Support secure connections by default
Short, concise description of the idea
All connections to LiveJournal should be over HTTPS, not HTTP; all email from LiveJournal should be via secure connection, not insecure.
Full description of the idea
Insecure web connections are becoming very dangerous.
HTTPS connections do more than secure browsing; they largely eliminate the risk of code injection and drive-by exploits.
Please secure all web connections to LiveJournal, not just the login part. Require HTTPS. It's faster, too!
This includes outbound email; LJ comment notifications often contain sensitive information and links, but are one of the few emails I receive that are still transmitted in the clear.
Here is additional background:
- Contents of communication are private between LJ and the viewer.
- Much lower risk of malicious content injection. I hate the thought of my readers getting their computers hacked just for viewing my blog.
- HTTPS is now faster than HTTP, in some cases almost twice as fast.
- Browsers show warnings to users for insecure connections, scaring away potential readers.
- Google has already started ranking insecure websites lower than secure ones; this harms the LJ brand.
- Some major browsers (e.g., Chrome) are disabling some features for insecure connections.
- Let's Encrypt offers free, public, and automated SSL/TLS certificates.
- Changing over will require development effort, and require LiveJournal to acquire and maintain a signing certificate.
- Introduces overhead on the server side (of less than 1% CPU load).