On Tue, Aug 18, 2015 at 8:13 PM, Christian Pietsch wrote:
> Thank you, Andrew, for answering the question. What Stuart wrote,
> however, is misleading:
>
> On Tue, Aug 18, 2015 at 02:59:37PM +1200, Stuart A. Yeates wrote:
> > On Tue, Aug 18, 2015 at 10:08 AM, Andrew Anderson wrote:
> >
> > > That said, there is a big push recently for dropping non-SSL
> > > connections in general (going so far as to call the protocol relative
> > > URIs an anti-pattern), so is it really worth all the potential pain
> > > and suffering to make your links scheme-agnostic, when maybe it would
> > > be a better investment in time to switch them all to SSL instead? This
> > > dovetails nicely with some of the discussions I have had recently with
> > > electronic services librarians about how to protect patron privacy in
> > > an online world by using SSL as an arrow in that quiver.
> > >
> >
> > Dropping non-SSL connections is almost certainly a mistake for two
> > classes of reasons:
> > (i) a number of very widely used tools and standards (OAI-PMH, web
> > caching, monitoring, etc.) are HTTP-only
>
> Let me give you a counter example: Of 4810 OAI-PMH providers currently
> known to BASE <https://base-search.net>, 147 use a HTTPS base URL. Of
> the 3632 OAI-PMH sources BASE actively harvests at this time, 107 use
> HTTPS.

While these may appear to be OAI-PMH providers, they're non-conformant:
http://www.openarchives.org/OAI/openarchivesprotocol.html#ProtocolFeatures
OAI-PMH requests *must* be submitted using either the HTTP GET or POST
methods.

> > (ii) assumptions about the proportion of our users who have access
> > to a certain level of tech (i.e. HTTP vs HTTPS) systematically disadvantages
> > already disadvantaged groups of users, perpetuating the kind of
> > social ills that libraries are traditionally held to be the cure of.
>
> I fail to see how continuing to use insecure, obsolete software is
> serving social justice. Excellent cryptographic software is available
> freely and openly.

Maybe because forcing people to upgrade their tech leaves behind those with
the least resources. Maybe because switching to a protocol whose minimum
message cost (in CPU cycles) is many thousands of times higher is a dubious
cost/benefit trade-off in some situations.

cheers
stuart