I'm suggesting that site operators need to use HTTPS. It doesn't matter if you use Rails, PHP, Node.js, whatever. USE HTTPS. NEVER USE HTTP.

It's as simple as that. Never assume that anything transmitted over HTTP is safe, because that assumption will come back to bite you.

Exactly - use force_ssl true in the case of Rails.

I'm not sure to understand (I see that you're likely using irony, but I'm not a native english speaker).

Are you suggesting not using SSL?

If not, can you clarify your point?

Thanks.

I think he means getting devs who deploy Rails apps to start using HTTPS for their app, rather than there being a deficiency in the framework.