Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
bigstrat2003 2 months ago

There's no good reason to serve a blog over TLS. You're not handling sensitive data, so unencrypted is just fine.

foobiekr 2 months ago | parent | next [-]

The reason is to prevent your site from becoming a watering hole where malicious actors use it to inject malware into the browsers of your users.

TLS isn't for you, it's for your readers.

dijit 2 months ago | parent | next [-]

but like, who’s doing that?

Maybe the answer is disabling the JS runtime on non-TLS sites, maybe that has the added benefit of making the web (documents and “posters”) light again.

SMS is unencrypted, phone calls are unencrypted- yet we don’t worry nearly as much about people injecting content or modifying things. Because we trust out providers, largely, but the capability 100% exists for that; with no actual recourse. With browsing the internet we do have recourse- optionally use a VPN.

All of this security theatre is just moving the trust around, I would much rather make laws that protect the integrity of traffic sent via ISPs than add to the computational waste from military grade encrypting the local menu for the pizza shop.

Worse still, the pizza shop won’t go through the effort so they either won’t bother having a website or will put it on facebook or some other crazy centralised platform.

I’ll tell you something, I trust my ISP (Bahnhof- famous for protecting thepiratebay) a lot more than I trust Facebook not to do weird moderation activities.

GoblinSlayer 2 months ago | parent | prev [-]

Ads will inject it anyway.

nssnsjsjsjs 2 months ago | parent [-]

If there are ads.

throw0101b 2 months ago | parent | prev | next [-]

> You're not handling sensitive data, so unencrypted is just fine.

Except when an adversary MITMs your site and injects an attack to one of your readers:

* https://www.infoworld.com/article/2188091/uk-spy-agency-uses...

Further: tapping glass is a thing, and if the only traffic that is encrypted is the "important" or "sensitive" stuff, then it sticks out in the flow, and so attackers know to focus just on that. If all traffic is encrypted, then it's much harder for attackers to figure out what is important and what is not.

So by encrypting your "unimportant" data you add more noise that has to be sifted through.

cAtte_ 2 months ago | parent | prev | next [-]

relevant blog post and HN discussion: https://news.ycombinator.com/item?id=22146291

g-b-r a month ago | parent | prev | next [-]

Do you consider only religion, health and political data to be sensitive??

What someone chooses to read on a blog is no one else's business, and can be very sensitive.

2 months ago | parent | prev [-]
[deleted]