On Tue, Aug 18, 2015 at 10:08 AM, Andrew Anderson wrote:
> That said, there is a big push recently for dropping non-SSL connections
> in general (going so far as to call the protocol relative URIs an
> anti-pattern), so is it really worth all the potential pain and suffering
> to make your links scheme-agnostic, when maybe it would be a better
> investment in time to switch them all to SSL instead? This dovetails
> nicely with some of the discussions I have had recently with electronic
> services librarians about how to protect patron privacy in an online world
> by using SSL as an arrow in that quiver.
>
Dropping non-SSL connections is almost certainly a mistake for two classes
of reasons:
(i) a number of very widely used tools and standards (OAI-PMH, web
caching, monitoring, etc.) are HTTP-only
(ii) assumptions about the proportion of our users who have access to a
certain level of tech (i.e. HTTP vs HTTPS) systematically disadvantage
already disadvantaged groups of users, perpetuating the kind of social ills
that libraries are traditionally held to be the cure for.
cheers
stuart