> Until there's a free, easy, maintainable, and actually existent solution to SSL certs, enforcing HTTPS-only is just downright extortion.
> Referring to solutions that are under construction doesn't cut it. If you're that passionate about it, contribute to the SSL cert solution yourself instead of to the endless calls for HTTPS-only.
So you want a free, easy, and maintainable solution, but you don't want to talk about solutions that are currently under development? What kind of argument is that? It's as if you specifically added that condition to preempt any discussion about Let's Encrypt. Guess what, a lot of us actually are passionate about this solution, so we're actually contributing to that project by supporting EFF and Mozilla.
The call for HTTPS-only does not ring in a vacuum. Context and timing are critical for any plan that might involve a chicken-and-egg problem. But that's not an insurmountable problem. The proposed enforcement will come into effect some time in the future (if ever). So we still have a few months, maybe a couple of years to prepare for it. That's enough time to build a free CA that can disrupt the shit out of the extortionist market.
Opposing a plan for the future just because a prerequisite does not exist right now is gratuitous negativity, especially if you're deliberately ignoring "actually existent" efforts to build that prerequisite.
Yes, I intentionally wrote that to preempt discussion of Let's Encrypt because Let's Encrypt isn't a working solution yet. If/when Let's Encrypt is a working solution then let's continue the discussion / send "the boys" to break kneecaps wherever someone's using HTTP / etc.
If Let's Encrypt is as close to completion as HTTPS-only advocates claim, then you have very little to lose by simply waiting until it's finished, and then start the evangelism. It isn't like we're standing at a cusp and tomorrow some committee's going to vote whether to permanently ban HTTP or permanently keep it. Right now it's like you're a doctor yanking a patient's access to an important medicine because "there's a better medicine coming along, it's in the last stages of clinical trials, it should be ready any month now".
No, we're like a doctor who is threatening to yank it, with the explicit goal of pressuring others to bring forth a better medicine sooner. Nobody's actually yanking anything yet, and since this is the federal government (of healthcare.gov fame), I don't expect them to yank anything effectively anytime soon.
A doctor using prescriptions to pressure clinical trials into going the way she wants them to. What could possibly, possibly go wrong. (What does that even mean, nobody's actually yanking anything, they're just threatening to do so to coerce people? It sounds creepy and manipulative.)
The analogy breaks if you take it too far. This is politics, not medical science. Good clinical trials will discover facts about the world. Good politics will change the world, making previously discovered facts irrelevant.
Threatening one another into taking action is exactly how progress happens in a market economy. Somebody is always threatening to drive somebody else out of business. Either you disrupt or you are disrupted. And since we probably won't be getting rid of this ruthless system anytime soon, I'd rather see the good guys drive the bad extortionists out of business than the other way around.