Conversation

I hate going to non-HTTPS websites

Sure, it's not opsec-ruining for Sky Broadband and the UK Government to have detailed logs of me looking at hrwiki and what pages I was visiting, but it would be nice for them to Not

@ipg HTTPS should never be enforced for sites that don't handle sensitive data

@zebo it shouldn't be enforced everywhere, but it should be available always, and maybe enforced on devices that can


@ipg @zebo no, it really should be enforced everywhere. Only exception I'd make is private IP ranges and .local TLD.

@siguza @ipg older devices do not support modern TLS standards, and some don't allow importing new root CA certs

@zebo @ipg then set up a local proxy that strips TLS; legacy devices are enough of a liability already, they are absolutely no justification for holding back progress.

@siguza there is a massive and growing e-waste problem, and I'm willing to bet a large part of it is because progress for the sake of progress like this is making older devices unusable

@zebo ugh, how do I convey this in a single post... so you have a lot of massive, hostile organisations not just reading everything you send and receive but also injecting code to make your devices part of their botnet, and you yell at the people wanting to stop them because your shit vendor not only stopped shipping OS updates to you after like a year and a half, but also locked down your device to the point where you can't even install a more recent TLS library, and instead of seeing the cold, hard capitalist motivations behind this, you blame it on the ideology of the people who fight for encryption and privacy?

Do you really think dropping encryption is going to make a difference for e-waste, when web and app devs mandate software as recent as a few months old, for one because vendors make it hard for them to test on non-latest stuff, and for another because it's just cheaper for them to declare anything else unsupported? And we are already doing way too much for legacy systems: TLS 1.3 and ESNI won't be real for at least another decade, because everything allows downgrade attacks for compatibility reasons.

The real problem is not the world moving forward, it's vendors preventing perfectly good hardware from doing so. But as it stands, if you are running an OS today that is too old to support TLS 1.3, then you shouldn't be connecting it to the internet in the first place. If you're missing multiple years of security patches, then there will be publicly available weaponised exploits for your system, and in this day and age there is no shortage of botnet operators who have enough of an incentive to use them.

This isn't some paranoia level of encryption I'm asking for, it's the absolute baseline. And we fail to achieve even that.
