I don’t understand what point you’re trying to make. For this particular decision, there’s pretty much no externalities such as security or latency; immediate user outcomes are probably the most important thing to optimize for.
Are you opposed to data-driven decisions in general? Do you feel that the metric here is the wrong one for it? Are you worried that it will be applied more broadly than it should be?
Some of those seem reasonable, and feel free to clarify.
Agreed, it is a mess, but in my opinion the least bad option that should be considered by us all to be accepted is DANE. At least with DANE (which does imply DNSSEC), the domain owner can add valid certificate hashes to his/her DNS. This moves certificate validation authority away from selected-by-others “trusted” CAs, and gives more freedom, to the actual owner of the domain. A very welcome alternative as I see it.
Yes, sensible for cases where the domain name is what the user is extending trust to, like amazon.com or google.com. Not great for banks, etc, where what the user really needs to know is that it’s the business they have an existing relationship with.
What’s next?
Disabling TLSv1.0 forces many users to abandon the sites?
HTML-less JS-heavy sites are slow to load, and bleed some users, likewise?
Prohibiting the browser from saving passwords increases the likelihood of website credential theft?
I don’t understand what point you’re trying to make. For this particular decision, there’s pretty much no externalities such as security or latency; immediate user outcomes are probably the most important thing to optimize for.
Are you opposed to data-driven decisions in general? Do you feel that the metric here is the wrong one for it? Are you worried that it will be applied more broadly than it should be?
Some of those seem reasonable, and feel free to clarify.
I guess I might not have been clear – all of the things mentioned seem reasonable; what’s unreasonable is that so few people see it that way.
Ah! Then, profoundly agreed.
(Sigh… The TLS thing is a whole mess, though, with no good answer in the short term.)
Agreed, it is a mess, but in my opinion the least bad option that should be considered by us all to be accepted is DANE. At least with DANE (which does imply DNSSEC), the domain owner can add valid certificate hashes to his/her DNS. This moves certificate validation authority away from selected-by-others “trusted” CAs, and gives more freedom, to the actual owner of the domain. A very welcome alternative as I see it.
Yes, sensible for cases where the domain name is what the user is extending trust to, like amazon.com or google.com. Not great for banks, etc, where what the user really needs to know is that it’s the business they have an existing relationship with.
It’s kinda sad this had to be pointed out.
I’m surprised the number is so high, but it should be a no brainer that something super annoying causes people to leave.