Great! Now both irc and site force it. NSA won't be able to read our chats about taking over the government and creating a new one based around the #mopar channel.

i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.

yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security

Quote from: Davidi2 on October 23, 2015, 07:52:42 PM

Quote from: t4 on October 23, 2015, 07:38:53 PM

i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.

yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security

So you're suggesting that it should be up to the user to enable secure transmissions?

Yes, that is exactly what I'm saying. Or rather, users should be able to disable it if they wish. If the option is there, im pretty sure any modern browser will default to https.

Awesome

You guys who want it to be optional need to appreciate the benefits of HTTPS-everywhere internet. Namely the gross amount of noise created to assist in obscuring the transmissions of people living under less fortunate regimes.

Soon Moparscape will be illegal under the current Cameron regime.

No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??

Maybe it's Maybelline.

For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.

Ok, you can ask "Why?", but the exact same can be asked about not supporting HTTP as a fallback. Why? Nobody is denying the upsides of HTTPS here. You can keep it enabled and it'll stay default. But still, I see absolutely no reason for this website (and I do use 'this' on purpose, because some websites should force https) to not offer http as an option if https is already enabled and default. As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone wont be able to view the site because "THIS CONNECTION IS UNTRUSTED"

Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security.

Really? I personally believe you need to factor in everything when you weigh the pros/cons of implementing any type of security. Not every worksite needs ID badges and fingerprint scanners if the benefit doesn't outweigh the hassle. Obviously when you deal with more sensitive information, you implement more security, no? We'll just assume you were speaking strictly about TLS though, because like it's been said the hassle is pretty low and probably wont be noticeable if everything goes as it should. So yes, I think it's fair to say there is no reason to not implement SSL.

When you go from 'implement' to 'require' though, you have to reevaluate everything. You say "no negatives", but you listed one right there? If a cert expires, I don't really care whose problem it is, do I? Now it's my problem, because I can't access the website. Sure, it's not "directly" a negative of SSL, it's a negative of inattentiveness. Whatever. If only I had a HTTP version of the site to access in the meantime. So now we have one negative. We wont talk about any others because personally I don't know if the caching or ad-related mixed mode issues are still there. So now we weigh the benefits of enforcing TLS over allowing TLS, taking into account that it is used by default if available. What are those benefits? That's what I haven't heard yet, which why I am not yet convinced that the benefits of enforcing it outweigh even the slightest chance of something like an expired cert.


As a side note, I was getting NGINX errors when trying to access the site early today. What was that?

Hey, I said it was a slight chance. But even 0.00001 is greater than 0 if there's no benefit to enforcing over implementing it as a default. Which is what I'm asking about

the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015.

I guess I just disagree then. I see nothing wrong with supporting unencrypted comms in -insert year-, if that's what the client has explicitly requested. Whatever, it's done. I'm sure it wont actually cause problems, it's just a principle thing that I disagree with I guess.