On Tue, Aug 18, 2015 at 8:13 PM, Christian Pietsch <[log in to unmask]> wrote:
> Thank you, Andrew, for answering the question. What Stuart wrote,
> however, is misleading:
>
> On Tue, Aug 18, 2015 at 02:59:37PM +1200, Stuart A. Yeates wrote:
> > On Tue, Aug 18, 2015 at 10:08 AM, Andrew Anderson <[log in to unmask]> wrote:
> > >
> > > That said, there is a big push recently for dropping non-SSL connections
> > > in general (going so far as to call the protocol relative URIs an
> > > anti-pattern), so is it really worth all the potential pain and suffering
> > > to make your links scheme-agnostic, when maybe it would be a better
> > > investment in time to switch them all to SSL instead? This dovetails
> > > nicely with some of the discussions I have had recently with electronic
> > > services librarians about how to protect patron privacy in an online world
> > > by using SSL as an arrow in that quiver.
> > >
> >
> > Dropping non-SSL connections is almost certainly a mistake for two classes
> > of reasons:
> > (i) a number of very widely used tools and standards (OAI-PMH, web
> > caching, monitoring, etc.) are HTTP-only
>
> Let me give you a counter example: Of 4810 OAI-PMH providers currently
> known to BASE <https://base-search.net>, 147 use an HTTPS base URL. Of
> the 3632 OAI-PMH sources BASE actively harvests at this time, 107 use
> HTTPS.

While these may appear to be OAI-PMH providers, they're non-conformant:

http://www.openarchives.org/OAI/openarchivesprotocol.html#ProtocolFeatures

OAI-PMH requests *must* be submitted using either the HTTP GET or POST methods.

> > (ii) assumptions about the proportion of our users who have access
> > to a certain level of tech (i.e. HTTP vs HTTPS) systematically disadvantage
> > already disadvantaged groups of users, perpetuating the kind of
> > social ills that libraries are traditionally held to be the cure of.
>
> I fail to see how continuing to use insecure, obsolete software is
> serving social justice. Excellent cryptographic software is available
> freely and openly.

Maybe because forcing people to upgrade their tech leaves behind those with the least resources.

Maybe because switching to a protocol whose minimum message cost (in CPU cycles) is many thousands of times higher is a dubious cost/benefit trade-off in some situations.

cheers
stuart