US Senate website says use HTTP instead of HTTPS

Excuse the ignorance, but what&#x27;s the problem if it&#x27;s purely an informational read only site? There&#x27;s no logins, prompts, messaging that can be exploited. What&#x27;s the problem of it being unencrypted?<p>Don&#x27;t get me wrong I&#x27;m all for https when there&#x27;s user information to be protected back and forth, I just don&#x27;t see the applicability for it here.

I also noticed it seems blocked from access outside the US...<p>so what would happen if a traveling american wants to access it?<p>edit: FYI I&#x27;m trying from Kenya. edit2: Using my phone I&#x27;m able to switch between wifi, and mobile and on mobile it is unblocked. hmmm<p>Also for those who don&#x27;t see the Access Denied page but are curious, here is what it reads in full.<p>--------------------<p>Access Denied<p>You don&#x27;t have permission to access &quot;<a href="http:&#x2F;&#x2F;serve-403-www.senate.gov&#x2F;&quot;" rel="nofollow">http:&#x2F;&#x2F;serve-403-www.senate.gov&#x2F;&quot;</a> on this server. Reference #xx.xxxxxxxx.xxxxxxxxxx.xxxxxxxx<p>---------------------<p>It seems it has little to do with geography. It&#x27;s an IP thing.

How strange, I changed it to http as asked. For me it then asked for my social security number to login and then I needed to confirm some of my banking information for the IRS. I&#x27;d expect that to be information you&#x27;d want to protect!! I actually double checked to make sure I wasn&#x27;t on a phising site but I was safe: &quot;senate.gov&quot; why did they need my banking information? Oh well.<p>The above is fiction, but an easy scenario under HTTP. Any AP (wifi access point, like at a cafe) can do it...

Attempted to write to one of my senators. To do so online requires using the web form on the senator&#x27;s &quot;contact&quot; page. It says only messages from the senator&#x27;s constituents will be accepted, so it&#x27;s necessary for the author to share some identifying info.<p>I don&#x27;t know how much checking is done to assure the writer really is a constituent, probably there&#x27;s some lookup of street addresses, zip codes, etc.<p>Main point is that the senator&#x27;s contact page does use https. This is appropriate given that personal info is shared per the contact form. I don&#x27;t think any other senate pages accept input, so maybe their reasoning is that http vs. https is less critical on other parts of the site.

Weird, they&#x27;re hosted on Akamai. Even weirder, it doesn&#x27;t appear that www.senate.gov supports IPv6.

See also: <a href="https:&#x2F;&#x2F;https.cio.gov&#x2F;" rel="nofollow">https:&#x2F;&#x2F;https.cio.gov&#x2F;</a><p>I suspect they haven&#x27;t caught up with the mandate.

I&#x27;d forgotten how <i>fast</i> everything loads if you use http instead of https.<p>It&#x27;s quite refreshing to not have that initial half-second or so lag that you get when loading an https page.<p>Hopefully we&#x27;ll make back some of the difference once http&#x2F;2 is more widespread.

Can someone tell me why this might have been required?<p>What are the situations which might prompt a developer to make their users use http instead of https?

Well, if you&#x27;ve got nothing to hide...<p>;)

I can&#x27;t load the senate.gov website with the HTTPS Everywhere browser plugin. The plugin redirects the senate HTTP URL back to the No HTTPS warning. It&#x27;s easy to get around by going incognito, but this would seriously confuse the average user.

I wondered if there were any senator contact forms etc but I couldn&#x27;t find any. However, you can use the &#x27;find your senator&#x27; drop-down top-right to find a senator&#x27;s private website contact form. Those I looked at were all unencrypted too.

Perhaps they don&#x27;t have the resources to serve all requests over https at this time?

And it&#x27;s OK. This &quot;HTTPS everywhere&quot; concept is damaging. I think it should be revised. The amount of overhead and the lack of ability to optimize encrypted content for transferring over, say, satellite or other radio links, is bad. Lots of people still use very expensive (&gt;$2,000 per Mbps) long-RTT connections that would benefit immensely from content optimization techniques. And most of them are cost-sensitive because they live in developing countries.