On Tue, Aug 18, 2015 at 10:08 AM, Andrew Anderson <[log in to unmask]> wrote:
> That said, there is a big push recently for dropping non-SSL connections
> in general (going so far as to call the protocol relative URIs an
> anti-pattern), so is it really worth all the potential pain and suffering
> to make your links scheme-agnostic, when maybe it would be a better
> investment in time to switch them all to SSL instead? This dovetails
> nicely with some of the discussions I have had recently with electronic
> services librarians about how to protect patron privacy in an online world
> by using SSL as an arrow in that quiver.
Dropping non-SSL connections is almost certainly a mistake for two classes
(i) a number of very widely used tools and standards (OAI-PMH, web
caching, monitoring, etc.) are HTTP-only
(ii) assumptions about the proportion of our users who have access to a
certain level of tech (i.e. HTTP vs HTTPS) systematically disadvantage
already disadvantaged groups of users, perpetuating the kind of social ills
that libraries are traditionally held to be the cure of.