While I'm not opposed to providing code4lib.org via HTTPS, I don't think
it's as simple as "let's just do it!". Who will be responsible for making
sure the cert is up to date? Who will pay for certs (if we don't go with
StartCom)?

Also, forcing all traffic to HTTPS unnecessarily complicates some things,
e.g. screen scrapers (and before you say, "well, screen scraping sucks,
anyway!", I think it's not a stretch to say that "microdata parser" falls
under "screen scraping". Or RDFa.). I feel a little uncomfortable with
adding the overhead HTTPS brings wholesale, when there are tools (like you
mention, HTTPS Everywhere) for those that want HTTPS. It feels a little
like the xkcd "server attention span" comic to me [0].

-Ross.

0. http://xkcd.com/869/

On Mon, Nov 4, 2013 at 1:45 PM, Ethan Gruber <[log in to unmask]> wrote:
> NSA broke it already
>
>
> On Mon, Nov 4, 2013 at 1:42 PM, William Denton <[log in to unmask]> wrote:
>
> > I think it's time we made everything on code4lib.org use HTTPS by default
> > and redirect people to HTTPS from HTTP when needed. (Right now there's an
> > outdated self-signed SSL certificate on the site, so someone took a stab at
> > this earlier, but it's time to do it right.)
> >
> > StartCom gives free SSL certs [0], and there are lots of places that sell
> > them for prices that seem to run over $100 per year (which seems ridiculous
> > to me, but maybe there's a good reason).
> >
> > I don't know which is the best way to get a cert for a site like this, but
> > if people agree this is the right thing to do, perhaps someone with some
> > expertise could work with the Oregon State hosts?
> >
> > More broadly, I think everyone should be using HTTPS everywhere (and HTTPS
> > Everywhere, the browser extension). Are any of you implementing HTTPS on
> > your institution's sites, and moving to it as default? It's one of those
> > slightly finicky things that on the surface isn't necessary (why bother
> > with a library's opening hours or address?) but deeper down is, because
> > everyone should be able to browse the web without being monitored.
> >
> > Bill
> >
> > [0] https://cert.startcom.org/
> >
> > --
> > William Denton
> > Toronto, Canada
> > http://www.miskatonic.org/
> >
>