It is immensely frustrating to me that Dave's excellent point about legacy content is obscured by his characterization of the push to HTTPS. At the core, the idea that security only matters for transactions is wrong. For example, I want my blog to be served over HTTPS because I don't want anyone to be able to edit my words between my server and the person reading them.
Now, Dave acknowledges this: "They tell us to worry about man-in-the-middle attacks that might modify content, but fail to mention that they can do it in the browser, even if you use a 'secure' protocol."
The rhetorical slip here is bad. "They" is me. I say you should worry about man-in-the-middle attacks. I can't "do it in the browser." He keeps doing this; he's acting like Google is the only entity that thinks the move is a good idea.
It also fails to acknowledge that partial solutions matter! What, I should give up on putting locks on my door just because the lock manufacturer can go right through them? Further, right now I have a choice of three plausible browsers, and I can switch between them freely. There's a significant difference between the danger of man-in-the-middle attacks and the danger of a browser-level attack. (Both pretty low, to be fair, but still.)
And that's just the concern about attacks. Tracking is a whole additional issue that he doesn't acknowledge.
So, yeah, he makes some good points. But since he won't engage in discussion on the topic, they're not useful and they get drowned out by the noise.
"won't engage in discussion" -- it's been a long day, lots of discussion, and most of it repetitive. The fact that so much discussion is needed is a pretty good indication that the open web should not be corporatized. Google should create a new medium, like they did with AMP, and make it opt-in. Stop trying to be the dictator of the web. And you -- please stop saying bullshit about me. Thanks. Tired.