User:Eighty5cacao/misc/Common objections to HTTPS support

From Pin Eight
Jump to: navigation, search
This is a very rough outline.

(...the bad practice is not designing and budgeting for full HTTPS support in the first place. Make an analogy to physical security, similar to this one by EFF)

My website doesn't have any sensitive information

My website doesn't use cookies and/or logins

(Contra: All information is potentially sensitive (i.e., deanonymizing), therefore everyone has something to hide: that is, HTTPS is valuable even without user accounts or PII ... explain how/why)

Cost

Price of hosting

(something about IE/XP no longer officially being a problem since April 2014, but Android 2.x devices are still in use)

Server load

(some people may worry about the energy efficiency of computation)

WIP wording: If "not supporting HTTPS" is the main point of your energy-saving strategy, you very likely have bigger problems.

Certificate rotation

(manual labor involved every year to renew and install certificates)

CDNs and other proxies

To ease some of the server load, a server operator can put it behind a caching proxy CDN such as CloudFlare or Amazon CloudFront. Such a CDN makes a single HTTPS request to the origin server and then reuses the data to handle incoming requests from clients.

(but what about caching proxies near the client?)

Not perfectly secure

("Who needs a heart when a heart can be broken" ...so why is it worthwhile? mention appropriate points from sections above)

Mixed-content blocking

New vs. existing websites

Q: "All this advice seems fine for new websites. However, a lot of owners of existing websites wouldn't be happy..."

A: ... (TODO: mention appropriate items from above)