Hacker News
by Dylan16807 1995 days ago
According to capitalism it's okay for banks to lose your money and it's your problem for having your identity stolen, go spend a dozen hours to get things fixed. And they won't use secure passwords on their site, and they'll use fake 2-factor, because those incidents don't bother them enough to want to prevent.

So when capitalism says a type of security isn't necessary, well, other than a nihilist "nothing is necessary" attitude, I don't believe them. And it doesn't prove that what a company does is "just as secure" as best practices.

> When you start with a premise that all sites MUST have HTTPS and MUST NOT support TLSv1.0 in each argument, then your arguments are simply unsound, because they're based on an incorrect premise

Whew, good thing I wasn't doing that.

> If you intentionally disable your blog from working on such older devices, shifting the blame to device manufacturer is simply ludicrous!

Let me try to be clear again, since you definitely misread me.

Disabling HTTP is on the site owner.

HTTPS breaking is the manufacturer's fault. The site can influence how it breaks, but no matter what, a very old implementation will be broken. At a certain point you can't even get certificates any more because all the roots are expired.

> All my sites are HTTP-only

So you don't want your users to even be able to opt in to privacy or protection from hostile networks?