ilf writes:
> In the current setup, users who type the domain suckless.org into their
> URL get HTTP cleartext. I think these users should get HTTPS.
Just print a big ugly warning over HTTP: "HTTP is not supported. Update
your bookmarks."
It's the only step that will lead people both to change some of their
old links to HTTPS and to keep them from creating new HTTP links.
Automatic redirects are pointless because they don't lead users to
more secure behavior yet can be MITMed.
And if you're going to embrace a flawed-yet-beneficial protocol like
HTTPS, you might as well go all the way.
--
Anthony J. Bentley
Received on Fri Sep 01 2017 - 10:31:39 CEST