* Arthur Corliss <corl...@digitalmages.com> [2011-08-28 21:40]: > My humor was perhaps too subtle, since you didn't get the > relevance of my reply. Google switching to SSL by default is as > pointless as metacpan. In the former case it's the "protection" > of delivery to/from an entity that not only doesn't have your > best interest at heart, but has a business built on exploiting > *your* information for *its* benefit. Utterly pointless.
Protecting your communication with another party from third parties needs no justification whatever. It should be the assumed default that exceptions are made from, not the exception from the rule requiring proof. If I’m having a massive argument with my personal foe #1, the fact that I distrust this person on all conceivable levels does not make you welcome to eavesdrop on the conversation. It does not matter the very least bit how trustworthy the other party is: uninvited third parties have no business knowing what you do or do not say to the other party. > In the latter case you have a search engine whose use is > basically the retrieval of information based on *published* > open source software, and highly published at that, given the > world-wide replication of CPAN itself. What exactly is metacpan > protecting? Is it that embarrasing that programmer Joe can't > remember what module function foo was defined in? Can someone > really derive significant benefit from witnessing Harry browse > the API for WWW:Retrieval::LOLCats or what have you? That’s the “I have nothing to hide” argument. It does not matter how embarrassing it is or isn’t. Irrelevant. It’s much simpler: unless they want you to know (or it affects you directly in some undue manner etc. – insert reasonable qualifiers here), you have no business knowing. How yawn-worthy that information is makes no criterion. The one criterion that does apply is whether making the channel secure against you trying to find out is too expensive relative to its sensitivity. So far, MetaCPAN seems to be less than straining under the load, so I don’t see a justification to reconsider. We used to avoid SSL unless necessary because it was expensive. I agree with the engineers who are saying that it’s time to re-examine that as a default assumption – whether they are employed by Google or not makes no difference to me as far as that statement is concerned. > So, regardless of the incremental costs of implementing SSL, > *why* is the mandatory use of SSL even considered intelligent, > rational, or any other way beneficial? I wasn't going to get > involved in this thread, but the Google bait was too spot on to > ignore. You won’t see me disagreeing that the concentration of power in Google’s hands is dangerous. But that’s a different matter, even though very important in its own right. Abolishing Google would not reduce the justification to secure communications. The two issues are independent – so the question you pose is entirely beside the point to the matter at hand. Regards, -- Aristotle Pagaltzis // <http://plasmasturm.org/>
