Re: [dev] TLS / HTTPS support

From: Anthony J. Bentley <>
Date: Fri, 01 Sep 2017 02:31:39 -0600

ilf writes:
> In the current setup, users who type the domain into their
> URL get HTTP cleartext. I think these users should get HTTPS.

Just print a big ugly warning over HTTP: "HTTP is not supported. Update
your bookmarks."

It's the only step that will lead people both to change some of their
old links to HTTPS and to keep them from creating new HTTP links.

Automatic redirects are pointless because they don't lead users to
more secure behavior yet can be MITMed.

And if you're going to embrace a flawed-yet-beneficial protocol like
HTTPS, you might as well go all the way.

Anthony J. Bentley
Received on Fri Sep 01 2017 - 10:31:39 CEST
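
As an added example (not part of the original message): a Python sketch of the warning-instead-of-redirect behaviour suggested above, plus a check that a plain-HTTP response carries no automatic redirect. The host `example.org`, the 403 status, and all function names are assumptions made for illustration.

```python
import re
from html import escape

WARNING = "HTTP is not supported. Update your bookmarks."  # wording from the message
CANONICAL_HOST = "example.org"  # placeholder; never echo the client's Host header

def plain_http_response(path):
    """Build the response for any request arriving over cleartext HTTP.

    The HTTPS URL is shown as text only, so the user has to change the
    link or bookmark; nothing in the response moves the browser by itself.
    """
    https_url = "https://" + CANONICAL_HOST + path
    body = (
        "<!doctype html><title>{w}</title><h1>{w}</h1>"
        "<p>Use <code>{u}</code> instead.</p>"
    ).format(w=escape(WARNING), u=escape(https_url))
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-store",
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return 403, headers, body  # status code is an assumption of this sketch

META_REFRESH = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)

def automatic_redirects(status, headers, body):
    """List the ways a response sends the browser elsewhere without user action."""
    names = {name.lower() for name in headers}
    found = []
    if 300 <= status < 400 and "location" in names:
        found.append("3xx Location")
    if "refresh" in names:
        found.append("Refresh header")
    if META_REFRESH.search(body):
        found.append("meta refresh")
    return found

if __name__ == "__main__":
    # Constructed sample: the redirect setup the message argues against.
    redirect = (301, {"Location": "https://example.org/tools"}, "")
    print("redirect :", automatic_redirects(*redirect))
    print("warning  :", automatic_redirects(*plain_http_response("/tools")))
```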
