"It's not a bug, it's a feature" of most modern web browsers. A https page that includes content fetched using http is called a "mixed content" page. Radiooooo over https still fetches the songs via http requests, and so many browsers block these requests.
It’s for listening to clips of old music, not email or banking. It’s literally replicating data that is otherwise being publicly broadcast through the air unencrypted.
my ISP doesn't do this currently. reason is actually that I don't see any reason why the app should be using mixed_content to begin with. In the age of letsencrypt you can easily get certificates, so the only reasons I can think of are a) performance overhead due to TLS, b) storage of audio tracks done on 3rd party domains due to cost/limits.
a) is a non-issue in 2020
b) not extending trust to 3rd party domains is literally why allowing mixed_content is a terrible idea
TLS is anything but a non-issue. TLS accounts for roughly 40% of the CPU and 45% of the memory bandwidth on our CDN nodes.
I work for Netflix on our CDN. I wrote much of the FreeBSD kernel TLS layer, and am working with several vendors on hardware TLS offload to eliminate this overhead. Hopefully your statement will be correct soon :)
I agree that you have compute overhead which you need to account for.
At least for SaaS companies it's not really a technical hurdle that blocks anyone from running their service, except maybe for those who are already very large (Netflix obvioulsy) and have scaled and optimized so well that it makes sense for further reducing this additional cost. You're in a unique position I think and you are lucky to work on a cool project like this.
But I have not seen any places where this was at all an urgent on a clients or employers agenda. It is a budgeting issue (if you're buying) or pricing issue (if you're selling), but it's not an technical problem that needs to be solved in any place other than hyper-scaling companies/stacks.
Terminating TLS and (load-balancing it) is not really what prevents a cash strapped start-up from scaling, nor is it super high priority in large companies who are able to throw a little extra money at this problem. Those companies who still have skilled innovators around solves the problem like you do at Netflix, in older industries (banks come to mind) they just by OTS or have a consulting company implement some "bespoke solution".
It's a "problem" most SaaS businesses can carry with them for a long time, until they have room to address it.
obviously this sounds like a cool project to dive into but quite rare too! enjoy it, I know I would :)
I get that. but how would you allow the mixed content on a per site basis? sure I could use another browser that ignores the security just for this one page. how else would you do it without editing about:config and then switching back, is there a extension or something that can do that on a per-site basis?
It's a shame this isn't working in a secure way and out of the box on modern browsers.
