Paul Graham's blog is great but I really wonder why it doesn't use HTTPS.
Googled a bit and found this. But no answers from him personally.
Of course, he doesn't owe anyone anything, but I think it's weird to not have HTTPS nowadays. But I have a cryptography background, so I might be biased.
reply
SSL (well, TLS now) serves three purposes.
  1. Ensuring you are getting the information the website author intends for you to get, i.e., data can't be manipulated in transit.
  2. Ensuring the information you are getting is in fact coming from the domain you are requesting it from.
  3. Preventing others between you and the website from seeing the information sent back and forth.
I think you questioned the need for TLS here assuming 3 was the only purpose of TLS?
I found this comment on the linked HN thread insightful and probably very useful for a lot of folks. Sensitive data isn't the only argument for TLS.
reply
Yes. It's about CIA: confidentiality, integrity and authenticity.
People most of the time only think about C.
reply
I've seen him call this an IQ test, i.e., he sees it as unnecessary for his site.
reply
I totally get why one might think that HTTPS is not necessary for a site like this but damn, I really believe we should always err on the side of caution with stuff like this. Getting a certificate and setting up auto-renewal with free TLS providers like Let's Encrypt really isn't that hard anymore.
I guess I've heard too many stories about people not taking cryptography seriously or just handwaving arguments so I am always baffled when people say: ohhh, I don't need it, what could go wrong?
That might be true but are you 100% sure?
We should be humble when it comes to cryptography.
But as mentioned, I get it that most people don't think like this. It's too abstract.
Regarding the IQ test: is it about people being considered dumb if they follow advice like "use HTTPS" blindly?
Well, I would rather fail such a test and say I'm dumb and actually be dumb than say I'm smart but with the risk of actually being dumb, lol
reply
"There's another more subtle lesson in the list of fields with superlinear returns: not to equate work with a job" --Paul Graham
reply