Around last christmas there was this long discussion on a mailing list I followed about people being unable to access websites because their computers were too old to reasonably run modern encryption algorithms in browsers. Much of the internet is pushing for https-only access, which, it would appear, locks out an entire bunch of end devices of perfectly healthy, yet not very wealthy people.
The guy defending unencrypted traffic got bullied and called names, and I stepped in but not to the amount of success that would have anyone from the opposing side acknowledge that there is indeed a case to be made for it. I ultimately cancelled my subscription, because I realized all the arguments had been repeated several times over to no effect.
Having worked for GOV.UK I’m painfully aware of the realities of supporting everyone’s devices and browsers, but it’s not quite that simple. The opposing factor is protecting people’s right to a secure experience.
Or, to put it another way, which is more important: letting a user who currently only has access to extremely old technology access any page on the site, or protecting (for example) someone suffering from domestic abuse when they access a page with details on how to get help?
In the end it’s a judgement call, but if you can argue your case both approaches are valid.
> their computers were too old to reasonably run modern encryption algorithms in browsers.
Do your remember any of the examples of such computers given?
I'm aware of the problem of no-longer-supported software too old to have added support for modern encryption, but I'm unfamiliar with this being a hardware problem.
Yeah, exactly. These are software limitations in Android.
The above comment seemed to be referring to older hardware so I was wondering if they were simply conflating bundled software (like pre-installed OS) or actually talking about hardware limitations.
While there is of course plenty of hardware that would be too limited for modern encryption, but I would seriously doubt anyone would be using it due to budget constraints (as in, these would more likely be specialised hw for niche embedded applications).
The guy defending unencrypted traffic got bullied and called names, and I stepped in but not to the amount of success that would have anyone from the opposing side acknowledge that there is indeed a case to be made for it. I ultimately cancelled my subscription, because I realized all the arguments had been repeated several times over to no effect.