From mboxrd@z Thu Jan 1 00:00:00 1970
From: gtaylor@tnetconsulting.net (Grant Taylor)
Date: Tue, 8 May 2018 13:54:26 -0600
Subject: [TUHS] unix "awesome list"
In-Reply-To:
References: <20180508151722.49CFC18C079@mercury.lcs.mit.edu> <92064c68-1ab9-085f-3259-10efdf94da11@kilonet.net>
Message-ID:

On 05/08/2018 01:37 PM, Dave Horsfall wrote:
> I'll bet my website (about a few feet away from me) is smaller still :-)

Props for hosting your own site.

> But yeah. I've been told that I *need* HTTPS, even though the damned
> site is purely passive...

I think /need/ may be a strong word.

I *strongly* believe in the various cache ability aspects of unencrypted HTTP.

That being said, I understand and believe in the two following reasons for supporting encrypted HTTPS:

1) Encryption (from a verifiable source) makes it next to impossible for malicious actors to inject things into your site's traffic. (Think about the various JavaScript injection techniques used for ads / tracking / malware / crypto mining / etc.)

2) Creating more noise for someone with higher value signal to hide in when they really need to.

Finally, things like Let's Encrypt and other free cert providers make it much less expensive to use encrypted HTTPS.

I'm perfectly fine with people running unencrypted HTTP and encrypted HTTPS side by side. Even if you don't do a redirect from unencrypted HTTP to encrypted HTTPS. It's really up to each site administrator.

I'm 60% for and 40% against encrypted HTTPS everywhere.

--
Grant. . . .
unix || die