
> It's so much easier to just say "HTTPS everywhere" than to examine the tradeoffs.

This touches on the real point of all this, which doesn't seem to have been contained in any replies to you.

There's no real choice in the matter: HTTPS is a requirement if, and that's the very big if right there, we truly acknowledge that the network is hostile. With a hostile network the only option is to distrust all non-secure communication.

HTTPS isn't about securing the site, as you know; it's about securing the transmission of data over the transport layer, and it's needed because the network is hostile.

It doesn't matter one little iota what the data is that's traversing it, as there's no way to determine its importance ahead of time. A resume site might not be of much worth to the creator, but the ecosystem as a whole ends up having to distrust it without a secure transport layer because the hostile network could have altered it.

It doesn't matter that the effect of that alteration might be inconsequential, as there's also no way to determine that effect ahead of time. The ecosystem's 'defense' is to distrust it entirely.

And that's the situation the browsers/users/all of us are left with. There is no option but to distrust non-secured communication if the network is hostile.



