prevents (or at least makes it difficult to do) proxy caching.

Agreed. That is a setback indeed for SSL. However, this can be minimized by using sub-requests in reverse proxies, and netcaches.

I'm not trying to have a discussion on the technical merits of SSL. My point is merely that I support a "security by default" paradigm. I understand you do not, or at least in some situations. That's cool.

> That is fundamentally bad design when the use case does
> not require protection of user information.

I guess I have a much broader sense of when it is necessary to protect user information. I might just be too extreme on this.

> The only time MetaCPAN
> should be forcing https is for author log-in and logged-in sessions.

This just seems obvious to me. Who would write an application that sends your credentials online in cleartext? (yes, I know, some might consider this to be theoretically acceptable in intranet, but I don't...)

> > Most of what we do online is private. Not "I want to hide this because it's
> > illegal" private, but "this is personal, so mind your own business" private.
>
> SSL does not hide the hostname (and port) you are connecting to; it
> will only hide the actual HTTP request and response.

Oh, I know...

> I think MetaCPAN is a great project and is evolving quickly, but
> hyperbole doesn't serve any real benefit.

Debatable, but I'll shut up now. :)
(I just personally don't see it as hyperbole)

Have a great weekend!
S.