I should probably clarify my statement regarding SSL. I think we were both referring to HTTPS as SSL. So I'll restate: HTTPS is a good thing and should be encouraged for consideration everywhere as a "Why not?" instead of "Why?"
SSL protocol has issues and demonstrable attacks, TLS is intended to be a better and if it were perfect already then work on TLS 1.3 wouldn't be underway.
This site has logins and passwords - for me that is enough to welcome HTTPS (but not require it, based on my personal value of the site, otherwise I'd have complained about the previous lack of HTTPS). HTTPS isn't a replacement for unique password discipline. I don't use the app so don't feel the same pain on it's breakage: I do hope the app issue gets fixed and that it can be done without disabling HTTP entirely.
External Certificate Authorities and relying on them has it's problems too which I think is what I understand your primary concern to be regarding SSL/HTTPS. Perhaps I should have left in the slight nod I'd written saying that I'm not a spokesman for a CA (or a government). The possibility that a Certificate Authority (that isn't yourself) has interests that are different from your own is not at all unlikely. If this is difference in interests is effectively deliberate/indeliberate, of internal/external origin or fundamentally incompatible is a complex equation to work out.
What we have are options and little in the way of options that are perfect and without compromise. I hope to hold my own against others in the same weight class (similar funding/resource availability) and occasionally wonder how things would hold up against a clearly more substantial set of resources.
So, I'll take HTTPS (TLS 1.2 if I can and even SSL if I must) and hope for better (as my skills and interests seem to be elsewhere regarding "actual" work).
I should probably clarify my statement regarding SSL. I think we were both referring to HTTPS as SSL. So I'll restate: HTTPS is a good thing and should be encouraged for consideration everywhere as a "Why not?" instead of "Why?"
SSL protocol has issues and demonstrable attacks, TLS is intended to be a better and if it were perfect already then work on TLS 1.3 wouldn't be underway.
This site has logins and passwords - for me that is enough to welcome HTTPS (but not require it, based on my personal value of the site, otherwise I'd have complained about the previous lack of HTTPS). HTTPS isn't a replacement for unique password discipline. I don't use the app so don't feel the same pain on it's breakage: I do hope the app issue gets fixed and that it can be done without disabling HTTP entirely.
External Certificate Authorities and relying on them has it's problems too which I think is what I understand your primary concern to be regarding SSL/HTTPS. Perhaps I should have left in the slight nod I'd written saying that I'm not a spokesman for a CA (or a government). The possibility that a Certificate Authority (that isn't yourself) has interests that are different from your own is not at all unlikely. If this is difference in interests is effectively deliberate/indeliberate, of internal/external origin or fundamentally incompatible is a complex equation to work out.
What we have are options and little in the way of options that are perfect and without compromise. I hope to hold my own against others in the same weight class (similar funding/resource availability) and occasionally wonder how things would hold up against a clearly more substantial set of resources.
So, I'll take HTTPS (TLS 1.2 if I can and even SSL if I must) and hope for better (as my skills and interests seem to be elsewhere regarding "actual" work).
