RE: HTTPS and the Forums
2018-02-27, 14:50 (This post was last modified: 2018-02-27, 14:56 by Steffen.)
I know about this move of the browsers and I like it a lot basically. It is coming from a good origin and principle.
However, I think you are overshooting here a little: applying those considerations especially to this forum and in that strict way
IMHO creates more damage than benefit. I think the different use cases need different treatment:
(a) Existing embedded images
All old posts which currently have an image embedded from a http source, like for example http://www.brickshelf.com,
would be blocked by your new policy, and the posts therefore would look broken.
This is huge collateral damage.
(b) Embedding new images
Enforcing a "https only allowed" policy for new embedded images will lock out all sites which have not yet migrated to https
(like brickshelf.com). I again here think that the achieved "gain" is much smaller than the "loss".
(c) Links to somewhere else in a post
I think enforcing a policy here makes no sense, because these things have no impact on the "security" classification of forums.ldraw.org itself.
It is the job of the destination site to migrate to https, not ours to lock them out.
The loss of information sharing capability also here IMHO is too large compared to the small gain.
Imagine someone wanting to describe a problem and point a link to somewhere and cannot post that.
What I consider *more important* is to migrate whole ldraw.org to https.
We ourselves haven't done our own homework yet!
For example, the forums are https now, but the parts tracker is not.
I have suggested doing that a long time ago:
https://forums.ldraw.org/thread-21917.html
Your new policy would lock out
- all links to the PT
- all ldraw.org own-generated images like http://www.ldraw.org/library/unofficial/.../28324.png
- peeron.com
- brickshelf.com
Please understand that I'm also working in the IT industry and of course am a https stakeholder in general.
I just think that the approach taken here is the wrong order. I instead suggest:
(I) migrate whole ldraw.org to https
This will be a lot of work, I expect lots and lots of small trivial edits (https by http) on the parts tracker implementation
and its scripts. It will probably also affect the peeron.com infrastructure, therefore I suggest at the same time:
(II) migrate whole peeron.com to https
(III) In the forum, we can _recommend_ https over http, but not forbid http
Forbidding must come at a much later stage.
- just my opinion! -