by pierrebeaucamp 1602 days ago
Some counter-arguments from n-gate.com: http://n-gate.com/software/2017/07/12/0/
3 comments

This article comes off as basically victim-blaming, when it comes to "not my problem" if some bad actor injects ads etc.

The arguments against Caddy are no longer true. Caddy runs on a ton of platforms, essentially any that Go can use as compile targets (except for plan9 for the moment because of a dependency of Caddy's that has a compatibility problem https://github.com/caddyserver/caddy/issues/3615#issuecommen...). Caddy also doesn't have to run as root, nor does it by default with our apt/yum packages.

Also a passing comment essentially calling Let's Encrypt... with their track record at this point, I don't think that can be said.

The rest is basically just vitriol.

Yeah, I've seen this n-gate page before.

It's nothing more than victim blaming and circular logic. Damn near every argument being made is "That attack doesn't matter to me because I don't use HTTPS because my site doesn't need HTTPS".

Classic n-gate.

> > If we encrypt only secret content, then we automatically paint a target on those transmissions.

> None of those things are my problem.

> > [HTTPS] guarantees content integrity and the ability to detect tampering.

> The legions of browser programmers employed by Mozilla, Google, Apple, and Microsoft should do something about that. It's not my flaw to fix, because it's a problem with the clients.

I re-ordered the quotes a bit, but I'm reasonably confident I didn't misrepresent what he was trying to say. The counter-arguments after this are good, but the first couple of things are, imo, already sufficient to make HTTPS a very very important thing.

Though… I find myself wondering whether he's really all that wrong, after all.

> Users must keep themselves safe. Software can't ever do that for you. Users are on their own to ensure they use a quality web client, on a computer they're reasonably sure is well-maintained, over an internet connection that is not run by people who hate them.

> It's just software. It can't fix your society.

> Users must keep themselves safe. Software can't ever do that for you. Users are on their own to ensure they use a quality web client, on a computer they're reasonably sure is well-maintained, over an internet connection that is not run by people who hate them.

And not use insecure websites, I guess. I don't know how that person expects the browser to magically protect the user if their server transmits in plain text.

What's the point you're making with your first two quotes? Are they supposed to be self-evidently incorrect? If you're just serving static content, why should you care whether there are governments out there that may be inserting content into it?

And while "encrypting only sensitive content calls out that content as being sensitive" is certainly true theoretically, almost every site has HTTPS, sensitive or not, so in practice it's not a concern.

That just brings me to a page with a never-loading captcha on Android Firefox.

Try pasting the link into a new browser tab. It's a redirect if you're coming from HN.

You have to open it in a private window.