Re: Making TLS/SSL optional
Lassi Kortela 23 Aug 2022 17:37 UTC
> Defense in depth is still a good idea, especially when the cost for
> this particular form of protection has been driven close to zero.
>
> Leaving anything on the internet completely unprotected is just asking
> for trouble.
"Defense in depth" sounds like one of the buzzwords that discourage
people from developing a realistic threat model.

Recall how RMS said that people are not supposed to notice the most
prominent security threat is from the vendors themselves.

I'm not arguing we turn off TLS (after all it's a standard), just stop
the forced redirects from HTTP to HTTPS. The point of the extended
discussion in this thread is not to do something for scheme.org but to
develop one's thought process - it's good not to take industry gospel at
face value.