Let me second Ross's cautions here. The Internet Archive made the leap
to https about 10 days ago and there are still services that are broken
because of it. c4l should be simpler because there aren't services like
sending files to Kindle or complex APIs (at least, I don't think so),
but it's still worth looking at what glitches https might introduce
before leaping off that cliff.
In principle, however, I think that a general move to https is not only
a Good Thing, it is the Right Message. Now, could we please get simple
e-mail encryption? PGP [1] was developed in 1991, and it still can't be
used by anyone who doesn't think like a paranoid engineer. Really, it's
long overdue.
kc
[1] http://en.wikipedia.org/wiki/Pretty_good_privacy
On 11/4/13 11:33 AM, Ross Singer wrote:
> While I'm not opposed to providing code4lib.org via HTTPS, I don't think
> it's as simple as "let's just do it!". Who will be responsible for making
> sure the cert is up to date? Who will pay for certs (if we don't go with
> startcom)?
>
> Also, forcing all traffic to HTTPS unnecessarily complicates some things,
> e.g. screen scrapers (and before you say, "well, screen scraping sucks,
> anyway!", I think it's not a stretch to say that "microdata parser" falls
> under "screen scraping". Or RDFa.). I feel a little uncomfortable with
> adding the overhead HTTPS brings wholesale, when there are tools (like you
> mention, HTTPS Everywhere) for those that want HTTPS. It feels a little
> like the xkcd "server attention span" comic to me [0].
>
> -Ross.
>
> 0. http://xkcd.com/869/
>
>
> On Mon, Nov 4, 2013 at 1:45 PM, Ethan Gruber <[log in to unmask]> wrote:
>
>> NSA broke it already
>>
>>
>> On Mon, Nov 4, 2013 at 1:42 PM, William Denton <[log in to unmask]> wrote:
>>
>>> I think it's time we made everything on code4lib.org use HTTPS by
>> default
>>> and redirect people to HTTPS from HTTP when needed. (Right now there's
>> an
>>> outdated self-signed SSL certificate on the site, so someone took a stab
>> at
>>> this earlier, but it's time to do it right.)
>>>
>>> StartCom gives free SSL certs [0], and there are lots of places that sell
>>> them for prices that seem to run over $100 per year (which seems
>> ridiculous
>>> to me, but maybe there's a good reason).
>>>
>>> I don't know which is the best way to get a cert for a site like this,
>> but
>>> if people agree this is the right thing to do, perhaps someone with some
>>> expertise could work with the Oregon State hosts?
>>>
>>> More broadly, I think everyone should be using HTTPS everywhere (and
>> HTTPS
>>> Everywhere, the browser extension). Are any of you implementing HTTPS on
>>> your institution's sites, and moving to it as default? It's one of those
>>> slightly finicky things that on the surface isn't necessary (why bother
>>> with a library's opening hours or address?) but deeper down is, because
>>> everyone should be able to browse the web without being monitored.
>>>
>>> Bill
>>>
>>> [0] https://cert.startcom.org/
>>>
>>> --
>>> William Denton
>>> Toronto, Canada
>>> http://www.miskatonic.org/
>>>
--
Karen Coyle
[log in to unmask] http://kcoyle.net
m: 1-510-435-8234
skype: kcoylenet
|