
HTTPSNow - mikecarlton
https://www.httpsnow.org/
======
benatkin
I hadn't heard of this. I started a similar effort a couple of days ago.

<https://github.com/benatkin/pure-ssl>

One thing I'm impressed with is sites that allow people to embed images from
anywhere but still don't have mixed content. The way GitHub and Convore do
this is by making images from an http-only domain available on an https
domain. If you try pasting an image from GitHub pages (GitHub pages is HTTP
only) and you inspect an image on Convore I think it will point to an https
address on Rackspace Cloud Files.

------
Joakal
Ycombinator:
[https://www.httpsnow.org/domains?utf8=%E2%9C%93&search[n...](https://www.httpsnow.org/domains?utf8=%E2%9C%93&search\[name_contains\]=ycombinator.com&commit=Search)

Then there's this comment: 'pg doesn't care about security.'

~~~
pg
Actually we've been talking about switching to https.

~~~
eddie_the_head
Are you also going to make a m.ycombinator.com ever?

~~~
TheAmazingIdiot
Why bother?

I'm using one of THE worst browsers out, called the Blackberry Browser. Yet HN
is one of the few websites that renders just as well as my updated ubuntu
machine running newest firefox.

~~~
pshapiro
Probably because he's not a Blackberry user... :)

~~~
TheAmazingIdiot
Oh very true :)

I tried to help back when DDG started out here. DDG was doing 'funky business'
on my BB curve 8530, which made it unusable. I offered assistance with making
it BB friendly. He asked for screenshots.....(drumroll)

Do you know how hard it is to make screenshots of a BB device? GAH. You need
it plugged in a Windows computer (sorry, no Mac or Linux) and have a package
on your BB, and run a program with the usb cable connected, and the screenshot
goes to the computer. WTF?

On a I(Phone|Pod Touch), I press the sleep button and then tap the home
button. _CHING_

"Completely aside"... Im ditching my BB when my contract ends :)

------
mtodd
Where the hell is the legend?

~~~
Joakal
Click on down arrow on right and click show link. It appears the minus circle
means 'Not Applicable'. X square = No, tick square = Yes.

It's a pretty clunky interface.

------
ambiguity
They should redesign the header so that the site title looks like an actual
header instead of a large text box. I spent a while trying to click on it to
enter in my own site to check.

~~~
aaronblohowiak
.. or better yet, make it work!

------
api
The barrier to ubiquitous encryption on the web is the requirement that
everyone purchase an overprice certificate.

What we need is HTTPC, which would be SSL without verification. It would not
show up as verified like HTTPS-- no green bar, etc. It would look just like
HTTP, except with encryption.

~~~
RyanGWU82
You can get free standard SSL certificates from StartSSL -
<https://www.startssl.com>

They also offer extended validation and other paid options. I use them for
wildcard certificates, which are normally at least $200 each. I've created
nine wildcard certs since January 1, for a total cost of $50.

~~~
premchai21
An interesting aspect of StartSSL is that they require physical residence
addresses for natural persons even for their low-verification certificates.
This seems a bit strong for “validate that the site that I'm talking to is
‘legitimately’ bound to name X”; this is the reason I've been on the fence
about going that route.

------
cookiecaper
I don't know that it's really ideal to try to force all normal browsing
activity to HTTPS. If a person is concerned about pedestrian, non-identifying
data, like reading HN, then he should take it upon himself to set up a VPN or
some other mechanism to encrypt his data. Why do we want to establish a
standard of default HTTPS?

~~~
Joakal
For the same reason users want privacy when looking up embarrassing
information even when not registered:
[https://secure.wikimedia.org/wikipedia/en/wiki/AOL_search_da...](https://secure.wikimedia.org/wikipedia/en/wiki/AOL_search_data_scandal)

~~~
TomOfTTB
Well HTTPS wouldn't have prevented that. In the AOL case the company at the
other end of the connection released the information.

I guess someone in a sensitive position (e.g. someone with access to the
routers at a major ISP) could intercept a every bit of traffic and produce a
similar result but it doesn't seem likely and there's a flip side to this
argument which is it puts a financial strain on the companies themselves.

Wikipedia, for instance, surely wouldn't have the processing power to switch
all its connections to https. So they'd have to significantly upgrade their
infrastructure at an equally significant cost.

~~~
Joakal
HTTPS may not be able to prevent companies releasing information, but the
article shows the similar kind of information that eavesdropping could yield.
You say Wikipedia wouldn't have the processing power to switch all connections
to https, but I see that eavesdroppers wouldn't have the processing power to
decrypt all connections to https.

I would point to Iran and similar countries happy that users don't use
encrypted connections but I found too many replies of "It won't happen to us
[in this peaceful country]."

~~~
cookiecaper
Again, HTTPS isn't the only mechanism by which one can encrypt his/her
communications. Persons in Iran should use a VPN or something like Tor or I2P.
I don't think there's a reason to force Wikipedia to use HTTPS by default.

------
twomuchpizza
I might argue that Google does not encrypt all identifying data

~~~
twomuchpizza
Oh boo hoo, I insulted everyone's favorite monopoly

