11-07-2020, 11:02 PM
(This post was last modified: 11-08-2020, 11:25 AM by BronzeBeard.)
My two cents, the "Let's encrypt everything, no exceptions" movement is overkill and annoying as hell.
1) If you try to use the web without an HTTPS-compliant browser, you're screwed. There is no such thing, you might profess. BS. Just an example, Dillo on Mageia is not compiled with SSL support. I ran into this issue just a couple of weeks ago when I had to peg my workstation at 100% CPU and RAM for a couple of hours for work. I resorted to browsing gopher while I waited.
2) If my browser doesn't support the encryption protocol you're using, I can't use your site. This is an issue I have with my BlackBerry Passport, older Android devices, and many other EOL OSes and devices. Pretty much cutting them off from the web.
3) If you're ever in remote places of the world, with spotty hardware and spottier connections, https connections are slower.
4) There are cache issues on some browsers/implementations. See #3 as to why this is a problem.
5) General consumers think that because a website is encrypted, it's safe. Even worse, because CAs are free now, they can become a vector for phishing. 99.5% of users have no idea that the "lock" in their address bar just means that the connection is encrypted or even what that means. False security is bad security.
This might sound like I'm saying not to use SSL. That is completely wrong. My argument is against unneeded redirects. Websites should be accessible to EVERYONE. Websites should offer their content in HTTP and HTTPS. Your browser should be responsible for redirecting you to the HTTPS page. It's not the website's responsibility. Personally, I believe redirects should be built-in browser functionality, but seeing the browsers people use these days, good luck with that ever happening.
The only pages that should force redirection are anything to do with money and logins. That's it.
The rest of these pages, this forum, etc. are public information. There is no need to force everyone to be behind encryption because YOU think it's a better idea.
Finally, the argument is always injections and man-in-the-middle attacks. My response to this is always, if you have this problem with your ISP, then your problem is your ISP, not the website. I would be more worried about the other crap they're doing besides injecting ads into your connection. Change ISPs, sue them, contact your politician, contact your public works commissioner, or just tell your browser to always use HTTPS...