Hacker News new | past | comments | ask | show | jobs | submit login

Every visitor would have to manually trust them; provided they're using a browser that still allows them to do so.



This is literally the same as HTTP except that browsers don't (by default yet) put up a scary warning for that. But with a self-signed cert you get protection from passive attackers and once you press yes the first time it verifies if someone else tries to hijack your connection.

I think almost all protocols should have always-on encryption. You can choose to validate the other end or not but it is simpler and safer to only have the encrypted option in the protocol.

FWIW I have HTTPS-only mode enabled and I would prefer to be notified of insecure connections. To me a self-signed cert is actually better than HTTP.

I'm sure it will be a while until HTTPS-only is the default, but it seems clear that browsers are moving in that direction.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: