I guess I just don't see why http and https can't coexist. -Ross. On Nov 6, 2013 9:39 PM, "Cary Gordon" <[log in to unmask]> wrote: > This conversation is heading into the "draining the swamp" category. > > Bill Denton started this thread with the suggestion that we use HTTPS > everywhere. He did not make a specific case for it. I am just guessing that > an argument for going that route would include security. > > Regardless of whether this is a good idea, or whether there is a > compelling reason for doing it, it seems to me that the possibility of its > making it difficult for older scraping tools to scrape the site does not > seem like a compelling reason not to do it. > > The cost issue, on the other hand, would be a more compelling > consideration. > > Thanks, > > Cary > > On Nov 6, 2013, at 6:17 PM, Ross Singer <[log in to unmask]> wrote: > > > How is security getting thrown under the bus? > > > > -Ross. > > > > On Wednesday, November 6, 2013, Cary Gordon wrote: > > > >> It sounds like we are willing to throw security under the bus for an > edge > >> case, although I am sure that I am missing some subtlety > >> > >> Cary > >> > >> On Nov 5, 2013, at 10:27 AM, Ross Singer <[log in to unmask] > <javascript:;>> > >> wrote: > >> > >>> On Tue, Nov 5, 2013 at 12:07 PM, William Denton <[log in to unmask] > <javascript:;>> > >> wrote: > >>> > >>>> > >>>> (Question: Why does HTTPS complicate screen-scraping? Every decent > >> tool > >>>> and library supports HTTPS, doesn't it?) > >>>> > >>> > >>> Birkin asked me this same question, and I realized I should clarify > what > >> I > >>> meant. I was mostly referring to existing screen scrapers/existing web > >>> sites. If you redirect every request from http to https, this will > >>> probably break things. I think the Open Library example that Karen > >>> mentioned is a good case study. > >>> > >>> And it's pretty different for a library or tool to support HTTPS and a > >>> specific app to be expecting it. If you follow the thread around that > OL > >>> change, it appears there are issues with Java (as one example) > >> arbitrarily > >>> consuming HTTPS (from what I understand, you need to have the cert > >>> locally?), but I don't know enough about it to say for certain. I > think > >>> there would also probably be potential issues around mashups (AJAX, for > >>> example), but seeing as code4lib.org doesn't support CORS, not really > a > >>> current issue. Does apply more generally to your question about > library > >>> websites at large, though. > >>> > >>> Anyway, I agree with you that the option for both should be there. I'm > >> not > >>> just not convinced that HTTPS-all-the-time is necessary for all web use > >>> cases. > >>> > >>> -Ross. > >> >