|
|
|
|
|
|
by mr_toad
2758 days ago
|
|
|
There are still valid reasons for not using ssl for everything. Internal facing sites, device admin pages, development servers etc. If I have to deal with obnoxious warning pages doing local Node.js development & testing I’m switching browsers. |
|
|
For local development localhost(and 127.0.0.1, and ::1) is explicitly in the definition of "secure" used by browsers and the html specs.
Device admin pages are about the only place you could legit claim the ssl isn't viable (because it isn't). But that's a problem that needs to be solved - if you can't make a secure connection to your device, then anyone can intercept the login creds. Those various peering steps required for a lot of new devices are explicitly there to act us a side channel to establish trust (either a shared key, or certs, or whatever) as until you have a source of trust that isn't from the network, you can't trust anything you receive from the device (and the device can't trust you).