On 8/20/21 2:37 PM, Simon Richter wrote:
Such situations are the exception rather than the norm. If https is detrimental to their setup, they can choose to opt out of it.This is a use case where HTTPS does hurt, and where I can't think of any good mitigation strategies that wouldn't be worse from a security PoV than the status quo.
For everyone else, I think https should be the default. Kyle