I’m astounded to see people still arguing “my site doesn’t need HTTPS” so I’ll put it simply: either spend a few mins putting it on your site now or continually explaining to your visitors why your site is not “not secure” until you end up doing it anyway. It’s not a negotiation.
http://stripe.ian.sh ? Revocation is a problem. Browsers should probably remove CRL support so the only way to revoke is not to renew, leaving unfairly revoked sites 3 months to get a new cert provider.
-
Site looks up to me.
-
Yes because it got new certificates. Multiple times. But unwarranted revocation puts a site effectively offline until they can obtain a new cert.
-
That site was using intentionally-misleading EV certs to demonstrate that EV is stupid. Everybody who doesn't sell EV certs for a living agrees that EV is stupid. This has nothing to do with using HTTPS instead of HTTP.
-
Agreed, but it shows that there are irresponsible CAs revoking certs & that it's a real-world risk. I don't see this as an argument against https/dropping-plain-http, but it's a problem that needs to be solved.
-
Need for cert adds an additional layer (on top of domain registrar, dns, hosting) where the powerful can exercise influence to get a site taken offline.