Thank you, Andrew, for answering the question. What Stuart wrote, however,
is misleading:

On Tue, Aug 18, 2015 at 02:59:37PM +1200, Stuart A. Yeates wrote:
> On Tue, Aug 18, 2015 at 10:08 AM, Andrew Anderson wrote:
>
> > That said, there is a big push recently for dropping non-SSL connections
> > in general (going so far as to call the protocol relative URIs an
> > anti-pattern), so is it really worth all the potential pain and suffering
> > to make your links scheme-agnostic, when maybe it would be a better
> > investment in time to switch them all to SSL instead? This dovetails
> > nicely with some of the discussions I have had recently with electronic
> > services librarians about how to protect patron privacy in an online world
> > by using SSL as an arrow in that quiver.
>
> Dropping non-SSL connections is almost certainly a mistake for two classes
> of reasons:
> (i) a number of very widely used tools and standards (OAI-PMH, web
> caching, monitoring, etc.) are HTTP-only

Let me give you a counterexample: Of 4810 OAI-PMH providers currently
known to BASE <https://base-search.net>, 147 use an HTTPS base URL.
Of the 3632 OAI-PMH sources BASE actively harvests at this time,
107 use HTTPS.

> (ii) assumptions about the proportion of our users who have access
> to a certain level of tech (i.e. HTTP vs HTTPS) systematically disadvantages
> already disadvantaged groups of users, perpetuating the kind of
> social ills that libraries are traditionally held to be the cure of.

I fail to see how continuing to use insecure, obsolete software is
serving social justice. Excellent cryptographic software is available
freely and openly.

Cheers,
Chris

-- 
Christian Pietsch · http://purl.org/net/pietsch
LibTec (Library Technology and Knowledge Management) department of
Bielefeld University Library, Bielefeld, Germany