Thank you, Andrew, for answering the question. What Stuart wrote,
however, is misleading:
On Tue, Aug 18, 2015 at 02:59:37PM +1200, Stuart A. Yeates wrote:
> On Tue, Aug 18, 2015 at 10:08 AM, Andrew Anderson <[log in to unmask]> wrote:
>
> > That said, there is a big push recently for dropping non-SSL connections
> > in general (going so far as to call the protocol relative URIs an
> > anti-pattern), so is it really worth all the potential pain and suffering
> > to make your links scheme-agnostic, when maybe it would be a better
> > investment in time to switch them all to SSL instead? This dovetails
> > nicely with some of the discussions I have had recently with electronic
> > services librarians about how to protect patron privacy in an online world
> > by using SSL as an arrow in that quiver.
> >
>
> Dropping non-SSL connections is almost certainly a mistake for two classes
> reasons:
> (i) a number of very widely used tools and standards (OAI-PMH, web
> cacheing, monitoring, etc.) are HTTP-only
Let me give you a counter example: Of 4810 OAI-PMH providers currently
known to BASE <https://base-search.net>, 147 use a HTTPS base URL. Of
the 3632 OAI-PMH sources BASE actively harvests at this time, 107 use
HTTPS.
> (ii) assumptions about the proportion of our users who have access
> to a certain level tech (i.e. HTTP vs HTTPS) systematically disadvantages
> already disadvantaged groups of users, perpetuating the kind of
> social ills that libraries are traditional held to be the cure of.
I fail to see how continuing to use insecure, obsolete software is
serving social justice. Excellent cryptographic software is available
freely and openly.
Cheers,
Chris
--
Christian Pietsch · http://purl.org/net/pietsch
LibTec (Library Technology and Knowledge Management) department
of Bielefeld University Library, Bielefeld, Germany
|