Re: [dev] TLS / HTTPS support

From: hiro <>
Date: Thu, 31 Aug 2017 18:59:11 +0200

> Clients who do not wish to connect via HTTPS but HTTP can just ignore
> the STS-header, but browsers who can could expose a configuration
> setting for the user to determine how to behave when being confronted
> with a HSTS-header in an HTTP-context.
> This would completely rid us from the need for extensions like "HTTPS
> Everywhere" and we would still keep HTTPS optional.

With HTTPS Everywhere *the user* gets to decide when to use https.
With all http based solutions anybody between you and the legit server
will decide whether you get to use https or not.
Received on Thu Aug 31 2017 - 18:59:11 CEST

This archive was generated by hypermail 2.3.0 : Thu Aug 31 2017 - 19:00:59 CEST