Print

Print


I guess I just don't see why http and https can't coexist.

-Ross.
On Nov 6, 2013 9:39 PM, "Cary Gordon" <[log in to unmask]> wrote:

> This conversation is heading into the "draining the swamp" category.
>
> Bill Denton started this thread with the suggestion that we use HTTPS
> everywhere. He did not make a specific case for it. I am just guessing that
> an argument for going that route would include security.
>
> Regardless of whether this is a good idea, or whether there is a
> compelling reason for doing it, it seems to me that the possibility of its
> making it difficult for older scraping tools to scrape the site does not
> seem like a compelling reason not to do it.
>
> The cost issue, on the other hand, would be a more compelling
> consideration.
>
> Thanks,
>
> Cary
>
> On Nov 6, 2013, at 6:17 PM, Ross Singer <[log in to unmask]> wrote:
>
> > How is security getting thrown under the bus?
> >
> > -Ross.
> >
> > On Wednesday, November 6, 2013, Cary Gordon wrote:
> >
> >> It sounds like we are willing to throw security under the bus for an
> edge
> >> case, although I am sure that I am missing some subtlety
> >>
> >> Cary
> >>
> >> On Nov 5, 2013, at 10:27 AM, Ross Singer <[log in to unmask]
> <javascript:;>>
> >> wrote:
> >>
> >>> On Tue, Nov 5, 2013 at 12:07 PM, William Denton <[log in to unmask]
> <javascript:;>>
> >> wrote:
> >>>
> >>>>
> >>>> (Question:  Why does HTTPS complicate screen-scraping?  Every decent
> >> tool
> >>>> and library supports HTTPS, doesn't it?)
> >>>>
> >>>
> >>> Birkin asked me this same question, and I realized I should clarify
> what
> >> I
> >>> meant.  I was mostly referring to existing screen scrapers/existing web
> >>> sites.  If you redirect every request from http to https, this will
> >>> probably break things.  I think the Open Library example that Karen
> >>> mentioned is a good case study.
> >>>
> >>> And it's pretty different for a library or tool to support HTTPS and a
> >>> specific app to be expecting it.  If you follow the thread around that
> OL
> >>> change, it appears there are issues with Java (as one example)
> >> arbitrarily
> >>> consuming HTTPS (from what I understand, you need to have the cert
> >>> locally?), but I don't know enough about it to say for certain.  I
> think
> >>> there would also probably be potential issues around mashups (AJAX, for
> >>> example), but seeing as code4lib.org doesn't support CORS, not really
> a
> >>> current issue.  Does apply more generally to your question about
> library
> >>> websites at large, though.
> >>>
> >>> Anyway, I agree with you that the option for both should be there.  I'm
> >> not
> >>> just not convinced that HTTPS-all-the-time is necessary for all web use
> >>> cases.
> >>>
> >>> -Ross.
> >>
>